Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
Query Optimization
2
Define and implement authorization model for analyze. Database-level privilege. Atlas role onboarding prep.
From threat model doc:
Define a dedicated privilege action (e.g., runAnalyze) as part of the command registration, grant it only to dbAdmin and above by default, and enforce it as the very first check in the command handler — before any I/O or sampling begins. Add a negative test that verifies a readWrite user is rejected. Make sure Atlas's role onboarding for this command assigns it to an appropriate admin-level role, not to general-purpose read/write roles.
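The check ordering and the negative test recommended above, as an added C++ sketch (a simplified model written for this page, not MongoDB server code). The role table, the `Grant` pair, `ioOps` and all function names are assumptions; `runAnalyze` is the ticket's own example name.

```cpp
// Added illustration: a simplified model, not MongoDB server code.
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// runAnalyze is the ticket's example name; the other actions are placeholders.
enum class Action { find, insert, collStats, runAnalyze };
using Grant = std::pair<std::string, std::string>;  // (role, database it is granted on)

// Assumed default role table: only admin-level roles carry runAnalyze.
const std::map<std::string, std::set<Action>> kRoleActions = {
    {"readWrite", {Action::find, Action::insert}},
    {"dbAdmin", {Action::collStats, Action::runAnalyze}},
    {"dbOwner", {Action::find, Action::insert, Action::collStats, Action::runAnalyze}},
};

struct Unauthorized : std::runtime_error { using std::runtime_error::runtime_error; };
struct AnalyzeResult { std::string ns; int documentsSampled; };

// Database-level check: the role must be granted on the target database itself.
bool isAuthorized(const std::vector<Grant>& grants, const std::string& db, Action a) {
    for (const auto& g : grants) {
        auto it = kRoleActions.find(g.first);
        if (g.second == db && it != kRoleActions.end() && it->second.count(a)) return true;
    }
    return false;
}

// ioOps counts sampling work done; it must still be 0 when the caller is rejected.
AnalyzeResult runAnalyzeCommand(const std::vector<Grant>& grants, const std::string& db,
                                const std::string& coll, int& ioOps) {
    if (!isAuthorized(grants, db, Action::runAnalyze))  // first statement, before any I/O
        throw Unauthorized("not authorized on " + db + " to run analyze");
    ioOps += 100;  // stand-in for the sampling pass
    return {db + "." + coll, 100};
}

// Negative-test helper: true only if the call was rejected and no sampling happened.
bool rejectedWithoutIO(const std::vector<Grant>& grants, const std::string& db) {
    int ioOps = 0;
    try { runAnalyzeCommand(grants, db, "orders", ioOps); }
    catch (const Unauthorized&) { return ioOps == 0; }
    return false;
}
```

Asserting that the I/O counter is still zero after rejection is what separates "check runs first" from "check runs eventually"; a handler that samples and then rejects would still throw but fail this helper.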
Depends on: SERVER-124330 analyze persist — mongod
In Code Review