feat: custom roles with per-permission matrix for café owners

- Owner can define named custom roles (e.g. Barista, Supervisor) with
  color, description, and a fine-grained permission set (21 permissions
  across 7 categories: admin, menu, staff, customer, reports, ops, kitchen)
- Employee assigned a custom role gets its permissions embedded in the
  JWT at login (customPerms claim) and parsed by TenantMiddleware —
  overrides the static EmployeeRole matrix for all API permission checks
- New endpoints: GET/POST/PATCH/DELETE /api/cafes/{id}/custom-roles and
  PUT /api/cafes/{id}/employees/{id}/custom-role for assignment
- Dashboard Settings → Team & Staff → Custom Roles panel with grouped
  checkbox matrix, group-level toggles, color preset picker, CRUD forms,
  and employee-count display; translations in fa/en/ar
- EF migration adds CustomRoles table + nullable CustomRoleId FK on Employees
- POS slip now shows per-item notes on both thermal print and bill preview

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Meezi.API/Models/CustomRoles/CustomRoleDtos.cs

@@ -0,0 +1,24 @@
+namespace Meezi.API.Models.CustomRoles;
+
+public record CustomRoleDto(
+    string Id,
+    string Name,
+    string? Description,
+    string? Color,
+    IReadOnlyList<string> Permissions,
+    int EmployeeCount,
+    DateTime CreatedAt);
+
+public record CreateCustomRoleRequest(
+    string Name,
+    string? Description = null,
+    string? Color = null,
+    IReadOnlyList<string>? Permissions = null);
+
+public record UpdateCustomRoleRequest(
+    string? Name = null,
+    string? Description = null,
+    string? Color = null,
+    IReadOnlyList<string>? Permissions = null);
+
+public record AssignCustomRoleRequest(string? CustomRoleId);