feat: implement RBAC for dispute endpoints

backend/src/routes/disputes.js

@@ -1,12 +1,13 @@
 import express from 'express';
 import { DisputeService } from '../disputes/dispute-service.js';
 import { DB } from '../db/index.js';
+import { requireRole } from '../middleware/requireRole.js';
 
 const router = express.Router();
 const disputeService = new DisputeService(new DB());
 
-// Create a new dispute
-router.post('/', async (req, res) => {
+// Create a new dispute - accessible to 'user' role
+router.post('/', requireRole(['user']), async (req, res) => {
   try {
     const { deal_id, opened_by_user_id, reason_code, summary, requested_outcome } = req.body;
     
@@ -42,8 +43,8 @@ router.get('/:id', async (req, res) => {
   }
 });
 
-// Update dispute status
-router.post('/:id/status', async (req, res) => {
+// Update dispute status - accessible to 'moderator' and 'admin' roles
+router.post('/:id/status', requireRole(['moderator', 'admin']), async (req, res) => {
   try {
     const { id } = req.params;
     const { status, updated_by_user_id } = req.body;
@@ -72,8 +73,8 @@ router.post('/:id/evidence', async (req, res) => {
   }
 });
 
-// Resolve a dispute
-router.post('/:id/resolve', async (req, res) => {
+// Resolve a dispute - accessible to 'admin' role only
+router.post('/:id/resolve', requireRole(['admin']), async (req, res) => {
   try {
     const { id } = req.params;
     const { resolved_by_user_id, decision, reason } = req.body;