feat: add FETCH_PRICE permission for manual price fetch endpoint

The POST /api/audit/price-history/fetch endpoint now requires
FETCH_PRICE permission instead of VIEW_AUDIT, which is more
semantically correct since it's a write operation.

backend/models.py

@@ -39,6 +39,7 @@ class Permission(str, PyEnum):
 
     # Audit permissions
     VIEW_AUDIT = "view_audit"
+    FETCH_PRICE = "fetch_price"
 
     # Profile permissions
     MANAGE_OWN_PROFILE = "manage_own_profile"
@@ -84,6 +85,7 @@ ROLE_DEFINITIONS: dict[str, RoleConfig] = {
         "description": "Administrator with audit/invite/appointment access",
         "permissions": [
             Permission.VIEW_AUDIT,
+            Permission.FETCH_PRICE,
             Permission.MANAGE_INVITES,
             Permission.MANAGE_AVAILABILITY,
             Permission.VIEW_ALL_APPOINTMENTS,

backend/routes/audit.py

@@ -190,7 +190,7 @@ async def get_price_history(
 @router.post("/price-history/fetch", response_model=PriceHistoryResponse)
 async def fetch_price_now(
     db: AsyncSession = Depends(get_db),
-    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
+    _current_user: User = Depends(require_permission(Permission.FETCH_PRICE)),
 ) -> PriceHistoryResponse:
     """Manually trigger a price fetch from Bitfinex."""
     price, timestamp = await fetch_btc_eur_price()

backend/tests/test_price_history.py

@@ -215,7 +215,7 @@ class TestManualFetch:
         assert response.status_code == 401
 
     @pytest.mark.asyncio
-    async def test_requires_view_audit_permission(self, client_factory, regular_user):
+    async def test_requires_fetch_price_permission(self, client_factory, regular_user):
         """Verify regular users cannot trigger manual fetch."""
         async with client_factory.create(cookies=regular_user["cookies"]) as authed:
             response = await authed.post("/api/audit/price-history/fetch")