feat(documents) : filesystem storage, server-side pagination and PDF compression

- Add DocumentStorageService for file-based storage (replaces Base64 in DB)
- Add DocumentServeController with /file and /download endpoints
- Add DocumentUploadProcessor using FormData + filesystem storage
- Add DocumentNormalizer exposing fileUrl/downloadUrl on all responses
- Add DocumentFileCleanupListener for automatic file deletion
- Add MigrateDocumentsToFilesystemCommand (Base64 → files, memory-safe)
- Add ApiFilter (SearchFilter, ExistsFilter, OrderFilter) on Document entity
- Add PdfCompressorService + refactor CompressPdfCommand for batch processing
- Fix TypeMachine PUT: deserialize=false + validate=false to prevent
  UniqueEntity false positive and writableLink collection interference
- Update CHANGELOG for v1.8.0
- Update frontend submodule

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -1,15 +1,51 @@
 # Changelog
 
-Liste des évolutions du projet inventory
+## [1.8.0] - 2026-03-03
 
-## [0.0.0]
-### Parameters
-Ajouter dans le fichier .env
-- DEFAULT_URI
-- DATABASE_URL
+### Ajouts
+- **Stockage documents sur disque** : les documents sont desormais stockes en fichiers sur le systeme de fichiers au lieu de Base64 en base de donnees. Les endpoints `/api/documents/{id}/file` et `/api/documents/{id}/download` servent les fichiers directement.
+- **Commande de migration** `app:migrate-documents-to-filesystem` : migre les documents existants (Base64 → fichiers) avec dry-run, batch-size et limit.
+- **Pagination serveur sur la page Documents** : recherche, tri (date/nom/taille), filtre par rattachement (site/machine/composant/piece/produit), selecteur par page (20/50/100).
+- **Compression PDF automatique** : les documents PDF uploades sont compresses automatiquement via Ghostscript. Commande `app:compress-pdf` pour compresser les PDFs existants.
+- **Nettoyage automatique des fichiers** : suppression du fichier sur disque lors de la suppression d'un document.
+- **Champ description** sur les entites Piece et Composant, visible dans les catalogues avec popover au survol.
 
-### Added
+### Corrections
+- Fix normalisation des documents : `fileUrl` et `downloadUrl` toujours exposes dans l'API (meme sans `path` dans le groupe de serialisation).
+- Fix recursion infinie dans `DocumentNormalizer` (`getSupportedTypes` retourne `false` pour desactiver le cache).
+- Fix edition de squelettes machines : `deserialize: false` + `validate: false` sur le PUT pour eviter le conflit UniqueEntity et l'interference du deserialiseur avec les collections writableLink.
+- Fix sites : ajout operation PATCH et correction migration contrainte.
+- Retrocompatibilite : le controleur de service gere transparentement les anciens documents Base64 et les nouveaux fichiers.
 
-### Changed
+### Migration requise
+```bash
+docker compose exec php php bin/console doctrine:migrations:migrate
+docker compose exec php php bin/console app:migrate-documents-to-filesystem
+```
 
-### Fixed
+## [1.7.0] - 2026-03-02
+
+### Ajouts
+- **Systeme de commentaires / tickets** : les utilisateurs peuvent laisser des commentaires sur les fiches (machines, pieces, composants, produits, categories, squelettes). Les gestionnaires peuvent les resoudre.
+- **Page commentaires** (`/comments`) : vue centralisee avec filtres (statut, type d'entite), pagination et liens cliquables vers les fiches.
+- **Badge notifications** : compteur de commentaires ouverts sur l'avatar utilisateur et dans le menu profil (polling 60s).
+- **Controle d'acces par roles** : ROLE_ADMIN, ROLE_GESTIONNAIRE, ROLE_VIEWER avec permissions granulaires sur toutes les pages.
+- **Badge de role** dans le dropdown du profil utilisateur.
+- **Journal d'audit etendu** : audit logging sur machines, constructeurs, types de modeles, documents et conversions.
+- **Commande `app:init-profile-passwords`** : initialisation en masse des mots de passe et roles.
+
+### Corrections
+- Toggle switch pour les champs personnalises booleens (remplace les checkboxes).
+- Recherche constructeur : filtrage cote client au lieu d'appels API debounce.
+- Prevention des doublons de noms de constructeurs et de references de pieces (contraintes unique).
+- Fix creation de squelettes machines : pagination, duplication, champs personnalises.
+
+### Migration requise
+```bash
+docker compose exec php php bin/console doctrine:migrations:migrate
+docker compose exec php php bin/console app:init-profile-passwords
+```
+
+## [1.6.0] - 2026-02-xx
+
+- Version initiale avec gestion du parc machines, pieces, composants, produits et categories.

CLAUDE.md

@@ -0,0 +1,168 @@
+# CLAUDE.md — Inventory Project
+
+## Project Overview
+
+Application de gestion d'inventaire industriel (machines, pièces, composants, produits).
+Mono-repo avec backend Symfony et frontend Nuxt en submodule git.
+
+## Stack
+
+| Layer | Tech | Version |
+|-------|------|---------|
+| Backend | Symfony + API Platform | 8.0 / ^4.2 |
+| PHP | PHP | >=8.4 |
+| Database | PostgreSQL | 16 |
+| Frontend | Nuxt (SPA, SSR off) | 4 |
+| UI | Vue 3 Composition API + TypeScript | 3.5 / 5.7 |
+| CSS | TailwindCSS 4 + DaisyUI 5 | |
+| Auth | Session-based (cookies, pas JWT) | |
+| Containers | Docker Compose | |
+
+## Project Structure
+
+```
+Inventory/                      # Backend Symfony (repo principal)
+├── src/Entity/                 # Entités Doctrine (annotations PHP 8 attributes)
+├── src/Controller/             # Controllers custom (session, comments, audit…)
+├── src/EventSubscriber/        # Audit subscribers (onFlush)
+├── config/                     # Config Symfony
+├── migrations/                 # Migrations Doctrine (raw SQL PostgreSQL)
+├── docker/                     # Dockerfile + .env.docker
+├── scripts/                    # release.sh, normalize-dump.py
+├── fixtures/                   # SQL fixtures
+├── tests/                      # PHPUnit
+├── pre-commit, commit-msg      # Git hooks
+├── makefile                    # Commandes Docker/dev
+├── VERSION                     # Source unique de version (semver)
+├── Inventory_frontend/         # ← SUBMODULE GIT (repo séparé)
+│   ├── app/pages/              # Pages Nuxt (file-based routing)
+│   ├── app/components/         # Composants Vue (auto-imported)
+│   ├── app/composables/        # Composables Vue
+│   ├── app/shared/             # Types, utils, validation
+│   ├── app/middleware/          # Auth middleware global
+│   └── app/services/           # Service layer (wrappers useApi)
+```
+
+## Key Commands
+
+```bash
+# Docker
+make start                    # Démarrer les containers
+make stop                     # Arrêter
+make shell                    # Shell dans le container PHP
+make install                  # Install complet (composer + npm + build)
+
+# Backend
+make test                     # PHPUnit
+docker compose exec php vendor/bin/php-cs-fixer fix   # Linter PHP
+docker compose exec php php bin/console doctrine:migrations:migrate
+
+# Frontend (dans Inventory_frontend/)
+npm run dev                   # Dev server (port 3001)
+npm run build                 # Build production
+npm run lint:fix              # ESLint fix
+npx nuxi typecheck            # TypeScript check (0 errors attendu)
+
+# Release
+./scripts/release.sh patch    # Bump patch version (ou minor/major)
+```
+
+## Git Conventions
+
+### Branches
+- `master` — production
+- `develop` — branche principale de dev (cible des PR)
+- `feat/xxx`, `fix/xxx`, `refactor/xxx` — branches de travail
+
+### Commit Message Format (enforced by hook)
+```
+<type>(<scope optionnel>) : <message>
+```
+**Espace obligatoire autour du `:`**. Types autorisés (minuscules) :
+`build`, `chore`, `ci`, `docs`, `feat`, `fix`, `perf`, `refactor`, `revert`, `style`, `test`, `wip`
+
+Exemples :
+- `feat(auth) : add login page`
+- `fix(machines) : prevent null crash on skeleton creation`
+
+### Pre-commit Hook
+1. php-cs-fixer sur les fichiers PHP stagés
+2. PHPUnit — bloque le commit si tests échouent
+
+### Submodule Workflow
+Le frontend est un submodule git. Lors d'un commit frontend :
+1. Commit dans `Inventory_frontend/` d'abord
+2. Commit dans le repo principal pour mettre à jour le pointeur submodule
+3. Push les deux repos
+
+## Architecture Backend
+
+### Entités Principales
+`Machine`, `Piece`, `Composant`, `Product`, `Constructeur`, `Site`, `TypeMachine`, `ModelType`, `CustomField`, `CustomFieldValue`, `Document`, `AuditLog`, `Comment`, `Profile`
+
+### Patterns
+- **IDs** : CUID-like strings (`'cl' + bin2hex(random_bytes(12))`), pas d'auto-increment
+- **ORM** : Attributs PHP 8 (`#[ORM\Column(...)]`, `#[Groups([...])]`)
+- **Lifecycle** : `#[ORM\HasLifecycleCallbacks]` avec `PrePersist`/`PreUpdate` pour `createdAt`/`updatedAt`
+- **Sécurité** : `security: "is_granted('ROLE_...')"` sur chaque opération API Platform
+- **Audit** : Subscribers Doctrine `onFlush` capturent diff + snapshot complet
+- **Migrations** : Raw SQL PostgreSQL avec `IF NOT EXISTS`/`IF EXISTS` pour idempotence
+
+### Rôles (hiérarchie)
+```
+ROLE_ADMIN → ROLE_GESTIONNAIRE → ROLE_VIEWER → ROLE_USER
+```
+
+### PostgreSQL — ATTENTION
+- Les noms de colonnes sont **TOUJOURS EN MINUSCULES** dans PG
+- Doctrine utilise camelCase (`typePieceId`) mais PG stocke `typepieceid`
+- Le SQL brut doit utiliser les noms lowercase
+- Tables de jointure many-to-many : colonnes `a` et `b` (ex: `_piececonstructeurs`)
+
+## Architecture Frontend
+
+### Patterns
+- **Composables** : `interface Deps { ... }` + `export function useXxx(deps: Deps)`
+- **Communication composants** : Props + Events uniquement (pas de provide/inject)
+- **API** : `useApi.ts` wraps fetch avec `credentials: 'include'` pour les cookies session
+- **Content-Type** : `application/ld+json` pour POST/PUT, `application/merge-patch+json` pour PATCH
+- **Auth** : `useProfileSession` + middleware global `profile.global.ts`
+- **Permissions** : `usePermissions.ts` miroir de la hiérarchie backend côté client
+- **Auto-imports** : Nuxt auto-importe composants (`components/`) et composables (`composables/`)
+
+### DaisyUI Classes
+- Input : `input input-bordered input-sm md:input-md`
+- Textarea : `textarea textarea-bordered textarea-sm md:textarea-md`
+- Select : `select select-bordered select-sm md:select-md`
+- Button : `btn btn-sm md:btn-md btn-primary`
+
+## Règles Importantes
+
+### Toujours faire AVANT de modifier du code
+1. **Lire le fichier** avant de l'éditer — ne jamais proposer de changements sur du code non lu
+2. **Comprendre le pattern existant** — reproduire le style du fichier (noms, indentation, structure)
+3. **Vérifier les deux repos** — un changement peut impacter backend ET frontend
+
+### Après chaque modification
+1. Backend PHP : `docker compose exec php vendor/bin/php-cs-fixer fix`
+2. Frontend : `npm run lint:fix` puis `npx nuxi typecheck` si fichiers TS modifiés
+
+### Ne jamais faire
+- Ajouter des features non demandées, du code mort, ou des abstractions prématurées
+- Utiliser `provide/inject` — le codebase utilise Props + Events
+- Utiliser JWT/tokens — l'auth est session-based
+- Écrire du SQL avec des noms camelCase — PostgreSQL = lowercase
+- Committer sans que l'utilisateur le demande explicitement
+- Force push sans confirmation explicite
+- Modifier la config git
+
+### Submodule — Synchronisation
+Quand les branches `master` et `develop` divergent sur l'un des deux repos, **toujours les synchroniser** :
+- Main repo : `git checkout master && git merge develop && git push`
+- Frontend : `git checkout develop && git merge master && git push` (ou l'inverse selon le cas)
+
+## URLs Locales
+- API Symfony : `http://localhost:8081/api`
+- Nuxt dev : `http://localhost:3001`
+- Adminer (PG) : `http://localhost:5050`
+- PG direct : `localhost:5433` (user: root, pass: root, db: inventory)

VERSION

@@ -1 +1 @@
-1.6.2
+1.7.0

config/packages/security.yaml

@@ -29,33 +29,36 @@ security:
                 success_handler: lexik_jwt_authentication.handler.authentication_success
                 failure_handler: lexik_jwt_authentication.handler.authentication_failure
 
-        session_profile:
-            pattern: ^/api/session
-            stateless: false
-
-        session_api:
-            pattern: ^/api/(sites|machines|documents|profiles)
-            stateless: false
+        session_public:
+            pattern: ^/api/session/profiles?$
+            security: false
 
         api:
             pattern: ^/api
-            stateless: false
+            stateless: true
+            custom_authenticators:
+                - App\Security\SessionProfileAuthenticator
 
         main:
             lazy: true
             provider: app_user_provider
 
+    role_hierarchy:
+        ROLE_ADMIN: ROLE_GESTIONNAIRE
+        ROLE_GESTIONNAIRE: ROLE_VIEWER
+        ROLE_VIEWER: ROLE_USER
+
     # Note: Only the *first* matching rule is applied
     access_control:
-        - { path: ^/api/session/profile, roles: PUBLIC_ACCESS }
-        - { path: ^/api/session/profiles, roles: PUBLIC_ACCESS }
-        - { path: ^/api, roles: PUBLIC_ACCESS }
+        - { path: ^/api/session/profile$, roles: PUBLIC_ACCESS }
+        - { path: ^/api/session/profiles, roles: PUBLIC_ACCESS, methods: [GET] }
+        - { path: ^/api/admin, roles: ROLE_ADMIN }
         - { path: ^/api/docs, roles: PUBLIC_ACCESS }
         - { path: ^/api/test, roles: PUBLIC_ACCESS }
         - { path: ^/docs, roles: PUBLIC_ACCESS }
         - { path: ^/contexts, roles: PUBLIC_ACCESS }
         - { path: ^/\.well-known, roles: PUBLIC_ACCESS }
-        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
+        - { path: ^/api, roles: ROLE_VIEWER }
 
 when@test:
     security:

migrations/Version20260302103003.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260302103003 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Create comments table + make piece reference unique instead of name';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // Comments table (IF NOT EXISTS in case first attempt partially succeeded)
+        $this->addSql('CREATE TABLE IF NOT EXISTS comments (id VARCHAR(36) NOT NULL, content TEXT NOT NULL, entity_type VARCHAR(50) NOT NULL, entity_id VARCHAR(36) NOT NULL, entity_name VARCHAR(255) DEFAULT NULL, author_id VARCHAR(36) NOT NULL, author_name VARCHAR(255) NOT NULL, status VARCHAR(20) NOT NULL, resolved_by_id VARCHAR(36) DEFAULT NULL, resolved_by_name VARCHAR(255) DEFAULT NULL, resolved_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IF NOT EXISTS idx_comment_entity_status ON comments (entity_type, entity_id, status)');
+        $this->addSql('COMMENT ON COLUMN comments.resolved_at IS \'(DC2Type:datetime_immutable)\'');
+        $this->addSql('COMMENT ON COLUMN comments.created_at IS \'(DC2Type:datetime_immutable)\'');
+        $this->addSql('COMMENT ON COLUMN comments.updated_at IS \'(DC2Type:datetime_immutable)\'');
+
+        // Piece: remove unique constraint on name (it's a constraint, not just an index)
+        $this->addSql('ALTER TABLE pieces DROP CONSTRAINT IF EXISTS uniq_b92d74725e237e06');
+
+        // Deduplicate piece references before adding unique constraint
+        $this->addSql("
+            UPDATE pieces p
+            SET reference = p.reference || '-' || LEFT(p.id, 6)
+            FROM (
+                SELECT id, reference,
+                       ROW_NUMBER() OVER (PARTITION BY reference ORDER BY createdat) AS rn
+                FROM pieces
+                WHERE reference IS NOT NULL AND reference != ''
+            ) dup
+            WHERE p.id = dup.id AND dup.rn > 1
+        ");
+
+        $this->addSql('CREATE UNIQUE INDEX IF NOT EXISTS uniq_pieces_reference ON pieces (reference)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE IF EXISTS comments');
+        $this->addSql('DROP INDEX IF EXISTS uniq_pieces_reference');
+        $this->addSql('CREATE UNIQUE INDEX uniq_b92d74725e237e06 ON pieces (name)');
+    }
+}

migrations/Version20260302120000.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260302120000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add description column to pieces and composants tables';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE pieces ADD COLUMN IF NOT EXISTS description TEXT DEFAULT NULL');
+        $this->addSql('ALTER TABLE composants ADD COLUMN IF NOT EXISTS description TEXT DEFAULT NULL');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE pieces DROP COLUMN IF EXISTS description');
+        $this->addSql('ALTER TABLE composants DROP COLUMN IF EXISTS description');
+    }
+}

src/Command/CompressPdfCommand.php

@@ -4,7 +4,10 @@ declare(strict_types=1);
 
 namespace App\Command;
 
+use App\Entity\Document;
 use App\Repository\DocumentRepository;
+use App\Service\DocumentStorageService;
+use App\Service\PdfCompressorService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -13,15 +16,20 @@ use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;
 
+use function count;
+use function strlen;
+
 #[AsCommand(
     name: 'app:compress-pdf',
-    description: 'Compress all PDF documents stored in database without quality loss',
+    description: 'Compress all PDF documents without quality loss',
 )]
 class CompressPdfCommand extends Command
 {
     public function __construct(
         private readonly DocumentRepository $documentRepository,
         private readonly EntityManagerInterface $em,
+        private readonly PdfCompressorService $pdfCompressor,
+        private readonly DocumentStorageService $storageService,
     ) {
         parent::__construct();
     }
@@ -61,87 +69,13 @@ class CompressPdfCommand extends Command
         $compressed = 0;
 
         foreach ($documents as $document) {
-            $base64Data = $document->getPath();
+            $path = $document->getPath();
 
-            // Remove data URI prefix if present
-            if (str_contains($base64Data, ',')) {
-                $base64Data = explode(',', $base64Data, 2)[1];
-            }
-
-            $pdfContent = base64_decode($base64Data, true);
-            if (false === $pdfContent) {
-                $io->warning(sprintf('Failed to decode document: %s', $document->getName()));
-
-                continue;
-            }
-
-            $originalSize = strlen($pdfContent);
-
-            if ($dryRun) {
-                $io->text(sprintf(
-                    '  [DRY-RUN] Would compress: %s (%s)',
-                    $document->getName(),
-                    $this->formatBytes($originalSize)
-                ));
-
-                continue;
-            }
-
-            // Create temp files
-            $tempInput  = tempnam(sys_get_temp_dir(), 'pdf_in_');
-            $tempOutput = tempnam(sys_get_temp_dir(), 'pdf_out_');
-
-            file_put_contents($tempInput, $pdfContent);
-
-            // Compress with qpdf (lossless)
-            $command = sprintf(
-                'qpdf --linearize --object-streams=generate %s %s 2>&1',
-                escapeshellarg($tempInput),
-                escapeshellarg($tempOutput)
-            );
-
-            exec($command, $cmdOutput, $returnCode);
-
-            if (0 !== $returnCode || !file_exists($tempOutput)) {
-                $io->warning(sprintf('Failed to compress: %s', $document->getName()));
-                @unlink($tempInput);
-                @unlink($tempOutput);
-
-                continue;
-            }
-
-            $compressedContent = file_get_contents($tempOutput);
-            $compressedSize    = strlen($compressedContent);
-
-            // Only update if we actually saved space
-            if ($compressedSize < $originalSize) {
-                $saved = $originalSize - $compressedSize;
-                $totalSaved += $saved;
-                ++$compressed;
-
-                // Rebuild base64 with data URI prefix
-                $newBase64 = 'data:application/pdf;base64,'.base64_encode($compressedContent);
-                $document->setPath($newBase64);
-                $document->setSize($compressedSize);
-
-                $io->text(sprintf(
-                    '  ✓ %s: %s → %s (-%s, -%.1f%%)',
-                    $document->getName(),
-                    $this->formatBytes($originalSize),
-                    $this->formatBytes($compressedSize),
-                    $this->formatBytes($saved),
-                    ($saved / $originalSize) * 100
-                ));
+            if ($this->storageService->isBase64DataUri($path)) {
+                $this->compressBase64Document($document, $path, $dryRun, $io, $totalSaved, $compressed);
             } else {
-                $io->text(sprintf(
-                    '  - %s: Already optimal (%s)',
-                    $document->getName(),
-                    $this->formatBytes($originalSize)
-                ));
+                $this->compressFileDocument($document, $path, $dryRun, $io, $totalSaved, $compressed);
             }
-
-            @unlink($tempInput);
-            @unlink($tempOutput);
         }
 
         if (!$dryRun && $compressed > 0) {
@@ -161,6 +95,115 @@ class CompressPdfCommand extends Command
         return Command::SUCCESS;
     }
 
+    private function compressBase64Document(
+        Document $document,
+        string $path,
+        bool $dryRun,
+        SymfonyStyle $io,
+        int &$totalSaved,
+        int &$compressed,
+    ): void {
+        $base64Data = $path;
+        if (str_contains($base64Data, ',')) {
+            $base64Data = explode(',', $base64Data, 2)[1];
+        }
+
+        $pdfContent = base64_decode($base64Data, true);
+        if (false === $pdfContent) {
+            $io->warning(sprintf('Failed to decode document: %s', $document->getName()));
+
+            return;
+        }
+
+        $originalSize = strlen($pdfContent);
+
+        if ($dryRun) {
+            $io->text(sprintf(
+                '  [DRY-RUN] Would compress (base64): %s (%s)',
+                $document->getName(),
+                $this->formatBytes($originalSize)
+            ));
+
+            return;
+        }
+
+        $result = $this->pdfCompressor->compressBase64Pdf($path);
+        if (null !== $result) {
+            $document->setPath($result['path']);
+            $document->setSize($result['size']);
+            $totalSaved += $result['saved'];
+            ++$compressed;
+
+            $io->text(sprintf(
+                '  OK %s: %s → %s (-%s, -%.1f%%)',
+                $document->getName(),
+                $this->formatBytes($result['originalSize']),
+                $this->formatBytes($result['size']),
+                $this->formatBytes($result['saved']),
+                ($result['saved'] / $result['originalSize']) * 100
+            ));
+        } else {
+            $io->text(sprintf(
+                '  - %s: Already optimal (%s)',
+                $document->getName(),
+                $this->formatBytes($originalSize)
+            ));
+        }
+    }
+
+    private function compressFileDocument(
+        Document $document,
+        string $path,
+        bool $dryRun,
+        SymfonyStyle $io,
+        int &$totalSaved,
+        int &$compressed,
+    ): void {
+        $absolutePath = $this->storageService->getAbsolutePath($path);
+        if (!file_exists($absolutePath)) {
+            $io->warning(sprintf('File not found: %s (%s)', $document->getName(), $path));
+
+            return;
+        }
+
+        $originalSize = filesize($absolutePath);
+        if (false === $originalSize) {
+            return;
+        }
+
+        if ($dryRun) {
+            $io->text(sprintf(
+                '  [DRY-RUN] Would compress (file): %s (%s)',
+                $document->getName(),
+                $this->formatBytes($originalSize)
+            ));
+
+            return;
+        }
+
+        $result = $this->pdfCompressor->compressFile($absolutePath);
+        if (null !== $result) {
+            $document->setSize($result['size']);
+            $totalSaved += $result['saved'];
+            ++$compressed;
+
+            $io->text(sprintf(
+                '  OK %s: %s → %s (-%s, -%.1f%%)',
+                $document->getName(),
+                $this->formatBytes($result['originalSize']),
+                $this->formatBytes($result['size']),
+                $this->formatBytes($result['saved']),
+                ($result['saved'] / $result['originalSize']) * 100
+            ));
+        } else {
+            $io->text(sprintf(
+                '  - %s: Already optimal (%s)',
+                $document->getName(),
+                $this->formatBytes($originalSize)
+            ));
+        }
+    }
+
     private function formatBytes(int $bytes): string
     {
         $units = ['B', 'KB', 'MB', 'GB'];

src/Command/InitProfilePasswordsCommand.php

@@ -0,0 +1,85 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Command;
+
+use App\Repository\ProfileRepository;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+use function count;
+use function in_array;
+
+#[AsCommand(
+    name: 'app:init-profile-passwords',
+    description: 'Initialize all profile passwords to first letter of firstName + "123"',
+)]
+class InitProfilePasswordsCommand extends Command
+{
+    public function __construct(
+        private readonly ProfileRepository $profiles,
+        private readonly EntityManagerInterface $em,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        $all = $this->profiles->findAll();
+
+        if (0 === count($all)) {
+            $io->warning('Aucun profil trouvé.');
+
+            return Command::SUCCESS;
+        }
+
+        // Promote first profile to ROLE_ADMIN if none exists
+        $hasAdmin = false;
+        foreach ($all as $profile) {
+            if (in_array('ROLE_ADMIN', $profile->getRoles(), true)) {
+                $hasAdmin = true;
+
+                break;
+            }
+        }
+
+        $isFirst = true;
+        $count   = 0;
+        foreach ($all as $profile) {
+            // Set password: first letter of firstName + "123"
+            $firstLetter = mb_strtoupper(mb_substr($profile->getFirstName(), 0, 1));
+            $plain       = $firstLetter.'123';
+            $hashed      = $this->passwordHasher->hashPassword($profile, $plain);
+            $profile->setPassword($hashed);
+
+            // Set roles: first profile → ADMIN, others → VIEWER (minimum to use the app)
+            if (!$hasAdmin && $isFirst) {
+                $profile->setRoles(['ROLE_ADMIN']);
+                $io->writeln(sprintf('  %s %s → mdp: %s — ROLE_ADMIN', $profile->getFirstName(), $profile->getLastName(), $plain));
+                $isFirst = false;
+            } elseif (in_array('ROLE_USER', $profile->getRoles(), true) && !in_array('ROLE_VIEWER', $profile->getRoles(), true) && !in_array('ROLE_GESTIONNAIRE', $profile->getRoles(), true) && !in_array('ROLE_ADMIN', $profile->getRoles(), true)) {
+                $profile->setRoles(['ROLE_VIEWER']);
+                $io->writeln(sprintf('  %s %s → mdp: %s — ROLE_VIEWER', $profile->getFirstName(), $profile->getLastName(), $plain));
+            } else {
+                $io->writeln(sprintf('  %s %s → mdp: %s — %s', $profile->getFirstName(), $profile->getLastName(), $plain, implode(', ', $profile->getRoles())));
+            }
+
+            ++$count;
+        }
+
+        $this->em->flush();
+
+        $io->success(sprintf('%d mot(s) de passe initialisé(s).', $count));
+
+        return Command::SUCCESS;
+    }
+}

src/Command/MigrateDocumentsToFilesystemCommand.php

@@ -0,0 +1,218 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Command;
+
+use App\Repository\DocumentRepository;
+use App\Service\DocumentStorageService;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Throwable;
+
+use function count;
+use function strlen;
+
+#[AsCommand(
+    name: 'app:migrate-documents-to-filesystem',
+    description: 'Migrate document storage from Base64 in DB to filesystem',
+)]
+class MigrateDocumentsToFilesystemCommand extends Command
+{
+    public function __construct(
+        private readonly DocumentRepository $documentRepository,
+        private readonly EntityManagerInterface $em,
+        private readonly DocumentStorageService $storageService,
+    ) {
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->addOption('dry-run', null, InputOption::VALUE_NONE, 'Show what would be migrated without making changes')
+            ->addOption('batch-size', null, InputOption::VALUE_REQUIRED, 'Number of documents to process before flushing', '50')
+            ->addOption('limit', null, InputOption::VALUE_REQUIRED, 'Max documents to migrate (for testing)', '0')
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io        = new SymfonyStyle($input, $output);
+        $dryRun    = $input->getOption('dry-run');
+        $batchSize = (int) $input->getOption('batch-size');
+        $limit     = (int) $input->getOption('limit');
+
+        $io->title('Document Storage Migration: Base64 → Filesystem');
+
+        // Verify storage directory is writable
+        $storageDir = $this->storageService->getStorageDir();
+        if (!$dryRun) {
+            if (!is_dir($storageDir)) {
+                mkdir($storageDir, 0o775, true);
+            }
+            if (!is_writable($storageDir)) {
+                $io->error("Storage directory is not writable: {$storageDir}");
+
+                return Command::FAILURE;
+            }
+            $io->text("Storage directory: {$storageDir}");
+        }
+
+        // Step 1: fetch only IDs of Base64 documents (no heavy path column loaded)
+        $conn       = $this->em->getConnection();
+        $ids        = $conn->fetchFirstColumn("SELECT id FROM documents WHERE path LIKE 'data:%'");
+        $total      = count($ids);
+        $migrated   = 0;
+        $skipped    = 0;
+        $errors     = 0;
+        $totalBytes = 0;
+
+        $io->text(sprintf('Found %d documents with Base64 data to migrate', $total));
+
+        if (0 === $total) {
+            $io->success('Nothing to migrate — all documents are already file-based.');
+
+            return Command::SUCCESS;
+        }
+
+        // Step 2: process one document at a time to avoid memory exhaustion
+        foreach ($ids as $index => $docId) {
+            if ($limit > 0 && $migrated >= $limit) {
+                $io->text("Reached limit of {$limit} documents.");
+
+                break;
+            }
+
+            // Fetch single row with raw SQL to keep memory flat
+            $row = $conn->fetchAssociative(
+                'SELECT id, name, filename, path, mimetype, size FROM documents WHERE id = ?',
+                [$docId]
+            );
+
+            if (!$row) {
+                ++$skipped;
+
+                continue;
+            }
+
+            $path = $row['path'];
+            if (!$this->storageService->isBase64DataUri($path)) {
+                ++$skipped;
+
+                continue;
+            }
+
+            $docName  = $row['name'] ?: $row['filename'];
+            $filename = $row['filename'] ?: $row['name'];
+            $mimeType = $row['mimetype'] ?? 'application/octet-stream';
+
+            // Extract binary content from data URI
+            $parts   = explode(',', $path, 2);
+            $base64  = $parts[1] ?? '';
+            $content = base64_decode($base64, true);
+
+            // Free the raw row immediately
+            unset($row, $path, $base64, $parts);
+
+            if (false === $content || '' === $content) {
+                $io->warning(sprintf('[%d/%d] Cannot decode: %s (id: %s)', $index + 1, $total, $docName, $docId));
+                ++$errors;
+
+                continue;
+            }
+
+            $fileSize  = strlen($content);
+            $extension = $this->storageService->extensionFromFilename(
+                $filename ?: ('file.'.$this->storageService->extensionFromMimeType($mimeType))
+            );
+
+            if ($dryRun) {
+                $io->text(sprintf(
+                    '  [DRY-RUN] Would migrate: %s (%s)',
+                    $docName,
+                    $this->formatBytes($fileSize)
+                ));
+                ++$migrated;
+                $totalBytes += $fileSize;
+                unset($content);
+
+                continue;
+            }
+
+            try {
+                $relativePath = $this->storageService->store($content, $docId, $extension);
+                unset($content);
+
+                // Update DB directly — avoid loading entity with huge path
+                $conn->executeStatement(
+                    'UPDATE documents SET path = ?, size = ? WHERE id = ?',
+                    [$relativePath, $fileSize, $docId]
+                );
+
+                ++$migrated;
+                $totalBytes += $fileSize;
+
+                $io->text(sprintf(
+                    '  [OK] %s → %s (%s)',
+                    $docName,
+                    $relativePath,
+                    $this->formatBytes($fileSize)
+                ));
+            } catch (Throwable $e) {
+                unset($content);
+                $io->error(sprintf(
+                    '  [FAIL] %s: %s',
+                    $docName,
+                    $e->getMessage()
+                ));
+                ++$errors;
+
+                continue;
+            }
+
+            if (0 === $migrated % $batchSize) {
+                $io->text(sprintf('  ... %d migrated so far', $migrated));
+            }
+        }
+
+        $io->newLine();
+        $io->table(
+            ['Metric', 'Count'],
+            [
+                ['Total documents', (string) $total],
+                ['Migrated', (string) $migrated],
+                ['Skipped (already file-based)', (string) $skipped],
+                ['Errors', (string) $errors],
+                ['Total bytes written', $this->formatBytes($totalBytes)],
+            ]
+        );
+
+        if ($dryRun) {
+            $io->info('Dry run completed. No changes were made.');
+        } elseif ($errors > 0) {
+            $io->warning(sprintf('Migration completed with %d errors.', $errors));
+        } else {
+            $io->success('Migration completed successfully.');
+        }
+
+        return $errors > 0 ? Command::FAILURE : Command::SUCCESS;
+    }
+
+    private function formatBytes(int $bytes): string
+    {
+        $units = ['B', 'KB', 'MB', 'GB'];
+        $i     = 0;
+        while ($bytes >= 1024 && $i < count($units) - 1) {
+            $bytes /= 1024;
+            ++$i;
+        }
+
+        return round($bytes, 2).' '.$units[$i];
+    }
+}

src/Controller/ActivityLogController.php

@@ -7,11 +7,12 @@ namespace App\Controller;
 use App\Repository\AuditLogRepository;
 use App\Repository\ProfileRepository;
 use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class ActivityLogController
+final class ActivityLogController extends AbstractController
 {
     public function __construct(
         private readonly AuditLogRepository $auditLogs,
@@ -21,6 +22,8 @@ final class ActivityLogController
     #[Route('/api/activity-logs', name: 'api_activity_logs', methods: ['GET'])]
     public function __invoke(Request $request): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $page         = max(1, $request->query->getInt('page', 1));
         $itemsPerPage = min(100, max(1, $request->query->getInt('itemsPerPage', 30)));
 

src/Controller/AdminProfileController.php

@@ -0,0 +1,193 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller;
+
+use App\Entity\Profile;
+use App\Repository\ProfileRepository;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+use Symfony\Component\Routing\Attribute\Route;
+
+use function count;
+use function in_array;
+
+#[Route('/api/admin/profiles')]
+final class AdminProfileController extends AbstractController
+{
+    public function __construct(
+        private readonly ProfileRepository $profiles,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+    ) {}
+
+    #[Route('', name: 'admin_profiles_list', methods: ['GET'])]
+    public function list(): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_ADMIN');
+
+        $items = $this->profiles->findBy([], ['firstName' => 'ASC']);
+
+        return new JsonResponse(array_map([$this, 'serializeProfile'], $items));
+    }
+
+    #[Route('', name: 'admin_profiles_create', methods: ['POST'])]
+    public function create(Request $request): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_ADMIN');
+
+        $payload   = $request->toArray();
+        $firstName = trim((string) ($payload['firstName'] ?? ''));
+        $lastName  = trim((string) ($payload['lastName'] ?? ''));
+
+        if ('' === $firstName || '' === $lastName) {
+            return new JsonResponse(['message' => 'firstName et lastName sont requis.'], JsonResponse::HTTP_BAD_REQUEST);
+        }
+
+        $email    = trim((string) ($payload['email'] ?? ''));
+        $password = $payload['password'] ?? null;
+        $role     = $payload['role'] ?? 'ROLE_VIEWER';
+
+        $allowedRoles = ['ROLE_ADMIN', 'ROLE_GESTIONNAIRE', 'ROLE_VIEWER', 'ROLE_USER'];
+        if (!in_array($role, $allowedRoles, true)) {
+            return new JsonResponse(['message' => 'Role invalide.'], JsonResponse::HTTP_BAD_REQUEST);
+        }
+
+        $profile = new Profile();
+        $profile->setFirstName($firstName);
+        $profile->setLastName($lastName);
+        $profile->setIsActive(true);
+        $profile->setRoles([$role]);
+
+        if ('' !== $email) {
+            $profile->setEmail($email);
+        }
+
+        if (null !== $password && '' !== $password) {
+            $profile->setPassword(
+                $this->passwordHasher->hashPassword($profile, $password)
+            );
+        }
+
+        $this->entityManager->persist($profile);
+        $this->entityManager->flush();
+
+        return new JsonResponse($this->serializeProfile($profile), JsonResponse::HTTP_CREATED);
+    }
+
+    #[Route('/{id}/role', name: 'admin_profiles_update_role', methods: ['PUT'])]
+    public function updateRole(string $id, Request $request): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_ADMIN');
+
+        $profile = $this->profiles->find($id);
+        if (!$profile) {
+            return new JsonResponse(['message' => 'Profil introuvable.'], JsonResponse::HTTP_NOT_FOUND);
+        }
+
+        $payload = $request->toArray();
+        $role    = $payload['role'] ?? null;
+
+        $allowedRoles = ['ROLE_ADMIN', 'ROLE_GESTIONNAIRE', 'ROLE_VIEWER', 'ROLE_USER'];
+        if (!$role || !in_array($role, $allowedRoles, true)) {
+            return new JsonResponse(['message' => 'Role invalide.'], JsonResponse::HTTP_BAD_REQUEST);
+        }
+
+        // Prevent removing the last admin
+        if (in_array('ROLE_ADMIN', $profile->getRoles(), true) && 'ROLE_ADMIN' !== $role) {
+            $adminCount = $this->countAdmins();
+            if ($adminCount <= 1) {
+                return new JsonResponse(
+                    ['message' => 'Impossible de retirer le dernier administrateur.'],
+                    JsonResponse::HTTP_CONFLICT
+                );
+            }
+        }
+
+        $profile->setRoles([$role]);
+        $this->entityManager->flush();
+
+        return new JsonResponse($this->serializeProfile($profile));
+    }
+
+    #[Route('/{id}/password', name: 'admin_profiles_update_password', methods: ['PUT'])]
+    public function updatePassword(string $id, Request $request): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_ADMIN');
+
+        $profile = $this->profiles->find($id);
+        if (!$profile) {
+            return new JsonResponse(['message' => 'Profil introuvable.'], JsonResponse::HTTP_NOT_FOUND);
+        }
+
+        $payload  = $request->toArray();
+        $password = $payload['password'] ?? '';
+
+        if ('' === $password) {
+            return new JsonResponse(['message' => 'Le mot de passe est requis.'], JsonResponse::HTTP_BAD_REQUEST);
+        }
+
+        $profile->setPassword(
+            $this->passwordHasher->hashPassword($profile, $password)
+        );
+        $this->entityManager->flush();
+
+        return new JsonResponse($this->serializeProfile($profile));
+    }
+
+    #[Route('/{id}/deactivate', name: 'admin_profiles_deactivate', methods: ['PUT'])]
+    public function deactivate(string $id): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_ADMIN');
+
+        $profile = $this->profiles->find($id);
+        if (!$profile) {
+            return new JsonResponse(['message' => 'Profil introuvable.'], JsonResponse::HTTP_NOT_FOUND);
+        }
+
+        // Prevent deactivating the last admin
+        if (in_array('ROLE_ADMIN', $profile->getRoles(), true)) {
+            $adminCount = $this->countAdmins();
+            if ($adminCount <= 1) {
+                return new JsonResponse(
+                    ['message' => 'Impossible de desactiver le dernier administrateur.'],
+                    JsonResponse::HTTP_CONFLICT
+                );
+            }
+        }
+
+        $profile->setIsActive(false);
+        $this->entityManager->flush();
+
+        return new JsonResponse($this->serializeProfile($profile));
+    }
+
+    private function serializeProfile(Profile $profile): array
+    {
+        return [
+            'id'          => $profile->getId(),
+            'firstName'   => $profile->getFirstName(),
+            'lastName'    => $profile->getLastName(),
+            'email'       => $profile->getEmail(),
+            'isActive'    => $profile->isActive(),
+            'hasPassword' => null !== $profile->getPassword() && '' !== $profile->getPassword(),
+            'roles'       => $profile->getRoles(),
+            'createdAt'   => $profile->getCreatedAt()->format('c'),
+            'updatedAt'   => $profile->getUpdatedAt()->format('c'),
+        ];
+    }
+
+    private function countAdmins(): int
+    {
+        $all = $this->profiles->findBy(['isActive' => true]);
+
+        return count(array_filter(
+            $all,
+            static fn (Profile $p) => in_array('ROLE_ADMIN', $p->getRoles(), true)
+        ));
+    }
+}

src/Controller/CommentController.php

@@ -0,0 +1,145 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller;
+
+use App\Entity\Comment;
+use App\Repository\ProfileRepository;
+use DateTimeImmutable;
+use DateTimeInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Attribute\Route;
+
+#[Route('/api/comments')]
+final class CommentController extends AbstractController
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly ProfileRepository $profiles,
+    ) {}
+
+    #[Route('', name: 'api_comments_create', methods: ['POST'])]
+    public function create(Request $request): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
+        $session   = $request->getSession();
+        $profileId = $session->get('profileId');
+        if (!$profileId) {
+            return $this->json(['message' => 'Aucun profil actif.'], 401);
+        }
+
+        $profile = $this->profiles->find($profileId);
+        if (!$profile) {
+            return $this->json(['message' => 'Profil introuvable.'], 401);
+        }
+
+        $payload = json_decode($request->getContent(), true);
+        if (!is_array($payload)) {
+            return $this->json(['message' => 'Payload JSON invalide.'], 400);
+        }
+
+        $content    = trim((string) ($payload['content'] ?? ''));
+        $entityType = trim((string) ($payload['entityType'] ?? ''));
+        $entityId   = trim((string) ($payload['entityId'] ?? ''));
+        $entityName = isset($payload['entityName']) ? trim((string) $payload['entityName']) : null;
+
+        if ('' === $content) {
+            return $this->json(['message' => 'Le contenu est requis.'], 400);
+        }
+
+        $allowedTypes = ['machine', 'piece', 'composant', 'product', 'piece_category', 'component_category', 'product_category', 'machine_skeleton'];
+        if (!in_array($entityType, $allowedTypes, true)) {
+            return $this->json(['message' => 'Type d\'entité invalide.'], 400);
+        }
+
+        if ('' === $entityId) {
+            return $this->json(['message' => 'L\'identifiant de l\'entité est requis.'], 400);
+        }
+
+        $authorName = trim(sprintf('%s %s', $profile->getFirstName(), $profile->getLastName()));
+        if ('' === $authorName) {
+            $authorName = $profile->getEmail() ?? 'Inconnu';
+        }
+
+        $comment = new Comment();
+        $comment->setContent($content);
+        $comment->setEntityType($entityType);
+        $comment->setEntityId($entityId);
+        $comment->setEntityName($entityName);
+        $comment->setAuthorId($profileId);
+        $comment->setAuthorName($authorName);
+
+        $this->entityManager->persist($comment);
+        $this->entityManager->flush();
+
+        return $this->json($this->normalize($comment), 201);
+    }
+
+    #[Route('/{id}/resolve', name: 'api_comments_resolve', methods: ['PATCH'])]
+    public function resolve(string $id, Request $request): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
+        $comment = $this->entityManager->getRepository(Comment::class)->find($id);
+        if (!$comment) {
+            return $this->json(['message' => 'Commentaire introuvable.'], 404);
+        }
+
+        $session   = $request->getSession();
+        $profileId = $session->get('profileId');
+        $profile   = $profileId ? $this->profiles->find($profileId) : null;
+
+        $resolverName = 'Inconnu';
+        if ($profile) {
+            $resolverName = trim(sprintf('%s %s', $profile->getFirstName(), $profile->getLastName()));
+            if ('' === $resolverName) {
+                $resolverName = $profile->getEmail() ?? 'Inconnu';
+            }
+        }
+
+        $comment->setStatus('resolved');
+        $comment->setResolvedById($profileId);
+        $comment->setResolvedByName($resolverName);
+        $comment->setResolvedAt(new DateTimeImmutable());
+
+        $this->entityManager->flush();
+
+        return $this->json($this->normalize($comment));
+    }
+
+    #[Route('/stats/unresolved-count', name: 'api_comments_unresolved_count', methods: ['GET'])]
+    public function unresolvedCount(): JsonResponse
+    {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
+        $count = $this->entityManager->getRepository(Comment::class)
+            ->count(['status' => 'open'])
+        ;
+
+        return $this->json(['count' => $count]);
+    }
+
+    private function normalize(Comment $comment): array
+    {
+        return [
+            'id'             => $comment->getId(),
+            'content'        => $comment->getContent(),
+            'entityType'     => $comment->getEntityType(),
+            'entityId'       => $comment->getEntityId(),
+            'entityName'     => $comment->getEntityName(),
+            'authorId'       => $comment->getAuthorId(),
+            'authorName'     => $comment->getAuthorName(),
+            'status'         => $comment->getStatus(),
+            'resolvedById'   => $comment->getResolvedById(),
+            'resolvedByName' => $comment->getResolvedByName(),
+            'resolvedAt'     => $comment->getResolvedAt()?->format(DateTimeInterface::ATOM),
+            'createdAt'      => $comment->getCreatedAt()->format(DateTimeInterface::ATOM),
+            'updatedAt'      => $comment->getUpdatedAt()->format(DateTimeInterface::ATOM),
+        ];
+    }
+}

src/Controller/ComposantHistoryController.php

@@ -8,11 +8,12 @@ use App\Repository\AuditLogRepository;
 use App\Repository\ComposantRepository;
 use App\Repository\ProfileRepository;
 use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class ComposantHistoryController
+final class ComposantHistoryController extends AbstractController
 {
     public function __construct(
         private readonly ComposantRepository $components,
@@ -23,6 +24,8 @@ final class ComposantHistoryController
     #[Route('/api/composants/{id}/history', name: 'api_composant_history', methods: ['GET'])]
     public function __invoke(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $component = $this->components->find($id);
         if (!$component) {
             return new JsonResponse(

src/Controller/CustomFieldValueController.php

@@ -34,6 +34,8 @@ class CustomFieldValueController extends AbstractController
     #[Route('', name: 'custom_field_values_create', methods: ['POST'])]
     public function create(Request $request): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $payload = $this->decodePayload($request);
         if ($payload instanceof JsonResponse) {
             return $payload;
@@ -63,6 +65,8 @@ class CustomFieldValueController extends AbstractController
     #[Route('/upsert', name: 'custom_field_values_upsert', methods: ['POST'])]
     public function upsert(Request $request): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $payload = $this->decodePayload($request);
         if ($payload instanceof JsonResponse) {
             return $payload;
@@ -104,6 +108,8 @@ class CustomFieldValueController extends AbstractController
     #[Route('/{entityType}/{entityId}', name: 'custom_field_values_list', methods: ['GET'])]
     public function listByEntity(string $entityType, string $entityId): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $target = $this->resolveTarget([
             'entityType' => $entityType,
             'entityId'   => $entityId,
@@ -126,6 +132,8 @@ class CustomFieldValueController extends AbstractController
     #[Route('/{id}', name: 'custom_field_values_update', methods: ['PATCH'])]
     public function update(string $id, Request $request): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $value = $this->customFieldValueRepository->find($id);
         if (!$value instanceof CustomFieldValue) {
             return $this->json(['success' => false, 'error' => 'Custom field value not found.'], 404);
@@ -148,6 +156,8 @@ class CustomFieldValueController extends AbstractController
     #[Route('/{id}', name: 'custom_field_values_delete', methods: ['DELETE'])]
     public function delete(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $value = $this->customFieldValueRepository->find($id);
         if (!$value instanceof CustomFieldValue) {
             return $this->json(['success' => false, 'error' => 'Custom field value not found.'], 404);

src/Controller/DocumentQueryController.php

@@ -30,6 +30,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/site/{id}', name: 'documents_by_site', methods: ['GET'])]
     public function listBySite(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $site = $this->siteRepository->find($id);
         if (!$site) {
             return $this->json(['success' => false, 'error' => 'Site not found.'], 404);
@@ -43,6 +45,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/machine/{id}', name: 'documents_by_machine', methods: ['GET'])]
     public function listByMachine(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $machine = $this->machineRepository->find($id);
         if (!$machine) {
             return $this->json(['success' => false, 'error' => 'Machine not found.'], 404);
@@ -56,6 +60,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/composant/{id}', name: 'documents_by_composant', methods: ['GET'])]
     public function listByComposant(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $composant = $this->composantRepository->find($id);
         if (!$composant) {
             return $this->json(['success' => false, 'error' => 'Composant not found.'], 404);
@@ -69,6 +75,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/piece/{id}', name: 'documents_by_piece', methods: ['GET'])]
     public function listByPiece(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $piece = $this->pieceRepository->find($id);
         if (!$piece) {
             return $this->json(['success' => false, 'error' => 'Piece not found.'], 404);
@@ -82,6 +90,8 @@ class DocumentQueryController extends AbstractController
     #[Route('/product/{id}', name: 'documents_by_product', methods: ['GET'])]
     public function listByProduct(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $product = $this->productRepository->find($id);
         if (!$product) {
             return $this->json(['success' => false, 'error' => 'Product not found.'], 404);
@@ -102,7 +112,8 @@ class DocumentQueryController extends AbstractController
                 'id'          => $document->getId(),
                 'name'        => $document->getName(),
                 'filename'    => $document->getFilename(),
-                'path'        => $document->getPath(),
+                'fileUrl'     => '/api/documents/'.$document->getId().'/file',
+                'downloadUrl' => '/api/documents/'.$document->getId().'/download',
                 'mimeType'    => $document->getMimeType(),
                 'size'        => $document->getSize(),
                 'siteId'      => $document->getSite()?->getId(),

src/Controller/DocumentServeController.php

@@ -0,0 +1,109 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller;
+
+use App\Repository\DocumentRepository;
+use App\Service\DocumentStorageService;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\Routing\Attribute\Route;
+
+use function strlen;
+
+#[Route('/api/documents')]
+class DocumentServeController extends AbstractController
+{
+    public function __construct(
+        private readonly DocumentRepository $documentRepository,
+        private readonly DocumentStorageService $storageService,
+    ) {}
+
+    #[Route('/{id}/file', name: 'document_serve_file', methods: ['GET'])]
+    public function serve(string $id): Response
+    {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
+        $document = $this->documentRepository->find($id);
+        if (!$document) {
+            return $this->json(['error' => 'Document not found.'], 404);
+        }
+
+        $path = $document->getPath();
+
+        // Backward compatibility: serve Base64 data URIs from DB
+        if ($this->storageService->isBase64DataUri($path)) {
+            $parts   = explode(',', $path, 2);
+            $content = base64_decode($parts[1] ?? '', true);
+            if (false === $content) {
+                return $this->json(['error' => 'Invalid document data.'], 500);
+            }
+
+            return new Response($content, 200, [
+                'Content-Type'        => $document->getMimeType(),
+                'Content-Disposition' => ResponseHeaderBag::DISPOSITION_INLINE.'; filename="'.$document->getFilename().'"',
+                'Content-Length'      => (string) strlen($content),
+                'Cache-Control'       => 'private, max-age=3600',
+            ]);
+        }
+
+        // File-based path: serve from disk
+        $absolutePath = $this->storageService->getAbsolutePath($path);
+        if (!file_exists($absolutePath)) {
+            return $this->json(['error' => 'File not found on disk.'], 404);
+        }
+
+        $response = new BinaryFileResponse($absolutePath);
+        $response->headers->set('Content-Type', $document->getMimeType());
+        $response->setContentDisposition(
+            ResponseHeaderBag::DISPOSITION_INLINE,
+            $document->getFilename()
+        );
+        $response->headers->set('Cache-Control', 'private, max-age=3600');
+
+        return $response;
+    }
+
+    #[Route('/{id}/download', name: 'document_download_file', methods: ['GET'])]
+    public function download(string $id): Response
+    {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
+        $document = $this->documentRepository->find($id);
+        if (!$document) {
+            return $this->json(['error' => 'Document not found.'], 404);
+        }
+
+        $path = $document->getPath();
+
+        if ($this->storageService->isBase64DataUri($path)) {
+            $parts   = explode(',', $path, 2);
+            $content = base64_decode($parts[1] ?? '', true);
+            if (false === $content) {
+                return $this->json(['error' => 'Invalid document data.'], 500);
+            }
+
+            return new Response($content, 200, [
+                'Content-Type'        => 'application/octet-stream',
+                'Content-Disposition' => ResponseHeaderBag::DISPOSITION_ATTACHMENT.'; filename="'.$document->getFilename().'"',
+                'Content-Length'      => (string) strlen($content),
+            ]);
+        }
+
+        $absolutePath = $this->storageService->getAbsolutePath($path);
+        if (!file_exists($absolutePath)) {
+            return $this->json(['error' => 'File not found on disk.'], 404);
+        }
+
+        $response = new BinaryFileResponse($absolutePath);
+        $response->setContentDisposition(
+            ResponseHeaderBag::DISPOSITION_ATTACHMENT,
+            $document->getFilename()
+        );
+
+        return $response;
+    }
+}

src/Controller/MachineCustomFieldsController.php

@@ -26,6 +26,8 @@ class MachineCustomFieldsController extends AbstractController
     #[Route('/{id}/add-custom-fields', name: 'machine_add_custom_fields', methods: ['POST'])]
     public function addMissingCustomFields(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $machine = $this->machineRepository->find($id);
         if (!$machine instanceof Machine) {
             return $this->json(['success' => false, 'error' => 'Machine not found.'], 404);

src/Controller/MachineHistoryController.php

@@ -8,11 +8,12 @@ use App\Repository\AuditLogRepository;
 use App\Repository\MachineRepository;
 use App\Repository\ProfileRepository;
 use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class MachineHistoryController
+final class MachineHistoryController extends AbstractController
 {
     public function __construct(
         private readonly MachineRepository $machines,
@@ -23,6 +24,8 @@ final class MachineHistoryController
     #[Route('/api/machines/{id}/history', name: 'api_machine_history', methods: ['GET'])]
     public function __invoke(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $machine = $this->machines->find($id);
         if (!$machine) {
             return new JsonResponse(

src/Controller/MachineSkeletonController.php

@@ -53,6 +53,8 @@ class MachineSkeletonController extends AbstractController
     #[Route('/{id}/skeleton', name: 'machine_skeleton_get', methods: ['GET'])]
     public function getSkeleton(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $machine = $this->machineRepository->find($id);
         if (!$machine instanceof Machine) {
             return $this->json(['success' => false, 'error' => 'Machine not found.'], 404);
@@ -73,6 +75,8 @@ class MachineSkeletonController extends AbstractController
     #[Route('/{id}/skeleton', name: 'machine_skeleton_update', methods: ['PATCH'])]
     public function updateSkeleton(string $id, Request $request): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $machine = $this->machineRepository->find($id);
         if (!$machine instanceof Machine) {
             return $this->json(['success' => false, 'error' => 'Machine not found.'], 404);

src/Controller/ModelTypeConversionController.php

@@ -6,11 +6,12 @@ namespace App\Controller;
 
 use App\Repository\ModelTypeRepository;
 use App\Service\ModelTypeCategoryConversionService;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class ModelTypeConversionController
+final class ModelTypeConversionController extends AbstractController
 {
     public function __construct(
         private readonly ModelTypeRepository $modelTypes,
@@ -20,6 +21,8 @@ final class ModelTypeConversionController
     #[Route('/api/model_types/{id}/conversion-check', name: 'api_model_type_conversion_check', methods: ['GET'])]
     public function check(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $modelType = $this->modelTypes->find($id);
 
         if (!$modelType) {
@@ -35,6 +38,8 @@ final class ModelTypeConversionController
     #[Route('/api/model_types/{id}/convert', name: 'api_model_type_convert', methods: ['POST'])]
     public function convert(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_GESTIONNAIRE');
+
         $modelType = $this->modelTypes->find($id);
 
         if (!$modelType) {

src/Controller/PieceHistoryController.php

@@ -8,11 +8,12 @@ use App\Repository\AuditLogRepository;
 use App\Repository\PieceRepository;
 use App\Repository\ProfileRepository;
 use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class PieceHistoryController
+final class PieceHistoryController extends AbstractController
 {
     public function __construct(
         private readonly PieceRepository $pieces,
@@ -23,6 +24,8 @@ final class PieceHistoryController
     #[Route('/api/pieces/{id}/history', name: 'api_piece_history', methods: ['GET'])]
     public function __invoke(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $piece = $this->pieces->find($id);
         if (!$piece) {
             return new JsonResponse(

src/Controller/ProductHistoryController.php

@@ -8,11 +8,12 @@ use App\Repository\AuditLogRepository;
 use App\Repository\ProductRepository;
 use App\Repository\ProfileRepository;
 use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
-final class ProductHistoryController
+final class ProductHistoryController extends AbstractController
 {
     public function __construct(
         private readonly ProductRepository $products,
@@ -23,6 +24,8 @@ final class ProductHistoryController
     #[Route('/api/products/{id}/history', name: 'api_product_history', methods: ['GET'])]
     public function __invoke(string $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted('ROLE_VIEWER');
+
         $product = $this->products->find($id);
         if (!$product) {
             return new JsonResponse(

src/Controller/SessionProfileController.php

@@ -8,11 +8,15 @@ use App\Repository\ProfileRepository;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Attribute\Route;
 
 final class SessionProfileController
 {
-    public function __construct(private readonly ProfileRepository $profiles) {}
+    public function __construct(
+        private readonly ProfileRepository $profiles,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+    ) {}
 
     #[Route('/api/session/profile', name: 'api_session_profile_get', methods: ['GET'])]
     public function getActiveProfile(Request $request): JsonResponse
@@ -64,7 +68,24 @@ final class SessionProfileController
             return new JsonResponse(['message' => 'Profil introuvable ou inactif.'], JsonResponse::HTTP_UNAUTHORIZED);
         }
 
+        $password = $payload['password'] ?? '';
+        if ('' === $password) {
+            return new JsonResponse(['message' => 'Mot de passe requis.'], JsonResponse::HTTP_BAD_REQUEST);
+        }
+
+        if (!$profile->getPassword()) {
+            return new JsonResponse(
+                ['message' => 'Ce profil n\'a pas de mot de passe. Contactez un administrateur.'],
+                JsonResponse::HTTP_FORBIDDEN,
+            );
+        }
+
+        if (!$this->passwordHasher->isPasswordValid($profile, $password)) {
+            return new JsonResponse(['message' => 'Mot de passe incorrect.'], JsonResponse::HTTP_UNAUTHORIZED);
+        }
+
         $session->set('profileId', $profile->getId());
+        $session->set('profileRoles', $profile->getRoles());
 
         return new JsonResponse([
             'id'        => $profile->getId(),

src/Controller/SessionProfilesController.php

@@ -4,18 +4,14 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\Profile;
 use App\Repository\ProfileRepository;
-use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Attribute\Route;
 
 final class SessionProfilesController
 {
     public function __construct(
         private readonly ProfileRepository $profiles,
-        private readonly EntityManagerInterface $entityManager
     ) {}
 
     #[Route('/api/session/profiles', name: 'api_session_profiles_list', methods: ['GET'])]
@@ -29,52 +25,13 @@ final class SessionProfilesController
             ->getResult()
         ;
 
-        return new JsonResponse(array_map([$this, 'serializeProfile'], $items));
-    }
-
-    #[Route('/api/session/profiles', name: 'api_session_profiles_create', methods: ['POST'])]
-    public function create(Request $request): JsonResponse
-    {
-        $payload   = $request->toArray();
-        $firstName = trim((string) ($payload['firstName'] ?? ''));
-        $lastName  = trim((string) ($payload['lastName'] ?? ''));
-
-        if ('' === $firstName || '' === $lastName) {
-            return new JsonResponse(['message' => 'firstName et lastName sont requis.'], JsonResponse::HTTP_BAD_REQUEST);
-        }
-
-        $profile = new Profile();
-        $profile->setFirstName($firstName);
-        $profile->setLastName($lastName);
-        $profile->setIsActive(true);
-
-        $this->entityManager->persist($profile);
-        $this->entityManager->flush();
-
-        return new JsonResponse($this->serializeProfile($profile), JsonResponse::HTTP_CREATED);
-    }
-
-    #[Route('/api/session/profiles/{id}', name: 'api_session_profiles_delete', methods: ['DELETE'])]
-    public function delete(string $id): JsonResponse
-    {
-        $profile = $this->profiles->find($id);
-        if (!$profile) {
-            return new JsonResponse(['message' => 'Profil introuvable.'], JsonResponse::HTTP_NOT_FOUND);
-        }
-
-        $profile->setIsActive(false);
-        $this->entityManager->flush();
-
-        return new JsonResponse(['success' => true]);
-    }
-
-    private function serializeProfile(Profile $profile): array
-    {
-        return [
-            'id'        => $profile->getId(),
-            'firstName' => $profile->getFirstName(),
-            'lastName'  => $profile->getLastName(),
-            'isActive'  => $profile->isActive(),
-        ];
+        return new JsonResponse(array_map(static function ($profile): array {
+            return [
+                'id'          => $profile->getId(),
+                'firstName'   => $profile->getFirstName(),
+                'lastName'    => $profile->getLastName(),
+                'hasPassword' => null !== $profile->getPassword() && '' !== $profile->getPassword(),
+            ];
+        }, $items));
     }
 }

src/Entity/Comment.php

@@ -0,0 +1,235 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use DateTimeImmutable;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity]
+#[ORM\Table(name: 'comments')]
+#[ORM\Index(columns: ['entity_type', 'entity_id', 'status'], name: 'idx_comment_entity_status')]
+#[ORM\HasLifecycleCallbacks]
+#[ApiFilter(SearchFilter::class, properties: ['entityType' => 'exact', 'entityId' => 'exact', 'status' => 'exact'])]
+#[ApiFilter(OrderFilter::class, properties: ['createdAt'])]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
+    order: ['createdAt' => 'DESC'],
+    paginationClientItemsPerPage: true,
+    paginationMaximumItemsPerPage: 200
+)]
+class Comment
+{
+    #[ORM\Id]
+    #[ORM\Column(type: Types::STRING, length: 36)]
+    private ?string $id = null;
+
+    #[ORM\Column(type: Types::TEXT)]
+    private string $content;
+
+    #[ORM\Column(type: Types::STRING, length: 50, name: 'entity_type')]
+    private string $entityType;
+
+    #[ORM\Column(type: Types::STRING, length: 36, name: 'entity_id')]
+    private string $entityId;
+
+    #[ORM\Column(type: Types::STRING, length: 255, nullable: true, name: 'entity_name')]
+    private ?string $entityName = null;
+
+    #[ORM\Column(type: Types::STRING, length: 36, name: 'author_id')]
+    private string $authorId;
+
+    #[ORM\Column(type: Types::STRING, length: 255, name: 'author_name')]
+    private string $authorName;
+
+    #[ORM\Column(type: Types::STRING, length: 20)]
+    private string $status = 'open';
+
+    #[ORM\Column(type: Types::STRING, length: 36, nullable: true, name: 'resolved_by_id')]
+    private ?string $resolvedById = null;
+
+    #[ORM\Column(type: Types::STRING, length: 255, nullable: true, name: 'resolved_by_name')]
+    private ?string $resolvedByName = null;
+
+    #[ORM\Column(type: Types::DATETIME_IMMUTABLE, nullable: true, name: 'resolved_at')]
+    private ?DateTimeImmutable $resolvedAt = null;
+
+    #[ORM\Column(type: Types::DATETIME_IMMUTABLE, name: 'created_at')]
+    private DateTimeImmutable $createdAt;
+
+    #[ORM\Column(type: Types::DATETIME_IMMUTABLE, name: 'updated_at')]
+    private DateTimeImmutable $updatedAt;
+
+    #[ORM\PrePersist]
+    public function setCreatedAtValue(): void
+    {
+        $now             = new DateTimeImmutable();
+        $this->createdAt = $now;
+        $this->updatedAt = $now;
+
+        if (null === $this->id) {
+            $this->id = $this->generateCuid();
+        }
+    }
+
+    #[ORM\PreUpdate]
+    public function setUpdatedAtValue(): void
+    {
+        $this->updatedAt = new DateTimeImmutable();
+    }
+
+    public function getId(): ?string
+    {
+        return $this->id;
+    }
+
+    public function getContent(): string
+    {
+        return $this->content;
+    }
+
+    public function setContent(string $content): static
+    {
+        $this->content = $content;
+
+        return $this;
+    }
+
+    public function getEntityType(): string
+    {
+        return $this->entityType;
+    }
+
+    public function setEntityType(string $entityType): static
+    {
+        $this->entityType = $entityType;
+
+        return $this;
+    }
+
+    public function getEntityId(): string
+    {
+        return $this->entityId;
+    }
+
+    public function setEntityId(string $entityId): static
+    {
+        $this->entityId = $entityId;
+
+        return $this;
+    }
+
+    public function getEntityName(): ?string
+    {
+        return $this->entityName;
+    }
+
+    public function setEntityName(?string $entityName): static
+    {
+        $this->entityName = $entityName;
+
+        return $this;
+    }
+
+    public function getAuthorId(): string
+    {
+        return $this->authorId;
+    }
+
+    public function setAuthorId(string $authorId): static
+    {
+        $this->authorId = $authorId;
+
+        return $this;
+    }
+
+    public function getAuthorName(): string
+    {
+        return $this->authorName;
+    }
+
+    public function setAuthorName(string $authorName): static
+    {
+        $this->authorName = $authorName;
+
+        return $this;
+    }
+
+    public function getStatus(): string
+    {
+        return $this->status;
+    }
+
+    public function setStatus(string $status): static
+    {
+        $this->status = $status;
+
+        return $this;
+    }
+
+    public function getResolvedById(): ?string
+    {
+        return $this->resolvedById;
+    }
+
+    public function setResolvedById(?string $resolvedById): static
+    {
+        $this->resolvedById = $resolvedById;
+
+        return $this;
+    }
+
+    public function getResolvedByName(): ?string
+    {
+        return $this->resolvedByName;
+    }
+
+    public function setResolvedByName(?string $resolvedByName): static
+    {
+        $this->resolvedByName = $resolvedByName;
+
+        return $this;
+    }
+
+    public function getResolvedAt(): ?DateTimeImmutable
+    {
+        return $this->resolvedAt;
+    }
+
+    public function setResolvedAt(?DateTimeImmutable $resolvedAt): static
+    {
+        $this->resolvedAt = $resolvedAt;
+
+        return $this;
+    }
+
+    public function getCreatedAt(): DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function getUpdatedAt(): DateTimeImmutable
+    {
+        return $this->updatedAt;
+    }
+
+    private function generateCuid(): string
+    {
+        return 'cl'.bin2hex(random_bytes(12));
+    }
+}

src/Entity/Composant.php

@@ -8,6 +8,12 @@ use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\ComposantRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -22,6 +28,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiFilter(SearchFilter::class, properties: ['name' => 'ipartial', 'reference' => 'ipartial', 'typeComposant' => 'exact'])]
 #[ApiFilter(OrderFilter::class, properties: ['name', 'createdAt'])]
 #[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
     normalizationContext: ['groups' => ['composant:read']],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200
@@ -41,6 +55,10 @@ class Composant
     #[Groups(['composant:read'])]
     private ?string $reference = null;
 
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['composant:read'])]
+    private ?string $description = null;
+
     #[ORM\Column(type: Types::DECIMAL, precision: 10, scale: 2, nullable: true)]
     #[Groups(['composant:read'])]
     private ?string $prix = null;
@@ -161,6 +179,18 @@ class Composant
         return $this;
     }
 
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): static
+    {
+        $this->description = $description;
+
+        return $this;
+    }
+
     public function getPrix(): ?string
     {
         return $this->prix;

src/Entity/Constructeur.php

@@ -5,17 +5,33 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\ConstructeurRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 
+#[UniqueEntity(fields: ['name'], message: 'Un fournisseur avec ce nom existe déjà.')]
 #[ORM\Entity(repositoryClass: ConstructeurRepository::class)]
 #[ORM\Table(name: 'constructeurs')]
 #[ORM\HasLifecycleCallbacks]
 #[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200
 )]

src/Entity/CustomField.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\CustomFieldRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -16,7 +22,16 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: CustomFieldRepository::class)]
 #[ORM\Table(name: 'custom_fields')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class CustomField
 {
     #[ORM\Id]

src/Entity/CustomFieldValue.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\CustomFieldValueRepository;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
@@ -14,7 +20,16 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: CustomFieldValueRepository::class)]
 #[ORM\Table(name: 'custom_field_values')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class CustomFieldValue
 {
     #[ORM\Id]

src/Entity/Document.php

@@ -4,6 +4,10 @@ declare(strict_types=1);
 
 namespace App\Entity;
 
+use ApiPlatform\Doctrine\Orm\Filter\ExistsFilter;
+use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
@@ -11,6 +15,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use App\Repository\DocumentRepository;
+use App\State\DocumentUploadProcessor;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -19,16 +24,31 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: DocumentRepository::class)]
 #[ORM\Table(name: 'documents')]
 #[ORM\HasLifecycleCallbacks]
+#[ApiFilter(SearchFilter::class, properties: ['name' => 'partial', 'filename' => 'partial'])]
+#[ApiFilter(ExistsFilter::class, properties: ['site', 'machine', 'composant', 'piece', 'product'])]
+#[ApiFilter(OrderFilter::class, properties: ['createdAt', 'name', 'size'])]
 #[ApiResource(
     operations: [
-        new GetCollection(normalizationContext: ['groups' => ['document:list']]),
-        new Get(normalizationContext: ['groups' => ['document:list', 'document:detail']]),
-        new Post(),
-        new Put(),
-        new Delete(),
+        new GetCollection(
+            security: "is_granted('ROLE_VIEWER')",
+            normalizationContext: ['groups' => ['document:list']],
+        ),
+        new Get(
+            security: "is_granted('ROLE_VIEWER')",
+            normalizationContext: ['groups' => ['document:list', 'document:detail']],
+        ),
+        new Post(
+            security: "is_granted('ROLE_GESTIONNAIRE')",
+            processor: DocumentUploadProcessor::class,
+            deserialize: false,
+            inputFormats: ['multipart' => ['multipart/form-data']],
+        ),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
     ],
     paginationClientItemsPerPage: true,
-    paginationMaximumItemsPerPage: 200
+    paginationMaximumItemsPerPage: 500,
+    order: ['createdAt' => 'DESC']
 )]
 class Document
 {

src/Entity/Machine.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\MachineRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -16,7 +22,16 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: MachineRepository::class)]
 #[ORM\Table(name: 'machines')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class Machine
 {
     #[ORM\Id]

src/Entity/MachineComponentLink.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\MachineComponentLinkRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -15,7 +21,16 @@ use Doctrine\ORM\Mapping as ORM;
 #[ORM\Entity(repositoryClass: MachineComponentLinkRepository::class)]
 #[ORM\Table(name: 'machine_component_links')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class MachineComponentLink
 {
     #[ORM\Id]

src/Entity/MachinePieceLink.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\MachinePieceLinkRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -15,7 +21,16 @@ use Doctrine\ORM\Mapping as ORM;
 #[ORM\Entity(repositoryClass: MachinePieceLinkRepository::class)]
 #[ORM\Table(name: 'machine_piece_links')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class MachinePieceLink
 {
     #[ORM\Id]

src/Entity/MachineProductLink.php

@@ -5,6 +5,12 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\MachineProductLinkRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -15,7 +21,16 @@ use Doctrine\ORM\Mapping as ORM;
 #[ORM\Entity(repositoryClass: MachineProductLinkRepository::class)]
 #[ORM\Table(name: 'machine_product_links')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class MachineProductLink
 {
     #[ORM\Id]

src/Entity/ModelType.php

@@ -8,6 +8,12 @@ use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Enum\ModelCategory;
 use App\Repository\ModelTypeRepository;
 use DateTimeImmutable;
@@ -24,6 +30,14 @@ use Symfony\Component\Serializer\Annotation\Groups;
 #[ApiFilter(SearchFilter::class, properties: ['category' => 'exact', 'name' => 'ipartial'])]
 #[ApiFilter(OrderFilter::class, properties: ['name', 'createdAt'])]
 #[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200
 )]

src/Entity/Piece.php

@@ -8,20 +8,36 @@ use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\PieceRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Serializer\Attribute\Groups;
 
+#[UniqueEntity(fields: ['reference'], message: 'Une pièce avec cette référence existe déjà.')]
 #[ORM\Entity(repositoryClass: PieceRepository::class)]
 #[ORM\Table(name: 'pieces')]
 #[ORM\HasLifecycleCallbacks]
 #[ApiFilter(SearchFilter::class, properties: ['name' => 'ipartial', 'reference' => 'ipartial', 'typePiece' => 'exact'])]
 #[ApiFilter(OrderFilter::class, properties: ['name', 'createdAt'])]
 #[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
     normalizationContext: ['groups' => ['piece:read']],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200
@@ -33,14 +49,18 @@ class Piece
     #[Groups(['piece:read', 'document:list'])]
     private ?string $id = null;
 
-    #[ORM\Column(type: Types::STRING, length: 255, unique: true)]
+    #[ORM\Column(type: Types::STRING, length: 255)]
     #[Groups(['piece:read', 'document:list'])]
     private string $name;
 
-    #[ORM\Column(type: Types::STRING, length: 255, nullable: true)]
+    #[ORM\Column(type: Types::STRING, length: 255, unique: true, nullable: true)]
     #[Groups(['piece:read'])]
     private ?string $reference = null;
 
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['piece:read'])]
+    private ?string $description = null;
+
     #[ORM\Column(type: Types::DECIMAL, precision: 10, scale: 2, nullable: true)]
     #[Groups(['piece:read'])]
     private ?string $prix = null;
@@ -161,6 +181,18 @@ class Piece
         return $this;
     }
 
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): static
+    {
+        $this->description = $description;
+
+        return $this;
+    }
+
     public function getPrix(): ?string
     {
         return $this->prix;

src/Entity/Product.php

@@ -8,6 +8,12 @@ use ApiPlatform\Doctrine\Orm\Filter\OrderFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\ProductRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -22,6 +28,14 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiFilter(SearchFilter::class, properties: ['name' => 'ipartial', 'reference' => 'ipartial', 'typeProduct' => 'exact'])]
 #[ApiFilter(OrderFilter::class, properties: ['name', 'createdAt'])]
 #[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ],
     normalizationContext: ['groups' => ['product:read']],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200

src/Entity/Profile.php

@@ -8,9 +8,11 @@ use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use App\Repository\ProfileRepository;
+use App\State\ProfilePasswordHasher;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
@@ -24,11 +26,24 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ORM\HasLifecycleCallbacks]
 #[ApiResource(
     operations: [
-        new Get(),
-        new GetCollection(),
-        new Post(),
-        new Put(),
-        new Delete(),
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_ADMIN')"),
+        new Post(
+            security: "is_granted('ROLE_ADMIN')",
+            denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
+            processor: ProfilePasswordHasher::class,
+        ),
+        new Put(
+            security: "is_granted('ROLE_ADMIN')",
+            denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
+            processor: ProfilePasswordHasher::class,
+        ),
+        new Patch(
+            security: "is_granted('ROLE_ADMIN')",
+            denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
+            processor: ProfilePasswordHasher::class,
+        ),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
     ],
     normalizationContext: ['groups' => ['profile:read']],
     denormalizationContext: ['groups' => ['profile:write']]
@@ -63,16 +78,21 @@ class Profile implements UserInterface, PasswordAuthenticatedUserInterface
      * @var list<string> The user roles
      */
     #[ORM\Column(type: 'json', options: ['default' => '["ROLE_USER"]'])]
-    #[Groups(['profile:read', 'profile:write'])]
+    #[Groups(['profile:read', 'profile:admin:write'])]
     private array $roles = ['ROLE_USER'];
 
     /**
-     * @var string The hashed password
+     * @var null|string The hashed password
      */
     #[ORM\Column(type: 'string', nullable: true)]
-    #[Groups(['profile:write'])]
     private ?string $password = null;
 
+    /**
+     * Non-persisted field used for password hashing via ProfilePasswordHasher.
+     */
+    #[Groups(['profile:write'])]
+    private ?string $plainPassword = null;
+
     #[ORM\Column(type: 'datetime_immutable', name: 'createdat')]
     #[Groups(['profile:read'])]
     private DateTimeImmutable $createdAt;
@@ -83,7 +103,6 @@ class Profile implements UserInterface, PasswordAuthenticatedUserInterface
 
     public function __construct()
     {
-        // Générer un CUID-like ID pour compatibilité avec Prisma
         $this->id        = 'cl'.substr(strtolower(base_convert(random_bytes(12), 2, 36)), 0, 24);
         $this->createdAt = new DateTimeImmutable();
         $this->updatedAt = new DateTimeImmutable();
@@ -157,11 +176,10 @@ class Profile implements UserInterface, PasswordAuthenticatedUserInterface
      */
     public function getRoles(): array
     {
-        $roles = $this->roles;
-        // guarantee every user at least has ROLE_USER
+        $roles   = $this->roles;
         $roles[] = 'ROLE_USER';
 
-        return array_unique($roles);
+        return array_values(array_unique($roles));
     }
 
     /**
@@ -182,20 +200,37 @@ class Profile implements UserInterface, PasswordAuthenticatedUserInterface
         return $this->password;
     }
 
-    public function setPassword(string $password): static
+    public function setPassword(?string $password): static
     {
         $this->password = $password;
 
         return $this;
     }
 
+    public function getPlainPassword(): ?string
+    {
+        return $this->plainPassword;
+    }
+
+    public function setPlainPassword(?string $plainPassword): static
+    {
+        $this->plainPassword = $plainPassword;
+
+        return $this;
+    }
+
+    #[Groups(['profile:read'])]
+    public function getHasPassword(): bool
+    {
+        return null !== $this->password && '' !== $this->password;
+    }
+
     /**
      * @see UserInterface
      */
     public function eraseCredentials(): void
     {
-        // If you store any temporary, sensitive data on the user, clear it here
-        // $this->plainPassword = null;
+        $this->plainPassword = null;
     }
 
     public function getCreatedAt(): DateTimeImmutable

src/Entity/Site.php

@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use App\Repository\SiteRepository;
@@ -24,11 +25,12 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ORM\HasLifecycleCallbacks]
 #[ApiResource(
     operations: [
-        new Get(),
-        new GetCollection(),
-        new Post(),
-        new Put(),
-        new Delete(),
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
     ],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200

src/Entity/TypeMachine.php

@@ -12,6 +12,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use App\Repository\TypeMachineRepository;
+use App\State\TypeMachinePutProcessor;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -27,11 +28,11 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[UniqueEntity(fields: ['name'], message: 'Ce nom de type de machine existe déjà.')]
 #[ApiResource(
     operations: [
-        new Get(),
-        new GetCollection(),
-        new Post(),
-        new Put(),
-        new Delete(),
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')", processor: TypeMachinePutProcessor::class, deserialize: false, validate: false),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
     ],
     paginationClientItemsPerPage: true,
     paginationMaximumItemsPerPage: 200
@@ -100,21 +101,21 @@ class TypeMachine
     /**
      * @var Collection<int, TypeMachineComponentRequirement>
      */
-    #[ORM\OneToMany(targetEntity: TypeMachineComponentRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'])]
+    #[ORM\OneToMany(targetEntity: TypeMachineComponentRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'], orphanRemoval: true)]
     #[ApiProperty(readableLink: true, writableLink: true)]
     private Collection $componentRequirements;
 
     /**
      * @var Collection<int, TypeMachinePieceRequirement>
      */
-    #[ORM\OneToMany(targetEntity: TypeMachinePieceRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'])]
+    #[ORM\OneToMany(targetEntity: TypeMachinePieceRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'], orphanRemoval: true)]
     #[ApiProperty(readableLink: true, writableLink: true)]
     private Collection $pieceRequirements;
 
     /**
      * @var Collection<int, TypeMachineProductRequirement>
      */
-    #[ORM\OneToMany(targetEntity: TypeMachineProductRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'])]
+    #[ORM\OneToMany(targetEntity: TypeMachineProductRequirement::class, mappedBy: 'typeMachine', cascade: ['persist', 'remove'], orphanRemoval: true)]
     #[ApiProperty(readableLink: true, writableLink: true)]
     private Collection $productRequirements;
 
@@ -319,11 +320,7 @@ class TypeMachine
 
     public function removeComponentRequirement(TypeMachineComponentRequirement $componentRequirement): static
     {
-        if ($this->componentRequirements->removeElement($componentRequirement)) {
-            if ($componentRequirement->getTypeMachine() === $this) {
-                $componentRequirement->setTypeMachine(null);
-            }
-        }
+        $this->componentRequirements->removeElement($componentRequirement);
 
         return $this;
     }
@@ -348,11 +345,7 @@ class TypeMachine
 
     public function removePieceRequirement(TypeMachinePieceRequirement $pieceRequirement): static
     {
-        if ($this->pieceRequirements->removeElement($pieceRequirement)) {
-            if ($pieceRequirement->getTypeMachine() === $this) {
-                $pieceRequirement->setTypeMachine(null);
-            }
-        }
+        $this->pieceRequirements->removeElement($pieceRequirement);
 
         return $this;
     }
@@ -377,11 +370,7 @@ class TypeMachine
 
     public function removeProductRequirement(TypeMachineProductRequirement $productRequirement): static
     {
-        if ($this->productRequirements->removeElement($productRequirement)) {
-            if ($productRequirement->getTypeMachine() === $this) {
-                $productRequirement->setTypeMachine(null);
-            }
-        }
+        $this->productRequirements->removeElement($productRequirement);
 
         return $this;
     }

src/Entity/TypeMachineComponentRequirement.php

@@ -6,6 +6,12 @@ namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\TypeMachineComponentRequirementRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -17,7 +23,16 @@ use Symfony\Component\Serializer\Annotation\Groups;
 #[ORM\Entity(repositoryClass: TypeMachineComponentRequirementRepository::class)]
 #[ORM\Table(name: 'type_machine_component_requirements')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class TypeMachineComponentRequirement
 {
     #[ORM\Id]

src/Entity/TypeMachinePieceRequirement.php

@@ -6,6 +6,12 @@ namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\TypeMachinePieceRequirementRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -17,7 +23,16 @@ use Symfony\Component\Serializer\Annotation\Groups;
 #[ORM\Entity(repositoryClass: TypeMachinePieceRequirementRepository::class)]
 #[ORM\Table(name: 'type_machine_piece_requirements')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class TypeMachinePieceRequirement
 {
     #[ORM\Id]

src/Entity/TypeMachineProductRequirement.php

@@ -6,6 +6,12 @@ namespace App\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use App\Repository\TypeMachineProductRequirementRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -17,7 +23,16 @@ use Symfony\Component\Serializer\Annotation\Groups;
 #[ORM\Entity(repositoryClass: TypeMachineProductRequirementRepository::class)]
 #[ORM\Table(name: 'type_machine_product_requirements')]
 #[ORM\HasLifecycleCallbacks]
-#[ApiResource]
+#[ApiResource(
+    operations: [
+        new Get(security: "is_granted('ROLE_VIEWER')"),
+        new GetCollection(security: "is_granted('ROLE_VIEWER')"),
+        new Post(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Put(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Patch(security: "is_granted('ROLE_GESTIONNAIRE')"),
+        new Delete(security: "is_granted('ROLE_GESTIONNAIRE')"),
+    ]
+)]
 class TypeMachineProductRequirement
 {
     #[ORM\Id]

src/EventListener/DocumentFileCleanupListener.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\EventListener;
+
+use App\Entity\Document;
+use App\Service\DocumentStorageService;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
+use Doctrine\ORM\Events;
+use Psr\Log\LoggerInterface;
+
+#[AsEntityListener(event: Events::postRemove, method: 'postRemove', entity: Document::class)]
+class DocumentFileCleanupListener
+{
+    public function __construct(
+        private readonly DocumentStorageService $storageService,
+        private readonly ?LoggerInterface $logger = null,
+    ) {}
+
+    public function postRemove(Document $document): void
+    {
+        $path = $document->getPath();
+
+        // Do not attempt file deletion for Base64 data URIs
+        if ($this->storageService->isBase64DataUri($path)) {
+            return;
+        }
+
+        $deleted = $this->storageService->delete($path);
+
+        if ($deleted) {
+            $this->logger?->info('Document file deleted from disk', [
+                'documentId' => $document->getId(),
+                'path'       => $path,
+            ]);
+        } else {
+            $this->logger?->warning('Document file not found on disk during cleanup', [
+                'documentId' => $document->getId(),
+                'path'       => $path,
+            ]);
+        }
+    }
+}

src/EventListener/DocumentPdfCompressorListener.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\EventListener;
 
 use App\Entity\Document;
+use App\Service\DocumentStorageService;
 use App\Service\PdfCompressorService;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
 use Doctrine\ORM\Events;
@@ -16,6 +17,7 @@ class DocumentPdfCompressorListener
 {
     public function __construct(
         private readonly PdfCompressorService $pdfCompressor,
+        private readonly DocumentStorageService $storageService,
         private readonly ?LoggerInterface $logger = null,
     ) {}
 
@@ -35,15 +37,26 @@ class DocumentPdfCompressorListener
             return;
         }
 
-        $result = $this->pdfCompressor->compressBase64Pdf($document->getPath());
+        $path = $document->getPath();
 
-        if (null === $result) {
-            return;
+        if ($this->storageService->isBase64DataUri($path)) {
+            // Legacy Base64 path
+            $result = $this->pdfCompressor->compressBase64Pdf($path);
+            if (null === $result) {
+                return;
+            }
+            $document->setPath($result['path']);
+            $document->setSize($result['size']);
+        } else {
+            // File-based path
+            $absolutePath = $this->storageService->getAbsolutePath($path);
+            $result       = $this->pdfCompressor->compressFile($absolutePath);
+            if (null === $result) {
+                return;
+            }
+            $document->setSize($result['size']);
         }
 
-        $document->setPath($result['path']);
-        $document->setSize($result['size']);
-
         $this->logger?->info('PDF compressed', [
             'document'       => $document->getName(),
             'originalSize'   => $result['originalSize'],

src/Security/SessionProfileAuthenticator.php

@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\Entity\Profile;
+use App\Repository\ProfileRepository;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+final class SessionProfileAuthenticator extends AbstractAuthenticator
+{
+    public function __construct(
+        private readonly ProfileRepository $profiles,
+    ) {}
+
+    public function supports(Request $request): ?bool
+    {
+        if (!$request->hasSession()) {
+            return false;
+        }
+
+        return $request->getSession()->has('profileId');
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        $profileId = $request->getSession()->get('profileId');
+
+        return new SelfValidatingPassport(
+            new UserBadge($profileId, function (string $id): Profile {
+                $profile = $this->profiles->find($id);
+
+                if (!$profile || !$profile->isActive()) {
+                    throw new CustomUserMessageAuthenticationException('Profil introuvable ou inactif.');
+                }
+
+                return $profile;
+            })
+        );
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        // Let the request continue normally
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return new JsonResponse(
+            ['message' => $exception->getMessageKey()],
+            JsonResponse::HTTP_UNAUTHORIZED,
+        );
+    }
+}

src/Serializer/DocumentNormalizer.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Serializer;
+
+use App\Entity\Document;
+use ArrayObject;
+use Symfony\Component\Serializer\Normalizer\NormalizerAwareInterface;
+use Symfony\Component\Serializer\Normalizer\NormalizerAwareTrait;
+use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
+
+use function is_array;
+
+class DocumentNormalizer implements NormalizerInterface, NormalizerAwareInterface
+{
+    use NormalizerAwareTrait;
+
+    private const ALREADY_CALLED = 'DOCUMENT_NORMALIZER_ALREADY_CALLED';
+
+    /**
+     * @return null|array<string, mixed>|ArrayObject<int|string, mixed>|bool|float|int|string
+     */
+    public function normalize(mixed $data, ?string $format = null, array $context = []): array|ArrayObject|bool|float|int|string|null
+    {
+        $context[self::ALREADY_CALLED] = true;
+
+        /** @var null|array<string, mixed> $normalized */
+        $normalized = $this->normalizer->normalize($data, $format, $context);
+
+        if (is_array($normalized) && $data instanceof Document && $data->getId()) {
+            // Remove raw 'path' if present (never expose it to the client)
+            unset($normalized['path']);
+
+            // Always provide URL-based access
+            $normalized['fileUrl']     = '/api/documents/'.$data->getId().'/file';
+            $normalized['downloadUrl'] = '/api/documents/'.$data->getId().'/download';
+        }
+
+        return $normalized;
+    }
+
+    public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool
+    {
+        if (isset($context[self::ALREADY_CALLED])) {
+            return false;
+        }
+
+        return $data instanceof Document;
+    }
+
+    /**
+     * @return array<class-string, bool>
+     */
+    public function getSupportedTypes(?string $format): array
+    {
+        return [
+            Document::class => false,
+        ];
+    }
+}

src/Service/DocumentStorageService.php

@@ -0,0 +1,141 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service;
+
+use DateTimeImmutable;
+use RuntimeException;
+use Symfony\Component\HttpKernel\KernelInterface;
+
+use function dirname;
+
+class DocumentStorageService
+{
+    private readonly string $storageDir;
+
+    public function __construct(
+        private readonly KernelInterface $kernel,
+    ) {
+        $this->storageDir = $this->kernel->getProjectDir().'/var/storage/documents';
+    }
+
+    public function getStorageDir(): string
+    {
+        return $this->storageDir;
+    }
+
+    public function getAbsolutePath(string $relativePath): string
+    {
+        return $this->storageDir.'/'.$relativePath;
+    }
+
+    /**
+     * Store binary content and return the relative path.
+     * Path format: {year}/{month}/{documentId}.{ext}.
+     */
+    public function store(string $content, string $documentId, string $extension): string
+    {
+        $now          = new DateTimeImmutable();
+        $subDir       = $now->format('Y').'/'.$now->format('m');
+        $relativePath = $subDir.'/'.$documentId.'.'.$extension;
+        $absolutePath = $this->storageDir.'/'.$relativePath;
+
+        $dir = dirname($absolutePath);
+        if (!is_dir($dir)) {
+            if (!mkdir($dir, 0o775, true) && !is_dir($dir)) {
+                throw new RuntimeException(sprintf('Cannot create directory "%s"', $dir));
+            }
+        }
+
+        $bytesWritten = file_put_contents($absolutePath, $content);
+        if (false === $bytesWritten) {
+            throw new RuntimeException(sprintf('Cannot write file "%s"', $absolutePath));
+        }
+
+        return $relativePath;
+    }
+
+    /**
+     * Store a file from a given source path (e.g., temp upload).
+     */
+    public function storeFromPath(string $sourcePath, string $documentId, string $extension): string
+    {
+        $content = file_get_contents($sourcePath);
+        if (false === $content) {
+            throw new RuntimeException(sprintf('Cannot read source file "%s"', $sourcePath));
+        }
+
+        return $this->store($content, $documentId, $extension);
+    }
+
+    public function read(string $relativePath): string
+    {
+        $absolutePath = $this->getAbsolutePath($relativePath);
+        if (!file_exists($absolutePath)) {
+            throw new RuntimeException(sprintf('File not found: "%s"', $absolutePath));
+        }
+
+        $content = file_get_contents($absolutePath);
+        if (false === $content) {
+            throw new RuntimeException(sprintf('Cannot read file "%s"', $absolutePath));
+        }
+
+        return $content;
+    }
+
+    public function delete(string $relativePath): bool
+    {
+        $absolutePath = $this->getAbsolutePath($relativePath);
+        if (!file_exists($absolutePath)) {
+            return false;
+        }
+
+        return @unlink($absolutePath);
+    }
+
+    public function exists(string $relativePath): bool
+    {
+        return file_exists($this->getAbsolutePath($relativePath));
+    }
+
+    public function isBase64DataUri(string $path): bool
+    {
+        return str_starts_with($path, 'data:');
+    }
+
+    public function extensionFromMimeType(string $mimeType): string
+    {
+        $map = [
+            'application/pdf'                                                         => 'pdf',
+            'image/jpeg'                                                              => 'jpg',
+            'image/png'                                                               => 'png',
+            'image/gif'                                                               => 'gif',
+            'image/webp'                                                              => 'webp',
+            'image/svg+xml'                                                           => 'svg',
+            'image/bmp'                                                               => 'bmp',
+            'text/plain'                                                              => 'txt',
+            'text/csv'                                                                => 'csv',
+            'application/json'                                                        => 'json',
+            'application/xml'                                                         => 'xml',
+            'application/zip'                                                         => 'zip',
+            'audio/mpeg'                                                              => 'mp3',
+            'audio/ogg'                                                               => 'ogg',
+            'video/mp4'                                                               => 'mp4',
+            'video/webm'                                                              => 'webm',
+            'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
+            'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'       => 'xlsx',
+            'application/msword'                                                      => 'doc',
+            'application/vnd.ms-excel'                                                => 'xls',
+        ];
+
+        return $map[$mimeType] ?? 'bin';
+    }
+
+    public function extensionFromFilename(string $filename): string
+    {
+        $ext = pathinfo($filename, PATHINFO_EXTENSION);
+
+        return '' !== $ext ? strtolower($ext) : 'bin';
+    }
+}

src/Service/PdfCompressorService.php

@@ -6,6 +6,63 @@ namespace App\Service;
 
 class PdfCompressorService
 {
+    /**
+     * Compress an actual PDF file on disk. Returns metadata or null if no gain.
+     *
+     * @return null|array{size: int, originalSize: int, saved: int}
+     */
+    public function compressFile(string $absolutePath): ?array
+    {
+        exec('which qpdf', $qpdfPath, $returnCode);
+        if (0 !== $returnCode) {
+            return null;
+        }
+
+        if (!file_exists($absolutePath)) {
+            return null;
+        }
+
+        $originalSize = filesize($absolutePath);
+        if (false === $originalSize) {
+            return null;
+        }
+
+        $tempOutput = tempnam(sys_get_temp_dir(), 'pdf_out_');
+
+        $command = sprintf(
+            'qpdf --linearize --object-streams=generate %s %s 2>&1',
+            escapeshellarg($absolutePath),
+            escapeshellarg($tempOutput)
+        );
+
+        exec($command, $cmdOutput, $returnCode);
+
+        if (0 !== $returnCode || !file_exists($tempOutput)) {
+            @unlink($tempOutput);
+
+            return null;
+        }
+
+        $compressedSize = filesize($tempOutput);
+        if (false === $compressedSize || $compressedSize >= $originalSize) {
+            @unlink($tempOutput);
+
+            return null;
+        }
+
+        if (!rename($tempOutput, $absolutePath)) {
+            @unlink($tempOutput);
+
+            return null;
+        }
+
+        return [
+            'size'         => $compressedSize,
+            'originalSize' => $originalSize,
+            'saved'        => $originalSize - $compressedSize,
+        ];
+    }
+
     public function compressBase64Pdf(string $base64Data): ?array
     {
         // Check if qpdf is available

src/State/DocumentUploadProcessor.php

@@ -0,0 +1,128 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Entity\Document;
+use App\Service\DocumentStorageService;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\File\UploadedFile;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+final class DocumentUploadProcessor implements ProcessorInterface
+{
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
+        private readonly ProcessorInterface $decorated,
+        private readonly RequestStack $requestStack,
+        private readonly DocumentStorageService $storageService,
+        private readonly EntityManagerInterface $em,
+    ) {}
+
+    /**
+     * @param array<string, mixed> $uriVariables
+     * @param array<string, mixed> $context
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
+    {
+        $request = $this->requestStack->getCurrentRequest();
+        if (null === $request) {
+            throw new BadRequestHttpException('No request available.');
+        }
+
+        $contentType = $request->headers->get('Content-Type', '');
+
+        // Multipart/form-data → file upload
+        if (str_contains($contentType, 'multipart/form-data')) {
+            return $this->handleMultipartUpload($operation, $uriVariables, $context, $request);
+        }
+
+        // Fallback to default processor for legacy JSON/Base64 requests
+        if (!$data instanceof Document) {
+            return $this->decorated->process($data, $operation, $uriVariables, $context);
+        }
+
+        return $this->decorated->process($data, $operation, $uriVariables, $context);
+    }
+
+    private function handleMultipartUpload(
+        Operation $operation,
+        array $uriVariables,
+        array $context,
+        Request $request,
+    ): Document {
+        /** @var null|UploadedFile $file */
+        $file = $request->files->get('file');
+        if (null === $file || !$file->isValid()) {
+            throw new BadRequestHttpException('A valid file is required in the "file" field.');
+        }
+
+        $document = new Document();
+
+        // Metadata from form fields
+        $name     = $request->request->get('name', $file->getClientOriginalName());
+        $filename = $file->getClientOriginalName();
+        $mimeType = $file->getMimeType() ?: $request->request->get('mimeType', 'application/octet-stream');
+        $size     = $file->getSize();
+
+        $document->setName($name);
+        $document->setFilename($filename);
+        $document->setMimeType($mimeType);
+        $document->setSize((int) $size);
+
+        // Handle entity relations from form fields
+        $this->setRelationsFromRequest($document, $request);
+
+        // Generate CUID early so we can use it for the filename on disk
+        $documentId = 'cl'.bin2hex(random_bytes(12));
+        $document->setId($documentId);
+
+        // Store file on disk
+        $extension    = $this->storageService->extensionFromFilename($filename);
+        $relativePath = $this->storageService->storeFromPath(
+            $file->getPathname(),
+            $documentId,
+            $extension,
+        );
+        $document->setPath($relativePath);
+
+        // Persist via decorated processor (triggers prePersist for timestamps)
+        return $this->decorated->process($document, $operation, $uriVariables, $context);
+    }
+
+    private function setRelationsFromRequest(Document $document, Request $request): void
+    {
+        $relationMap = [
+            'machineId'   => 'Machine',
+            'composantId' => 'Composant',
+            'pieceId'     => 'Piece',
+            'productId'   => 'Product',
+            'siteId'      => 'Site',
+        ];
+
+        foreach ($relationMap as $field => $entityName) {
+            $value = $request->request->get($field);
+            if (!$value) {
+                continue;
+            }
+
+            // Accept both raw ID and IRI format
+            $id = $value;
+            if (str_contains($value, '/')) {
+                $parts = explode('/', rtrim($value, '/'));
+                $id    = end($parts);
+            }
+
+            $entityClass = 'App\Entity\\'.$entityName;
+            $entity      = $this->em->getReference($entityClass, $id);
+            $setter      = 'set'.$entityName;
+            $document->{$setter}($entity);
+        }
+    }
+}

src/State/ProfilePasswordHasher.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Entity\Profile;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+final class ProfilePasswordHasher implements ProcessorInterface
+{
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
+        private readonly ProcessorInterface $decorated,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+    ) {}
+
+    /**
+     * @param array<string, mixed> $uriVariables
+     * @param array<string, mixed> $context
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
+    {
+        if ($data instanceof Profile && $data->getPlainPassword()) {
+            $data->setPassword(
+                $this->passwordHasher->hashPassword($data, $data->getPlainPassword())
+            );
+            $data->eraseCredentials();
+        }
+
+        return $this->decorated->process($data, $operation, $uriVariables, $context);
+    }
+}

src/State/TypeMachinePutProcessor.php

@@ -0,0 +1,211 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Entity\CustomField;
+use App\Entity\ModelType;
+use App\Entity\TypeMachine;
+use App\Entity\TypeMachineComponentRequirement;
+use App\Entity\TypeMachinePieceRequirement;
+use App\Entity\TypeMachineProductRequirement;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+use function array_key_exists;
+use function is_string;
+
+final class TypeMachinePutProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly RequestStack $requestStack,
+    ) {}
+
+    /**
+     * @param array<string, mixed> $uriVariables
+     * @param array<string, mixed> $context
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TypeMachine
+    {
+        $typeMachine = $this->em->getRepository(TypeMachine::class)->find($uriVariables['id']);
+
+        if (!$typeMachine) {
+            throw new NotFoundHttpException('Type de machine non trouvé.');
+        }
+
+        // Guard: cannot edit if machines are linked
+        if (!$typeMachine->getMachines()->isEmpty()) {
+            throw new HttpException(422, 'Ce type de machine ne peut pas être modifié car des machines y sont rattachées.');
+        }
+
+        $request = $this->requestStack->getCurrentRequest();
+        $payload = json_decode($request->getContent(), true) ?? [];
+
+        $this->updateScalarProperties($typeMachine, $payload);
+
+        if (array_key_exists('customFields', $payload)) {
+            $this->replaceCustomFields($typeMachine, $payload['customFields'] ?? []);
+        }
+
+        if (array_key_exists('componentRequirements', $payload)) {
+            $this->replaceComponentRequirements($typeMachine, $payload['componentRequirements'] ?? []);
+        }
+
+        if (array_key_exists('pieceRequirements', $payload)) {
+            $this->replacePieceRequirements($typeMachine, $payload['pieceRequirements'] ?? []);
+        }
+
+        if (array_key_exists('productRequirements', $payload)) {
+            $this->replaceProductRequirements($typeMachine, $payload['productRequirements'] ?? []);
+        }
+
+        $this->em->flush();
+
+        return $typeMachine;
+    }
+
+    private function updateScalarProperties(TypeMachine $typeMachine, array $payload): void
+    {
+        if (isset($payload['name'])) {
+            $typeMachine->setName($payload['name']);
+        }
+
+        if (array_key_exists('description', $payload)) {
+            $typeMachine->setDescription($payload['description']);
+        }
+
+        if (array_key_exists('category', $payload)) {
+            $typeMachine->setCategory($payload['category']);
+        }
+
+        if (array_key_exists('maintenanceFrequency', $payload)) {
+            $typeMachine->setMaintenanceFrequency($payload['maintenanceFrequency']);
+        }
+
+        if (array_key_exists('components', $payload)) {
+            $typeMachine->setComponents($payload['components']);
+        }
+
+        if (array_key_exists('criticalParts', $payload)) {
+            $typeMachine->setCriticalParts($payload['criticalParts']);
+        }
+
+        if (array_key_exists('machinePieces', $payload)) {
+            $typeMachine->setMachinePieces($payload['machinePieces']);
+        }
+
+        if (array_key_exists('specifications', $payload)) {
+            $typeMachine->setSpecifications($payload['specifications']);
+        }
+    }
+
+    private function replaceCustomFields(TypeMachine $typeMachine, array $fieldsData): void
+    {
+        foreach ($typeMachine->getCustomFields()->toArray() as $old) {
+            $typeMachine->removeCustomField($old);
+        }
+
+        foreach ($fieldsData as $index => $data) {
+            $field = new CustomField();
+            $field->setName($data['name'] ?? '');
+            $field->setType($data['type'] ?? 'text');
+            $field->setRequired($data['required'] ?? false);
+            $field->setOptions($data['options'] ?? null);
+            $field->setOrderIndex($data['orderIndex'] ?? $index);
+            $typeMachine->addCustomField($field);
+        }
+    }
+
+    private function replaceComponentRequirements(TypeMachine $typeMachine, array $requirementsData): void
+    {
+        foreach ($typeMachine->getComponentRequirements()->toArray() as $old) {
+            $typeMachine->removeComponentRequirement($old);
+        }
+
+        foreach ($requirementsData as $index => $data) {
+            $req = new TypeMachineComponentRequirement();
+            $req->setLabel($data['label'] ?? null);
+            $req->setMinCount($data['minCount'] ?? 1);
+            $req->setMaxCount($data['maxCount'] ?? null);
+            $req->setRequired($data['required'] ?? true);
+            $req->setAllowNewModels($data['allowNewModels'] ?? true);
+            $req->setOrderIndex($data['orderIndex'] ?? $index);
+
+            $modelType = $this->resolveModelType($data['typeComposant'] ?? null);
+            if ($modelType) {
+                $req->setTypeComposant($modelType);
+            }
+
+            $typeMachine->addComponentRequirement($req);
+        }
+    }
+
+    private function replacePieceRequirements(TypeMachine $typeMachine, array $requirementsData): void
+    {
+        foreach ($typeMachine->getPieceRequirements()->toArray() as $old) {
+            $typeMachine->removePieceRequirement($old);
+        }
+
+        foreach ($requirementsData as $index => $data) {
+            $req = new TypeMachinePieceRequirement();
+            $req->setLabel($data['label'] ?? null);
+            $req->setMinCount($data['minCount'] ?? 0);
+            $req->setMaxCount($data['maxCount'] ?? null);
+            $req->setRequired($data['required'] ?? false);
+            $req->setAllowNewModels($data['allowNewModels'] ?? true);
+            $req->setOrderIndex($data['orderIndex'] ?? $index);
+
+            $modelType = $this->resolveModelType($data['typePiece'] ?? null);
+            if ($modelType) {
+                $req->setTypePiece($modelType);
+            }
+
+            $typeMachine->addPieceRequirement($req);
+        }
+    }
+
+    private function replaceProductRequirements(TypeMachine $typeMachine, array $requirementsData): void
+    {
+        foreach ($typeMachine->getProductRequirements()->toArray() as $old) {
+            $typeMachine->removeProductRequirement($old);
+        }
+
+        foreach ($requirementsData as $index => $data) {
+            $req = new TypeMachineProductRequirement();
+            $req->setLabel($data['label'] ?? null);
+            $req->setMinCount($data['minCount'] ?? 0);
+            $req->setMaxCount($data['maxCount'] ?? null);
+            $req->setRequired($data['required'] ?? false);
+            $req->setAllowNewModels($data['allowNewModels'] ?? true);
+            $req->setOrderIndex($data['orderIndex'] ?? $index);
+
+            $modelType = $this->resolveModelType($data['typeProduct'] ?? null);
+            if ($modelType) {
+                $req->setTypeProduct($modelType);
+            }
+
+            $typeMachine->addProductRequirement($req);
+        }
+    }
+
+    private function resolveModelType(mixed $value): ?ModelType
+    {
+        if (!$value) {
+            return null;
+        }
+
+        $id = $value;
+
+        if (is_string($value) && preg_match('#/api/model_types/(.+)$#', $value, $matches)) {
+            $id = $matches[1];
+        }
+
+        return $this->em->getReference(ModelType::class, $id);
+    }
+}