`Admin` is set once and can never be rotated; roles aren't separated. Add `set_admin` (auth-gated) and document the RBAC matrix.
Acceptance criteria
- Admin can transfer the role; non-admin cannot.
- `docs/SECURITY.md` RBAC matrix updated.
- Tests for authorized + unauthorized rotation.
`Admin` is set once and can never be rotated; roles aren't separated. Add `set_admin` (auth-gated) and document the RBAC matrix.
Acceptance criteria