refactor : simplify codebase and fix critical issues

Backend:
- Add MCP Serializer to centralize entity-to-array conversion (~300 lines deduped)
- Fix race condition in task/ticket number generation (SELECT FOR UPDATE + transaction)
- Add unique constraint on task (project_id, number) with migration
- Fix MIME type validation: use server-detected finfo instead of client-supplied type
- Add allowlist of permitted MIME types for uploads
- Fix TaskDocumentDownloadController: allow ROLE_CLIENT access, add priority:1
- Fix notification sent even when ticket status unchanged
- Remove redundant exception constructors
- Simplify services (BookStackApi double fetch, TokenEncryptor, GiteaApi)
- Consolidate duplicate checks in processors

Frontend:
- Fix useApi isHandlingUnauthorized scope (module-level to prevent double 401 redirect)
- Fix client-tickets toast key copy-paste bug
- Merge duplicated tasks service methods (getByProject + getByProjectArchived)
- Extract shared uploadWithRelation helper in task-documents service
- Extract formatFileSize utility from duplicated component code
- Extract status transition logic into useClientTicketHelpers composable
- Remove dead code (unused router, handleLogout, empty script blocks)
- Merge duplicate watchers and onMounted calls
- Normalize arrow functions to function declarations per convention

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/State/ClientTicketStatusProcessor.php

@@ -35,18 +35,21 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
 
         $originalData = $context['previous_data'] ?? null;
 
-        // ROLE_CLIENT: can only edit content fields, not status
-        if (!$this->security->isGranted('ROLE_ADMIN') && $originalData instanceof ClientTicket) {
-            $data->setStatus($originalData->getStatus());
-            $data->setStatusComment($originalData->getStatusComment());
-        }
+        $statusChanged = false;
 
         if ($originalData instanceof ClientTicket) {
+            // ROLE_CLIENT: can only edit content fields, not status
+            if (!$this->security->isGranted('ROLE_ADMIN')) {
+                $data->setStatus($originalData->getStatus());
+                $data->setStatusComment($originalData->getStatusComment());
+            }
+
             $oldStatus = $originalData->getStatus();
             $newStatus = $data->getStatus();
 
             if ($oldStatus !== $newStatus) {
-                $forbidden = self::FORBIDDEN_TRANSITIONS[$oldStatus] ?? [];
+                $statusChanged = true;
+                $forbidden     = self::FORBIDDEN_TRANSITIONS[$oldStatus] ?? [];
                 if (in_array($newStatus, $forbidden, true)) {
                     throw new BadRequestHttpException(sprintf('Transition from "%s" to "%s" is not allowed.', $oldStatus, $newStatus));
                 }
@@ -62,7 +65,9 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
         $this->entityManager->persist($data);
         $this->entityManager->flush();
 
-        $this->notificationService->createForStatusChange($data);
+        if ($statusChanged) {
+            $this->notificationService->createForStatusChange($data);
+        }
 
         return $data;
     }