feat(loyalty): pair POS terminal devices with one-time setup QR

Adds the backend half of the Android tablet rollout. Merchants can
pair tablets to specific stores from /merchants/loyalty/devices (or
admins can pair on behalf from the merchant detail page). Each
pairing issues a long-lived JWT shown ONCE in the response with a
server-rendered QR PNG containing {api_url, store_code, auth_token} —
the tablet scans it on first boot and persists the three fields.

The store API (/api/v1/store/loyalty/*) now accepts these device JWTs
alongside user JWTs. Revoking a device row immediately rejects its
token (401 TERMINAL_DEVICE_REVOKED). Tokens expire after 1 year;
re-pair to renew.

- Migration loyalty_010 + TerminalDevice model
- create_device_token / verify_device_token JWT helpers
- 5 endpoints x 2 portals (merchant + admin on-behalf)
- Bearer-auth wiring in app/api/deps.py
- Pages, shared list partial with one-time pairing-QR modal,
  Alpine.js factories
- Locale strings (en authoritative; fr/de/lb seeded with EN copy
  for translation)
- 6 integration tests covering pair, list, revoke, idempotency,
  cross-merchant rejection, store-API auth via device JWT

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/modules/loyalty/models/__init__.py

@@ -49,6 +49,10 @@ from app.modules.loyalty.models.staff_pin import (
     # Model
     StaffPin,
 )
+from app.modules.loyalty.models.terminal_device import (
+    # Model
+    TerminalDevice,
+)
 from app.modules.loyalty.models.transaction_category import (
     # Model
     StoreTransactionCategory,
@@ -67,4 +71,5 @@ __all__ = [
     "AppleDeviceRegistration",
     "MerchantLoyaltySettings",
     "StoreTransactionCategory",
+    "TerminalDevice",
 ]

app/modules/loyalty/models/terminal_device.py

@@ -0,0 +1,127 @@
+# app/modules/loyalty/models/terminal_device.py
+"""
+Terminal device model.
+
+A TerminalDevice represents a paired Android (or other) POS tablet bound
+to a single store. Each row owns the unique `jti` that we encode in the
+device's long-lived JWT — that's the only handle we keep on the issued
+token, since the JWT itself is shown once at pairing time and then never
+stored. Two states render a device's token unusable: explicit `revoked_at`
+(merchant action, row stays for audit) or `expires_at < now` (1y default).
+
+Multiple devices per store are allowed — a store can have several cashiers
+each with their own tablet — so there is no unique constraint across
+(store_id), only an index for lookups.
+"""
+
+from datetime import UTC, datetime
+
+from sqlalchemy import (
+    CheckConstraint,
+    Column,
+    DateTime,
+    ForeignKey,
+    Index,
+    Integer,
+    String,
+)
+from sqlalchemy.orm import relationship
+
+from app.core.database import Base
+from models.database.base import TimestampMixin
+
+
+class TerminalDevice(Base, TimestampMixin):
+    """A paired POS terminal device (typically an Android tablet)."""
+
+    __tablename__ = "loyalty_terminal_devices"
+
+    id = Column(Integer, primary_key=True, index=True)
+
+    merchant_id = Column(
+        Integer,
+        ForeignKey("merchants.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    store_id = Column(
+        Integer,
+        ForeignKey("stores.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+
+    label = Column(
+        String(100),
+        nullable=False,
+        comment="Merchant-facing device name e.g. 'Counter 1'",
+    )
+
+    # The only handle we keep on the issued JWT. The token itself is shown
+    # once at creation and never stored.
+    jti = Column(String(36), nullable=False, unique=True, index=True)
+
+    expires_at = Column(DateTime(timezone=True), nullable=False)
+    last_seen_at = Column(DateTime(timezone=True), nullable=True)
+    last_seen_ip = Column(String(45), nullable=True)
+
+    revoked_at = Column(DateTime(timezone=True), nullable=True, index=True)
+    revoked_by_id = Column(
+        Integer,
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    revoked_reason = Column(String(255), nullable=True)
+
+    # The user who paired the device. Used as the principal of record when
+    # the device performs operations on the store API.
+    created_by_id = Column(
+        Integer,
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+
+    merchant = relationship("Merchant", backref="terminal_devices")
+    store = relationship("Store", backref="terminal_devices")
+    revoked_by = relationship("User", foreign_keys=[revoked_by_id])
+    created_by = relationship("User", foreign_keys=[created_by_id])
+
+    __table_args__ = (
+        CheckConstraint(
+            "expires_at > created_at",
+            name="ck_loyalty_terminal_devices_expiry_after_creation",
+        ),
+        Index(
+            "idx_loyalty_terminal_devices_store_active",
+            "store_id",
+            "revoked_at",
+        ),
+    )
+
+    def __repr__(self) -> str:
+        return (
+            f"<TerminalDevice(id={self.id}, label='{self.label}', "
+            f"store_id={self.store_id}, revoked={self.revoked_at is not None})>"
+        )
+
+    @property
+    def is_revoked(self) -> bool:
+        return self.revoked_at is not None
+
+    @property
+    def is_expired(self) -> bool:
+        if not self.expires_at:
+            return False
+        expiry = self.expires_at
+        if expiry.tzinfo is None:
+            expiry = expiry.replace(tzinfo=UTC)
+        return datetime.now(UTC) >= expiry
+
+    @property
+    def status(self) -> str:
+        """One of: active, revoked, expired."""
+        if self.is_revoked:
+            return "revoked"
+        if self.is_expired:
+            return "expired"
+        return "active"