feat: Wave 2 — entities, security guards, API key encryption (15 files)

Entities:
- Create 5 new TypeORM entities: webstore_config, webstore_categories,
  webstore_items, webstore_transactions, module_store (all verified against live DB)
- Fix wipe-profile entity: remove incorrect default {} for pre/post wipe configs

Security:
- Add @RequirePermission guards to 7 controllers (36 endpoints total):
  team, webstore, notifications, alerts, analytics, settings, schedules
- Encrypt panel API key with AES-256-GCM in setup service (was plaintext)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-nest/src/modules/settings/settings.controller.ts

@@ -7,6 +7,7 @@ import {
 } from '@nestjs/swagger';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { CurrentTenant } from '../../common/decorators/current-tenant.decorator';
+import { RequirePermission } from '../../common/decorators/require-permission.decorator';
 import { SettingsService } from './settings.service';
 import { UpdatePublicSiteDto } from './dto/update-public-site.dto';
 import { UpdateDomainDto } from './dto/update-domain.dto';
@@ -19,6 +20,7 @@ export class SettingsController {
   constructor(private readonly settingsService: SettingsService) {}
 
   @Get('public-site')
+  @RequirePermission('settings.view')
   @ApiOperation({
     summary: 'Get public site configuration',
     description: 'Returns public site settings for this license',
@@ -32,6 +34,7 @@ export class SettingsController {
   }
 
   @Put('public-site')
+  @RequirePermission('settings.manage')
   @ApiOperation({
     summary: 'Update public site configuration',
     description: 'Update public site settings for this license',
@@ -48,6 +51,7 @@ export class SettingsController {
   }
 
   @Put('domain')
+  @RequirePermission('settings.manage')
   @ApiOperation({
     summary: 'Update domain settings',
     description: 'Update subdomain or custom domain for this license',