feat: custom roles with per-permission matrix for café owners

- Owner can define named custom roles (e.g. Barista, Supervisor) with
  color, description, and a fine-grained permission set (21 permissions
  across 7 categories: admin, menu, staff, customer, reports, ops, kitchen)
- Employee assigned a custom role gets its permissions embedded in the
  JWT at login (customPerms claim) and parsed by TenantMiddleware —
  overrides the static EmployeeRole matrix for all API permission checks
- New endpoints: GET/POST/PATCH/DELETE /api/cafes/{id}/custom-roles and
  PUT /api/cafes/{id}/employees/{id}/custom-role for assignment
- Dashboard Settings → Team & Staff → Custom Roles panel with grouped
  checkbox matrix, group-level toggles, color preset picker, CRUD forms,
  and employee-count display; translations in fa/en/ar
- EF migration adds CustomRoles table + nullable CustomRoleId FK on Employees
- POS slip now shows per-item notes on both thermal print and bill preview

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Meezi.API/Services/AuthService.cs

@@ -558,7 +558,18 @@ public class AuthService : IAuthService
     {
         var resolution = await ResolveBranchAsync(employee, cafe, requestedBranchId, cancellationToken);
 
-        var accessToken = _jwtTokenService.CreateAccessToken(employee, cafe, resolution.EffectiveRole, resolution.ActiveBranchId);
+        // Load custom role permissions when the employee has a custom role assigned.
+        IReadOnlySet<Permission>? customPerms = null;
+        if (!string.IsNullOrEmpty(employee.CustomRoleId))
+        {
+            var cr = await _db.CustomRoles
+                .AsNoTracking()
+                .FirstOrDefaultAsync(r => r.Id == employee.CustomRoleId && r.CafeId == cafe.Id && r.DeletedAt == null, cancellationToken);
+            if (cr != null)
+                customPerms = CustomRolePermissions.Parse(cr.PermissionsJson);
+        }
+
+        var accessToken = _jwtTokenService.CreateAccessToken(employee, cafe, resolution.EffectiveRole, resolution.ActiveBranchId, customPerms);
         // On refresh, reuse the caller's refresh token (and slide its TTL below) instead
         // of minting a new one. A café often runs POS + KDS + queue display at once; if
         // refresh rotated the token, the first refresh would revoke it and every other
@@ -580,8 +591,7 @@ public class AuthService : IAuthService
             TimeSpan.FromDays(refreshDays),
             cancellationToken);
 
-        var permissions = Meezi.Core.Authorization.RolePermissions
-            .For(resolution.EffectiveRole)
+        var permissions = (customPerms as IEnumerable<Permission> ?? RolePermissions.For(resolution.EffectiveRole))
             .Select(p => p.ToString())
             .OrderBy(p => p)
             .ToList();

src/Meezi.API/Services/IJwtTokenService.cs

@@ -1,3 +1,4 @@
+using Meezi.Core.Authorization;
 using Meezi.Core.Entities;
 using Meezi.Core.Enums;
 
@@ -11,8 +12,15 @@ public interface IJwtTokenService
     /// Issue a token scoped to an active branch. The <paramref name="effectiveRole"/>
     /// is the role the employee holds in <paramref name="activeBranchId"/> (or their
     /// café-wide role when <paramref name="activeBranchId"/> is null).
+    /// When <paramref name="customPermissions"/> is non-null the token embeds those
+    /// permissions as a claim that overrides the role matrix on the server side.
     /// </summary>
-    string CreateAccessToken(Employee employee, Cafe cafe, EmployeeRole effectiveRole, string? activeBranchId);
+    string CreateAccessToken(
+        Employee employee,
+        Cafe cafe,
+        EmployeeRole effectiveRole,
+        string? activeBranchId,
+        IEnumerable<Permission>? customPermissions = null);
 
     string CreateConsumerAccessToken(ConsumerAccount account, string language = "fa");
     string CreateRefreshToken();

src/Meezi.API/Services/JwtTokenService.cs

@@ -1,6 +1,7 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 using System.Text;
+using Meezi.Core.Authorization;
 using Meezi.Core.Constants;
 using Meezi.Core.Entities;
 using Meezi.Core.Enums;
@@ -21,7 +22,12 @@ public class JwtTokenService : IJwtTokenService
     public string CreateAccessToken(Employee employee, Cafe cafe) =>
         CreateAccessToken(employee, cafe, employee.Role, employee.BranchId);
 
-    public string CreateAccessToken(Employee employee, Cafe cafe, EmployeeRole effectiveRole, string? activeBranchId)
+    public string CreateAccessToken(
+        Employee employee,
+        Cafe cafe,
+        EmployeeRole effectiveRole,
+        string? activeBranchId,
+        IEnumerable<Permission>? customPermissions = null)
     {
         var key = _configuration["Jwt:Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured.");
         var issuer = _configuration["Jwt:Issuer"] ?? "meezi";
@@ -41,6 +47,13 @@ public class JwtTokenService : IJwtTokenService
         if (!string.IsNullOrEmpty(activeBranchId))
             claims.Add(new Claim(MeeziClaimTypes.BranchId, activeBranchId));
 
+        if (customPermissions != null)
+        {
+            var encoded = string.Join(",", customPermissions.Select(p => p.ToString()));
+            if (!string.IsNullOrEmpty(encoded))
+                claims.Add(new Claim(MeeziClaimTypes.CustomPermissions, encoded));
+        }
+
         var credentials = new SigningCredentials(
             new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
             SecurityAlgorithms.HmacSha256);