fix(security) : add role checks on Gitea API resources and all MCP tools

- GiteaBranch, GiteaBranchName, GiteaPullRequest: require ROLE_USER
- All 22 MCP tools: require ROLE_USER (ROLE_ADMIN for users/clients listing)

Tickets: T-002, T-007

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Mcp/Tool/Reference/ListUsersTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\Reference;
 
 use App\Repository\UserRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-users', description: 'List all users with their IDs and usernames. Use this to discover valid user IDs for assignee or time entry parameters.')]
 class ListUsersTool
 {
     public function __construct(
         private readonly UserRepository $userRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
         $users = $this->userRepository->findBy([], ['username' => 'ASC']);
 
         return json_encode(array_map(fn ($user) => [