feat(P2.1): register 9 new permissions (milestone/task/propose actions) + wire check_permission in all action endpoints

- Add milestone.freeze/start/close, task.close/reopen_closed/reopen_completed, propose.accept/reject/reopen to DEFAULT_PERMISSIONS
- Replace placeholder check_project_role with check_permission in proposes.py accept/reject/reopen
- Replace freeform permission strings with dotted names in milestone_actions.py
- Add task.close and task.reopen_* permission checks in tasks.py transition endpoint
- Admin role auto-inherits all new permissions via init_wizard

app/api/routers/tasks.py

@@ -14,7 +14,7 @@ from app.schemas import schemas
 from app.services.webhook import fire_webhooks_sync
 from app.models.notification import Notification as NotificationModel
 from app.api.deps import get_current_user_or_apikey
-from app.api.rbac import check_project_role, ensure_can_edit_task
+from app.api.rbac import check_project_role, check_permission, ensure_can_edit_task
 from app.services.activity import log_activity
 
 router = APIRouter(tags=["Tasks"])
@@ -320,8 +320,14 @@ def transition_task(
         if task.assignee_id and current_user.id != task.assignee_id:
             raise HTTPException(status_code=403, detail="Only the assigned user can complete this task")
 
+    # P5.5: closing a task requires 'task.close' permission
+    if new_status == "closed":
+        check_permission(db, current_user.id, task.project_id, "task.close")
+
     # P5.6: reopen from completed/closed -> open
     if new_status == "open" and old_status in ("completed", "closed"):
+        perm_name = "task.reopen_completed" if old_status == "completed" else "task.reopen_closed"
+        check_permission(db, current_user.id, task.project_id, perm_name)
         # Clear finished_on on reopen so lifecycle timestamps are accurate
         task.finished_on = None