feat(P2.1): register 9 new permissions (milestone/task/propose actions) + wire check_permission in all action endpoints

- Add milestone.freeze/start/close, task.close/reopen_closed/reopen_completed, propose.accept/reject/reopen to DEFAULT_PERMISSIONS
- Replace placeholder check_project_role with check_permission in proposes.py accept/reject/reopen
- Replace freeform permission strings with dotted names in milestone_actions.py
- Add task.close and task.reopen_* permission checks in tasks.py transition endpoint
- Admin role auto-inherits all new permissions via init_wizard

app/init_wizard.py

@@ -109,6 +109,18 @@ DEFAULT_PERMISSIONS = [
     ("milestone.read", "View milestones", "milestone"),
     ("milestone.write", "Edit milestones", "milestone"),
     ("milestone.delete", "Delete milestones", "milestone"),
+    # Milestone actions
+    ("milestone.freeze", "Freeze milestone scope", "milestone"),
+    ("milestone.start", "Start milestone execution", "milestone"),
+    ("milestone.close", "Close / abort milestone", "milestone"),
+    # Task actions
+    ("task.close", "Close / cancel a task", "task"),
+    ("task.reopen_closed", "Reopen a closed task", "task"),
+    ("task.reopen_completed", "Reopen a completed task", "task"),
+    # Propose actions
+    ("propose.accept", "Accept a propose into a milestone", "propose"),
+    ("propose.reject", "Reject a propose", "propose"),
+    ("propose.reopen", "Reopen a rejected propose", "propose"),
     # Role/Permission management
     ("role.manage", "Manage roles and permissions", "admin"),
     # User management