Security: add missing class-level [Authorize] on ReleaseNotesController and KioskController

ReleaseNotesController had [Authorize] only on Index(), leaving the class
unprotected at declaration level — any future unannotated action would be
publicly accessible.

KioskController had no class-level auth, meaning PushSmsConsent() and
CancelSmsConsent() (staff-only POST actions) were reachable by anonymous
callers. [AllowAnonymous] on the existing tablet/intake actions still
overrides correctly, so the customer-facing kiosk flow is unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-13 21:44:59 -04:00
parent aeec899cf2
commit 9c1beab49e
2 changed files with 2 additions and 1 deletions
@@ -26,6 +26,7 @@ namespace PowderCoating.Web.Controllers;
/// When creating new Customer or Job records from the kiosk, CompanyId is set explicitly
/// from session.CompanyId so the EF SaveChanges interceptor doesn't override it with 0.
/// </summary>
[Authorize]
public class KioskController : Controller
{
private const string CookieName = "KioskDevice";
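Review bot: the bare `[Authorize]` added above `public class KioskController` only requires an authenticated principal; it does not restrict `PushSmsConsent()` and `CancelSmsConsent()` to staff, which the commit message says they are meant to be. Consider `[Authorize(Roles = "...")]` or a named policy on those two POST actions (or on the class), and confirm each customer-facing tablet/intake action in this file actually carries `[AllowAnonymous]`, since those actions are outside this hunk and the claim that the kiosk flow is unaffected rests on them. The `KioskDevice` cookie visible here identifies the device, not a user, so it will not satisfy `[Authorize]` on its own; an integration test that an anonymous POST to the two consent actions now returns 401/403 (and that the intake actions still return 200) would pin this down.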
@@ -16,6 +16,7 @@ namespace PowderCoating.Web.Controllers;
/// SuperAdmins because only platform staff should author release content.
/// </para>
/// </summary>
[Authorize]
public class ReleaseNotesController : Controller
{
private readonly IUnitOfWork _unitOfWork;
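Review bot: the summary comment directly above the new attribute says authoring is limited to SuperAdmins "because only platform staff should author release content", but `[Authorize]` with no role or policy admits any signed-in user. Either the create/edit actions (not shown in this hunk) already carry a SuperAdmin constraint, in which case a one-line remark in the summary would prevent a future reader from assuming the class attribute is the enforcement point, or the constraint should be added here, e.g. `[Authorize(Roles = "SuperAdmin")]` on the authoring actions, leaving the class-level attribute as the authenticated baseline for `Index()`.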
@@ -34,7 +35,6 @@ public class ReleaseNotesController : Controller
/// newest-first. Drafts are invisible to ordinary users so SuperAdmins can
/// prepare notes in advance without surfacing them prematurely.
/// </summary>
[Authorize]
public async Task<IActionResult> Index()
{
var notes = (await _unitOfWork.ReleaseNotes.FindAsync(r => r.IsPublished))
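Review bot: removing `[Authorize]` from `Index()` is correct now that the class carries it, and the `r => r.IsPublished` filter still keeps drafts out of the listing as the comment describes. Worth double-checking that no other action in this controller previously relied on being the only unannotated one to remain public; with the class-level attribute in place, any such action now requires sign-in and would need an explicit `[AllowAnonymous]`.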