fix(security) : add role checks on Gitea API resources and all MCP tools

- GiteaBranch, GiteaBranchName, GiteaPullRequest: require ROLE_USER
- All 22 MCP tools: require ROLE_USER (ROLE_ADMIN for users/clients listing)

Tickets: T-002, T-007

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/ApiResource/GiteaPullRequest.php

@@ -15,6 +15,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             uriTemplate: '/tasks/{taskId}/gitea/pull-requests',
             normalizationContext: ['groups' => ['gitea_pr:read']],
             provider: GiteaPullRequestProvider::class,
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]