feat(organization): add built-in viewer role

[Rainash48]

/claim #1413

What is this PR about?

This PR implements a focused built-in viewer role slice from #1413. It adds a read-only role for assigned runtime resources, wires that role through the invite and change-role flows, reserves the viewer name from enterprise custom roles, renames the old enterprise viewer preset to auditor to avoid collisions, and blocks viewers from opening admin-only settings routes directly. The existing enterprise bypass behavior remains limited to owner/admin/member so the new viewer role stays truly read-only.

Checklist

Before submitting this PR, please make sure that:

• You created a dedicated branch based on the canary branch.
• You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
• You have tested this PR in your local instance. I validated this slice with pnpm --filter=dokploy run typecheck and pnpm --filter=dokploy run build-server. pnpm --filter=dokploy run build-next compiled successfully but later failed during page-data collection because this workspace does not have the expected dokploy-postgres / dokploy-redis services available (ENOTFOUND), so I could not complete end-to-end runtime verification here. I also added focused permission tests for the new viewer behavior, but the current Vitest setup in this checkout fails before running them because deep imports like @dokploy/server/services/permission are not exported to the test resolver.

Issues related (if applicable)

Related to #1413

Screenshots (if applicable)

N/A for this permission/backend slice. If maintainers want it, I can follow up with a short demo video once I can run the full local stack.