docs: add Phase 4 — RBAC with 3-tier roles and invitation flow

Three roles: platform admin (full SaaS), customer admin (tenant-scoped),
customer operator (read-only). Email invitation flow for tenant user
onboarding. 6 new requirements (RBAC-01 through RBAC-06).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.planning/STATE.md

@@ -137,6 +137,10 @@ Recent decisions affecting current work:
 - [Phase 03-operator-experience]: BudgetAlertBadge renders neutral 'No limit set' for null budget_limit_usd — prevents false alarms
 - [Phase 03-operator-experience]: All Phase 3 portal routers (portal, billing, channels, llm_keys, usage, webhook) mounted directly on gateway FastAPI app
 
+### Roadmap Evolution
+
+- Phase 4 added: RBAC — 3-tier role-based access control (platform admin, customer admin, customer operator) with invitation flow
+
 ### Pending Todos
 
 None yet.