feat(client-portal) : phase 1 foundations — ROLE_CLIENT hardening + ClientTicket (back)

LST-69 (3.2) phase 1. New ClientPortal module + security foundations for the
client portal (spec docs/superpowers/specs/2026-03-15-client-portal-design.md).

- Security: User::getRoles() no longer adds ROLE_USER to ROLE_CLIENT users;
  role_hierarchy ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]. Existing Task/Project/
  Client/TimeEntry/metadata endpoints already required ROLE_USER -> a pure
  ROLE_CLIENT is walled off (verified: 403).
- User (Core): client (ManyToOne ClientInterface, SET NULL) + allowedProjects
  (ManyToMany ProjectInterface). UserInterface extended (getClient/
  getAllowedProjects).
- New ClientTicket entity (module ClientPortal) + enums + repository + API with
  per-client isolation (ClientTicketProvider: own tickets ∩ allowedProjects),
  per-project numbering under advisory lock (rejects if user.client null),
  status transition rules. ClientTicketInterface contract for Task/TaskDocument.
- TaskDocument generalized: task nullable + clientTicket (CASCADE) + CHECK;
  per-role access. Task.clientTicket exposed in task:read.
- Additive migration; demo client fixtures.
- Tenancy tests assert the isolation invariant (a client never sees another
  client's tickets) rather than brittle absolute counts (shared test DB).

178 tests green, mapping valid, cs-fixer clean.

config/modules.php

@@ -8,6 +8,7 @@ declare(strict_types=1);
  */
 
 use App\Module\Absence\AbsenceModule;
+use App\Module\ClientPortal\ClientPortalModule;
 use App\Module\Core\CoreModule;
 use App\Module\Directory\DirectoryModule;
 use App\Module\Integration\IntegrationModule;
@@ -25,4 +26,5 @@ return [
     MailModule::class,
     IntegrationModule::class,
     ReportingModule::class,
+    ClientPortalModule::class,
 ];

config/packages/doctrine.yaml

@@ -26,6 +26,7 @@ doctrine:
             App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
             App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
             App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
+            App\Shared\Domain\Contract\ClientTicketInterface: App\Module\ClientPortal\Domain\Entity\ClientTicket
         mappings:
             App:
                 type: attribute
@@ -68,6 +69,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
                 prefix: 'App\Module\Integration\Domain\Entity'
+            ClientPortal:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/ClientPortal/Domain/Entity'
+                prefix: 'App\Module\ClientPortal\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 

config/packages/security.yaml

@@ -1,6 +1,6 @@
 security:
     role_hierarchy:
-        ROLE_ADMIN: [ROLE_USER]
+        ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]
 
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:

config/services.yaml

@@ -111,6 +111,8 @@ services:
 
     App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
 
+    App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface: '@App\Module\ClientPortal\Infrastructure\Doctrine\DoctrineClientTicketRepository'
+
     App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
 
     App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'