feat(core) : RBAC Task 1 - entites Permission et Role + domaine securite

- Entite Permission avec methodes markOrphan/revive/updateMetadata
- Entite Role avec addPermission/removePermission/ensureDeletable
- Constantes SystemRoles (codes admin/user partages)
- Exception SystemRoleDeletionException pour la garde de suppression
- Tests unitaires couvrant le comportement domaine (pas de BDD)

Ticket #343 - 1/7 : fondations RBAC (domaine pur, sans persistence).
Les entites ne portent pas encore repositoryClass (ajoute en Task 2).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/Module/Core/Domain/Entity/PermissionTest.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class PermissionTest extends TestCase
+{
+    public function testConstructorInitialState(): void
+    {
+        $permission = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+
+        self::assertNull($permission->getId());
+        self::assertSame('core.users.view', $permission->getCode());
+        self::assertSame('Voir les utilisateurs', $permission->getLabel());
+        self::assertSame('core', $permission->getModule());
+        self::assertFalse($permission->isOrphan());
+    }
+
+    public function testMarkOrphanSetsFlag(): void
+    {
+        $permission = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+
+        $permission->markOrphan();
+
+        self::assertTrue($permission->isOrphan());
+    }
+
+    public function testReviveResetsOrphanAndUpdatesMetadata(): void
+    {
+        $permission = new Permission('core.users.view', 'Old label', 'core');
+        $permission->markOrphan();
+
+        $permission->revive('New label', 'commercial');
+
+        self::assertFalse($permission->isOrphan());
+        self::assertSame('New label', $permission->getLabel());
+        self::assertSame('commercial', $permission->getModule());
+    }
+
+    public function testUpdateMetadataDoesNotTouchOrphan(): void
+    {
+        $permission = new Permission('core.users.view', 'Old', 'core');
+        $permission->markOrphan();
+
+        $permission->updateMetadata('Lbl', 'core');
+
+        self::assertTrue($permission->isOrphan());
+        self::assertSame('Lbl', $permission->getLabel());
+    }
+}

tests/Module/Core/Domain/Entity/RoleTest.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class RoleTest extends TestCase
+{
+    public function testConstructorInitialState(): void
+    {
+        $role = new Role('custom', 'Custom');
+
+        self::assertNull($role->getId());
+        self::assertSame('custom', $role->getCode());
+        self::assertSame('Custom', $role->getLabel());
+        self::assertNull($role->getDescription());
+        self::assertFalse($role->isSystem());
+        self::assertTrue($role->getPermissions()->isEmpty());
+    }
+
+    public function testAddPermissionAddsOnce(): void
+    {
+        $role       = new Role('custom', 'Custom');
+        $permission = new Permission('core.users.view', 'Voir', 'core');
+
+        $role->addPermission($permission);
+        $role->addPermission($permission);
+
+        self::assertSame(1, $role->getPermissions()->count());
+    }
+
+    public function testRemovePermissionRemovesWhenPresent(): void
+    {
+        $role       = new Role('custom', 'Custom');
+        $permission = new Permission('core.users.view', 'Voir', 'core');
+
+        $role->addPermission($permission);
+        $role->removePermission($permission);
+
+        self::assertSame(0, $role->getPermissions()->count());
+    }
+
+    public function testRemovePermissionIsNoOpWhenAbsent(): void
+    {
+        $role       = new Role('custom', 'Custom');
+        $permission = new Permission('core.users.view', 'Voir', 'core');
+
+        $role->removePermission($permission);
+
+        self::assertSame(0, $role->getPermissions()->count());
+    }
+
+    public function testEnsureDeletableAllowsNonSystemRole(): void
+    {
+        $role = new Role('custom', 'Custom', false);
+
+        $role->ensureDeletable();
+
+        $this->expectNotToPerformAssertions();
+    }
+
+    public function testEnsureDeletableThrowsForSystemRole(): void
+    {
+        $role = new Role('admin', 'Admin', true);
+
+        $this->expectException(SystemRoleDeletionException::class);
+        $this->expectExceptionMessage('admin');
+
+        $role->ensureDeletable();
+    }
+}

tests/Module/Core/Domain/Security/SystemRolesTest.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Domain\Security;
+
+use App\Module\Core\Domain\Security\SystemRoles;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SystemRolesTest extends TestCase
+{
+    public function testAdminCodeConstant(): void
+    {
+        self::assertSame('admin', SystemRoles::ADMIN_CODE);
+    }
+
+    public function testUserCodeConstant(): void
+    {
+        self::assertSame('user', SystemRoles::USER_CODE);
+    }
+}