feat(tkuser): requireAdmin → requireAdminOrPermission 전환 — 권한 기반 접근 제어

- 9개 라우트 파일의 쓰기 작업을 requireAdminOrPermission으로 전환
- 권한 관리에서 tkuser.* 권한 부여 시 일반 사용자도 해당 탭 접근 가능
- GET(참조 데이터)은 requireAuth 유지, permissionRoutes는 admin 전용 유지
- 기존 partnerRoutes.js 패턴과 동일한 방식 적용

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

user-management/api/routes/taskRoutes.js

@@ -7,20 +7,22 @@
 const express = require('express');
 const router = express.Router();
 const taskController = require('../controllers/taskController');
-const { requireAuth, requireAdmin } = require('../middleware/auth');
+const { requireAuth, requireAdminOrPermission } = require('../middleware/auth');
+
+const taskPerm = requireAdminOrPermission('tkuser.tasks');
 
 // Work Types (공정)
 router.get('/work-types', requireAuth, taskController.getWorkTypes);
-router.post('/work-types', requireAdmin, taskController.createWorkType);
-router.put('/work-types/:id', requireAdmin, taskController.updateWorkType);
-router.delete('/work-types/:id', requireAdmin, taskController.deleteWorkType);
+router.post('/work-types', taskPerm, taskController.createWorkType);
+router.put('/work-types/:id', taskPerm, taskController.updateWorkType);
+router.delete('/work-types/:id', taskPerm, taskController.deleteWorkType);
 
 // Tasks (작업)
 router.get('/', requireAuth, taskController.getTasks);
 router.get('/active', requireAuth, taskController.getActiveTasks);
 router.get('/:id', requireAuth, taskController.getTaskById);
-router.post('/', requireAdmin, taskController.createTask);
-router.put('/:id', requireAdmin, taskController.updateTask);
-router.delete('/:id', requireAdmin, taskController.deleteTask);
+router.post('/', taskPerm, taskController.createTask);
+router.put('/:id', taskPerm, taskController.updateTask);
+router.delete('/:id', taskPerm, taskController.deleteTask);
 
 module.exports = router;