feat: implement complete RBAC access control with tests

Add 4-layer access control stack (subscription → module → menu → permissions):
- P1: Wire requires_permission into menu sidebar filtering
- P2: Expose window.USER_PERMISSIONS for Alpine.js client-side gating
- P3: Add page-level permission guards on store routes
- P4: Role CRUD API endpoints and role editor UI
- P5: Audit trail for all role/permission changes

Includes unit tests (menu permission filtering, role CRUD service) and
integration tests (role API endpoints). All 404 core+tenancy tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/billing/definition.py

@@ -241,6 +241,7 @@ billing_module = ModuleDefinition(
                         icon="currency-euro",
                         route="/store/{store_code}/invoices",
                         order=30,
+                        requires_permission="billing.view_invoices",
                     ),
                 ],
             ),
@@ -256,6 +257,7 @@ billing_module = ModuleDefinition(
                         icon="credit-card",
                         route="/store/{store_code}/billing",
                         order=30,
+                        requires_permission="billing.view_subscriptions",
                     ),
                 ],
             ),