Soft-delete a business customer (sets is_active=False).

Does not touch kyb_status or the Sumsub applicant. Deactivated businesses are hidden from the default GET /businesses response unless the caller passes include_inactive=true. Idempotent.

require_client_permissions enforces allowed_roles only for client_user actors; the explicit role guard below also rejects client_api callers whose credential role is not Owner.