feat(permissions) : add role-based access control system

Backend:
- Add role hierarchy (ADMIN > GESTIONNAIRE > VIEWER > USER) in security.yaml
- Add password authentication on profile activation (SessionProfileController)
- Add SessionProfileAuthenticator with stateless API firewall
- Add ProfilePasswordHasher state processor for API Platform
- Add security annotations on all 18 API Platform entities
- Add denyAccessUnlessGranted on all 13 custom controllers
- Add AdminProfileController for profile/role management (/api/admin/profiles)
- Add InitProfilePasswordsCommand for initial admin setup
- Simplify SessionProfilesController to list-only (removed create/delete)

Frontend (submodule update):
- Add usePermissions composable (isAdmin, canEdit, canView, isGranted)
- Add password login modal on profiles page
- Add admin backoffice page for profile management
- Disable all form fields for ROLE_VIEWER across all edit/create pages
- Show navigation buttons for all roles, hide destructive actions for viewers
- Add readonly mode to ModelTypeForm and site/constructeur modals
- Guard /admin routes in middleware
- Configure Vite proxy for API requests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/Controller/DocumentQueryController.php

@@ -30,6 +30,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/site/{id}', name: 'documents_by_site', methods: ['GET'])]
     public function listBySite(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $site = $this->siteRepository->find($id);
         if (!$site) {
             return $this->json(['success' => false, 'error' => 'Site not found.'], 404);
@@ -43,6 +45,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/machine/{id}', name: 'documents_by_machine', methods: ['GET'])]
     public function listByMachine(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $machine = $this->machineRepository->find($id);
         if (!$machine) {
             return $this->json(['success' => false, 'error' => 'Machine not found.'], 404);
@@ -56,6 +60,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/composant/{id}', name: 'documents_by_composant', methods: ['GET'])]
     public function listByComposant(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $composant = $this->composantRepository->find($id);
         if (!$composant) {
             return $this->json(['success' => false, 'error' => 'Composant not found.'], 404);
@@ -69,6 +75,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/piece/{id}', name: 'documents_by_piece', methods: ['GET'])]
     public function listByPiece(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $piece = $this->pieceRepository->find($id);
         if (!$piece) {
             return $this->json(['success' => false, 'error' => 'Piece not found.'], 404);
@@ -82,6 +90,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/product/{id}', name: 'documents_by_product', methods: ['GET'])]
     public function listByProduct(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $product = $this->productRepository->find($id);
         if (!$product) {
             return $this->json(['success' => false, 'error' => 'Product not found.'], 404);