feat(core) : RBAC - filtrage sidebar par permission

Les items sidebar peuvent declarer une cle `permission` optionnelle.
Le SidebarProvider verifie isGranted() et masque les items dont
l'utilisateur ne possede pas la permission requise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

config/sidebar.php

@@ -8,6 +8,8 @@ declare(strict_types=1);
  * This file defines the sidebar sections displayed in the frontend.
  * Each item references the module that owns it via the `module` key.
  * Items whose module is not active (see config/modules.php) are filtered out.
+ * Items may also declare a `permission` key (RBAC permission code) : the item
+ * is hidden from users who do not hold that permission.
  *
  * This config is decoupled from the modules themselves: you can freely
  * move an item from one section to another without touching the module code.
@@ -33,16 +35,18 @@ return [
                 'module' => 'core',
             ],
             [
-                'label'  => 'sidebar.core.roles',
-                'to'     => '/admin/roles',
-                'icon'   => 'mdi:shield-account-outline',
-                'module' => 'core',
+                'label'      => 'sidebar.core.roles',
+                'to'         => '/admin/roles',
+                'icon'       => 'mdi:shield-account-outline',
+                'module'     => 'core',
+                'permission' => 'core.roles.view',
             ],
             [
-                'label'  => 'sidebar.core.users',
-                'to'     => '/admin/users',
-                'icon'   => 'mdi:account-group-outline',
-                'module' => 'core',
+                'label'      => 'sidebar.core.users',
+                'to'         => '/admin/users',
+                'icon'       => 'mdi:account-group-outline',
+                'module'     => 'core',
+                'permission' => 'core.users.view',
             ],
             [
                 'label'  => 'sidebar.general.logout',