Add pluggable ABAC engine for Payload #204

Merged
tsemachh merged 3 commits into main from feat/abac-plugin
May 13, 2026
@tsemachh
Member

Summary

  • add the new @shefing/abac package with a pluggable attribute-based access engine, built-in tenant and role providers, JWT enrichment, relationship filter helper, and /api/me/permissions endpoint
  • wire the ABAC plugin into test-app with tenant-aware collections, seeding, integration coverage, and Playwright e2e coverage
  • fix authorization role resolution for JWT-stored role IDs so ABAC + existing RBAC compose correctly over HTTP

Verification

  • pnpm exec vitest run packages/authorization/src/access/general.test.ts
  • cd test-app && pnpm test:e2e -- tests/e2e-plugins/abac.spec.ts

Notes

  • Step 5 remains marked failed in the session plan because one local Vitest read-path mismatch was user-accepted as a blocker earlier in the session, but the HTTP/e2e coverage for Step 6 is now green.

Co-authored-by: Junie <junie@jetbrains.com>

@philjoseph
Member

philjoseph commented May 13, 2026

Checkmarx One – Scan Summary & Details 011f7414-d9ba-4153-8326-08afac90ff96

Great job! No new security vulnerabilities introduced in this pull request


Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.

tsemachh and others added 2 commits May 13, 2026 11:17
@tsemachh tsemachh merged commit 0e52852 into main May 13, 2026
3 checks passed