Split Media Library delete access from update permissions#1

Draft
Copilot wants to merge 1 commit into develop from copilot/add-ability-to-delete-uploaded-file


Copilot AI commented Mar 24, 2026

Media deletion in the upload plugin was coupled to assets.update, so users could not be granted delete access independently from edit/crop/move capabilities. This change introduces a dedicated delete permission and applies it consistently across Media Library delete flows.

  • RBAC: introduce a dedicated delete action

    • Add plugin::upload.assets.delete to upload permission constants
    • Register a separate Delete action in upload bootstrap
    • Keep assets.update scoped to edit-oriented actions only
  • Backend: require delete permission for delete endpoints

    • Switch single-file delete (DELETE /upload/files/:id) to assets.delete
    • Switch bulk delete (POST /upload/actions/bulk-delete) to assets.delete
    • Update controller permission checks so file removal resolves through ACTIONS.delete
  • Admin UI: gate delete affordances on canDelete

    • Asset edit dialog now shows the delete action from canDelete, not canUpdate
    • Folder edit dialog now shows Delete folder from canDelete
    • AI asset card delete action now follows canDelete
    • Media Library input carousel passes real delete permissions into the asset dialog
  • Bulk actions: separate selection from action visibility

    • Selection remains available when the user can either update or delete
    • Bulk delete renders only for canDelete
    • Bulk move renders only for canUpdate
  • Targeted coverage

    • Extend bootstrap coverage to assert the new permission registration
    • Add controller coverage to assert delete operations check ACTIONS.delete
    • Update dialog and bulk action tests to reflect delete-specific RBAC behavior

Example of the permission split:

const ACTIONS = {
  create: 'plugin::upload.assets.create',
  update: 'plugin::upload.assets.update',
  delete: 'plugin::upload.assets.delete',
};

Media delete permission preview
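The permission split described in this PR, modelled as an added example (not code from the pull request or from the upload plugin): the two delete endpoints resolve to `assets.delete` on the server, and the bulk-action UI is gated separately on update and delete. `ROUTE_ACTION`, `isAllowed`, `bulkUi` and the sample roles are hypothetical names constructed for illustration; only the action ids and routes come from the description above.

```javascript
// Action ids as listed in the PR description.
const ACTIONS = {
  create: 'plugin::upload.assets.create',
  update: 'plugin::upload.assets.update',
  delete: 'plugin::upload.assets.delete',
};

// Endpoint -> required action after the split (routes from the PR description).
const ROUTE_ACTION = {
  'DELETE /upload/files/:id': ACTIONS.delete,
  'POST /upload/actions/bulk-delete': ACTIONS.delete,
};

// Hypothetical server-side check: allow only if the role holds the exact
// action mapped to the route. Routes with no mapping are denied (fail closed).
function isAllowed(grantedActions, route) {
  const required = ROUTE_ACTION[route];
  return required !== undefined && grantedActions.includes(required);
}

// Hypothetical UI gating that mirrors the "Bulk actions" bullets:
// selection needs update OR delete, each bulk action needs its own permission.
function bulkUi(grantedActions) {
  const canUpdate = grantedActions.includes(ACTIONS.update);
  const canDelete = grantedActions.includes(ACTIONS.delete);
  return {
    canSelect: canUpdate || canDelete,
    showBulkDelete: canDelete,
    showBulkMove: canUpdate,
  };
}

// Constructed sample roles.
const ROLES = {
  editor: [ACTIONS.create, ACTIONS.update], // edit/crop/move, no delete
  janitor: [ACTIONS.delete],                // delete only
  uploader: [ACTIONS.create],               // neither update nor delete
};

for (const [name, granted] of Object.entries(ROLES)) {
  console.log(name, {
    deleteOne: isAllowed(granted, 'DELETE /upload/files/:id'),
    bulkDelete: isAllowed(granted, 'POST /upload/actions/bulk-delete'),
    ...bulkUi(granted),
  });
}
```

In this model a role holding only `assets.update` fails both delete checks, so any role that should keep deleting files needs `assets.delete` granted explicitly. The `bulkUi` flags only hide controls; the `isAllowed` check on the endpoint is what enforces the permission.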
