feat(documents): retrofit WRITE_ALL guard on /incomplete-count + /incomplete/next

Closes the CWE-285 gap Nora flagged on issue #296: both endpoints expose
enrichment-queue information that only writers should see. Brings them in
line with the new /incomplete list endpoint and every other write-path
under DocumentController.

Frontend callers (/enrich/[id]/+page.server.ts) already gate on WRITE_ALL
at the route level, so no client-side change is needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java

@@ -194,6 +194,7 @@ public class DocumentController {
     }
 
     @GetMapping("/incomplete-count")
+    @RequirePermission(Permission.WRITE_ALL)
     public Map<String, Long> getIncompleteCount() {
         return Map.of("count", documentService.getIncompleteCount());
     }
@@ -207,6 +208,7 @@ public class DocumentController {
     }
 
     @GetMapping("/incomplete/next")
+    @RequirePermission(Permission.WRITE_ALL)
     public ResponseEntity<Document> getNextIncomplete(@RequestParam UUID excludeId) {
         return documentService.findNextIncompleteDocument(excludeId)
                 .map(ResponseEntity::ok)