feat(sprint-8 web 2026-04-25): pages PrimeFaces conformité (compliance dashboard + rapports trimestriels + PI-SPI readiness)

Front-end web JSF/PrimeFaces pour exposer les features backend Sprints 3, 5, 7 aux compliance officers et controleurs internes.

DTOs locaux (miroirs JSON, @JsonIgnoreProperties)
- ComplianceSnapshotDto + ConformiteIndicateurDto (P1-NEW-7)
- RapportTrimestrielDto + helpers estDraft/estSigne/estArchive (P2-NEW-3)
- PispiReadinessDto + CheckResultDto + helpers estReady/estBlocked (P1-NEW-15)

REST clients @RegisterRestClient configKey=unionflow-api
- ComplianceDashboardRestClient : getSnapshotCurrent + getSnapshotOf(orgId)
- RapportTrimestrielRestClient : lister, generer, signer, archiver, telechargerPdf
- PispiReadinessRestClient : getReadiness
- AuthHeaderFactory propage le token OIDC

Beans @ViewScoped
- ConformiteDashboardBean : init + rafraichir + couleurScore + hasAlertes
- RapportsTrimestrielsBean : lister, genererRapport, signerSelection, archiverSelection, telechargerPdf via ExternalContext
- PispiReadinessBean : rafraichir + gestion HTTP 503 BLOCKED + couleurStatus + couleurCheck

Pages XHTML PrimeFaces (template main-template.xhtml, classes Freya)
- /pages/secure/conformite/dashboard.xhtml — score global + 9 indicateurs en grille + alertes
- /pages/secure/conformite/rapports-trimestriels.xhtml — table DRAFT/SIGNE/ARCHIVE + bouton générer/signer/archiver/PDF
- /pages/secure/admin/pispi-readiness.xhtml — 8 checks + blocages/warnings dédiés + statut global

Tests (21/21 verts, JUnit5 natif puisque AssertJ non transitif)
- ConformiteDashboardBeanTest : 9 tests (couleur score success/warning/danger/secondary, hasAlertes 5 cas)
- PispiReadinessBeanTest : 8 tests (couleurStatus READY/DEGRADED/BLOCKED/null, couleurCheck PASS/FAIL × severity, DTO helpers)
- RapportTrimestrielDtoTest : 4 tests (estDraft/estSigne/estArchive/inconnu)

src/main/java/dev/lions/unionflow/client/service/ComplianceDashboardRestClient.java

@@ -0,0 +1,30 @@
+package dev.lions.unionflow.client.service;
+
+import dev.lions.unionflow.client.api.dto.ComplianceSnapshotDto;
+import dev.lions.unionflow.client.security.AuthHeaderFactory;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import java.util.UUID;
+import org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterRestClient(configKey = "unionflow-api")
+@RegisterClientHeaders(AuthHeaderFactory.class)
+@Path("/api/compliance/dashboard")
+@Consumes(MediaType.APPLICATION_JSON)
+@Produces(MediaType.APPLICATION_JSON)
+public interface ComplianceDashboardRestClient {
+
+  /** Snapshot pour l'organisation active (résolue par le backend via header X-Active-Organisation-Id). */
+  @GET
+  ComplianceSnapshotDto getSnapshotCurrent();
+
+  /** Snapshot d'une organisation arbitraire — restreint SUPER_ADMIN backend. */
+  @GET
+  @Path("/{organisationId}")
+  ComplianceSnapshotDto getSnapshotOf(@PathParam("organisationId") UUID organisationId);
+}

src/main/java/dev/lions/unionflow/client/service/PispiReadinessRestClient.java

@@ -0,0 +1,22 @@
+package dev.lions.unionflow.client.service;
+
+import dev.lions.unionflow.client.api.dto.PispiReadinessDto;
+import dev.lions.unionflow.client.security.AuthHeaderFactory;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterRestClient(configKey = "unionflow-api")
+@RegisterClientHeaders(AuthHeaderFactory.class)
+@Path("/api/admin/pispi/readiness")
+@Consumes(MediaType.APPLICATION_JSON)
+@Produces(MediaType.APPLICATION_JSON)
+public interface PispiReadinessRestClient {
+
+  @GET
+  PispiReadinessDto getReadiness();
+}

src/main/java/dev/lions/unionflow/client/service/RapportTrimestrielRestClient.java

@@ -0,0 +1,51 @@
+package dev.lions.unionflow.client.service;
+
+import dev.lions.unionflow.client.api.dto.RapportTrimestrielDto;
+import dev.lions.unionflow.client.security.AuthHeaderFactory;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import java.util.List;
+import java.util.UUID;
+import org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterRestClient(configKey = "unionflow-api")
+@RegisterClientHeaders(AuthHeaderFactory.class)
+@Path("/api/rapports/trimestriel")
+@Consumes(MediaType.APPLICATION_JSON)
+@Produces(MediaType.APPLICATION_JSON)
+public interface RapportTrimestrielRestClient {
+
+  @GET
+  List<RapportTrimestrielDto> lister(
+      @QueryParam("orgId") UUID orgId,
+      @QueryParam("annee") Integer annee);
+
+  @POST
+  @Path("/generer")
+  RapportTrimestrielDto generer(
+      @QueryParam("orgId") UUID orgId,
+      @QueryParam("annee") int annee,
+      @QueryParam("trimestre") int trimestre);
+
+  @POST
+  @Path("/{id}/signer")
+  RapportTrimestrielDto signer(
+      @PathParam("id") UUID id,
+      @QueryParam("signataireId") UUID signataireId);
+
+  @POST
+  @Path("/{id}/archiver")
+  RapportTrimestrielDto archiver(@PathParam("id") UUID id);
+
+  @GET
+  @Path("/{id}/pdf")
+  @Produces("application/pdf")
+  byte[] telechargerPdf(@PathParam("id") UUID id);
+}