Release/v1.0.0 finalize

[MarkADom]

Summary

This PR merges the release/v1.0.0-finalize branch into develop.
It consolidates architectural alignment, authorization hardening, performance fixes, and release posture preparation before tagging the first stable version.
This is a structural stabilization step, not the final public release tag.

Key Changes

Domain & Authorization

Canonical membership model alignment
Repository-driven authorization checks
Removal of in-memory permission validation
404 concealment for non-participants
Chat history contextual authorization fix

Performance

Critical N+1 removals
Fetch strategy improvements
Reduced lazy traversal overhead in list endpoints

Configuration

Hardened release profile (ddl-auto=validate)
Dev/release profile separation
Actuator exposure tightened

Testing

Expanded service and domain test coverage
Security behavior validated
Clean database validation workflow confirmed

Type of change

• feat
• fix
• refactor
• docs
• test
• ci

Validation

• I ran local checks
• I included commands/results below

Commands run:

./gradlew clean build
./gradlew bootRun --args='--spring.profiles.active=dev'
./gradlew bootRun   # validate mode

Docs impact

• No docs change needed
• Updated README/docs
• Updated API tests (Bruno)

Security impact

• No security impact
• Security-relevant change explained below

Repository-based authorization
404 concealment
Chat contextual hardening
Release config hardening

[sonarqubecloud]

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
89.2% Coverage on New Code
0.1% Duplication on New Code

See analysis details on SonarQube Cloud