Secure /ma-commande URLs with accessToken to prevent brute force

- Add accessToken (32 hex chars) to BilletBuyer, generated at creation
- URLs now: /ma-commande/{orderNumber}/{token} and /ma-commande/{orderNumber}/{token}/billet/{ref}
- Both orderNumber AND token must match to access order page
- Token is random, unpredictable, unique per order
- Migration generates tokens for existing rows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Serreau Jovann
2026-03-21 16:48:24 +01:00
parent a18e6d4414
commit efe7f75994
7 changed files with 48 additions and 10 deletions
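The two properties the commit message relies on, a token that cannot be guessed and a lookup that requires both orderNumber and token to match, as an added example in PHP. This is not the project's code: the class, method and array names (OrderAccess, generateToken, resolve, the in-memory $orders map standing in for the BilletBuyer repository) are assumptions for the demo, as is the sample data.

```php
<?php
// Added example, not code from the repository. Demonstrates:
//  1. generating a 32-hex-char access token from the OS CSPRNG, and
//  2. resolving /ma-commande/{orderNumber}/{token} so that BOTH parts must
//     match, with the token compared in constant time.
// OrderAccess, generateToken(), resolve() and the $orders array are
// hypothetical stand-ins for the project's entity/repository API.
declare(strict_types=1);

final class OrderAccess
{
    /**
     * 16 bytes from random_bytes() (the OS CSPRNG), hex-encoded to 32 chars.
     * That is 128 bits of entropy per order; enumerating it online is
     * infeasible, which is what removes the brute-force risk of a bare
     * orderNumber in the URL.
     */
    public static function generateToken(): string
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Resolve an order page request. Returns the order on success, null when
     * the orderNumber is unknown, the token is malformed, or the token does
     * not belong to that order. The controller should map null to a single
     * 404 so that a valid orderNumber with a wrong token is indistinguishable
     * from a non-existent order.
     *
     * @param array<string, array{accessToken: string, reference: string}> $orders
     *        constructed in-memory stand-in for a repository lookup
     */
    public static function resolve(array $orders, string $orderNumber, string $token): ?array
    {
        // Cheap shape check first: exactly 32 lowercase hex chars.
        if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
            return null;
        }

        $order = $orders[$orderNumber] ?? null;
        if ($order === null) {
            return null;
        }

        // hash_equals() runs in time independent of how many leading bytes
        // match, so response timing leaks nothing about the stored token.
        if (!hash_equals($order['accessToken'], $token)) {
            return null;
        }

        return $order;
    }
}

// Constructed sample data: two orders, each with its own fresh token.
$orders = [
    'CMD-0001' => ['accessToken' => OrderAccess::generateToken(), 'reference' => 'ETICKET-AAAA-BBBB-CCCC'],
    'CMD-0002' => ['accessToken' => OrderAccess::generateToken(), 'reference' => 'ETICKET-DDDD-EEEE-FFFF'],
];

$check = static function (bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
};

$good       = OrderAccess::resolve($orders, 'CMD-0001', $orders['CMD-0001']['accessToken']);
$wrongToken = OrderAccess::resolve($orders, 'CMD-0001', $orders['CMD-0002']['accessToken']); // valid token, wrong order
$wrongOrder = OrderAccess::resolve($orders, 'CMD-9999', $orders['CMD-0001']['accessToken']); // unknown orderNumber
$malformed  = OrderAccess::resolve($orders, 'CMD-0001', str_repeat('g', 32));                 // right length, not hex

$check($good !== null && $good['reference'] === 'ETICKET-AAAA-BBBB-CCCC', 'matching pair resolves');
$check($wrongToken === null, 'another order\'s token is rejected');
$check($wrongOrder === null, 'unknown orderNumber is rejected');
$check($malformed === null, 'non-hex token is rejected');
$check($orders['CMD-0001']['accessToken'] !== $orders['CMD-0002']['accessToken'], 'tokens differ per order');
echo "ok\n";
```

The token here is stored and compared in clear, which matches what the test hunk below checks (a 32-character value returned by getAccessToken()). If the table is ever exposed by a read-only leak, the tokens in it are directly usable; storing a hash of the token and comparing hash_equals(hash('sha256', $token), $stored) would close that, at the cost of no longer being able to print the original URL from the database later.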


@@ -26,6 +26,7 @@ class BilletBuyerTest extends TestCase
self::assertNull($buyer->getStripeSessionId());
self::assertNull($buyer->getPaidAt());
self::assertMatchesRegularExpression('/^ETICKET-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/', $buyer->getReference());
self::assertSame(32, \strlen($buyer->getAccessToken()));
self::assertInstanceOf(\DateTimeImmutable::class, $buyer->getCreatedAt());
self::assertCount(0, $buyer->getItems());
}
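Review bot: the added assertion `self::assertSame(32, \strlen($buyer->getAccessToken()));` only pins the length, so a token of 32 spaces, or the same constant for every buyer, would pass while the commit message promises "32 hex chars" that are "random, unpredictable, unique per order". Mirror the reference check on the line above with `self::assertMatchesRegularExpression('/^[0-9a-f]{32}$/', $buyer->getAccessToken());` (adjust the case to whatever the generator emits), and construct a second BilletBuyer in the test to `assertNotSame()` the two tokens; that second assertion is the only cheap guard against a generator that is accidentally hardcoded or seeded. The hunk also does not show that the token is non-null before the `\strlen()` call, which under strict_types would throw a TypeError rather than fail the assertion, so an explicit `assertIsString()` or `assertNotNull()` first would make the failure mode readable.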