feat(GRO-2513): gate Settings nav+route to manager/super-user, eliminate groomer 403

- App.tsx AdminLayout: fetch /api/staff/me on mount, filter NAV_LINKS so
  Settings only appears for role=manager or isSuperUser (fail-closed while
  loading). Guard /admin/settings route to redirect non-managers to /admin.
- Settings.tsx: replace parallel-fire useEffects with a single sequential
  flow — fetch /api/staff/me first, then only call /api/admin/settings for
  managers/super-users and /api/admin/auth-provider for super-users only.
  Groomers/receptionists never trigger the 403.
- UAT_PLAYBOOK.md §5.14: updated with role-gated test cases (TC-WEB-5.14.1–8)
  covering manager-sees-tab, groomer-no-tab, direct-URL redirect, zero-403,
  and shared-endpoint regression.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitignore

@@ -5,14 +5,4 @@ node_modules/
 dist/
 playwright-report/
 test-results/
-*.log
+*.log
-# Agent runtime artifacts — never commit
-.gh-token
-*.gh-token
-**/.gh-token
-.config/gh/
-**/.config/gh/
-**/AGENT_HOME/**
-$AGENT_HOME/**
-.claude/
-.codex/