This repository was archived by the owner on May 29, 2026. It is now read-only.

ADR-023: wire requireAction() into remaining 17 controllers #311

@rubenvdlinde

ADR-023 action authorization — wire remaining controllers

The ADR-023 reference landed in #310: ActionAuthService + InitializeActions + full 74-action seed + admin matrix UI (get/set endpoints under #[AuthorizedAdminSetting] + ActionAuthMatrix.vue), with requireAction() wired into the 2 biggest controllers (DashboardApiController + WidgetApiController). gate-7 dropped 74 → 47.

This issue tracks wiring the remaining 17 controllers (47 methods) to the same pattern:

  • governance/shared mutations → $this->actionAuth->requireAction($user, '<domain>.<verb>')
  • reads + personal-preference writes → authentication null-check only (data RBAC via OpenRegister scopes them)

Action keys are already seeded in lib/actions.seed.json (default ["admin"]); the admin matrix UI already lists them.

Remaining controllers (finding counts)

| Controller | Methods |
| --- | --- |
| DashboardTranslationApiController | 6 |
| MetadataAdminController | 5 |
| TileApiController | 4 |
| RuleApiController | 4 |
| DashboardVersionApiController | 4 |
| DashboardReactionApiController | 4 |
| AnalyticsController | 4 |
| ResourceServeController | 2 |
| ResourceController | 2 |
| DashboardMetadataController | 2 |
| DashboardLockApiController | 2 |
| DashboardCommentsApiController | 2 |
| AdminOrgNavigationController | 2 |
| TemplateController | 1 |
| PeopleWidgetController | 1 |
| ManifestController | 1 |
| AdminController | 1 |

Done when gate-7 (no-admin-idor) is green across all mydash controllers. Note: MetadataAdminController/AdminOrgNavigationController/AdminController may be better expressed as #[AuthorizedAdminSetting] (true admin tools) than via the action matrix — decide per ADR-023 Rule 3 when wiring.
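
The two-tier pattern described in the issue, as an added sketch that is not code from the mydash repository: a shared mutation goes through `requireAction()`, while a read only checks that a user is present. Only the call shape `requireAction($user, '<domain>.<verb>')` and the `["admin"]` default come from the issue; the stand-in classes, the hypothetical `ExampleTileController`, the action key `tile.delete`, the key-to-groups seed shape and the fail-closed handling of unseeded keys are assumptions.

```php
<?php
// Stand-in types for illustration only (assumptions, not the mydash classes). PHP 8.1+.
final class ForbiddenException extends RuntimeException {}

final class User {
    public function __construct(public readonly string $uid, public readonly array $groups) {}
}

final class ActionAuthService {
    // $matrix: action key => list of allowed group ids (assumed seed shape).
    public function __construct(private array $matrix) {}

    public function requireAction(?User $user, string $action): void {
        if ($user === null) {
            throw new ForbiddenException('not authenticated');
        }
        // Fail closed: an action key missing from the matrix is allowed for nobody.
        $allowed = $this->matrix[$action] ?? [];
        if (array_intersect($allowed, $user->groups) === []) {
            throw new ForbiddenException("action $action denied");
        }
    }
}

final class ExampleTileController {
    public function __construct(private ActionAuthService $actionAuth, private ?User $user) {}

    // Governance/shared mutation: gated on the action matrix.
    public function destroy(int $id): string {
        $this->actionAuth->requireAction($this->user, 'tile.delete');
        return "deleted tile $id";
    }

    // Read: authentication null-check only; data-level scoping happens elsewhere.
    public function index(): string {
        if ($this->user === null) {
            throw new ForbiddenException('not authenticated');
        }
        return "tiles visible to {$this->user->uid}";
    }
}

// Constructed seed entry and constructed users.
$auth = new ActionAuthService(json_decode('{"tile.delete": ["admin"]}', true));
foreach ([new User('alice', ['admin']), new User('bob', ['users']), null] as $u) {
    $c = new ExampleTileController($auth, $u);
    foreach (['index', 'destroy'] as $m) {
        try { $out = $m === 'destroy' ? $c->destroy(7) : $c->index(); }
        catch (ForbiddenException $e) { $out = '403 ' . $e->getMessage(); }
        echo $u?->uid ?? 'anon', " $m: $out\n";
    }
}
```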
