Introduces a generic "Required Access" mechanism: any model using
HasRequiredAccess can list other entities as required-access targets;
if the requesting entity has access to ANY of them — direct, role,
or permission — the holder is considered unlocked. Sits alongside
Required Roles / Permissions and is OR-combined with them.
The unlock check resolves in a single EXISTS query that joins
required_accesses with accesses, so cost stays O(1) regardless of
target count.
20 new unit tests cover relations, sync semantics, expiry handling,
isolation between holders, and the constant-cost query property.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fabian @ Blax Software
2ca17ba914