Define complete ability configuration

[candyhazlett]

`ability.rb` only has Project rules right now, and several cards are waiting on a coherent auth design before they can be implemented. This card is about getting that design in place first — either a full implementation or documented stubs — so those cards aren't each making it up as they go.

Tasks

• Map out all resources (User, Project, Collection, CoreFile, ProjectMember, CollectionCoreFile, ImageFile) × roles (guest, logged-in non-member, contributor, owner, admin) × actions (:read, :create, :update, :destroy, :manage_members)
• Make sure collection-scoped contributors and soft-deleted record visibility are accounted for in the design
• Write the rules (or stubs with TODOs) into `ability.rb`
• Check for conflicts or gaps before the implementation cards start

Acceptance Criteria

• Full permission matrix documented
• All rules or stubs in `ability.rb` — nothing left unaddressed
• Collection-scoped contributor logic and soft-delete visibility policy are both decided
• Work dependent on Ability can proceed without redesigning the overall structure