fix: restrict last_check file perms + add useAuth to architecture docs

- Use write_restricted() for auth/last_check file (consistent 0600)
- Add useAuth hook to the hooks table in docs/architecture.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/architecture.md

@@ -39,7 +39,7 @@ simpl-resultat/
 │   │   ├── shared/               # 6 composants réutilisables
 │   │   └── transactions/         # 5 composants
 │   ├── contexts/                 # ProfileContext (état global profil)
-│   ├── hooks/                    # 13 hooks custom (useReducer)
+│   ├── hooks/                    # 14 hooks custom (useReducer)
 │   ├── pages/                    # 10 pages
 │   ├── services/                 # 14 services métier
 │   ├── shared/                   # Types et constantes partagés
@@ -151,6 +151,7 @@ Chaque hook encapsule la logique d'état via `useReducer` :
 | `useTheme` | Thème clair/sombre |
 | `useUpdater` | Mise à jour de l'application (gated par entitlement licence) |
 | `useLicense` | État de la licence et entitlements |
+| `useAuth` | Authentification Compte Maximus (OAuth2 PKCE, subscription status) |
 
 ## Commandes Tauri (25)
 

src-tauri/src/commands/auth_commands.rs

@@ -340,13 +340,13 @@ pub async fn check_subscription_status(
     match refresh_auth_token(app.clone()).await {
         Ok(account) => {
             // Update last check timestamp
-            let _ = fs::write(&last_check_path, now.to_string());
+            let _ = write_restricted(&last_check_path, &now.to_string());
             Ok(Some(account))
         }
         Err(_) => {
             // Network error or expired session — graceful degradation.
             // Still update the timestamp to avoid hammering on every launch.
-            let _ = fs::write(&last_check_path, now.to_string());
+            let _ = write_restricted(&last_check_path, &now.to_string());
             get_account_info(app)
         }
     }