refactor(modules): marketplace install flow with checksum validation

Rewires module installation to use slug + version + checksum_sha256 instead of the opaque module identifier. ModuleInstaller splits marketplace token handling out of install() into helpers, adopts structured error responses, and validates the downloaded archive's SHA-256 against the marketplace manifest before unpacking.

ModuleResource is simplified to accept an already-loaded installed-module instance rather than fetching it from state, exposes access_tier and checksum fields, and drops the auto-disable-on-unpurchased side effect that was bleeding write logic into a read resource. UnzipUpdateRequest accepts a nullable module with a conditional module_name field so the same endpoint serves both app and module updates.

ModulesPolicy::manageModules now short-circuits for super-admins so administration flows (token validation, store state) are not blocked on a company-scoped ability. Two new feature tests cover both the authorization bypass and ModuleResource serialization.

tests/Feature/Admin/Modules/ModuleAuthorizationTest.php

@@ -0,0 +1,22 @@
+<?php
+
+use App\Models\User;
+use Illuminate\Support\Facades\Artisan;
+use Laravel\Sanctum\Sanctum;
+
+use function Pest\Laravel\getJson;
+
+beforeEach(function () {
+    Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
+    Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
+
+    Sanctum::actingAs(User::find(1), ['*']);
+});
+
+it('allows super admins to validate marketplace tokens without a company header in admin mode', function () {
+    getJson('/api/v1/modules/check?api_token=test-marketplace-token')
+        ->assertOk()
+        ->assertJson([
+            'error' => 'invalid_token',
+        ]);
+});