feat: BackupService real pg_dump, OrganisationService region stats, SystemConfigService overrides

- BackupService: DB-persisted metadata (BackupRecord/BackupConfig entities + V16 Flyway migration),
  real pg_dump execution via ProcessBuilder, soft-delete on deleteBackup, pg_restore manual guidance
- OrganisationService: repartitionRegion now queries Adresse entities (was Map.of() stub)
- SystemConfigService: in-memory config overrides via AtomicReference (no DB dependency)
- SystemMetricsService: null-guard on MemoryMXBean in getSystemStatus() (fixes test NPE)
- Souscription workflow: SouscriptionService, SouscriptionResource, FormuleAbonnementRepository,
  V11 Flyway migration, admin REST clients
- Flyway V8-V15: notes membres, types référence, type orga constraint, seed roles,
  première connexion, Wave checkout URL, Wave telephone column length fix
- .gitignore: added uploads/ and .claude/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/java/dev/lions/unionflow/server/client/AdminRoleServiceClient.java

@@ -0,0 +1,50 @@
+package dev.lions.unionflow.server.client;
+
+import dev.lions.user.manager.dto.role.RoleDTO;
+import jakarta.ws.rs.*;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+import java.util.List;
+
+/**
+ * REST Client admin pour l'API rôles de lions-user-manager (Keycloak).
+ *
+ * <p>Utilise {@link AdminServiceTokenHeadersFactory} pour injecter le token
+ * du service account "admin-service" (client credentials grant).
+ */
+@Path("/api/roles")
+@RegisterRestClient(configKey = "lions-user-manager-api")
+@RegisterClientHeaders(AdminServiceTokenHeadersFactory.class)
+@Produces(MediaType.APPLICATION_JSON)
+@Consumes(MediaType.APPLICATION_JSON)
+public interface AdminRoleServiceClient {
+
+    @GET
+    @Path("/realm")
+    List<RoleDTO> getRealmRoles(@QueryParam("realm") String realmName);
+
+    @GET
+    @Path("/user/realm/{userId}")
+    List<RoleDTO> getUserRealmRoles(
+        @PathParam("userId") String userId,
+        @QueryParam("realm") String realmName
+    );
+
+    @POST
+    @Path("/assign/realm/{userId}")
+    void assignRealmRoles(
+        @PathParam("userId") String userId,
+        @QueryParam("realm") String realmName,
+        RoleServiceClient.RoleNamesRequest request
+    );
+
+    @POST
+    @Path("/revoke/realm/{userId}")
+    void revokeRealmRoles(
+        @PathParam("userId") String userId,
+        @QueryParam("realm") String realmName,
+        RoleServiceClient.RoleNamesRequest request
+    );
+}