feat: implement complete RBAC access control with tests

Add 4-layer access control stack (subscription → module → menu → permissions):
- P1: Wire requires_permission into menu sidebar filtering
- P2: Expose window.USER_PERMISSIONS for Alpine.js client-side gating
- P3: Add page-level permission guards on store routes
- P4: Role CRUD API endpoints and role editor UI
- P5: Audit trail for all role/permission changes

Includes unit tests (menu permission filtering, role CRUD service) and
integration tests (role API endpoints). All 404 core+tenancy tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/loyalty/definition.py

@@ -168,6 +168,7 @@ loyalty_module = ModuleDefinition(
                         icon="gift",
                         route="/store/{store_code}/loyalty/terminal",
                         order=10,
+                        requires_permission="loyalty.view_programs",
                     ),
                     MenuItemDefinition(
                         id="cards",
@@ -175,6 +176,7 @@ loyalty_module = ModuleDefinition(
                         icon="identification",
                         route="/store/{store_code}/loyalty/cards",
                         order=20,
+                        requires_permission="loyalty.view_programs",
                     ),
                     MenuItemDefinition(
                         id="stats",
@@ -182,6 +184,7 @@ loyalty_module = ModuleDefinition(
                         icon="chart-bar",
                         route="/store/{store_code}/loyalty/stats",
                         order=30,
+                        requires_permission="loyalty.view_programs",
                     ),
                 ],
             ),