feat(observability) : error tracking GlitchTip back + front (INFRA #146)

Backend : sentry/sentry-symfony branché en prod uniquement (bundle prod-only,
exceptions seules, 4xx ignorés, release = app.version), DSN via SENTRY_DSN
(runtime, infra/prod/.env).
Frontend : @sentry/nuxt chargé seulement si NUXT_PUBLIC_SENTRY_DSN présent
(donc au build prod), upload des source maps gated sur les secrets. DSN front
et secrets passés en build-args (Dockerfile) depuis les secrets Gitea (CI).
Doc README (section Error tracking) + .env.example.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

infra/prod/Dockerfile

@@ -29,10 +29,26 @@ COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
 
 COPY frontend/ ./
+
+# Sentry / GlitchTip (front) — fourni au BUILD :
+#  - NUXT_PUBLIC_SENTRY_DSN est bake dans le bundle statique (SPA generee).
+#  - SENTRY_URL/ORG/PROJECT/AUTH_TOKEN servent a uploader les source maps.
+# Si NUXT_PUBLIC_SENTRY_DSN est vide, le module Sentry n'est pas charge (no-op).
+ARG NUXT_PUBLIC_SENTRY_DSN=""
+ARG SENTRY_URL=""
+ARG SENTRY_ORG=""
+ARG SENTRY_PROJECT=""
+ARG SENTRY_AUTH_TOKEN=""
+
 ENV CI=1 \
     NUXT_TELEMETRY_DISABLED=1 \
     NUXT_PUBLIC_API_BASE=/api \
-    NUXT_PUBLIC_APP_BASE=/
+    NUXT_PUBLIC_APP_BASE=/ \
+    NUXT_PUBLIC_SENTRY_DSN=$NUXT_PUBLIC_SENTRY_DSN \
+    SENTRY_URL=$SENTRY_URL \
+    SENTRY_ORG=$SENTRY_ORG \
+    SENTRY_PROJECT=$SENTRY_PROJECT \
+    SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
 RUN npm run generate
 
 # --- Stage 3: Production image ---