AllowCompanyPermission

Declarative decorator for enforcing company-level permissions on Shop API resolvers.

When applied to a resolver method, the global CompanyPermissionGuard will:

1. Resolve the ActiveCompanyContext for the current request (throws ForbiddenError if none)
2. Check that the company user has at least one of the specified permissions (OR logic)

If no permissions are specified, the guard only requires a valid company context without checking any specific permission.