feat: add UsersController and register all services

Adds UsersController with CRUD endpoints (list, get, create, update,
deactivate, reset-password) restricted to super_admin role. Registers
IUserManagementService in Program.cs alongside existing services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

API/ROLAC.API/Controllers/UsersController.cs

@@ -0,0 +1,78 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using ROLAC.API.DTOs.Users;
+using ROLAC.API.Services;
+
+namespace ROLAC.API.Controllers;
+
+[ApiController]
+[Route("api/users")]
+[Authorize(Roles = "super_admin")]
+public class UsersController : ControllerBase
+{
+    private readonly IUserManagementService _users;
+    public UsersController(IUserManagementService users) => _users = users;
+
+    /// <summary>GET /api/users?page=1&pageSize=20&search=Chris</summary>
+    [HttpGet]
+    public async Task<IActionResult> GetPaged(
+        [FromQuery] int     page     = 1,
+        [FromQuery] int     pageSize = 20,
+        [FromQuery] string? search   = null)
+        => Ok(await _users.GetPagedAsync(page, pageSize, search));
+
+    /// <summary>GET /api/users/{id}</summary>
+    [HttpGet("{id}")]
+    public async Task<IActionResult> GetById(string id)
+    {
+        var dto = await _users.GetByIdAsync(id);
+        return dto is null ? NotFound() : Ok(dto);
+    }
+
+    /// <summary>
+    /// POST /api/users — creates account for a Member, returns { userId, tempPassword }.
+    /// TempPassword is returned ONCE — show it to the admin and never log it.
+    /// </summary>
+    [HttpPost]
+    public async Task<IActionResult> Create([FromBody] CreateUserRequest request)
+    {
+        try
+        {
+            var result = await _users.CreateAsync(request);
+            return Ok(result);
+        }
+        catch (InvalidOperationException ex)
+        {
+            return BadRequest(new { message = ex.Message });
+        }
+    }
+
+    /// <summary>PUT /api/users/{id} — update email, roles, IsActive</summary>
+    [HttpPut("{id}")]
+    public async Task<IActionResult> Update(string id, [FromBody] UpdateUserRequest request)
+    {
+        try   { await _users.UpdateAsync(id, request); return NoContent(); }
+        catch (KeyNotFoundException)          { return NotFound(); }
+        catch (InvalidOperationException ex)  { return BadRequest(new { message = ex.Message }); }
+    }
+
+    /// <summary>DELETE /api/users/{id} — deactivates account (IsActive=false), does not delete</summary>
+    [HttpDelete("{id}")]
+    public async Task<IActionResult> Deactivate(string id)
+    {
+        try   { await _users.DeactivateAsync(id); return NoContent(); }
+        catch (KeyNotFoundException) { return NotFound(); }
+    }
+
+    /// <summary>POST /api/users/{id}/reset-password — returns new temp password</summary>
+    [HttpPost("{id}/reset-password")]
+    public async Task<IActionResult> ResetPassword(string id)
+    {
+        try
+        {
+            var pwd = await _users.ResetPasswordAsync(id);
+            return Ok(new { tempPassword = pwd });
+        }
+        catch (KeyNotFoundException) { return NotFound(); }
+    }
+}