[0.5.0][RLAC P4-followup] View-as picker, visibility picker, access explorer, admin E2E

[erichare]

Follow-up to RLAC P4 (#294). P4 (PR pending) shipped the workspace-settings admin surface — the rlacEnabled toggle, the Principals registry (list/create/delete), and the read-only Policy-audit panel. The remaining items from #294 are cross-cutting (they touch pages beyond settings and/or add global request-header state), so they're split out here:

1. View-as picker. A workspace-scoped "view as principal" control (KB Explorer header + ingest/edit dialogs) that sets the x-view-as-principal request header so an operator can preview the effective view for any principal. Needs a small global header-injection seam in lib/api.ts (the runtime already honors the header).
2. Per-document visibility picker. On the ingest + edit-document dialogs: Only-me / Public / Custom-principal-list → writes visibleTo. (The PATCH route already re-tags chunks — P1.)
3. Access explorer. A "who-can-see-what" view: for a document, the resolved principal set; or for a principal, the visible documents. Cheapest impl reuses View-as + the existing list endpoints.
4. Playwright admin-flow E2E. Browser E2E for: flip RLAC on → create principal → ingest as principal → verify another principal can't see it. Best folded into the P5 ([0.5.0][RLAC P5] Conformance fixtures + docs rewrite #295) E2E pass since it needs the full stack.

Components, hooks (useRlac), and client methods from P4 are reusable here.