fix(config-service): make /config/user-system anonymous so INACTIVE users can read inviteOnly

[aicam]

What changes were proposed in this PR?

#5305 moved GET /config/user-system from @PermitAll to
@RolesAllowed("REGULAR", "ADMIN"). A freshly-registered user is INACTIVE
until admin approval, so they cannot reach @RolesAllowed endpoints — the
request returns 403, inviteOnly is left undefined on the frontend, the
registration-request form never appears, and no admin notification email is
sent. In invite-only deployments, new sign-ups are silently dropped.

This PR restores @PermitAll on /config/user-system. The endpoint exposes
only the non-sensitive boolean inviteOnly flag, which is specifically needed
before activation.

Any related issues, documentation, discussions?

Resolves #5587

How was this PR tested?

• Added ConfigResourceAuthSpec cases: /config/user-system returns 200
  anonymously, exposes exactly the inviteOnly key, and still returns 200 with
  a valid Bearer token.
• Manually on an invite-only deployment: a fresh INACTIVE registration receives
  inviteOnly: true, the registration-request form appears, and the admin
  notification email is sent.

The following picture shows the modal opened after applying this fix to one of our deployments

Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Claude Opus 4.8)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.68%. Comparing base (ad10b7f) to head (7e89653).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5572      +/-   ##
============================================
- Coverage     52.32%   51.68%   -0.64%     
+ Complexity     2484     2423      -61     
============================================
  Files          1068     1057      -11     
  Lines         41353    41036     -317     
  Branches       4441     4413      -28     
============================================
- Hits          21639    21211     -428     
- Misses        18444    18580     +136     
+ Partials       1270     1245      -25     

Flag	Coverage Δ		*Carryforward flag
access-control-service	64.61% <ø> (ø)
agent-service	33.76% <ø> (ø)		Carriedforward from 749798d
amber	52.23% <ø> (-1.08%)	⬇️	Carriedforward from 749798d
computing-unit-managing-service	1.65% <ø> (ø)
config-service	57.97% <ø> (+1.91%)	⬆️
file-service	38.32% <ø> (ø)
frontend	46.35% <ø> (-0.42%)	⬇️	Carriedforward from 749798d
pyamber	90.60% <ø> (-0.12%)	⬇️	Carriedforward from 749798d
python	90.75% <ø> (ø)		Carriedforward from 749798d
workflow-compiling-service	58.69% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bobbai00]

The PR description is not following the PR template. Please fix the PR description.

Also, please create an issue and resolve that issue in this PR.

Since it is related to user experience, please include screenshots of BEFORE & AFTER.

[bobbai00]

@xuang7 I think this needs to be included in the release v1.2 . Can you review it and decide ?

Needs Xuan's input on release

[xuang7]

test @aicam

[Yicong-Huang]

please move needed endpoint (e.g., invite-only config) to pre-login which is exposed to all. don't expose all endpoints just because one of the flag needs to be exposed.