feat: time-based permission grants (scheduled windows and expiry) #219

@coopernetes

Problem

All permission grants are currently permanent — they apply until explicitly deleted. There is no way to express:

  • A permission that is only valid during a scheduled maintenance window (e.g. a CI pipeline push window, a release window)
  • A permission that automatically expires after a set time (e.g. a contractor's access that should lapse after 30 days)
  • A recurring schedule (e.g. allow push to a deploy repo only between 09:00–17:00 on weekdays)

Without time-based grants, operators must remember to manually revoke access after the intended window, which is error-prone.

Proposed behaviour

Extend `RepoPermission` with optional time bounds:

  • `valid-from` — ISO-8601 timestamp; permission not active before this time
  • `valid-until` — ISO-8601 timestamp; permission automatically expires after this time
  • `schedule` — cron-style expression or named window; permission only active during matching periods

At evaluation time, `RepoPermissionService` checks the active time bounds in addition to the existing path/operation matching. Expired permissions are still stored (for audit) but return no match.

Notes

  • Relates to the JIT permission model (Just-in-time permissions on specific pushes #74) — a JIT grant is effectively a `valid-until` with a very short window
  • The dashboard should surface expiry status and allow admins to view/extend active time-bounded grants
  • DB schema: add `valid_from` and `valid_until` nullable timestamp columns to `repo_permissions`
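
A sketch of the `valid-from` / `valid-until` check proposed above, added here as an illustration and not taken from the project's code. `Grant`, `status`, `is_allowed` and `audit_view` are hypothetical names, the sample grants are constructed, `valid-until` is assumed to be exclusive, timestamps without a UTC offset are assumed to be rejected, and `schedule` is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:  # hypothetical stand-in for RepoPermission
    user: str
    repo: str
    operation: str
    valid_from: Optional[str] = None   # ISO-8601; None = no lower bound
    valid_until: Optional[str] = None  # ISO-8601; None = never expires

def parse_ts(ts: str) -> datetime:
    """Parse ISO-8601 and normalise to UTC; reject values without an offset."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {ts!r}")
    return dt.astimezone(timezone.utc)

def status(g: Grant, now: datetime) -> str:
    """Return 'pending', 'active', 'expired' or 'invalid' for a grant at `now`."""
    try:
        start = parse_ts(g.valid_from) if g.valid_from else None
        end = parse_ts(g.valid_until) if g.valid_until else None
    except ValueError:
        return "invalid"      # unparseable or ambiguous bound: fail closed
    if start and end and end <= start:
        return "invalid"      # empty or inverted window
    if start and now < start:
        return "pending"
    if end and now >= end:    # assumption: valid-until is exclusive
        return "expired"
    return "active"

def is_allowed(grants, user, repo, operation, now) -> bool:
    """Exact repo/operation match stands in for the existing path matching."""
    return any(g.user == user and g.repo == repo and g.operation == operation
               and status(g, now) == "active" for g in grants)

# Constructed sample grants (not real data).
GRANTS = [
    Grant("alice", "org/deploy", "push"),                       # permanent
    Grant("contractor", "org/app", "push",
          "2025-03-01T00:00:00Z", "2025-03-31T00:00:00Z"),      # 30-day window
    Grant("ci-bot", "org/app", "push", valid_until="2025-03-10T18:00:00+01:00"),
    Grant("bob", "org/app", "push", valid_until="2025-04-01T00:00:00"),  # no offset
]

def audit_view(now):
    """Every stored grant with its status, expired ones included."""
    return [(g.user, status(g, now)) for g in GRANTS]
```

Expired and invalid grants stay in the list for audit but never produce a match, and the `ci-bot` bound shows why bounds are normalised to UTC before comparison.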

Labels: area:auth (Authentication, authorization, identity), enhancement (New feature or request)