fix: also deny clear_completed under tasks:manage

Addresses CodeRabbit review — clear_completed is destructive and should
be blocked alongside delete at the manage permission level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

auth/permissions.py

@@ -138,7 +138,7 @@ SERVICE_PERMISSION_LEVELS: Dict[str, List[Tuple[str, List[str]]]] = {
 # Levels not listed here (or services without entries) deny nothing.
 SERVICE_DENIED_ACTIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
     "tasks": {
-        "manage": frozenset({"delete"}),
+        "manage": frozenset({"delete", "clear_completed"}),
     },
 }
 

tests/test_permissions.py

@@ -163,6 +163,14 @@ class TestIsActionDenied:
         set_permissions({"tasks": "manage"})
         assert is_action_denied("tasks", "move") is False
 
+    def test_tasks_manage_denies_clear_completed(self):
+        set_permissions({"tasks": "manage"})
+        assert is_action_denied("tasks", "clear_completed") is True
+
+    def test_tasks_full_allows_clear_completed(self):
+        set_permissions({"tasks": "full"})
+        assert is_action_denied("tasks", "clear_completed") is False
+
     def test_service_not_in_permissions_allows_all(self):
         set_permissions({"gmail": "readonly"})
         assert is_action_denied("tasks", "delete") is False