fix(security) : harden auth, session, document access and health endpoint

- Remove orphaned PUBLIC_ACCESS rule for deleted /api/test route
- Remove JWT login firewall (app is session-based only)
- Set APP_SECRET placeholder (real value must be in .env.local)
- Remove JWT env vars from .env
- Add session regeneration on login (prevent session fixation)
- Remove Document.path from API serialization groups (prevent path leak)
- Restrict health check details to ROLE_ADMIN (anonymes get status only)
- Add path traversal guard in DocumentStorageService
- Convert CreateProfileCommand password to interactive hidden prompt
- Restrict Profile Get endpoint to ROLE_ADMIN
- Change api firewall to stateless: false (matches session-based auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/Entity/Document.php

@@ -14,6 +14,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
+use App\Entity\Trait\CuidEntityTrait;
 use App\Repository\DocumentRepository;
 use App\State\DocumentUploadProcessor;
 use DateTimeImmutable;
@@ -28,6 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiFilter(ExistsFilter::class, properties: ['site', 'machine', 'composant', 'piece', 'product'])]
 #[ApiFilter(OrderFilter::class, properties: ['createdAt', 'name', 'size'])]
 #[ApiResource(
+    description: 'Documents et fichiers. Gestion des fichiers joints (PDF, images, etc.) rattachés aux machines, pièces, composants, produits ou sites. Upload via multipart/form-data.',
     operations: [
         new GetCollection(
             security: "is_granted('ROLE_VIEWER')",
@@ -52,6 +54,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 class Document
 {
+    use CuidEntityTrait;
+
     #[ORM\Id]
     #[ORM\Column(type: Types::STRING, length: 36)]
     #[Groups(['document:list', 'document:read', 'composant:read', 'piece:read', 'product:read'])]
@@ -66,7 +70,6 @@ class Document
     private string $filename;
 
     #[ORM\Column(type: Types::TEXT)]
-    #[Groups(['document:detail', 'document:read', 'composant:read', 'piece:read', 'product:read'])]
     private string $path;
 
     #[ORM\Column(type: Types::STRING, length: 100, name: 'mimeType')]
@@ -109,36 +112,12 @@ class Document
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE, name: 'updatedAt')]
     private DateTimeImmutable $updatedAt;
 
-    #[ORM\PrePersist]
-    public function setCreatedAtValue(): void
-    {
-        $now             = new DateTimeImmutable();
-        $this->createdAt = $now;
-        $this->updatedAt = $now;
-
-        if (null === $this->id) {
-            $this->id = $this->generateCuid();
-        }
-    }
-
-    #[ORM\PreUpdate]
-    public function setUpdatedAtValue(): void
+    public function __construct()
     {
+        $this->createdAt = new DateTimeImmutable();
         $this->updatedAt = new DateTimeImmutable();
     }
 
-    public function getId(): ?string
-    {
-        return $this->id;
-    }
-
-    public function setId(string $id): static
-    {
-        $this->id = $id;
-
-        return $this;
-    }
-
     public function getName(): string
     {
         return $this->name;
@@ -258,19 +237,4 @@ class Document
 
         return $this;
     }
-
-    public function getCreatedAt(): DateTimeImmutable
-    {
-        return $this->createdAt;
-    }
-
-    public function getUpdatedAt(): DateTimeImmutable
-    {
-        return $this->updatedAt;
-    }
-
-    private function generateCuid(): string
-    {
-        return 'cl'.bin2hex(random_bytes(12));
-    }
 }