feat(loyalty): pair POS terminal devices with one-time setup QR

Adds the backend half of the Android tablet rollout. Merchants can
pair tablets to specific stores from /merchants/loyalty/devices (or
admins can pair on behalf from the merchant detail page). Each
pairing issues a long-lived JWT shown ONCE in the response with a
server-rendered QR PNG containing {api_url, store_code, auth_token} —
the tablet scans it on first boot and persists the three fields.

The store API (/api/v1/store/loyalty/*) now accepts these device JWTs
alongside user JWTs. Revoking a device row immediately rejects its
token (401 TERMINAL_DEVICE_REVOKED). Tokens expire after 1 year;
re-pair to renew.

- Migration loyalty_010 + TerminalDevice model
- create_device_token / verify_device_token JWT helpers
- 5 endpoints x 2 portals (merchant + admin on-behalf)
- Bearer-auth wiring in app/api/deps.py
- Pages, shared list partial with one-time pairing-QR modal,
  Alpine.js factories
- Locale strings (en authoritative; fr/de/lb seeded with EN copy
  for translation)
- 6 integration tests covering pair, list, revoke, idempotency,
  cross-merchant rejection, store-API auth via device JWT

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/modules/loyalty/migrations/versions/loyalty_010_add_terminal_devices.py

@@ -0,0 +1,123 @@
+"""loyalty 010 - add terminal_devices table
+
+Pairs Android (or other) POS tablets to a single store. Stores only the
+JWT id (`jti`); the token itself is shown once at pairing and never
+persisted. Multiple devices per store are allowed.
+
+Revision ID: loyalty_010
+Revises: loyalty_009
+Create Date: 2026-05-04
+"""
+import sqlalchemy as sa
+
+from alembic import op
+
+revision = "loyalty_010"
+down_revision = "loyalty_009"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "loyalty_terminal_devices",
+        sa.Column("id", sa.Integer(), primary_key=True),
+        sa.Column(
+            "merchant_id",
+            sa.Integer(),
+            sa.ForeignKey("merchants.id", ondelete="CASCADE"),
+            nullable=False,
+        ),
+        sa.Column(
+            "store_id",
+            sa.Integer(),
+            sa.ForeignKey("stores.id", ondelete="CASCADE"),
+            nullable=False,
+        ),
+        sa.Column("label", sa.String(length=100), nullable=False),
+        sa.Column("jti", sa.String(length=36), nullable=False),
+        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("last_seen_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column("last_seen_ip", sa.String(length=45), nullable=True),
+        sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column(
+            "revoked_by_id",
+            sa.Integer(),
+            sa.ForeignKey("users.id", ondelete="SET NULL"),
+            nullable=True,
+        ),
+        sa.Column("revoked_reason", sa.String(length=255), nullable=True),
+        sa.Column(
+            "created_by_id",
+            sa.Integer(),
+            sa.ForeignKey("users.id", ondelete="SET NULL"),
+            nullable=True,
+        ),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.text("CURRENT_TIMESTAMP"),
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.text("CURRENT_TIMESTAMP"),
+        ),
+        sa.CheckConstraint(
+            "expires_at > created_at",
+            name="ck_loyalty_terminal_devices_expiry_after_creation",
+        ),
+    )
+
+    op.create_index(
+        "ix_loyalty_terminal_devices_merchant_id",
+        "loyalty_terminal_devices",
+        ["merchant_id"],
+    )
+    op.create_index(
+        "ix_loyalty_terminal_devices_store_id",
+        "loyalty_terminal_devices",
+        ["store_id"],
+    )
+    op.create_index(
+        "ix_loyalty_terminal_devices_revoked_at",
+        "loyalty_terminal_devices",
+        ["revoked_at"],
+    )
+    op.create_index(
+        "ix_loyalty_terminal_devices_jti",
+        "loyalty_terminal_devices",
+        ["jti"],
+        unique=True,
+    )
+    op.create_index(
+        "idx_loyalty_terminal_devices_store_active",
+        "loyalty_terminal_devices",
+        ["store_id", "revoked_at"],
+    )
+
+
+def downgrade() -> None:
+    op.drop_index(
+        "idx_loyalty_terminal_devices_store_active",
+        table_name="loyalty_terminal_devices",
+    )
+    op.drop_index(
+        "ix_loyalty_terminal_devices_jti",
+        table_name="loyalty_terminal_devices",
+    )
+    op.drop_index(
+        "ix_loyalty_terminal_devices_revoked_at",
+        table_name="loyalty_terminal_devices",
+    )
+    op.drop_index(
+        "ix_loyalty_terminal_devices_store_id",
+        table_name="loyalty_terminal_devices",
+    )
+    op.drop_index(
+        "ix_loyalty_terminal_devices_merchant_id",
+        table_name="loyalty_terminal_devices",
+    )
+    op.drop_table("loyalty_terminal_devices")