feat: add access profile selection support with device-specific profile persistence

Add SelectOwnProfile handler to allow users to choose from available access profiles. Store selected profile ID per device in settings table with device_access_profile category. Implement GetSelectedProfileID and SetSelectedProfileID repository methods using JSONB storage.

Add ListSelectableProfiles to policy repository and service to query user/group/device-specific profiles ordered by priority. Filter gateway

backend/internal/policy/repository.go

@@ -14,6 +14,7 @@ type Repository interface {
 	Update(ctx context.Context, policyID uuid.UUID, input UpdateRequest) (Policy, error)
 	Delete(ctx context.Context, policyID uuid.UUID) error
 	ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error)
+	ListSelectableProfiles(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]SelectableProfile, error)
 }
 
 type PGRepository struct {
@@ -206,6 +207,53 @@ func (r *PGRepository) ResolveDestinations(ctx context.Context, userID uuid.UUID
 	return destinations, rows.Err()
 }
 
+func (r *PGRepository) ListSelectableProfiles(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]SelectableProfile, error) {
+	query := `
+		select
+			p.id,
+			p.name,
+			p.description,
+			p.full_tunnel,
+			coalesce(array_agg(pd.destination::text order by pd.destination::text) filter (where pd.destination is not null), '{}')
+		from policies p
+		left join policy_destinations pd on pd.policy_id = p.id
+		join policy_targets pt on pt.policy_id = p.id
+		where p.deleted_at is null
+		  and p.is_active = true
+		  and p.effect = 'allow'
+		  and (
+			(pt.target_type = 'user' and pt.target_id = $1)
+			or (pt.target_type = 'group' and exists (
+				select 1 from group_memberships gm
+				where gm.group_id = pt.target_id and gm.user_id = $1
+			))
+	`
+	args := []any{userID}
+	if deviceID != nil {
+		query += ` or (pt.target_type = 'device' and pt.target_id = $2)`
+		args = append(args, *deviceID)
+	}
+	query += `)
+		group by p.id, p.name, p.description, p.full_tunnel, p.priority, p.created_at
+		order by p.priority asc, p.created_at desc`
+
+	rows, err := r.db.Query(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var profiles []SelectableProfile
+	for rows.Next() {
+		var item SelectableProfile
+		if err := rows.Scan(&item.ID, &item.Name, &item.Description, &item.FullTunnel, &item.Destinations); err != nil {
+			return nil, err
+		}
+		profiles = append(profiles, item)
+	}
+	return profiles, rows.Err()
+}
+
 func (r *PGRepository) getByID(ctx context.Context, policyID uuid.UUID) (Policy, error) {
 	items, err := r.List(ctx)
 	if err != nil {

backend/internal/policy/service.go

@@ -39,3 +39,7 @@ func (s *Service) Delete(ctx context.Context, policyID uuid.UUID) error {
 func (s *Service) ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error) {
 	return s.repo.ResolveDestinations(ctx, userID, deviceID)
 }
+
+func (s *Service) ListSelectableProfiles(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]SelectableProfile, error) {
+	return s.repo.ListSelectableProfiles(ctx, userID, deviceID)
+}

backend/internal/policy/types.go

@@ -40,3 +40,11 @@ type UpdateRequest struct {
 	Destinations []string `json:"destinations"`
 	Targets      []Target `json:"targets"`
 }
+
+type SelectableProfile struct {
+	ID           uuid.UUID `json:"id"`
+	Name         string    `json:"name"`
+	Description  string    `json:"description"`
+	FullTunnel   bool      `json:"full_tunnel"`
+	Destinations []string  `json:"destinations"`
+}