Add canStream user permission to control streaming access

Adds a per-user "Can Stream" permission mirroring the existing "Can Download"
pattern. Server admins can now disable streaming for specific users, encouraging
local downloads instead. Addresses #2572.

Changes:
- User model: stream permission in mapping, defaults, and getter
- ApiKey model: stream permission in defaults
- Controller: 403 enforcement on playback session creation endpoints
- Frontend: permission toggle in admin UI, play button gated by canStream,
  download button shown when streaming disabled, message when neither allowed
- Tests: 11 Mocha tests (model + controller), 1 Cypress test (card UI)
- Localization: English strings for toggle label and fallback message

The getter uses !== false (rather than !!) so existing users without the
stream key in their permissions JSON default to allowed on upgrade.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/controllers/LibraryItemController.js

@@ -413,6 +413,10 @@ class LibraryItemController {
    * @param {Response} res
    */
   startPlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
     if (!req.libraryItem.hasAudioTracks) {
       Logger.error(`[LibraryItemController] startPlaybackSession cannot playback ${req.libraryItem.id}`)
       return res.sendStatus(404)
@@ -430,6 +434,10 @@ class LibraryItemController {
    * @param {Response} res
    */
   startEpisodePlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
     if (!req.libraryItem.isPodcast) {
       Logger.error(`[LibraryItemController] startEpisodePlaybackSession invalid media type ${req.libraryItem.id}`)
       return res.sendStatus(400)