
Redesigned Roles & Permissions Management, Clearer Page-Statistics Labels, and Cross-Portal Session Fix

PR #776 · heytulsiprasad · Feb 1, 2026 · 08:34 UTC
QA: Jan 25, 2026
Production: Feb 1, 2026

Executive summary

This QA release overhauls how roles and their permissions are managed in the Admin portal, replacing the old permission-matrix screen with an intuitive two-column transfer interface, and adds friendlier entity-type labels to the Page Statistics report. It also ships a session-stability fix that prevents users from being blocked when switching between the Mail, Admin, and Vendor portals in separate browser tabs.

Why this was needed

The previous roles screen relied on a dense checkbox matrix and a separate standalone Permissions page, which was hard to navigate as the permission catalog grew and offered no pagination or search. Separately, the Page Statistics grid displayed raw internal type codes (e.g. "Client") instead of human-friendly names. A third issue caused intermittent "403" failures: when a user moved between portal tabs, the shared security (CSRF) cookie was overwritten while the in-memory token went stale, breaking requests on the original tab.

Client / user impact

Administrators get a clearer, faster workflow for assigning and removing permissions on a role, with search, module grouping, multi-select, pagination, and unsaved-change indicators — and nothing is committed until they explicitly save. Page Statistics now shows readable entity labels (e.g. "Workspace Owner"), and the top-level view is scoped to client entities. End users who keep multiple DSM portals open in different tabs will no longer hit unexpected session errors when returning to an earlier tab.

Technical scope

  • Roles page redesign (Admin): New PermissionTransferList component (with ModuleSection, PermissionColumn, TransferButtons) provides a dual-column assigned/available transfer UI with search, module grouping, and pagination; RoleFormDialog was rewritten to manage pending changes in local state and only call the API on save, then invalidate queries for fresh data.
  • New paginated permissions API wiring: Added RoleListItem/RoleDetailResponse/RoleDetailParams types, getRolesList and useRoleDetail (paginated) in services/queries, and the roles list now shows a permission-count badge.
  • Removed legacy code: Deleted the standalone /permissions page and the old PermissionMatrix component, and cleaned up admin navigation/exports.
  • Page Statistics (Admin): Added entity-type display-name mapping (getEntityTypeLabel, createClientColumns, useEntityTypes), scoped the top-level grid to entity_type=Client, and corrected the CostConfigDialog entities limit from 500 to the API max of 100.
  • Cross-portal CSRF fix (shared http-client): Added syncCsrfTokenFromCookie() and initCsrfAutoSync() (re-syncs the in-memory token from the cookie on visibilitychange), now initialized in the Mail, Admin, and Vendor API clients.
  • Roughly 2,083 additions / 786 deletions across 24 files, concentrated in the Admin app.
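The cross-portal CSRF fix described above, as an added illustration (not the project's shared http-client code): a per-tab in-memory token that is re-read from the shared cookie when the tab becomes visible again, with a stand-in `document` so the stale-token scenario can be exercised outside a browser. The cookie name, header name and function bodies are assumptions; only the function names come from the release notes.

```javascript
const CSRF_COOKIE_NAME = "XSRF-TOKEN";   // assumed cookie name (not from the release notes)
const CSRF_HEADER_NAME = "X-XSRF-TOKEN"; // assumed request header name

// Parse a document.cookie-style string ("a=1; b=2") and return one cookie's value, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// One portal tab's client. `doc` stands in for `document` (visibilityState, add/removeEventListener)
// and `readCookies` for `() => document.cookie`, so the flow can run outside a browser.
function createCsrfClient(doc, readCookies) {
  let token = null; // in-memory copy attached to mutating requests

  // Copy the cookie value into memory; keep the old token if the cookie is absent.
  function syncCsrfTokenFromCookie() {
    const fromCookie = readCookie(readCookies(), CSRF_COOKIE_NAME);
    if (fromCookie !== null) token = fromCookie;
    return token;
  }

  // Re-sync each time the tab is shown again, so a cookie overwritten by another
  // portal's tab is picked up before the next request instead of causing a 403.
  function initCsrfAutoSync() {
    const onVisibility = () => { if (doc.visibilityState === "visible") syncCsrfTokenFromCookie(); };
    doc.addEventListener("visibilitychange", onVisibility);
    syncCsrfTokenFromCookie(); // initial load
    return () => doc.removeEventListener("visibilitychange", onVisibility); // teardown
  }

  // Header set for a state-changing request, built from the in-memory copy.
  function csrfHeaders() {
    return token === null ? {} : { [CSRF_HEADER_NAME]: token };
  }
  return { syncCsrfTokenFromCookie, initCsrfAutoSync, csrfHeaders };
}

// Minimal stand-in for `document`, enough to fire visibilitychange in a test harness.
function fakeDocument() {
  const listeners = [];
  return {
    visibilityState: "visible",
    addEventListener(type, fn) { if (type === "visibilitychange") listeners.push(fn); },
    removeEventListener(type, fn) { const i = listeners.indexOf(fn); if (i >= 0) listeners.splice(i, 1); },
    show() { this.visibilityState = "visible"; listeners.slice().forEach((fn) => fn()); },
  };
}
```

In the real client the same listener is registered once per portal app at startup; the teardown function matters mainly for tests and hot-reload.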

Risk & mitigation

Moderate and contained to the Admin portal. The roles/permissions flow was substantially rewritten and depends on the new paginated permissions API, so a backend/frontend contract mismatch could surface as missing permissions or save errors; the local-state-until-save design limits accidental writes. The CSRF auto-sync change touches the shared HTTP client used by all three portals, so it should be regression-checked across Mail, Admin, and Vendor. Deleting the /permissions route means any bookmarks to it will 404 by design.

QA validation focus

  • In Admin, open a role and confirm permission counts and the assigned/available lists are correct.
  • Assign and unassign permissions via the transfer list; verify search, module grouping, multi-select, and column pagination work, and that changes are tracked locally and only persisted after Save (with unsaved-change indicators).
  • Confirm Page Statistics shows display names (e.g. "Workspace Owner" not "Client") and that the top-level view lists only client entities; verify the cost-config entities dropdown loads (limit 100).
  • Verify the old /permissions page is gone from navigation.
  • Open Mail, Admin, and Vendor in separate tabs, switch between them, then perform an action (e.g. save) on the original tab and confirm no 403/CSRF errors occur.