chore: Enforce custom role permissions on conversation access (#12583)

## Summary
- ensure conversation lookup uses the permission filter before fetching
records
- add request specs covering custom role access to unassigned
conversations

## Testing
- bundle exec rspec
spec/enterprise/controllers/api/v1/accounts/conversations_controller_spec.rb

------
https://chatgpt.com/codex/tasks/task_e_68de1f62b9b883268a54882e608a8bb8

app/policies/conversation_policy.rb

@@ -4,6 +4,44 @@ class ConversationPolicy < ApplicationPolicy
   end
 
   def destroy?
-    @account_user&.administrator?
+    administrator?
+  end
+
+  def show?
+    administrator? || agent_bot? || agent_can_view_conversation?
+  end
+
+  private
+
+  def agent_can_view_conversation?
+    inbox_access? || team_access?
+  end
+
+  def administrator?
+    account_user&.administrator?
+  end
+
+  def agent_bot?
+    user.is_a?(AgentBot)
+  end
+
+  def inbox_access?
+    user.inboxes.where(account_id: account&.id).exists?(id: record.inbox_id)
+  end
+
+  def team_access?
+    return false if record.team_id.blank?
+
+    user.teams.where(account_id: account&.id).exists?(id: record.team_id)
+  end
+
+  def assigned_to_user?
+    record.assignee_id == user.id
+  end
+
+  def participant?
+    record.conversation_participants.exists?(user_id: user.id)
   end
 end
+
+ConversationPolicy.prepend_mod_with('ConversationPolicy')