CVE-2026-47412: praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}

Type: Authorization bypass enabling destructive action. The DELETE /workspaces/{workspace_id} endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member"). Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project, issue, comment, agent, label, and member record (cascading via the foreign-key relationships). There is no owner-role gate, no confirmation token, no soft-delete window, no recovery path. File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 77-86; services/workspace_service.py’s delete() method. Root cause: the route uses Depends(require_workspace_member) which defaults to min_role="member" and is never overridden. The service method WorkspaceService.delete(workspace_id) performs the destructive operation without any caller-permission verification. The role hierarchy (MemberService.has_role, member_service.py:80-96) is implemented but unused for this endpoint.