fix(security) : block SVG upload, enforce ROLE_CLIENT restrictions on documents

- Block SVG MIME type in TaskDocumentProcessor upload validation
- Serve existing SVG files as attachment (defense-in-depth) in download controller
- Block ROLE_CLIENT from uploading documents to tasks (only allowed via portal tickets)
- Add Doctrine extension to filter projects by allowedProjects for ROLE_CLIENT

Tickets: T-003, T-005, T-006

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Controller/TaskDocumentDownloadController.php

@@ -51,9 +51,12 @@ class TaskDocumentDownloadController extends AbstractController
         $mimeType = $document->getMimeType() ?? 'application/octet-stream';
 
         // Inline for images and PDFs, attachment for everything else
-        $disposition = str_starts_with($mimeType, 'image/') || 'application/pdf' === $mimeType
-            ? ResponseHeaderBag::DISPOSITION_INLINE
-            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+        // SVG files are always served as attachment to prevent XSS via embedded JavaScript
+        $disposition = 'image/svg+xml' === $mimeType
+            ? ResponseHeaderBag::DISPOSITION_ATTACHMENT
+            : (str_starts_with($mimeType, 'image/') || 'application/pdf' === $mimeType
+                ? ResponseHeaderBag::DISPOSITION_INLINE
+                : ResponseHeaderBag::DISPOSITION_ATTACHMENT);
 
         $response->setContentDisposition($disposition, $document->getOriginalName());
         $response->headers->set('Content-Type', $mimeType);