test(commercial) : tests PHPUnit M2 fournisseurs (matrice RG + contrat sérialisation + DoD JSON réel) (ERP-92)

Suite fonctionnelle M2 assertant sur le CORPS JSON (jamais les annotations),
jumelle de la suite clients M1 :
- contrat de sérialisation : 4 régressions M1 re-testées (RIB gaté absent pour
  Commerciale, booléens triageProvider/isArchived présents, embed
  categories[].code/name, embed sites[].name/postalCode objet) + enveloppe AP4
  (member/totalItems/view, archivés exclus) + suppression du contact inline ;
- matrice RBAC réelle (app:seed-rbac) bureau/compta/commerciale/usine 200/403,
  gating accounting par omission de clé, mode strict PATCH (RG-2.16) ;
- RG-2.03/2.04/2.05/2.06/2.07/2.08/2.09/2.10/2.11/2.12/2.14/2.15/2.17 ;
- sous-ressources contacts/adresses/ribs (CRUD, sécurité, normalisation) ;
- anti N+1 liste (compte de requêtes constant), audit Supplier + RIB iban/bic.

Fix de contrat découvert et corrigé (sinon DoD figée sur un contrat faux) :
les référentiels comptables (TvaMode/PaymentType/PaymentDelay/Bank) ne portaient
que le groupe client:read:accounting (M1) → sur un fournisseur ils sortaient en
IRI nu. Ajout de supplier:read:accounting → objet {id, code, label} embarqué.

makefile : test-db-setup recrée l'index partiel uq_supplier_company_name_active
(droppé par schema:update comme pour le client) — oubli M2.

DoD § 4.0.bis : réponses JSON RÉELLES (liste + détail admin/commerciale) collées,
capturées via SupplierSerializationContractTest.

tests/Module/Commercial/Api/SupplierAuditTest.php

@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Commercial\Api;
+
+use Doctrine\DBAL\Connection;
+
+/**
+ * Tests Audit du repertoire fournisseurs (M2, spec § 6). Couvre :
+ *  - POST / PATCH / archivage -> ligne audit_log entity_type='commercial.Supplier'
+ *    avec l'action et le diff attendus ;
+ *  - RIB : `#[Auditable]` SANS `#[AuditIgnore]` sur iban/bic -> ces champs sensibles
+ *    DOIVENT apparaitre dans le diff audite (decision § 2.7, miroir M1).
+ *
+ * @internal
+ */
+final class SupplierAuditTest extends AbstractSupplierApiTestCase
+{
+    private const string SUPPLIER_TYPE = 'commercial.Supplier';
+    private const string RIB_TYPE      = 'commercial.SupplierRib';
+
+    private ?Connection $auditConnection = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        self::bootKernel();
+
+        /** @var Connection $conn */
+        $conn                  = self::getContainer()->get('doctrine.dbal.audit_connection');
+        $this->auditConnection = $conn;
+    }
+
+    protected function tearDown(): void
+    {
+        if (null !== $this->auditConnection) {
+            $this->auditConnection->close();
+        }
+        parent::tearDown();
+    }
+
+    public function testPostSupplierIsAudited(): void
+    {
+        $admin = $this->createAdminClient();
+        $cat   = $this->supplierCategory('NEGOCIANT');
+
+        $created = $admin->request('POST', '/api/suppliers', [
+            'headers' => ['Content-Type' => self::LD],
+            'json'    => [
+                'companyName' => 'Audit Created Co',
+                'categories'  => ['/api/categories/'.$cat->getId()],
+            ],
+        ])->toArray();
+        self::assertResponseStatusCodeSame(201);
+
+        self::assertGreaterThanOrEqual(
+            1,
+            $this->countAudit(self::SUPPLIER_TYPE, (string) $created['id'], 'create'),
+            'Un audit_log "create" doit etre genere pour le fournisseur.',
+        );
+    }
+
+    public function testPatchSupplierIsAudited(): void
+    {
+        $admin = $this->createAdminClient();
+        $seed  = $this->seedSupplier('Audit Patch Co');
+
+        $admin->request('PATCH', '/api/suppliers/'.$seed->getId(), [
+            'headers' => ['Content-Type' => self::MERGE],
+            'json'    => ['companyName' => 'Audit Patch Renamed'],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+
+        self::assertGreaterThanOrEqual(
+            1,
+            $this->countAudit(self::SUPPLIER_TYPE, (string) $seed->getId(), 'update'),
+            'Un audit_log "update" doit etre genere pour le PATCH.',
+        );
+    }
+
+    public function testArchiveSupplierIsAudited(): void
+    {
+        $admin = $this->createAdminClient();
+        $seed  = $this->seedSupplier('Audit Archive Co');
+
+        $admin->request('PATCH', '/api/suppliers/'.$seed->getId(), [
+            'headers' => ['Content-Type' => self::MERGE],
+            'json'    => ['isArchived' => true],
+        ]);
+        self::assertResponseStatusCodeSame(200);
+
+        $rows = $this->auditConnection->fetchAllAssociative(
+            'SELECT changes FROM audit_log WHERE entity_type = :type AND entity_id = :id AND action = :action ORDER BY performed_at DESC',
+            ['type' => self::SUPPLIER_TYPE, 'id' => (string) $seed->getId(), 'action' => 'update'],
+        );
+        self::assertGreaterThanOrEqual(1, count($rows));
+
+        /** @var array<string, mixed> $changes */
+        $changes = json_decode((string) $rows[0]['changes'], true, flags: JSON_THROW_ON_ERROR);
+        self::assertArrayHasKey('isArchived', $changes, 'Le diff d\'archivage doit tracer isArchived.');
+    }
+
+    public function testRibCreateAuditIncludesIbanAndBic(): void
+    {
+        $admin = $this->createAdminClient();
+        $seed  = $this->seedSupplier('Rib Audit Host');
+
+        $rib = $admin->request('POST', '/api/suppliers/'.$seed->getId().'/ribs', [
+            'headers' => ['Content-Type' => self::LD],
+            'json'    => [
+                'label' => 'Compte audite',
+                'bic'   => self::VALID_BIC,
+                'iban'  => self::VALID_IBAN,
+            ],
+        ])->toArray();
+        self::assertResponseStatusCodeSame(201);
+
+        $rows = $this->auditConnection->fetchAllAssociative(
+            'SELECT changes FROM audit_log WHERE entity_type = :type AND entity_id = :id AND action = :action ORDER BY performed_at DESC',
+            ['type' => self::RIB_TYPE, 'id' => (string) $rib['id'], 'action' => 'create'],
+        );
+        self::assertGreaterThanOrEqual(1, count($rows), 'Un audit_log "create" doit etre genere pour le RIB.');
+
+        /** @var array<string, mixed> $changes */
+        $changes = json_decode((string) $rows[0]['changes'], true, flags: JSON_THROW_ON_ERROR);
+        self::assertArrayHasKey('iban', $changes, 'iban doit figurer dans le diff audite (pas d\'AuditIgnore).');
+        self::assertArrayHasKey('bic', $changes, 'bic doit figurer dans le diff audite (pas d\'AuditIgnore).');
+        self::assertSame(self::VALID_IBAN, $changes['iban']);
+        self::assertSame(self::VALID_BIC, $changes['bic']);
+    }
+
+    private function countAudit(string $type, string $id, string $action): int
+    {
+        return (int) $this->auditConnection->fetchOne(
+            'SELECT COUNT(*) FROM audit_log WHERE entity_type = :type AND entity_id = :id AND action = :action',
+            ['type' => $type, 'id' => $id, 'action' => $action],
+        );
+    }
+}