Restrict VCL/CCP Metrics page to Admin and Leadership groups

Add requireGroup('Admin', 'Leadership') as router-level middleware on all
VCL multi-vertical routes. Hide the CCP Metrics nav item from users not in
those groups and guard the page render in App.js with a redirect fallback.

backend/routes/vclMultiVertical.js

@@ -186,8 +186,9 @@ function isSafeTempPath(filePath) {
 function createVCLMultiVerticalRouter(upload) {
     const router = express.Router();
 
-    // All routes require authentication
+    // All routes require authentication + Leadership or Admin group
     router.use(requireAuth());
+    router.use(requireGroup('Admin', 'Leadership'));
 
     /**
      * POST /preview