feat(loyalty): cross-persona page alignment with shared components

Align loyalty pages across admin, merchant, and store personas so each
sees the same page set scoped to their access level. Admin acts as a
superset of merchant with "on behalf" capabilities.

New pages:
- Store: Staff PINs management (CRUD)
- Merchant: Cards, Card Detail, Transactions, Staff PINs (CRUD), Settings (read-only)
- Admin: Merchant Cards, Card Detail, Transactions, PINs (read-only)

Architecture:
- 4 shared Jinja2 partials (cards-list, card-detail, transactions, pins)
- 4 shared JS factory modules parameterized by apiPrefix/scope
- Persona templates are thin wrappers including shared partials
- PinDetailResponse schema for cross-store PIN listings

API: 17 new endpoints (11 merchant, 6 admin on-behalf)
Tests: 38 new integration tests, arch-check green
i18n: ~130 new keys across en/fr/de/lb
Docs: pages-and-navigation.md with full page matrix

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/modules/loyalty/tests/integration/test_merchant_api.py

@@ -372,3 +372,138 @@ class TestMerchantGetStats:
         assert data["total_cards"] == 0
         assert data["program"] is None
         assert data["locations"] == []
+
+
+# ============================================================================
+# GET /cards
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListCards:
+    """Tests for GET /api/v1/merchants/loyalty/cards."""
+
+    def test_list_cards_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns cards list for the merchant."""
+        response = client.get(f"{BASE}/cards", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert "cards" in data
+        assert "total" in data
+        assert isinstance(data["cards"], list)
+
+    def test_list_cards_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/cards")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /transactions
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListTransactions:
+    """Tests for GET /api/v1/merchants/loyalty/transactions."""
+
+    def test_list_transactions_empty(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns empty list when no transactions exist."""
+        response = client.get(f"{BASE}/transactions", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert data["transactions"] == []
+        assert data["total"] == 0
+
+    def test_list_transactions_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/transactions")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /pins
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListPins:
+    """Tests for GET /api/v1/merchants/loyalty/pins."""
+
+    def test_list_pins_empty(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns empty list when no PINs exist."""
+        response = client.get(f"{BASE}/pins", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert data["pins"] == []
+        assert data["total"] == 0
+
+    def test_list_pins_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/pins")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /settings
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantGetSettings:
+    """Tests for GET /api/v1/merchants/loyalty/settings."""
+
+    def test_get_settings_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns merchant loyalty settings."""
+        response = client.get(f"{BASE}/settings", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert "staff_pin_policy" in data
+
+    def test_get_settings_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/settings")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /locations
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantGetLocations:
+    """Tests for GET /api/v1/merchants/loyalty/locations."""
+
+    def test_get_locations_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns merchant's store locations."""
+        response = client.get(f"{BASE}/locations", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert isinstance(data, list)
+        assert len(data) >= 1
+
+    def test_get_locations_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/locations")
+        assert response.status_code in [401, 403]