fix(loyalty): paired-device JWT bypasses program.require_staff_pin

When the request principal is a paired POS terminal device
(current_user.terminal_device_id is not None), the staff PIN is
considered already-verified — the cashier bcrypt-verified locally on
the tablet's lock screen against the cached hashes from
/pins/for-device. Web-terminal user JWTs still require the per-action
PIN as before; the strict fraud-prevention path is unchanged.

Threat-model note: the device JWT is itself proof of authentication.
The merchant owner paired the device, the cashier verified locally,
and the JWT is revocable from /merchants/loyalty/devices. The 2-min
idle auto-lock + acting_terminal_device_id audit column give us the
attribution we'd otherwise get from a per-action PIN.

Applied to: stamp_service.add_stamp / redeem_stamps / void_stamps;
points_service.earn_points / redeem_points / void_points. adjust_points
was already permissive on missing PIN. New tests in TestDevicePinBypass
lock both the bypass behavior and the still-strict web-terminal path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/modules/loyalty/services/stamp_service.py

@@ -105,9 +105,12 @@ class StampService:
             logger.warning(f"Stamp attempted on points-only program {program.id}")
             raise LoyaltyCardInactiveException(card.id)
 
-        # Verify staff PIN if required
+        # Verify staff PIN if required.
+        # Paired terminal devices ARE the principal — the cashier already
+        # bcrypt-verified locally against the device's cached hash list.
+        # Web-terminal user JWTs still require the per-action PIN.
         verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
             if not staff_pin:
                 raise StaffPinRequiredException()
             verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -262,9 +265,9 @@ class StampService:
         if not program.is_active:
             raise LoyaltyProgramInactiveException(program.id)
 
-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see add_stamp.
         verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
             if not staff_pin:
                 raise StaffPinRequiredException()
             verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -381,9 +384,9 @@ class StampService:
         if settings and not settings.allow_void_transactions:
             raise LoyaltyCardInactiveException(card.id)
 
-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see add_stamp.
         verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
             if not staff_pin:
                 raise StaffPinRequiredException()
             verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)