feat(access): per-page user/group grants, snap-in-local

A snap-in-owned access mechanism. Adds:
  - unifi_page_grants table (nav_item_id, grantee_type, grantee_id)
    with cascadeOnDelete from nav_items so uninstalling the snap-in
    wipes its grant rows automatically
  - UnifiPageGrant model + ::userCanAccess(user, navItem) helper
  - UnifiPagesAccessController (index + update), super-admin only
  - RouteMatched listener in UnifiServiceProvider that 403s any
    unifi.* route if the matched nav_item has grants and the user
    isn't a super-admin / granted user / member of a granted group

Semantics: a page with NO grants stays open per the existing
permission middleware (no behaviour change). The moment grants are
added, ONLY super-admins and listed users/groups can see/open the
page. Super-admins always pass; their access can't be removed.

v1.4.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/UnifiServiceProvider.php

@@ -2,6 +2,11 @@
 
 namespace Dashboard\Unifi;
 
+use App\Models\DashboardApp;
+use App\Models\NavItem;
+use Dashboard\Unifi\Models\UnifiPageGrant;
+use Illuminate\Routing\Events\RouteMatched;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\ServiceProvider;
 
 class UnifiServiceProvider extends ServiceProvider
@@ -20,6 +25,34 @@ class UnifiServiceProvider extends ServiceProvider
         $this->loadRoutesFrom(__DIR__ . '/routes/unifi.php');
         $this->loadMigrationsFrom(__DIR__ . '/../database/migrations');
 
+        // Per-page access enforcement for unifi routes. If a unifi page has
+        // any UnifiPageGrant rows, only super-admins and granted users/
+        // groups can hit it; otherwise (no grants) it's open per the existing
+        // permission middleware. Super-admins always bypass.
+        Event::listen(RouteMatched::class, function (RouteMatched $event) {
+            $routeName = $event->route->getName();
+            if (! $routeName || ! str_starts_with($routeName, 'unifi.')) return;
+
+            $user = $event->request->user();
+            if (! $user || $user->is_super_admin) return;
+
+            try {
+                $appId = DashboardApp::where('slug', 'unifi')->value('id');
+                $item  = NavItem::where('route_name', $routeName)
+                    ->where('app_id', $appId)
+                    ->first();
+                if (! $item) return;
+
+                if (! UnifiPageGrant::userCanAccess($user, $item)) {
+                    abort(403, 'You do not have access to this page.');
+                }
+            } catch (\Throwable) {
+                // unifi_page_grants table may not exist yet on a fresh
+                // install before this snap-in's migrations have run —
+                // fail open in that narrow window.
+            }
+        });
+
         if ($this->app->runningInConsole()) {
             $this->commands([
                 Console\CheckWebhooks::class,