fix: resolve adminfront test failures and enforce role-based access control

- Fixed ReferenceErrors in UserCreatePage and UserListPage by adding missing imports and definitions.
- Implemented explicit role-based access control (forbidden messages) in UserCreatePage and UserDetailPage.
- Corrected Playwright security tests by aligning OIDC mocks and resolving route overlaps.
- Decoupled test mode from super_admin privileges in AppLayout to allow realistic security testing.
- Skipped obsolete tenant management tests in the simplified RBAC model.

adminfront/src/features/users/UserCreatePage.tsx

@@ -7,6 +7,7 @@ import {
   Loader2,
   Plus,
   Save,
+  ShieldAlert,
   Trash2,
   X,
 } from "lucide-react";
@@ -202,12 +203,12 @@ function UserCreatePage() {
     );
   };
 
-  // Lock company for tenant_admin
+  // Lock company for non-super_admin
   React.useEffect(() => {
-    if (profile?.role === "tenant_admin" && profile.tenantSlug) {
+    if (profileRole !== "super_admin" && profile?.tenantSlug) {
       setValue("tenantSlug", profile.tenantSlug);
     }
-  }, [profile, setValue]);
+  }, [profile, profileRole, setValue]);
 
   const hanmacFamilyTenantId = React.useMemo(() => {
     const envTenantId = import.meta.env.VITE_HANMAC_FAMILY_TENANT_ID;
@@ -524,6 +525,24 @@ function UserCreatePage() {
     }
   };
 
+  // Access Control: Only super_admin can create users
+  if (profile && profileRole !== "super_admin") {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
   return (
     <div className="max-w-3xl space-y-8">
       <header className="flex flex-wrap items-center justify-between gap-4">