feat(auth): add ROLE_ARCHETYPE_EDITOR_MANAGER for delegated role management

[jbourdin]

Description

Add a new ROLE_ARCHETYPE_EDITOR_MANAGER role that inherits ROLE_ARCHETYPE_EDITOR and can grant/revoke the ROLE_ARCHETYPE_EDITOR role to other users, without needing full ROLE_ADMIN access.

Motivation

Currently only ROLE_ADMIN can grant roles (via AdminUserController at /admin/users/{id}/roles). As the archetype editor team grows, it's useful to have a "team lead" who can onboard new editors without involving a full admin.

Current state

• Role hierarchy in config/packages/security.yaml:

  ROLE_ARCHETYPE_EDITOR: ROLE_USER
  ROLE_ADMIN: [ROLE_ORGANIZER, ROLE_CMS_EDITOR, ROLE_ARCHETYPE_EDITOR, ROLE_TECHNICAL_ADMIN]

• Roles stored as JSON array on User.roles (src/Entity/User.php)
• Role management UI at /admin/users/{id}/roles (admin-only, AdminUserController)
• ROLE_ARCHETYPE_EDITOR used across ~15 files (controllers, templates, security config)

Implementation considerations

• Add ROLE_ARCHETYPE_EDITOR_MANAGER: ROLE_ARCHETYPE_EDITOR to the role hierarchy
• Build a dedicated UI — likely a "Team" or "Editors" page under /admin/archetypes so the manager stays in their familiar admin space
• List users with ROLE_ARCHETYPE_EDITOR, allow toggling the role on/off for other users
• Only ROLE_ADMIN should be able to grant ROLE_ARCHETYPE_EDITOR_MANAGER itself

Open questions

• Should managers also be able to promote editors to managers? Or only ROLE_ADMIN?
• Should the UI live under /admin/archetypes/editors or extend the existing /admin/users page?
• Should there be an audit log of role changes made by managers?

Feature reference

Related to docs/features.md F1.4 — Role-based access control