feat: replace namespace permissions with per-node graph permission model (can_read/can_create_rel/can_write/has_ownership)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

models/rel_type.go

@@ -8,13 +8,17 @@ type Rel struct {
 }
 
 const (
-	RelBlocks         RelType = "blocks"
-	RelSubtask        RelType = "subtask"
-	RelRelated        RelType = "related"
-	RelCreated        RelType = "created"
-	RelAssignee       RelType = "assignee"
-	RelInNamespace    RelType = "in_namespace"
-	RelMentions       RelType = "mentions"
-	RelHasReadAccess  RelType = "has_read_access"  // user → namespace
-	RelHasWriteAccess RelType = "has_write_access" // user → namespace
+	RelBlocks      RelType = "blocks"
+	RelSubtask     RelType = "subtask"
+	RelRelated     RelType = "related"
+	RelCreated     RelType = "created"
+	RelAssignee    RelType = "assignee"
+	RelInNamespace RelType = "in_namespace"
+	RelMentions    RelType = "mentions"
+
+	// Permission rels (subject → object). Levels are inclusive and transitive.
+	RelCanRead      RelType = "can_read"       // level 1: visible in list/show
+	RelCanCreateRel RelType = "can_create_rel" // level 2: can create relations between nodes
+	RelCanWrite     RelType = "can_write"      // level 3: can update/delete
+	RelHasOwnership RelType = "has_ownership"  // level 4: sole owner; deletion cascades to owned nodes
 )