fix(security) : add role checks on Gitea API resources and all MCP tools

- GiteaBranch, GiteaBranchName, GiteaPullRequest: require ROLE_USER
- All 22 MCP tools: require ROLE_USER (ROLE_ADMIN for users/clients listing)

Tickets: T-002, T-007

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php

@@ -16,6 +16,8 @@ use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -30,6 +32,7 @@ class CreateTimeEntryTool
         private readonly TaskTagRepository $taskTagRepository,
         private readonly TimeEntryRepository $timeEntryRepository,
         private readonly ClientTicketRepository $clientTicketRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -43,6 +46,10 @@ class CreateTimeEntryTool
         ?string $description = null,
         ?int $clientTicketId = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $user = $this->userRepository->find($userId);
         if (null === $user) {
             throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));