feat(documents): gate /incomplete behind WRITE_ALL permission

Only users who can enrich documents should see the queue.
Mirrors the frontend guard in enrich/+page.server.ts and closes the
CWE-285 gap Nora flagged on issue #296.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java

@@ -199,6 +199,7 @@ public class DocumentController {
     }
 
     @GetMapping("/incomplete")
+    @RequirePermission(Permission.WRITE_ALL)
     public List<IncompleteDocumentDTO> getIncomplete(
             @Parameter(description = "Maximum number of results (server caps at 200)")
             @RequestParam(defaultValue = "50") int size) {

backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java

@@ -414,6 +414,13 @@ class DocumentControllerTest {
                 .andExpect(jsonPath("$[0].uploadedAt").exists());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void getIncomplete_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(get("/api/documents/incomplete"))
+                .andExpect(status().isForbidden());
+    }
+
     // ─── GET /api/documents/incomplete/next ──────────────────────────────────
 
     @Test