test(user) : couvre le soft-delete + désarchivage admin et corrige les retours de review

- ajoute des tests fonctionnels (archive au DELETE, exclusion de la
  collection, listing/désarchivage admin, anti-auto-archivage) et un test
  unitaire du ArchivedUserChecker
- expose un filtre BooleanFilter `archived` + bypass admin dans
  ExcludeArchivedUserExtension pour lister les archivés (?archived=true)
- rend `archived` modifiable par un admin (groupe user:write + ApiProperty
  ROLE_ADMIN) → désarchivage possible via PATCH /api/users/{id}
- RestoreMissingUsersCommand : ne compte que les insertions réelles
  (ON CONFLICT DO NOTHING n'est plus comptabilisé à tort)
- relève memory_limit des tests à 512M (boot sérialiseur API Platform)

src/Command/RestoreMissingUsersCommand.php

@@ -102,7 +102,7 @@ final class RestoreMissingUsersCommand extends Command
         $created = 0;
 
         foreach ($missingIds as $id) {
-            $this->connection->executeStatement(
+            $inserted = $this->connection->executeStatement(
                 <<<'SQL'
                     INSERT INTO "user"
                         (id, username, first_name, last_name, roles, password, created_at,
@@ -122,8 +122,14 @@ final class RestoreMissingUsersCommand extends Command
                     'password'  => $hash,
                 ],
             );
-            ++$created;
-            $io->writeln(sprintf('  ✓ user #%d recreated (archived)', $id));
+
+            // ON CONFLICT may have skipped an already-present row — only count real inserts.
+            if ($inserted > 0) {
+                ++$created;
+                $io->writeln(sprintf('  ✓ user #%d recreated (archived)', $id));
+            } else {
+                $io->writeln(sprintf('  • user #%d already present — skipped', $id));
+            }
         }
 
         $io->success(sprintf('%d user(s) restored as archived. References are valid again — no data lost.', $created));

src/Module/Core/Domain/Entity/User.php

@@ -4,6 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Core\Domain\Entity;
 
+use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
+use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -64,6 +66,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
+// Archived users are hidden from the default /users collection by
+// ExcludeArchivedUserExtension; an admin can still list them with ?archived=true.
+#[ApiFilter(BooleanFilter::class, properties: ['archived'])]
 #[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
@@ -118,7 +123,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
      * from selectable user lists.
      */
     #[ORM\Column(options: ['default' => false])]
-    #[Groups(['me:read', 'user:list'])]
+    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
+    #[Groups(['me:read', 'user:list', 'user:write'])]
     private bool $archived = false;
 
     // --- HR / absence management fields (readable only by an admin or the user themselves) ---

src/Module/Core/Infrastructure/ApiPlatform/Extension/ExcludeArchivedUserExtension.php

@@ -9,14 +9,23 @@ use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
 use ApiPlatform\Metadata\Operation;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\QueryBuilder;
+use Symfony\Bundle\SecurityBundle\Security;
+
+use function array_key_exists;
 
 /**
  * Hides archived (soft-deleted) users from the `/users` collection so they are
  * no longer offered as assignees/collaborators, while existing references to
  * them (already stored on tasks, time entries…) keep resolving normally.
+ *
+ * An admin can opt back in to see archived users — e.g. to restore one — by
+ * passing the `archived` query filter explicitly (`?archived=true`), in which
+ * case the BooleanFilter declared on User handles the predicate instead.
  */
-final class ExcludeArchivedUserExtension implements QueryCollectionExtensionInterface
+final readonly class ExcludeArchivedUserExtension implements QueryCollectionExtensionInterface
 {
+    public function __construct(private Security $security) {}
+
     public function applyToCollection(
         QueryBuilder $queryBuilder,
         QueryNameGeneratorInterface $queryNameGenerator,
@@ -28,6 +37,12 @@ final class ExcludeArchivedUserExtension implements QueryCollectionExtensionInte
             return;
         }
 
+        // Let an admin explicitly query archived users via ?archived=...
+        $filters = $context['filters'] ?? [];
+        if (array_key_exists('archived', $filters) && $this->security->isGranted('ROLE_ADMIN')) {
+            return;
+        }
+
         $alias = $queryBuilder->getRootAliases()[0];
         $queryBuilder->andWhere(sprintf('%s.archived = false', $alias));
     }