fix(expense-snapshot): gate page on Expenses:write to match the write-only API

The snapshot management page backs an API that gates every action on
Expenses:Write, so a read-only user reaching it via a read-gated nav/route
would hit a silent 403 and a blank page. Require write for both.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Chris Chen
2026-06-25 15:21:11 -07:00
parent 44a7dcf089
commit 099303995b
2 changed files with 4 additions and 2 deletions
+3 -1
@@ -168,7 +168,9 @@ export const routes: Routes = [
component: ExpenseSnapshotsPageComponent,
canActivate: [PermissionGuard],
data: {
permission: { module: PermissionModules.Expenses, action: 'read' },
// Snapshots are a write-only management surface (the API gates every action on
// Expenses:Write), so require write — a read-only user has nothing to do here.
permission: { module: PermissionModules.Expenses, action: 'write' },
title: 'Expense Snapshots', titleZh: '費用範本', section: 'Finance',
},
},
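Review bot: The `permission` in this route's `data` and the matching "Expense Snapshots" nav entry in `UserPortalComponent` (second hunk) remain two independent literals that must both mirror the API's Expenses:Write gate, which is the drift this commit corrects. Declaring the requirement once and referencing it from both places would stop them diverging again, e.g. `export const EXPENSE_SNAPSHOTS_PERMISSION = { module: PermissionModules.Expenses, action: 'write' } as const;`. `PermissionGuard` and the nav filter only affect what the client shows, so the server-side check named in the commit message remains the actual enforcement and should not be relaxed on the strength of this change. Neither of the two changed files appears to be a spec, so a test asserting that a read-only user is refused on this route would pin the behaviour. The `routes` array begins and ends outside the hunk.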
@@ -133,7 +133,7 @@ export class UserPortalComponent implements OnInit, OnDestroy {
{ text: 'Expense Categories', icon: categorizeIcon, path: '/user-portal/finance/expense-categories',
permission: { module: PermissionModules.ExpenseCategories, action: 'read' } },
{ text: 'Expense Snapshots', icon: categorizeIcon, path: '/user-portal/finance/expense-snapshots',
permission: { module: PermissionModules.Expenses, action: 'read' } },
permission: { module: PermissionModules.Expenses, action: 'write' } },
{ text: 'Disbursements', icon: banknoteOutlineIcon, path: '/user-portal/finance/disbursements',
permission: { module: PermissionModules.Disbursements, action: 'read' } },
{ text: 'Check Register', icon: walletOutlineIcon, path: '/user-portal/finance/check-register',