test(client-portal) : regression guard for ROLE_CLIENT endpoint isolation

Data-provided test asserting a pure ROLE_CLIENT gets 403 on the internal
endpoints hardened after the review (/api/users, /api/share/browse,
/api/share/status, bookstack links), so the fixes can't silently regress.

tests/Functional/Module/ClientPortal/ClientTicketApiTest.php

@@ -12,6 +12,7 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
+use PHPUnit\Framework\Attributes\DataProvider;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
@@ -45,6 +46,34 @@ final class ClientTicketApiTest extends WebTestCase
         self::assertResponseStatusCodeSame(403);
     }
 
+    /**
+     * Regression guard for the post-migration security review: internal
+     * endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
+     * security) must reject a pure ROLE_CLIENT.
+     */
+    #[DataProvider('internalEndpointsForbiddenToClients')]
+    public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', $uri);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    /** @return iterable<string, array{string}> */
+    public static function internalEndpointsForbiddenToClients(): iterable
+    {
+        yield 'users directory' => ['/api/users'];
+
+        yield 'smb share browse' => ['/api/share/browse'];
+
+        yield 'smb share status' => ['/api/share/status'];
+
+        yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
+    }
+
     public function testClientUserCanListOwnClientTickets(): void
     {
         $client = self::createClient();