[CLAUDE] Fix: ApprovalWorkflowsV2 GET allowed for any authenticated user — Drafter picks workflow when creating PE
All checks were successful
Deploy SOLUTION_ERP / build-deploy (push) Successful in 3m14s
Bug UAT 2026-05-08: user Drafter (nv.test) logs in to Workspace to create form B, and the "Quy trình duyệt" (Approval workflow) dropdown is silently empty. Sample seed B ran correctly (Designer as admin shows the sample + clone v02 active) but Workspace is empty.

Root cause: class-level [Authorize(Policy = "Workflows.Read")] → non-admin role gets 403 Forbidden on GET /api/approval-workflows-v2. TanStack Query catches the error silently → dropdown empty with no warning.

Fix:
- Class-level [Authorize] only (any authenticated)
- GET inherits class policy (Drafter needs to list workflows to pick one — read-only)
- POST + DELETE keep [Authorize(Policy = "Workflows.Create")] — admin-only Designer

Workflow data is not sensitive — it is only process configuration. Validation that ApplicableType matches PE.Type already exists in the Create command.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ -7,11 +7,15 @@ namespace SolutionErp.Api.Controllers;
|
||||
|
||||
// Quy trình duyệt MỚI (Mig 22 — Session 17, 2026-05-08).
|
||||
// Schema riêng để UAT, KHÔNG đụng WorkflowDefinition cũ.
|
||||
// Reuse policy "Workflows.Read"/"Workflows.Create" giống PE/Contract designer
|
||||
// — admin đã có quyền quản lý workflow nói chung.
|
||||
// Authorization split:
|
||||
// - GET Overview: chỉ cần authenticated — Drafter cần list workflow để pick
|
||||
// lúc create PE/HĐ (read-only, không expose business data nhạy cảm).
|
||||
// - POST/DELETE: policy "Workflows.Create" — admin-only Designer.
|
||||
// Bug fix 2026-05-08: trước class-level "Workflows.Read" → Drafter 403 →
|
||||
// Workspace dropdown empty silent (không thấy sample workflow đã seed).
|
||||
[ApiController]
|
||||
[Route("api/approval-workflows-v2")]
|
||||
[Authorize(Policy = "Workflows.Read")]
|
||||
[Authorize]
|
||||
public class ApprovalWorkflowsV2Controller(IMediator mediator) : ControllerBase
|
||||
{
|
||||
[HttpGet]
|
||||
|
||||
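Review bot: With bare [Authorize] at class level, every action on ApprovalWorkflowsV2Controller now defaults to "any authenticated user", while the new comment justifies that only for "GET Overview". The POST and DELETE attributes are outside the visible lines, so please confirm that each mutating action carries [Authorize(Policy = "Workflows.Create")], and that any other GET on this controller (a detail endpoint, for example) is meant to be open as well. A later action added without its own attribute will inherit the open default, so it is worth saying that in the header comment and adding an integration test that a Drafter account gets 200 on the list GET and 403 on POST and DELETE.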