fix(web-client-tpos): add multi-tenant data isolation to BFF controller
- Implement manual JWT parsing from Authorization header in BffDataController
- Add GetUserIdFromToken() and GetCurrentMerchantIdAsync() helpers
- Scope all 15 BFF endpoints by merchant ownership (shops, products, orders, staff, inventory, wallets, stats)
- Validate ownership on write operations (CreateProduct, CreateStaff, DeleteProduct)
- Add AttachToken() to all 23 PosDataService methods to forward auth token to BFF
- Add JwtSecurityTokenHandler NuGet package for token decoding
c838d3627b