feat: implement Freigabesystem for payment approval workflow

Adds a dedicated approval view for PM_Freigabe users to release documents
for payment by setting Paperless custom field 15 to a predefined value.

- Backend: VIEW_FREIGABE permission mapped to PM_Freigabe OIDC group
- Backend: FreigabeErforderlich flag on DocumentType entity (auto-migrated)
- Backend: FreigabeModule with endpoints to list documents, fetch field
  options dynamically from Paperless, and set the approval custom field
- Frontend: /freigabe route with filter (default: nicht freigegeben),
  paginated table, and modal to select approval value
- Frontend: Settings checkbox to mark document types as requiring approval
- Frontend: Freigabe menu item visible only to PM_Freigabe/PM_Admin users

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

paperless-backend/src/auth/permissions.enum.ts

@@ -5,6 +5,7 @@ export const Permission = {
   VIEW_INBOX: 'VIEW_INBOX',
   VIEW_SCANNER: 'VIEW_SCANNER',
   MANAGE_SETTINGS: 'MANAGE_SETTINGS',
+  VIEW_FREIGABE: 'VIEW_FREIGABE',
 } as const;
 
 export type Permission = typeof Permission[keyof typeof Permission];
@@ -23,6 +24,7 @@ export function mapGroupsToPermissions(groups: string[] | undefined | null): Per
     permissions.add(Permission.VIEW_INBOX);
     permissions.add(Permission.VIEW_SCANNER);
     permissions.add(Permission.MANAGE_SETTINGS);
+    permissions.add(Permission.VIEW_FREIGABE);
     return Array.from(permissions);
   }
 
@@ -30,6 +32,7 @@ export function mapGroupsToPermissions(groups: string[] | undefined | null): Per
   if (groups.includes('PM_Maileingang')) permissions.add(Permission.VIEW_MAIL);
   if (groups.includes('PM_Posteingang')) permissions.add(Permission.VIEW_INBOX);
   if (groups.includes('PM_Scanner')) permissions.add(Permission.VIEW_SCANNER);
+  if (groups.includes('PM_Freigabe')) permissions.add(Permission.VIEW_FREIGABE);
 
   return Array.from(permissions);
 }