feat(commercial) : RBAC fournisseurs (permissions + 3 sources + seed par rôle + sécurité référentiels) (ERP-90) (#69)

ERP-90 — Étape 3/7 M2 fournisseurs (stack sur ERP-89).

## Périmètre
- **5 permissions** `commercial.suppliers.*` (view / manage / accounting.view / accounting.manage / archive) dans `CommercialModule::permissions()`.
- **3 sources RBAC synchronisées** (règle ABSOLUE n°8, même commit) :
  - `config/sidebar.php` — item `/suppliers` + `commercial.suppliers.view`
  - `frontend/tests/e2e/_fixtures/personas.ts` — persona `user-full`
  - `SeedE2ECommand.php` — miroir back
- **Assignation par rôle** dans `RbacSeeder::MATRIX` (§ 2.9, idempotent) :
  - Bureau : view + manage
  - Compta : view + accounting.view + accounting.manage
  - Commerciale : view + manage
  - Usine : aucune
  - archive : Admin seul
- **Sécurité des référentiels** (`tva_modes` / `payment_delays` / `payment_types` / `banks`) élargie : `view client OR view fournisseur` (§ 4.7).

## Vérifications
- `app:sync-permissions` (+5) et `app:seed-rbac --with-demo-users` (idempotent) OK
- `make test` : 499 tests verts
- `make php-cs-fixer-allow-risky` : 0 fix
- `make nuxt-test` : 234 tests verts

---------

Co-authored-by: Matthieu <contact@malio.fr>
Reviewed-on: #69
Co-authored-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Co-committed-by: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>

src/Module/Commercial/Domain/Entity/Bank.php

@@ -25,7 +25,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
     operations: [
         new GetCollection(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['bank:read']],
             // Tri par defaut spec M1 § 4.7 : position ASC puis label ASC.
             order: ['position' => 'ASC', 'label' => 'ASC'],
@@ -33,11 +33,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
             paginationClientEnabled: true,
         ),
         new Get(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['bank:read']],
         ),
     ],
-    security: "is_granted('commercial.clients.view')",
+    security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
 )]
 #[ORM\Entity(repositoryClass: DoctrineBankRepository::class)]
 #[ORM\Table(name: 'bank')]

src/Module/Commercial/Domain/Entity/PaymentDelay.php

@@ -25,7 +25,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
     operations: [
         new GetCollection(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['payment_delay:read']],
             // Tri par defaut spec M1 § 4.7 : position ASC puis label ASC.
             order: ['position' => 'ASC', 'label' => 'ASC'],
@@ -33,11 +33,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
             paginationClientEnabled: true,
         ),
         new Get(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['payment_delay:read']],
         ),
     ],
-    security: "is_granted('commercial.clients.view')",
+    security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
 )]
 #[ORM\Entity(repositoryClass: DoctrinePaymentDelayRepository::class)]
 #[ORM\Table(name: 'payment_delay')]

src/Module/Commercial/Domain/Entity/PaymentType.php

@@ -28,7 +28,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
     operations: [
         new GetCollection(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['payment_type:read']],
             // Tri par defaut spec M1 § 4.7 : position ASC puis label ASC.
             order: ['position' => 'ASC', 'label' => 'ASC'],
@@ -36,11 +36,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
             paginationClientEnabled: true,
         ),
         new Get(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['payment_type:read']],
         ),
     ],
-    security: "is_granted('commercial.clients.view')",
+    security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
 )]
 #[ORM\Entity(repositoryClass: DoctrinePaymentTypeRepository::class)]
 #[ORM\Table(name: 'payment_type')]

src/Module/Commercial/Domain/Entity/TvaMode.php

@@ -17,7 +17,8 @@ use Symfony\Component\Serializer\Attribute\Groups;
  * re-seede en dev/test par CommercialReferentialFixtures.
  *
  * Lecture seule au M1 (HP-M2-2) : seules GetCollection et Get sont exposees
- * (ERP-56), sous la permission commercial.clients.view ; aucune ecriture
+ * (ERP-56), sous la permission commercial.clients.view (elargie aux roles
+ * fournisseurs au M2 via commercial.suppliers.view, ERP-90) ; aucune ecriture
  * declaree -> POST/PATCH/DELETE renvoient 405.
  *
  * Referentiel statique : pas de Timestampable/Blamable (whiteliste dans
@@ -28,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
     operations: [
         new GetCollection(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['tva_mode:read']],
             // Tri par defaut spec M1 § 4.7 : position ASC puis label ASC
             // (ordre des selecteurs comptables) — provider Doctrine par defaut.
@@ -39,11 +40,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
             paginationClientEnabled: true,
         ),
         new Get(
-            security: "is_granted('commercial.clients.view')",
+            security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
             normalizationContext: ['groups' => ['tva_mode:read']],
         ),
     ],
-    security: "is_granted('commercial.clients.view')",
+    security: "is_granted('commercial.clients.view') or is_granted('commercial.suppliers.view')",
 )]
 #[ORM\Entity(repositoryClass: DoctrineTvaModeRepository::class)]
 #[ORM\Table(name: 'tva_mode')]