feat(auth): enforce role level boundaries and owner assignment rules

Add `admin.users.assign-owner` permission to control Owner role assignment.
Restrict role assignment to roles strictly below the assigner's highest level.
2026-05-03 14:50:52 +08:00
parent 1dab650c2c
commit 8f55db9061
4 changed files with 75 additions and 12 deletions


@@ -769,6 +769,8 @@ export const systemWordingMessages = {
roleNotFound: 'Role not found',
ownerRequired: 'At least one Owner is required',
ownerRoleLocked: 'Owner role permissions cannot be edited',
ownerRoleOperationDenied: 'Only Owners with Owner assignment permission can assign or remove the Owner role',
roleLevelOperationDenied: 'You can only assign or remove roles below your highest role level',
permissionKeyInvalid: 'Permission key is invalid',
permissionNotFound: 'Permission not found',
criticalPermissionRequired: 'Critical administration permissions must remain enabled',
@@ -1548,6 +1550,8 @@ export const systemWordingMessages = {
roleNotFound: '角色不存在',
ownerRequired: '必须至少保留一个 Owner',
ownerRoleLocked: 'Owner 角色权限不能编辑',
ownerRoleOperationDenied: '只有具备 Owner 分配权限的 Owner 可以分配或移除 Owner 角色',
roleLevelOperationDenied: '只能分配或移除低于自己最高角色等级的角色',
permissionKeyInvalid: '权限 Key 不合法',
permissionNotFound: '权限不存在',
criticalPermissionRequired: '关键管理权限必须保持启用',