docs(server): update users endpoint permissions and project delete role matrix

Author: Diogo-Ferraz

README.md

@@ -30,8 +30,10 @@ flowchart LR
 - JWT validation in API service.
 - Role and resource-based authorization checks in handlers.
 - Auth user directory exposes `isActive` status and user roles.
-- Admin-only user management endpoints in Auth service:
+- User management endpoints in Auth service:
   - `GET /api/users` with `search`, `isActive`, and `role` filters (paged).
+    - `Administrator`: can query all users with full filters.
+    - `ProjectManager`: restricted to `role=User` queries (assignable-contributor lookup).
   - `GET /api/users/{id}/details` for richer admin user profile data.
   - `PATCH /api/users/{id}/status` to activate/deactivate users.
 - Safety guards:

docs/API_CONTRACT.md

@@ -2,7 +2,7 @@
 
 This guide centralizes SPA-facing API behavior across both services:
 - `TaskManagement.Api`
-- `TaskManagement.Auth` (admin user-management APIs under `api/*`)
+- `TaskManagement.Auth` (user-management APIs under `api/*`)
 
 Use this as the single contract reference for filters, pagination, patch semantics, and error format.
 
@@ -12,7 +12,7 @@ List endpoints support pagination:
 - `GET /api/projects`
 - `GET /api/taskitems`
 - `GET /api/activity`
-- `GET /api/users` (Auth service, admin-only)
+- `GET /api/users` (Auth service, role-restricted behavior)
 
 Defaults and caps:
 - Projects: `page=1`, `pageSize=50`, max `200`
@@ -53,6 +53,10 @@ Supported query params:
 - `role`
 - `page`, `pageSize`, `skip`, `take`
 
+Authorization behavior:
+- `Administrator`: full user listing/filtering.
+- `ProjectManager`: allowed only when `role=User`; other queries return `403`.
+
 ## Patch Semantics
 
 Patch endpoints:
@@ -99,6 +103,11 @@ Endpoints:
 - `GET /api/users/{id}/details`
 - `PATCH /api/users/{id}/status`
 
+Endpoint access:
+- `GET /api/users`: `Administrator` + `ProjectManager` (PM restricted to `role=User`).
+- `GET /api/users/{id}/details`: `Administrator` only.
+- `PATCH /api/users/{id}/status`: `Administrator` only.
+
 Status change payload:
 
 ```json

docs/ROLE_MATRIX.md

@@ -14,7 +14,7 @@ Legend:
 | `POST /api/projects` (create) | Yes | Yes | No | Policy `CanManageProjects` |
 | `PUT /api/projects/{id}` (update) | Yes | Yes | No | PM/Admin not restricted by owner |
 | `PATCH /api/projects/{id}` (partial update) | Yes | Yes | No | PM/Admin not restricted by owner |
-| `DELETE /api/projects/{id}` (delete) | Yes | Yes | No | PM/Admin not restricted by owner |
+| `DELETE /api/projects/{id}` (delete) | Yes | Scoped | No | PM must be project owner |
 | `GET /api/projects/{id}` (read one) | Yes | Yes | Scoped | User must be owner/member |
 | `GET /api/projects` (read list) | Yes (all) | Scoped | Scoped | Non-admin: owner/member projects |
 | `GET /api/projects/my-projects` | Scoped | Scoped | Scoped | Owner/member projects |