docs: add Phase 4 — RBAC with 3-tier roles and invitation flow

Three roles: platform admin (full SaaS), customer admin (tenant-scoped),
customer operator (read-only). Email invitation flow for tenant user
onboarding. 6 new requirements (RBAC-01 through RBAC-06).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.planning/ROADMAP.md

@@ -92,6 +92,21 @@ Phases execute in numeric order: 1 -> 2 -> 3
 
 **LLM-03 conflict resolved:** BYO API keys confirmed in v1 scope per user decision during Phase 3 context gathering. Implemented via Fernet encryption in Phase 3.
 
+### Phase 4: RBAC
+**Goal**: Three-tier role-based access control — platform admins manage the SaaS, customer admins manage their tenant, customer operators get read-only access — with email invitation flow for onboarding tenant users
+**Depends on**: Phase 3
+**Requirements**: RBAC-01, RBAC-02, RBAC-03, RBAC-04, RBAC-05, RBAC-06
+**Success Criteria** (what must be TRUE):
+  1. A platform admin can see all tenants, all agents, and all users across the entire platform
+  2. A customer admin can only see their own tenant's agents, users, billing, and settings — no cross-tenant visibility
+  3. A customer operator can view agents and usage dashboards but cannot create, edit, or delete anything
+  4. A customer admin can invite a new user (admin or operator) by email — the invitee receives a link, clicks to activate, and sets their password
+  5. Portal navigation and API endpoints enforce role-based access — unauthorized actions return 403, not just hidden UI elements
+**Plans**: 0 plans
+
+Plans:
+- [ ] TBD (run /gsd:plan-phase 4 to break down)
+
 ---
 *Roadmap created: 2026-03-23*
 *Coverage: 25/25 v1 requirements mapped*