feat(client-portal) : phase 1 foundations — ROLE_CLIENT hardening + ClientTicket (back)

LST-69 (3.2) phase 1. New ClientPortal module + security foundations for the
client portal (spec docs/superpowers/specs/2026-03-15-client-portal-design.md).

- Security: User::getRoles() no longer adds ROLE_USER to ROLE_CLIENT users;
  role_hierarchy ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]. Existing Task/Project/
  Client/TimeEntry/metadata endpoints already required ROLE_USER -> a pure
  ROLE_CLIENT is walled off (verified: 403).
- User (Core): client (ManyToOne ClientInterface, SET NULL) + allowedProjects
  (ManyToMany ProjectInterface). UserInterface extended (getClient/
  getAllowedProjects).
- New ClientTicket entity (module ClientPortal) + enums + repository + API with
  per-client isolation (ClientTicketProvider: own tickets ∩ allowedProjects),
  per-project numbering under advisory lock (rejects if user.client null),
  status transition rules. ClientTicketInterface contract for Task/TaskDocument.
- TaskDocument generalized: task nullable + clientTicket (CASCADE) + CHECK;
  per-role access. Task.clientTicket exposed in task:read.
- Additive migration; demo client fixtures.
- Tenancy tests assert the isolation invariant (a client never sees another
  client's tickets) rather than brittle absolute counts (shared test DB).

178 tests green, mapping valid, cs-fixer clean.

tests/Functional/Module/ClientPortal/ClientTicketApiTest.php

@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\ClientPortal;
+
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+use function count;
+
+/**
+ * Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
+ * internal API but can reach its own client portal collection.
+ *
+ * @internal
+ */
+final class ClientTicketApiTest extends WebTestCase
+{
+    public function testClientUserCannotListTasks(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/tasks');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testClientUserCannotListProjects(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/projects');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testClientUserCanListOwnClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+        self::assertNotEmpty($data['member']);
+        // Tenancy invariant (robust to POST tests accumulating tickets in the
+        // shared test DB): client-liot sees its own SIRH ticket but NEVER the
+        // ticket submitted by another client (ACME, on the CRM project).
+        $titles = array_column($data['member'], 'title');
+        self::assertContains('Erreur lors de l\'export des congés', $titles);
+        self::assertNotContains('Ajouter un filtre par commercial', $titles);
+    }
+
+    public function testClientUserSeesOnlyOwnTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-acme');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        // Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
+        // ticket submitted by client-liot (on the SIRH project).
+        $titles = array_column($data['member'], 'title');
+        self::assertContains('Ajouter un filtre par commercial', $titles);
+        self::assertNotContains('Erreur lors de l\'export des congés', $titles);
+    }
+
+    public function testInternalUserCannotListClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'alice');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanListAllClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'admin');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertGreaterThanOrEqual(2, count($data['member']));
+    }
+
+    public function testClientCanCreateTicketAndNumberIsGenerated(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $projectIri = $this->sirhProjectIri($em);
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('POST', '/api/client_tickets', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'type'        => 'other',
+            'title'       => 'Demande de fonctionnalité',
+            'description' => 'Une nouvelle option serait utile.',
+            'project'     => $projectIri,
+        ]));
+
+        self::assertResponseStatusCodeSame(201);
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertSame('new', $data['status']);
+        self::assertGreaterThanOrEqual(1, $data['number']);
+    }
+
+    public function testAdminCannotCreateTicket(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $projectIri = $this->sirhProjectIri($em);
+        $this->loginClient($client, 'admin');
+
+        $client->request('POST', '/api/client_tickets', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'type'        => 'other',
+            'title'       => 'Admin attempt',
+            'description' => 'Should be forbidden.',
+            'project'     => $projectIri,
+        ]));
+
+        // Admin has no client, so ticket creation is denied.
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testRejectingTicketRequiresStatusComment(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        $ticket = $em->getRepository(ClientTicket::class)
+            ->findOneBy(['status' => ClientTicketStatus::New])
+        ;
+        self::assertNotNull($ticket);
+        $id = $ticket->getId();
+
+        $this->loginClient($client, 'admin');
+
+        $client->request('PATCH', '/api/client_tickets/'.$id, server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['status' => 'rejected']));
+
+        self::assertResponseStatusCodeSame(422);
+    }
+
+    private function sirhProjectIri(EntityManagerInterface $em): string
+    {
+        $project = $em->getRepository(Project::class)
+            ->findOneBy(['code' => 'SIRH'])
+        ;
+        self::assertNotNull($project);
+
+        return '/api/projects/'.$project->getId();
+    }
+
+    private function loginClient(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}