feat(documents): gate /incomplete behind WRITE_ALL permission

Only users who can enrich documents should see the queue.
Mirrors the frontend guard in enrich/+page.server.ts and closes the
CWE-285 gap Nora flagged on issue #296.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java

@@ -414,6 +414,13 @@ class DocumentControllerTest {
                 .andExpect(jsonPath("$[0].uploadedAt").exists());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void getIncomplete_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(get("/api/documents/incomplete"))
+                .andExpect(status().isForbidden());
+    }
+
     // ─── GET /api/documents/incomplete/next ──────────────────────────────────
 
     @Test