fix(api): fetch plugin metadata via permission-scoped processing endpoint

[albanm]

Add GET /api/v1/processings/:id/plugin, which returns a processing's plugin registry metadata. The endpoint checks the caller's permission on the processing (admin/exec/read), then fetches the artefact from the private registry as the processing owner — so a user holding only an individual permission inherits the owner's plugin access without needing their own registry grant. The UI now reads plugin metadata (cards + detail page) through this endpoint instead of calling /registry directly.

Why: a user can be granted an individual read/exec permission on a processing they don't own; requiring their own registry grant to view the plugin broke that case. Permission on the processing should transitively cover its plugin metadata.

Regression risks:

• usePluginFetch now takes a processingId instead of a pluginId and its module-level fetch cache is re-keyed accordingly; the only caller (processing-card.vue) is updated.
• Plugin metadata now flows through the processings API (extra hop, fetched as owner) rather than a direct same-origin /registry call. The creation/picker flows (new.vue, processings-actions.vue) intentionally keep the direct /registry list call.
• Registry 403/404 are translated to French messages and passed through (UI shows its "plugin broken" banner); any other registry failure becomes 502.