fix(security): harden auth, session, document access and health endpoint

- Remove orphaned PUBLIC_ACCESS rule for deleted /api/test route
- Remove JWT login firewall (app is session-based only)
- Set APP_SECRET placeholder (real value must be in .env.local)
- Remove JWT env vars from .env
- Add session regeneration on login (prevent session fixation)
- Remove Document.path from API serialization groups (prevent path leak)
- Restrict health check details to ROLE_ADMIN (anonymous users get status only)
- Add path traversal guard in DocumentStorageService
- Convert CreateProfileCommand password to interactive hidden prompt
- Restrict Profile Get endpoint to ROLE_ADMIN
- Change api firewall to stateless: false (matches session-based auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -27,7 +27,14 @@ class DocumentStorageService
public function getAbsolutePath(string $relativePath): string
{
return $this->storageDir.'/'.$relativePath;
$absolutePath = $this->storageDir.'/'.$relativePath;
$realPath = realpath($absolutePath);
if (false !== $realPath && !str_starts_with($realPath, realpath($this->storageDir))) {
throw new RuntimeException(sprintf('Path traversal detected: "%s"', $relativePath));
}
return $absolutePath;
}
/**
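Review bot: the traversal guard in getAbsolutePath() is skipped whenever realpath() returns false, so a relative path that does not exist yet (the normal case for a write or a new upload) is returned unchecked even if it contains "../" segments; the condition `if (false !== $realPath && !str_starts_with(...))` only protects reads of existing files. Consider rejecting the request when realpath() fails, or resolving the parent directory (dirname) and checking that instead, and additionally rejecting ".." segments and null bytes lexically before touching the filesystem. A second weakness is the prefix comparison itself: `str_starts_with($realPath, realpath($this->storageDir))` without a trailing separator accepts a sibling directory whose name merely extends the storage directory name (storage vs storage-other), so compare against `realpath($this->storageDir) . DIRECTORY_SEPARATOR` (or exact equality for the directory itself). Finally, realpath($this->storageDir) can itself return false if the directory is missing, in which case the check degrades silently; resolve and validate the base directory once (in the constructor) and fail fast if it cannot be resolved.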