feat: add module definition completeness validation and permissions

Add new validation rules MOD-020 to MOD-023 for module definition
completeness and standardize permissions across all modules.

Changes:
- Add MOD-020: Module definitions must have required attributes
- Add MOD-021: Modules with menus should have features
- Add MOD-022: Feature modules should have permissions
- Add MOD-023: Modules with routers should use get_*_with_routers pattern

Module permissions added:
- analytics: view, export, manage_dashboards
- billing: view_tiers, manage_tiers, view_subscriptions, manage_subscriptions, view_invoices
- cart: view, manage
- checkout: view_settings, manage_settings
- cms: view_pages, manage_pages, view_media, manage_media, manage_themes
- loyalty: view_programs, manage_programs, view_rewards, manage_rewards
- marketplace: view_integration, manage_integration, sync_products
- messaging: view_messages, send_messages, manage_templates
- payments: view_gateways, manage_gateways, view_transactions

Module improvements:
- Complete cart module with features and permissions
- Complete checkout module with features and permissions
- Add features to catalog module
- Add version to cms module
- Fix loyalty platform_router attachment
- Add path definitions to payments module
- Remove empty scheduled_tasks from dev_tools module

Documentation:
- Update module-system.md with new validation rules
- Update architecture-rules.md with MOD-020 to MOD-023

Tests:
- Add unit tests for module definition completeness
- Add tests for permission structure validation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

app/api/v1/platform/__init__.py

@@ -0,0 +1,38 @@
+# app/api/v1/public/__init__.py
+"""
+Public API endpoints (no authentication required).
+
+Includes:
+- signup: /signup/* (multi-step signup flow - cross-cutting)
+
+Auto-discovers and aggregates public routes from self-contained modules:
+- billing: /pricing/* (subscription tiers and add-ons)
+- marketplace: /letzshop-vendors/* (vendor lookup for signup)
+- core: /language/* (language preferences)
+
+These endpoints serve the marketing homepage, pricing pages, and signup flows.
+"""
+
+from fastapi import APIRouter
+
+from app.api.v1.public import signup
+from app.modules.routes import get_public_api_routes
+
+router = APIRouter()
+
+# Cross-cutting signup flow (spans auth, vendors, billing, payments)
+router.include_router(signup.router, tags=["public-signup"])
+
+# Auto-discover public routes from modules
+for route_info in get_public_api_routes():
+    if route_info.custom_prefix:
+        router.include_router(
+            route_info.router,
+            prefix=route_info.custom_prefix,
+            tags=route_info.tags,
+        )
+    else:
+        router.include_router(
+            route_info.router,
+            tags=route_info.tags,
+        )

app/api/v1/platform/signup.py

@@ -0,0 +1,277 @@
+# app/api/v1/public/signup.py
+"""
+Platform signup API endpoints.
+
+Handles the multi-step signup flow:
+1. Start signup (select tier)
+2. Claim Letzshop vendor (optional)
+3. Create account
+4. Setup payment (collect card via SetupIntent)
+5. Complete signup (create subscription with trial)
+
+All endpoints are public (no authentication required).
+"""
+
+import logging
+
+from fastapi import APIRouter, Depends, Response
+from pydantic import BaseModel, EmailStr
+from sqlalchemy.orm import Session
+
+from app.core.database import get_db
+from app.core.environment import should_use_secure_cookies
+from app.modules.marketplace.services.platform_signup_service import platform_signup_service
+
+router = APIRouter()
+logger = logging.getLogger(__name__)
+
+
+# =============================================================================
+# Request/Response Schemas
+# =============================================================================
+
+
+class SignupStartRequest(BaseModel):
+    """Start signup - select tier."""
+
+    tier_code: str
+    is_annual: bool = False
+
+
+class SignupStartResponse(BaseModel):
+    """Response from signup start."""
+
+    session_id: str
+    tier_code: str
+    is_annual: bool
+
+
+class ClaimVendorRequest(BaseModel):
+    """Claim Letzshop vendor."""
+
+    session_id: str
+    letzshop_slug: str
+    letzshop_vendor_id: str | None = None
+
+
+class ClaimVendorResponse(BaseModel):
+    """Response from vendor claim."""
+
+    session_id: str
+    letzshop_slug: str
+    vendor_name: str | None
+
+
+class CreateAccountRequest(BaseModel):
+    """Create account."""
+
+    session_id: str
+    email: EmailStr
+    password: str
+    first_name: str
+    last_name: str
+    company_name: str
+    phone: str | None = None
+
+
+class CreateAccountResponse(BaseModel):
+    """Response from account creation."""
+
+    session_id: str
+    user_id: int
+    vendor_id: int
+    stripe_customer_id: str
+
+
+class SetupPaymentRequest(BaseModel):
+    """Request payment setup."""
+
+    session_id: str
+
+
+class SetupPaymentResponse(BaseModel):
+    """Response with Stripe SetupIntent client secret."""
+
+    session_id: str
+    client_secret: str
+    stripe_customer_id: str
+
+
+class CompleteSignupRequest(BaseModel):
+    """Complete signup after card collection."""
+
+    session_id: str
+    setup_intent_id: str
+
+
+class CompleteSignupResponse(BaseModel):
+    """Response from signup completion."""
+
+    success: bool
+    vendor_code: str
+    vendor_id: int
+    redirect_url: str
+    trial_ends_at: str
+    access_token: str | None = None  # JWT token for automatic login
+
+
+# =============================================================================
+# Endpoints
+# =============================================================================
+
+
+@router.post("/signup/start", response_model=SignupStartResponse)  # public
+async def start_signup(request: SignupStartRequest) -> SignupStartResponse:
+    """
+    Start the signup process.
+
+    Step 1: User selects a tier and billing period.
+    Creates a signup session to track the flow.
+    """
+    session_id = platform_signup_service.create_session(
+        tier_code=request.tier_code,
+        is_annual=request.is_annual,
+    )
+
+    return SignupStartResponse(
+        session_id=session_id,
+        tier_code=request.tier_code,
+        is_annual=request.is_annual,
+    )
+
+
+@router.post("/signup/claim-vendor", response_model=ClaimVendorResponse)  # public
+async def claim_letzshop_vendor(
+    request: ClaimVendorRequest,
+    db: Session = Depends(get_db),
+) -> ClaimVendorResponse:
+    """
+    Claim a Letzshop vendor.
+
+    Step 2 (optional): User claims their Letzshop shop.
+    This pre-fills vendor info during account creation.
+    """
+    vendor_name = platform_signup_service.claim_vendor(
+        db=db,
+        session_id=request.session_id,
+        letzshop_slug=request.letzshop_slug,
+        letzshop_vendor_id=request.letzshop_vendor_id,
+    )
+
+    return ClaimVendorResponse(
+        session_id=request.session_id,
+        letzshop_slug=request.letzshop_slug,
+        vendor_name=vendor_name,
+    )
+
+
+@router.post("/signup/create-account", response_model=CreateAccountResponse)  # public
+async def create_account(
+    request: CreateAccountRequest,
+    db: Session = Depends(get_db),
+) -> CreateAccountResponse:
+    """
+    Create user and vendor accounts.
+
+    Step 3: User provides account details.
+    Creates User, Company, Vendor, and Stripe Customer.
+    """
+    result = platform_signup_service.create_account(
+        db=db,
+        session_id=request.session_id,
+        email=request.email,
+        password=request.password,
+        first_name=request.first_name,
+        last_name=request.last_name,
+        company_name=request.company_name,
+        phone=request.phone,
+    )
+
+    return CreateAccountResponse(
+        session_id=request.session_id,
+        user_id=result.user_id,
+        vendor_id=result.vendor_id,
+        stripe_customer_id=result.stripe_customer_id,
+    )
+
+
+@router.post("/signup/setup-payment", response_model=SetupPaymentResponse)  # public
+async def setup_payment(request: SetupPaymentRequest) -> SetupPaymentResponse:
+    """
+    Create Stripe SetupIntent for card collection.
+
+    Step 4: Collect card details without charging.
+    The card will be charged after the trial period ends.
+    """
+    client_secret, stripe_customer_id = platform_signup_service.setup_payment(
+        session_id=request.session_id,
+    )
+
+    return SetupPaymentResponse(
+        session_id=request.session_id,
+        client_secret=client_secret,
+        stripe_customer_id=stripe_customer_id,
+    )
+
+
+@router.post("/signup/complete", response_model=CompleteSignupResponse)  # public
+async def complete_signup(
+    request: CompleteSignupRequest,
+    response: Response,
+    db: Session = Depends(get_db),
+) -> CompleteSignupResponse:
+    """
+    Complete signup after card collection.
+
+    Step 5: Verify SetupIntent, attach payment method, create subscription.
+    Also sets HTTP-only cookie for page navigation and returns token for localStorage.
+    """
+    result = platform_signup_service.complete_signup(
+        db=db,
+        session_id=request.session_id,
+        setup_intent_id=request.setup_intent_id,
+    )
+
+    # Set HTTP-only cookie for page navigation (same as login does)
+    # This enables the user to access vendor pages immediately after signup
+    if result.access_token:
+        response.set_cookie(
+            key="vendor_token",
+            value=result.access_token,
+            httponly=True,  # JavaScript cannot access (XSS protection)
+            secure=should_use_secure_cookies(),  # HTTPS only in production/staging
+            samesite="lax",  # CSRF protection
+            max_age=3600 * 24,  # 24 hours
+            path="/vendor",  # RESTRICTED TO VENDOR ROUTES ONLY
+        )
+        logger.info(f"Set vendor_token cookie for new vendor {result.vendor_code}")
+
+    return CompleteSignupResponse(
+        success=result.success,
+        vendor_code=result.vendor_code,
+        vendor_id=result.vendor_id,
+        redirect_url=result.redirect_url,
+        trial_ends_at=result.trial_ends_at,
+        access_token=result.access_token,
+    )
+
+
+@router.get("/signup/session/{session_id}")  # public
+async def get_signup_session(session_id: str) -> dict:
+    """
+    Get signup session status.
+
+    Useful for resuming an incomplete signup.
+    """
+    session = platform_signup_service.get_session_or_raise(session_id)
+
+    # Return safe subset of session data
+    return {
+        "session_id": session_id,
+        "step": session.get("step"),
+        "tier_code": session.get("tier_code"),
+        "is_annual": session.get("is_annual"),
+        "letzshop_slug": session.get("letzshop_slug"),
+        "vendor_name": session.get("vendor_name"),
+        "created_at": session.get("created_at"),
+    }