feat: add access profile selection support with device-specific profile persistence

Add SelectOwnProfile handler to allow users to choose from available access profiles. Store selected profile ID per device in settings table with device_access_profile category. Implement GetSelectedProfileID and SetSelectedProfileID repository methods using JSONB storage.

Add ListSelectableProfiles to policy repository and service to query user/group/device-specific profiles ordered by priority. Filter gateway

backend/internal/gateway/repository.go

@@ -98,13 +98,22 @@ func (r *PGRepository) BuildSyncBundle(ctx context.Context, gatewayID uuid.UUID)
 		from devices d
 		join wireguard_peers wp on wp.device_id = d.id and wp.deleted_at is null
 		join gateways g on g.id = d.gateway_id
+		left join settings s on s.category = 'device_access_profile' and s.key = d.id::text
 		left join group_memberships gm on gm.user_id = d.user_id
 		left join policy_targets pt on (
 			(pt.target_type = 'device' and pt.target_id = d.id) or
 			(pt.target_type = 'user' and pt.target_id = d.user_id) or
 			(pt.target_type = 'group' and pt.target_id = gm.group_id)
 		)
-		left join policy_destinations pd on pd.policy_id = pt.policy_id
+		left join policies p on p.id = pt.policy_id
+			and p.deleted_at is null
+			and p.is_active = true
+			and p.effect = 'allow'
+		left join policy_destinations pd on pd.policy_id = p.id
+			and (
+				s.value->>'profile_id' is null
+				or p.id::text = s.value->>'profile_id'
+			)
 		where d.gateway_id = $1 and d.deleted_at is null and d.status = 'active'
 		group by d.id, wp.public_key, wp.assigned_ip, g.dns_servers
 	`, gatewayID)