From 8313c759c641b68fc4b5ceaa56b422bd5ed612ae Mon Sep 17 00:00:00 2001
From: THOLOT DECHENE Matthieu <matthieu@yuno.malio.fr>
Date: Tue, 23 Jun 2026 13:50:42 +0000
Subject: [PATCH] =?UTF-8?q?Migration=20modular=20monolith=20DDD=20(0.1=20?=
 =?UTF-8?q?=E2=86=92=203.3)=20(#17)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Migration modular monolith DDD — Lesstime (0.1 → 3.3)

Cette MR regroupe l'intégralité de la refonte en monolithe modulaire (strangler progressif, additif). Elle remplace les MR stackées de Phase 1 (#12–#16), désormais incluses ici.

**Ne pas merger avant validation fonctionnelle** : branche destinée à être testée telle quelle.

### Périmètre — 9 modules sous `src/Module/`
| Phase | Module | Contenu |
|------|--------|---------|
| 0.1 | (socle) | infrastructure modulaire, `ModuleInterface`, mapping Doctrine par module |
| 0.2 | (socle front) | auto-détection des layers Nuxt sous `frontend/modules/*` |
| 1.1 | **Core** | Identité (User/Auth), Notifications, Notifier |
| 1.2 | Core | RBAC fin (permissions `module.resource.action`, sidebar gated) |
| 1.3 | Core | Audit log (`#[Auditable]`, listener, provider DBAL) |
| 2.1 | **TimeTracking** | TimeEntry + MCP + export |
| 2.2 | **ProjectManagement** | cœur métier Projets/Tâches + 38 MCP tools |
| 2.3 | **Absence** | demandes, soldes, policies, justificatifs |
| 2.4 | **Directory** | Clients (migrés) + **Prospects** (nouveau, conversion → Client) |
| 2.5 | **Mail** | intégration IMAP OVH + liens tâches |
| 2.6 | **Integration** | Gitea / BookStack / Zimbra / Share |
| 3.1 | **Reporting** | rapports transverses (DBAL read-only, 0 import inter-module) |
| 3.2 | **ClientPortal** | portail client (ROLE_CLIENT cloisonné, tickets, notifications) |
| 3.3 | (finition) | nettoyage legacy — `src/Entity` vide, app 100% modulaire |

### Architecture
- Découplage inter-modules par **contrats** (`UserInterface`, `ProjectInterface`, `TaskInterface`, `TaskTagInterface`, `ClientInterface`, `ClientTicketInterface`, `LeaveProfileInterface`) + `resolve_target_entities` 100% modulaire (aucune cible legacy).
- Repositories : interface `Domain/Repository` + implémentation `Infrastructure/Doctrine`, bindées.
- Reporting en DBAL read-only pur (aucun import d'entité d'un autre module).
- Chaque migration de module : déplacement à comportement préservé (API publique et noms d'outils MCP inchangés), migrations **additives** uniquement (zéro destructif).

### Sécurité
- ROLE_CLIENT cloisonné : un utilisateur client n'accède qu'à `/portal` et à ses propres tickets (filtrés par `allowedProjects`), interdit sur toute l'API interne.
- Correctif : interdiction pour un client de créer un lien vers le partage SMB (upload uniquement).

### QA non-régression (branche reconstruite from scratch)
- Migrations from scratch + fixtures : OK.
- Compilation dev + prod : OK.
- **180 tests PHPUnit verts**, php-cs-fixer clean, ~96 routes, **66 outils MCP** tous sous `App\Module\*`.
- Smoke test runtime multi-rôles (admin / ROLE_USER / ROLE_CLIENT) : 44 vérifications HTTP, **0 écart**, cloisonnement client étanche.
- Build Nuxt OK, 9 layers, 0 import legacy résiduel.

### Points à arbitrer (hors périmètre de cette migration)
- Durcissement MCP/IDOR pré-existant (`userId` explicite sans scoping sur certains tools TimeTracking/Absence/TaskDocument) — ticket dédié recommandé.
- Validation fonctionnelle de **Prospect** et **ClientPortal** (conçus depuis les specs disque).
- **Harmonisation visuelle Malio finale** (3.3) — finition esthétique inter-modules laissée au PO.

---

## ⚠️ Déploiement / migration des données — à ne pas oublier

### 1. Resynchroniser les séquences PostgreSQL après tout import/restore de dump
Si la prod (ou tout environnement) est **montée depuis un dump** (`pg_restore` / `COPY`), les lignes sont chargées avec leurs `id` explicites **sans avancer les séquences** → au premier `INSERT` : `duplicate key value violates unique constraint "..._pkey"` (constaté en local sur `notification`, `task`, `time_entry`…).

À lancer **juste après chaque restore/import** :

```sql
DO $$
DECLARE r RECORD; maxid BIGINT; seq TEXT;
BEGIN
  FOR r IN SELECT table_name, column_name FROM information_schema.columns WHERE table_schema='public'
  LOOP
    seq := pg_get_serial_sequence(quote_ident(r.table_name), r.column_name);
    IF seq IS NOT NULL THEN
      EXECUTE format('SELECT COALESCE(MAX(%I),0) FROM %I', r.column_name, r.table_name) INTO maxid;
      PERFORM setval(seq, GREATEST(maxid,1), maxid > 0);
    END IF;
  END LOOP;
END $$;
```

> Ne concerne **pas** une prod qui tourne déjà (séquences avancées organiquement) — uniquement le cas restore/import. Idempotent, sans risque.

### 2. Fix dénormalisation des collections typées-contrat (code, inclus dans la branche)
Les relations **to-many** typées par une interface `Shared\Domain\Contract\*` (`TimeEntry::tags` → `TaskTagInterface`, `Task::collaborators` → `UserInterface`) étaient **indénormalisables par API Platform** (mono-valué OK via IRI, collection KO) → **tout POST/PATCH portant une telle collection renvoyait 400/500**. Corrigé par un dénormaliseur générique `ContractRelationDenormalizer` (réutilise `resolve_target_entities`, zéro couplage par-entité) + test fonctionnel de non-régression.

---------

Co-authored-by: Matthieu <contact@malio.fr>
Reviewed-on: https://gitea.malio.fr/MALIO-DEV/Lesstime/pulls/17
---
 .claude/skills/ticket-executor/LEARNINGS.md   |  108 +
 .gitea/workflows/pull-request.yml             |  115 +
 config/modules.php                            |   28 +
 config/packages/api_platform.yaml             |   14 +
 config/packages/doctrine.yaml                 |   73 +-
 config/packages/messenger.yaml                |    2 +-
 config/packages/security.yaml                 |    4 +-
 config/services.yaml                          |   94 +-
 config/sidebar.php                            |   44 +
 .../plans/2026-06-19-lst-56-socle-back.md     | 1155 ++++++
 .../plans/2026-06-19-lst-57-rbac-fin.md       | 1690 +++++++++
 .../plans/2026-06-19-lst-61-audit-log.md      |  706 ++++
 .../plans/2026-06-19-lst-62-socle-front.md    |  976 +++++
 .../plans/2026-06-19-lst-63-module-core.md    |  732 ++++
 .../2026-06-20-lst-58-directory-prospect.md   |   66 +
 ...6-06-20-lst-65-module-projectmanagement.md |   82 +
 ...2026-06-22-directory-commercial-reports.md | 3306 +++++++++++++++++
 ...26-06-19-lst-56-modular-monolith-design.md |  192 +
 ...6-19-migration-modular-monolith-roadmap.md |  161 +
 ...-22-directory-commercial-reports-design.md |  203 +
 frontend/{ => app}/layouts/auth.vue           |    0
 frontend/{ => app}/layouts/default.vue        |  177 +-
 frontend/{ => app}/middleware/admin.ts        |    0
 frontend/app/middleware/auth.global.ts        |   30 +
 frontend/{ => app}/middleware/employee.ts     |    0
 frontend/app/middleware/modules.global.ts     |   15 +
 .../admin/AdminAbsencePolicyTab.vue           |    4 +-
 frontend/components/admin/AdminAuditTab.vue   |  160 +
 .../components/admin/AdminBookStackTab.vue    |    2 +-
 frontend/components/admin/AdminClientTab.vue  |    4 +-
 frontend/components/admin/AdminEffortTab.vue  |    4 +-
 frontend/components/admin/AdminGiteaTab.vue   |    2 +-
 frontend/components/admin/AdminMailTab.vue    |    2 +-
 .../components/admin/AdminPriorityTab.vue     |    4 +-
 frontend/components/admin/AdminRoleTab.vue    |  116 +
 frontend/components/admin/AdminShareTab.vue   |    2 +-
 frontend/components/admin/AdminTagTab.vue     |    4 +-
 .../components/admin/AdminWorkflowTab.vue     |    4 +-
 frontend/components/admin/AdminZimbraTab.vue  |    2 +-
 frontend/components/admin/RoleDrawer.vue      |  186 +
 frontend/components/admin/WorkflowDrawer.vue  |   10 +-
 .../components/share/SharedFilePreview.vue    |    4 +-
 frontend/components/user/UserDrawer.vue       |   53 +-
 frontend/i18n/locales/fr.json                 | 1769 +++++----
 frontend/middleware/auth.global.ts            |   16 -
 frontend/modules/.gitkeep                     |    0
 .../AbsenceBalanceAdjustDrawer.vue            |    4 +-
 .../components}/AbsenceBalanceCards.vue       |    3 +-
 .../absence/components}/AbsenceCalendar.vue   |    5 +-
 .../absence/components}/AbsenceDateField.vue  |    2 +-
 .../components}/AbsenceDetailDrawer.vue       |    5 +-
 .../components}/AbsenceRejectDrawer.vue       |    5 +-
 .../components}/AbsenceRequestDrawer.vue      |    5 +-
 .../absence/components}/EmployeeDrawer.vue    |    0
 .../absence}/composables/useAbsenceHelpers.ts |    2 +-
 frontend/modules/absence/nuxt.config.ts       |    1 +
 .../{ => modules/absence}/pages/absences.vue  |    5 +-
 .../absence}/pages/team-absences.vue          |    5 +-
 .../absence}/services/absences.ts             |    0
 .../absence}/services/dto/absence.ts          |    0
 .../core/composables/usePermissions.ts        |   27 +
 frontend/modules/core/nuxt.config.ts          |    1 +
 frontend/{ => modules/core}/pages/login.vue   |    0
 frontend/{ => modules/core}/pages/profile.vue |    0
 frontend/modules/core/services/audit-logs.ts  |   65 +
 frontend/modules/core/services/permissions.ts |   22 +
 frontend/modules/core/services/roles.ts       |   50 +
 .../directory/components}/ClientDrawer.vue    |   31 +-
 .../components/CommercialReportTab.vue        |  160 +
 .../components/DirectoryAddressBlock.vue      |   69 +
 .../components/DirectoryContactBlock.vue      |   73 +
 .../directory/components/ProspectDrawer.vue   |  191 +
 .../components/ReportDocumentList.vue         |   42 +
 .../components/ReportDocumentUpload.vue       |   45 +
 .../composables/useDirectoryDetail.ts         |   92 +
 frontend/modules/directory/nuxt.config.ts     |    1 +
 .../pages/directory/clients/[id].vue          |  107 +
 .../directory/pages/directory/index.vue       |  241 ++
 .../pages/directory/prospects/[id].vue        |  107 +
 .../modules/directory/services/addresses.ts   |   32 +
 .../directory}/services/clients.ts            |    6 +-
 .../directory/services/commercial-reports.ts  |   32 +
 .../modules/directory/services/contacts.ts    |   32 +
 .../modules/directory/services/dto/address.ts |   23 +
 .../directory}/services/dto/client.ts         |    6 -
 .../services/dto/commercial-report.ts         |   27 +
 .../modules/directory/services/dto/contact.ts |   23 +
 .../directory/services/dto/prospect.ts        |   28 +
 .../directory/services/dto/report-document.ts |   13 +
 .../modules/directory/services/prospects.ts   |   44 +
 .../directory/services/report-documents.ts    |   39 +
 .../composables/useShareStatus.ts             |    2 +-
 frontend/modules/integration/nuxt.config.ts   |    1 +
 .../integration}/services/bookstack.ts        |    0
 .../integration}/services/dto/bookstack.ts    |    0
 .../integration}/services/dto/gitea.ts        |    0
 .../integration}/services/dto/share.ts        |    0
 .../integration}/services/dto/zimbra.ts       |    0
 .../integration}/services/gitea.ts            |    0
 .../integration}/services/share-settings.ts   |    0
 .../integration}/services/share.ts            |    0
 .../integration}/services/zimbra.ts           |    0
 .../components}/MailAttachmentPreview.vue     |    0
 .../mail/components}/MailCreateTaskModal.vue  |   16 +-
 .../mail/components}/MailFolderTree.vue       |    2 +-
 .../mail/components}/MailLinkTaskModal.vue    |   10 +-
 .../mail/components}/MailMessageList.vue      |    2 +-
 .../mail/components}/MailMessageViewer.vue    |    4 +-
 .../mail/components}/MailRefreshButton.vue    |    2 +-
 frontend/modules/mail/nuxt.config.ts          |    1 +
 frontend/{ => modules/mail}/pages/mail.vue    |    4 +-
 .../{ => modules/mail}/services/dto/mail.ts   |    0
 frontend/{ => modules/mail}/services/mail.ts  |    4 +-
 frontend/{ => modules/mail}/stores/mail.ts    |    4 +-
 .../components}/ProjectDrawer.vue             |   14 +-
 .../components}/ProjectGroupTab.vue           |    8 +-
 .../ProjectWorkflowSwitchModal.vue            |   12 +-
 .../components}/StatusPickerPopover.vue       |    2 +-
 .../components}/TaskBookStackLinks.vue        |    4 +-
 .../components}/TaskBulkActions.vue           |   12 +-
 .../components}/TaskCard.vue                  |    2 +-
 .../components}/TaskDocumentList.vue          |    4 +-
 .../components}/TaskDocumentPreview.vue       |    4 +-
 .../components}/TaskDocumentShareLinker.vue   |    6 +-
 .../components}/TaskDocumentUpload.vue        |    2 +-
 .../components}/TaskEffortDrawer.vue          |    4 +-
 .../components}/TaskGitSection.vue            |    6 +-
 .../components}/TaskGroupDrawer.vue           |    8 +-
 .../components}/TaskListItem.vue              |    2 +-
 .../components}/TaskModal.vue                 |   32 +-
 .../components}/TaskPriorityDrawer.vue        |    4 +-
 .../components}/TaskTagDrawer.vue             |    4 +-
 .../modules/project-management/nuxt.config.ts |    1 +
 .../project-management}/pages/my-tasks.vue    |   52 +-
 .../pages/projects/[id]/archives.vue          |   34 +-
 .../pages/projects/[id]/groups.vue            |    4 +-
 .../pages/projects/[id]/index.vue             |   41 +-
 .../pages/projects/index.vue                  |    8 +-
 .../services/dto/project.ts                   |    2 +-
 .../services/dto/task-document.ts             |    2 +-
 .../services/dto/task-effort.ts               |    0
 .../services/dto/task-group.ts                |    0
 .../services/dto/task-priority.ts             |    0
 .../services/dto/task-recurrence.ts           |    0
 .../services/dto/task-status.ts               |    0
 .../services/dto/task-tag.ts                  |    0
 .../project-management}/services/dto/task.ts  |    2 +-
 .../services/dto/workflow.ts                  |    0
 .../project-management}/services/projects.ts  |    0
 .../services/task-documents.ts                |    5 +-
 .../services/task-efforts.ts                  |    0
 .../services/task-groups.ts                   |    0
 .../services/task-priorities.ts               |    0
 .../services/task-recurrences.ts              |    0
 .../services/task-statuses.ts                 |    0
 .../project-management}/services/task-tags.ts |    0
 .../project-management}/services/tasks.ts     |    0
 .../project-management}/services/workflows.ts |    0
 .../components/ReportingBarChart.vue          |   52 +
 .../components/ReportingDoughnut.vue          |   56 +
 .../reporting/composables/useCsvExport.ts     |   44 +
 .../composables/useReportingFilters.ts        |   41 +
 frontend/modules/reporting/nuxt.config.ts     |    1 +
 .../modules/reporting/pages/reporting.vue     |  388 ++
 .../reporting/services/dto/reporting.ts       |   34 +
 .../modules/reporting/services/reporting.ts   |   51 +
 .../components}/TimeEntryBlock.vue            |    2 +-
 .../components}/TimeEntryContextMenu.vue      |    2 +-
 .../components}/TimeEntryDrawer.vue           |    8 +-
 .../components}/TimeEntryList.vue             |    2 +-
 .../components}/TimeTrackingCalendar.vue      |    4 +-
 .../components}/TimeTrackingExportDrawer.vue  |    6 +-
 frontend/modules/time-tracking/nuxt.config.ts |    1 +
 .../time-tracking}/pages/time-tracking.vue    |   10 +-
 .../time-tracking}/services/dto/time-entry.ts |    8 +-
 .../time-tracking}/services/time-entries.ts   |    0
 .../time-tracking}/stores/timer.ts            |    6 +-
 frontend/nuxt.config.ts                       |   57 +-
 frontend/pages/admin.vue                      |   16 +-
 frontend/pages/documents.vue                  |    4 +-
 frontend/pages/index.vue                      |   20 +-
 frontend/services/dto/notification.ts         |    2 +-
 frontend/services/dto/user-data.ts            |    1 +
 frontend/services/users.ts                    |    6 +-
 frontend/{ => shared}/composables/useApi.ts   |    2 +-
 frontend/shared/composables/useModules.ts     |   22 +
 frontend/shared/composables/useSidebar.ts     |   31 +
 frontend/{ => shared}/stores/auth.ts          |    0
 frontend/{ => shared}/stores/ui.ts            |    0
 frontend/shared/types/sidebar.ts              |   11 +
 infra/prod/deploy.sh                          |    3 +
 makefile                                      |    7 +-
 migrations/Version20260619145109.php          |   74 +
 migrations/Version20260619185448.php          |   56 +
 migrations/Version20260620161036.php          |   52 +
 migrations/Version20260620161500.php          |   79 +
 migrations/Version20260620170000.php          |   81 +
 migrations/Version20260620180000.php          |   53 +
 migrations/Version20260620190000.php          |   48 +
 migrations/Version20260620200000.php          |   54 +
 migrations/Version20260620201000.php          |  125 +
 migrations/Version20260621120000.php          |  115 +
 migrations/Version20260621130000.php          |   41 +
 migrations/Version20260622090000.php          |  120 +
 migrations/Version20260622100916.php          |  222 ++
 src/Command/GenerateApiTokenCommand.php       |    4 +-
 src/DataFixtures/AppFixtures.php              |  144 +-
 src/Module/Absence/AbsenceModule.php          |   43 +
 .../Service/AbsenceBalanceService.php         |   30 +-
 .../Absence/Domain}/Entity/AbsenceBalance.php |   26 +-
 .../Absence/Domain}/Entity/AbsencePolicy.php  |   15 +-
 .../Absence/Domain}/Entity/AbsenceRequest.php |   37 +-
 .../Absence/Domain}/Enum/AbsenceStatus.php    |    2 +-
 .../Absence/Domain}/Enum/AbsenceType.php      |    2 +-
 .../Absence/Domain}/Enum/HalfDay.php          |    2 +-
 .../AbsenceBalanceRepositoryInterface.php     |   24 +
 .../AbsencePolicyRepositoryInterface.php      |   23 +
 .../AbsenceRequestRepositoryInterface.php     |   45 +
 .../Domain}/Service/AbsenceDayCalculator.php  |    4 +-
 .../Domain}/Service/PublicHolidayProvider.php |    2 +-
 .../State/AbsenceBalanceProvider.php          |   16 +-
 .../State/AbsenceCancelProcessor.php          |   19 +-
 .../State/AbsenceRequestProcessor.php         |   24 +-
 .../State/AbsenceRequestProvider.php          |   16 +-
 .../State/AbsenceReviewProcessor.php          |   12 +-
 .../Command/AccrueLeaveCommand.php            |   28 +-
 .../Controller}/AbsenceCalendarController.php |    6 +-
 ...AbsenceJustificationDownloadController.php |    9 +-
 .../AbsenceJustificationUploadController.php  |    7 +-
 .../Controller}/AbsencePreviewController.php  |   22 +-
 .../Controller}/PublicHolidayController.php   |    4 +-
 .../DoctrineAbsenceBalanceRepository.php      |   37 +
 .../DoctrineAbsencePolicyRepository.php}      |   14 +-
 .../DoctrineAbsenceRequestRepository.php}     |   22 +-
 .../Mcp/Tool}/CancelAbsenceRequestTool.php    |   14 +-
 .../Mcp/Tool}/CreateAbsenceRequestTool.php    |   30 +-
 .../Mcp/Tool}/DeleteAbsenceRequestTool.php    |    8 +-
 .../Mcp/Tool}/GetAbsenceRequestTool.php       |   10 +-
 .../Mcp/Tool}/ListAbsenceBalancesTool.php     |   16 +-
 .../Mcp/Tool}/ListAbsencePoliciesTool.php     |    8 +-
 .../Mcp/Tool}/ListAbsenceRequestsTool.php     |   18 +-
 .../Mcp/Tool}/ReviewAbsenceRequestTool.php    |   18 +-
 .../Mcp/Tool}/UpdateAbsenceBalanceTool.php    |   10 +-
 .../Mcp/Tool}/UpdateAbsencePolicyTool.php     |   10 +-
 .../Core/Application/DTO/AuditLogOutput.php   |   30 +
 .../Core/Application/Rbac/RbacSeeder.php      |   36 +
 src/Module/Core/CoreModule.php                |   42 +
 .../Core/Domain}/Entity/Notification.php      |   17 +-
 src/Module/Core/Domain/Entity/Permission.php  |  115 +
 src/Module/Core/Domain/Entity/Role.php        |  151 +
 src/{ => Module/Core/Domain}/Entity/User.php  |  130 +-
 .../Core/Domain}/Enum/ContractType.php        |    2 +-
 .../Exception/SystemRoleDeletionException.php |   15 +
 .../PermissionRepositoryInterface.php         |   22 +
 .../Repository/RoleRepositoryInterface.php    |   19 +
 .../Repository/UserRepositoryInterface.php    |   32 +
 .../Core/Domain/Security/SystemRoles.php      |   11 +
 .../ApiPlatform/Pagination/DbalPaginator.php  |   74 +
 .../Resource/AuditLogEntityTypesResource.php  |   34 +
 .../ApiPlatform/Resource/AuditLogResource.php |   54 +
 .../ApiPlatform}/State/MeProvider.php         |   13 +-
 .../State/NotificationProvider.php            |    8 +-
 .../State/Processor/RoleProcessor.php         |   45 +
 .../State/Processor/UserRbacProcessor.php     |   43 +
 .../Provider/AuditLogEntityTypesProvider.php  |   35 +
 .../State/Provider/AuditLogProvider.php       |  247 ++
 .../State/UserPasswordHasherProcessor.php     |    4 +-
 .../Infrastructure/Audit/AuditLogWriter.php   |   94 +
 .../Audit/RequestIdProvider.php               |   33 +
 .../Console/SeedRbacCommand.php               |   30 +
 .../Console/SyncPermissionsCommand.php        |   84 +
 .../Controller/MarkAllReadController.php      |   10 +-
 .../NotificationUnreadCountController.php     |   10 +-
 .../RegenerateApiTokenController.php          |    4 +-
 .../Controller/UserAvatarController.php       |    4 +-
 .../Infrastructure/Doctrine/AuditListener.php |  513 +++
 .../DoctrineNotificationRepository.php}       |   12 +-
 .../Doctrine/DoctrinePermissionRepository.php |   51 +
 .../Doctrine/DoctrineRoleRepository.php       |   42 +
 .../Doctrine/DoctrineUserRepository.php}      |   41 +-
 .../Infrastructure/Mcp/Tool}/GetUserTool.php  |    8 +-
 .../Mcp/Tool}/ListUsersTool.php               |    6 +-
 .../Mcp/Tool}/UpdateUserTool.php              |   10 +-
 src/Module/Core/Infrastructure/Notifier.php   |   33 +
 .../Security/PermissionVoter.php              |   38 +
 src/Module/Directory/DirectoryModule.php      |   43 +
 .../Directory/Domain/Entity/Address.php       |  183 +
 .../Directory/Domain}/Entity/Client.php       |   71 +-
 .../Domain/Entity/CommercialReport.php        |  187 +
 .../Directory/Domain/Entity/Contact.php       |  183 +
 .../Directory/Domain/Entity/Prospect.php      |  191 +
 .../Domain/Entity/ReportDocument.php          |  166 +
 .../Directory/Domain/Enum/ProspectStatus.php  |   25 +
 .../Directory/Domain/Enum/ReportType.php      |   23 +
 .../Repository/AddressRepositoryInterface.php |   12 +
 .../Repository/ClientRepositoryInterface.php  |   20 +
 .../CommercialReportRepositoryInterface.php   |   12 +
 .../Repository/ContactRepositoryInterface.php |   12 +
 .../ProspectRepositoryInterface.php           |   20 +
 .../ReportDocumentRepositoryInterface.php     |   12 +
 .../State/ConvertProspectProcessor.php        |   90 +
 .../State/ReportDocumentProcessor.php         |  165 +
 .../ReportDocumentDownloadController.php      |   56 +
 .../Doctrine/DoctrineAddressRepository.php    |   26 +
 .../Doctrine/DoctrineClientRepository.php     |   26 +
 .../DoctrineCommercialReportRepository.php    |   26 +
 .../Doctrine/DoctrineContactRepository.php    |   26 +
 .../Doctrine/DoctrineProspectRepository.php   |   26 +
 .../DoctrineReportDocumentRepository.php      |   26 +
 .../CommercialReportAuthorListener.php        |   28 +
 .../EventListener/ReportDocumentListener.php  |   32 +
 .../Mcp/Tool/ConvertProspectTool.php          |   87 +
 .../Mcp/Tool}/CreateClientTool.php            |   12 +-
 .../Mcp/Tool/CreateProspectTool.php           |   60 +
 .../Mcp/Tool}/DeleteClientTool.php            |    8 +-
 .../Mcp/Tool/DeleteProspectTool.php           |   42 +
 .../Mcp/Tool}/GetClientTool.php               |   10 +-
 .../Mcp/Tool/GetProspectTool.php              |   37 +
 .../Mcp/Tool}/ListClientsTool.php             |    6 +-
 .../Mcp/Tool/ListProspectsTool.php            |   44 +
 .../Mcp/Tool}/UpdateClientTool.php            |   22 +-
 .../Mcp/Tool/UpdateProspectTool.php           |   76 +
 .../Domain}/Entity/BookStackConfiguration.php |   15 +-
 .../Domain}/Entity/GiteaConfiguration.php     |   15 +-
 .../Domain}/Entity/ShareConfiguration.php     |   15 +-
 .../Domain}/Entity/TaskBookStackLink.php      |   15 +-
 .../Domain}/Entity/ZimbraConfiguration.php    |   15 +-
 .../Exception/BookStackApiException.php       |    2 +-
 .../Domain}/Exception/GiteaApiException.php   |    2 +-
 .../Exception/InvalidPathException.php        |    2 +-
 .../Exception/ShareConnectionException.php    |    2 +-
 .../Exception/ShareNotConfiguredException.php |    2 +-
 ...kStackConfigurationRepositoryInterface.php |   12 +
 .../GiteaConfigurationRepositoryInterface.php |   12 +
 .../ShareConfigurationRepositoryInterface.php |   12 +
 .../TaskBookStackLinkRepositoryInterface.php  |   17 +
 ...ZimbraConfigurationRepositoryInterface.php |   12 +
 .../Integration/Domain/Service}/FileEntry.php |    2 +-
 .../Domain/Service}/FileSource.php            |    2 +-
 .../Domain/Service}/SharePathResolver.php     |    4 +-
 .../Domain/Service}/ShareTestResult.php       |    2 +-
 .../ApiPlatform/Resource}/BookStackLink.php   |   16 +-
 .../Resource}/BookStackSearchResult.php       |    8 +-
 .../Resource}/BookStackSettings.php           |    6 +-
 .../ApiPlatform/Resource}/BookStackShelf.php  |    4 +-
 .../Resource}/BookStackTestConnection.php     |    4 +-
 .../ApiPlatform/Resource}/GiteaBranch.php     |    6 +-
 .../ApiPlatform/Resource}/GiteaBranchName.php |    4 +-
 .../Resource}/GiteaPullRequest.php            |    4 +-
 .../ApiPlatform/Resource}/GiteaRepository.php |    4 +-
 .../ApiPlatform/Resource}/GiteaSettings.php   |    6 +-
 .../Resource}/GiteaTestConnection.php         |    4 +-
 .../ApiPlatform/Resource}/ShareSettings.php   |    6 +-
 .../Resource}/ShareTestConnection.php         |    4 +-
 .../ApiPlatform/Resource}/ZimbraSettings.php  |    6 +-
 .../Resource}/ZimbraTestConnection.php        |    4 +-
 .../State/BookStackLinkProcessor.php          |   17 +-
 .../State/BookStackLinkProvider.php           |   10 +-
 .../State/BookStackSearchResultProvider.php   |   15 +-
 .../State/BookStackSettingsProcessor.php      |   12 +-
 .../State/BookStackSettingsProvider.php       |    8 +-
 .../State/BookStackShelfProvider.php          |    8 +-
 .../State/BookStackTestConnectionProvider.php |    6 +-
 .../State/GiteaBranchNameProvider.php         |   13 +-
 .../State/GiteaBranchProcessor.php            |   15 +-
 .../State/GiteaBranchProvider.php             |   15 +-
 .../State/GiteaPullRequestProvider.php        |   15 +-
 .../State/GiteaRepositoryProvider.php         |    8 +-
 .../State/GiteaSettingsProcessor.php          |   12 +-
 .../State/GiteaSettingsProvider.php           |    8 +-
 .../State/GiteaTestConnectionProvider.php     |    6 +-
 .../State/ShareSettingsProcessor.php          |   12 +-
 .../State/ShareSettingsProvider.php           |    8 +-
 .../State/ShareTestConnectionProvider.php     |    6 +-
 .../State/ZimbraSettingsProcessor.php         |   12 +-
 .../State/ZimbraSettingsProvider.php          |    8 +-
 .../State/ZimbraTestConnectionProvider.php    |    6 +-
 .../Controller}/ShareBrowseController.php     |   16 +-
 .../Controller}/ShareDownloadController.php   |   14 +-
 .../Controller}/ShareSearchController.php     |   12 +-
 .../Controller}/ShareStatusController.php     |    8 +-
 ...ctrineBookStackConfigurationRepository.php |   26 +
 .../DoctrineGiteaConfigurationRepository.php} |   10 +-
 .../DoctrineShareConfigurationRepository.php} |   10 +-
 .../DoctrineTaskBookStackLinkRepository.php   |   34 +
 ...DoctrineZimbraConfigurationRepository.php} |   10 +-
 .../Service/BookStackApiService.php           |   35 +-
 .../Service/GiteaApiService.php               |   15 +-
 .../Infrastructure/Service}/SmbFileSource.php |   18 +-
 src/Module/Integration/IntegrationModule.php  |   41 +
 .../Application}/Dto/MailAttachmentDto.php    |    2 +-
 .../Mail/Application}/Dto/MailFolderDto.php   |    2 +-
 .../Application}/Dto/MailMessageDetailDto.php |    2 +-
 .../Application}/Dto/MailMessageHeaderDto.php |    2 +-
 .../Mail/Application}/Dto/MailSyncReport.php  |    2 +-
 .../Message/MailSyncRequested.php             |    2 +-
 .../MailSyncRequestedHandler.php              |   10 +-
 .../Application}/Service/MailSyncService.php  |   24 +-
 .../Mail/Domain}/Entity/MailConfiguration.php |   15 +-
 .../Mail/Domain}/Entity/MailFolder.php        |    6 +-
 .../Mail/Domain}/Entity/MailMessage.php       |    6 +-
 .../Mail/Domain}/Entity/TaskMailLink.php      |   24 +-
 .../Exception/MailProviderException.php       |    2 +-
 .../Provider}/MailProviderInterface.php       |   10 +-
 .../MailConfigurationRepositoryInterface.php  |   12 +
 .../MailFolderRepositoryInterface.php         |   17 +
 .../MailMessageRepositoryInterface.php        |   49 +
 .../TaskMailLinkRepositoryInterface.php       |   24 +
 .../ApiPlatform/Resource}/MailSettings.php    |    6 +-
 .../State}/MailSettingsProcessor.php          |   12 +-
 .../State}/MailSettingsProvider.php           |    8 +-
 .../Console}/MailRedecodeHeadersCommand.php   |    8 +-
 .../Console}/MailSyncCommand.php              |   12 +-
 .../MailAttachmentDownloadController.php      |   14 +-
 .../Controller}/MailCreateTaskController.php  |   26 +-
 .../Controller}/MailFoldersListController.php |    8 +-
 .../Controller}/MailLinkTaskController.php    |   21 +-
 .../MailMessageDetailController.php           |   14 +-
 .../Controller}/MailMessageFlagController.php |   14 +-
 .../Controller}/MailMessageReadController.php |   14 +-
 .../MailMessagesListController.php            |   12 +-
 .../Controller}/MailSyncTriggerController.php |    6 +-
 .../MailTestConnectionController.php          |    6 +-
 .../Controller}/MailUnlinkTaskController.php  |   19 +-
 .../Controller}/TaskMailsListController.php   |   15 +-
 .../DoctrineMailConfigurationRepository.php}  |   10 +-
 .../DoctrineMailFolderRepository.php}         |   10 +-
 .../DoctrineMailMessageRepository.php}        |   17 +-
 .../DoctrineTaskMailLinkRepository.php}       |   18 +-
 .../Infrastructure/Imap}/ImapMailProvider.php |   19 +-
 .../Imap}/MimeHeaderDecoder.php               |    2 +-
 .../Security/MailAccessChecker.php            |    8 +-
 src/Module/Mail/MailModule.php                |   41 +
 .../Domain}/Entity/Project.php                |   27 +-
 .../ProjectManagement/Domain}/Entity/Task.php |   38 +-
 .../Domain}/Entity/TaskDocument.php           |   17 +-
 .../Domain}/Entity/TaskEffort.php             |    6 +-
 .../Domain}/Entity/TaskGroup.php              |    6 +-
 .../Domain}/Entity/TaskPriority.php           |    6 +-
 .../Domain}/Entity/TaskRecurrence.php         |    8 +-
 .../Domain}/Entity/TaskStatus.php             |    8 +-
 .../Domain}/Entity/TaskTag.php                |    9 +-
 .../Domain}/Entity/Workflow.php               |    8 +-
 .../Domain}/Enum/RecurrenceType.php           |    2 +-
 .../Domain}/Enum/StatusCategory.php           |    2 +-
 .../Repository/ProjectRepositoryInterface.php |   20 +
 .../TaskEffortRepositoryInterface.php         |   20 +
 .../TaskGroupRepositoryInterface.php          |   20 +
 .../TaskPriorityRepositoryInterface.php       |   20 +
 .../TaskRecurrenceRepositoryInterface.php     |   12 +
 .../Repository/TaskRepositoryInterface.php    |   22 +
 .../TaskStatusRepositoryInterface.php         |   22 +
 .../Repository/TaskTagRepositoryInterface.php |   20 +
 .../WorkflowRepositoryInterface.php           |   22 +
 .../Resource}/SwitchWorkflowOutput.php        |    2 +-
 .../ApiPlatform}/State/RecurrenceHandler.php  |   24 +-
 .../State/SwitchProjectWorkflowProcessor.php  |   10 +-
 .../State/TaskCalendarProcessor.php           |    8 +-
 .../State/TaskDocumentProcessor.php           |   18 +-
 .../State/TaskDocumentProvider.php            |    8 +-
 .../State/TaskNumberProcessor.php             |   10 +-
 .../State/WorkflowDeleteProcessor.php         |    4 +-
 .../TaskDocumentDownloadController.php        |   10 +-
 .../Doctrine/DoctrineProjectRepository.php    |   26 +
 .../Doctrine/DoctrineTaskEffortRepository.php |   26 +
 .../Doctrine/DoctrineTaskGroupRepository.php  |   26 +
 .../DoctrineTaskPriorityRepository.php        |   26 +
 .../DoctrineTaskRecurrenceRepository.php      |   26 +
 .../Doctrine/DoctrineTaskRepository.php}      |   14 +-
 .../DoctrineTaskStatusRepository.php}         |   15 +-
 .../Doctrine/DoctrineTaskTagRepository.php    |   26 +
 .../Doctrine/DoctrineWorkflowRepository.php}  |   12 +-
 .../EventListener/TaskDocumentListener.php    |    4 +-
 .../TaskNotificationListener.php              |   43 +-
 .../UniqueDefaultWorkflowListener.php         |    4 +-
 .../Mcp/Tool/Project/CreateProjectTool.php    |   12 +-
 .../Mcp/Tool/Project/DeleteProjectTool.php    |    8 +-
 .../Mcp/Tool/Project/GetProjectTool.php       |   14 +-
 .../Mcp/Tool/Project/ListProjectsTool.php     |    8 +-
 .../Mcp/Tool/Project/UpdateProjectTool.php    |   16 +-
 .../Mcp/Tool/Task/AddTaskDocumentTool.php     |   10 +-
 .../Tool/Task/CreateTaskRecurrenceTool.php    |   14 +-
 .../Mcp/Tool/Task/CreateTaskTool.php          |   52 +-
 .../Mcp/Tool/Task/DeleteTaskDocumentTool.php  |    4 +-
 .../Tool/Task/DeleteTaskRecurrenceTool.php    |   10 +-
 .../Mcp/Tool/Task/DeleteTaskTool.php          |   10 +-
 .../Mcp/Tool/Task/GetTaskTool.php             |   10 +-
 .../Mcp/Tool/Task/ListTasksTool.php           |    8 +-
 .../Mcp/Tool/Task/UpdateTaskDocumentTool.php  |    4 +-
 .../Tool/Task/UpdateTaskRecurrenceTool.php    |   12 +-
 .../Mcp/Tool/Task/UpdateTaskTool.php          |   46 +-
 .../Mcp/Tool/TaskMeta/CreateEffortTool.php    |    4 +-
 .../Mcp/Tool/TaskMeta/CreateGroupTool.php     |   12 +-
 .../Mcp/Tool/TaskMeta/CreatePriorityTool.php  |    4 +-
 .../Mcp/Tool/TaskMeta/CreateStatusTool.php    |   12 +-
 .../Mcp/Tool/TaskMeta/CreateTagTool.php       |    4 +-
 .../Mcp/Tool/TaskMeta/DeleteEffortTool.php    |    8 +-
 .../Mcp/Tool/TaskMeta/DeleteGroupTool.php     |    8 +-
 .../Mcp/Tool/TaskMeta/DeletePriorityTool.php  |    8 +-
 .../Mcp/Tool/TaskMeta/DeleteStatusTool.php    |    8 +-
 .../Mcp/Tool/TaskMeta/DeleteTagTool.php       |    8 +-
 .../Mcp/Tool/TaskMeta/ListEffortsTool.php     |    6 +-
 .../Mcp/Tool/TaskMeta/ListGroupsTool.php      |    8 +-
 .../Mcp/Tool/TaskMeta/ListPrioritiesTool.php  |    6 +-
 .../Mcp/Tool/TaskMeta/ListStatusesTool.php    |    8 +-
 .../Mcp/Tool/TaskMeta/ListTagsTool.php        |    6 +-
 .../Mcp/Tool/TaskMeta/UpdateEffortTool.php    |    8 +-
 .../Mcp/Tool/TaskMeta/UpdateGroupTool.php     |   10 +-
 .../Mcp/Tool/TaskMeta/UpdatePriorityTool.php  |    8 +-
 .../Mcp/Tool/TaskMeta/UpdateStatusTool.php    |   10 +-
 .../Mcp/Tool/TaskMeta/UpdateTagTool.php       |    8 +-
 .../Mcp/Tool/Workflow/ListWorkflowsTool.php   |    6 +-
 .../Workflow/SwitchProjectWorkflowTool.php    |    6 +-
 .../Infrastructure}/Service/CalDavService.php |   19 +-
 .../Service/RecurrenceCalculator.php          |    8 +-
 .../ProjectManagementModule.php               |   43 +
 .../Application/DTO/AbsencesByTypeOutput.php  |   17 +
 .../Application/DTO/TasksByStatusOutput.php   |   19 +
 .../Application/DTO/TimePerProjectOutput.php  |   19 +
 .../Application/DTO/TimePerUserOutput.php     |   19 +
 .../Resource/AbsencesByTypeResource.php       |   33 +
 .../Resource/TasksByStatusResource.php        |   32 +
 .../Resource/TimePerProjectResource.php       |   34 +
 .../Resource/TimePerUserResource.php          |   33 +
 .../State/AbsencesByTypeProvider.php          |   82 +
 .../ApiPlatform/State/ReportFilterTrait.php   |   89 +
 .../State/TasksByStatusProvider.php           |   67 +
 .../State/TimePerProjectProvider.php          |   81 +
 .../ApiPlatform/State/TimePerUserProvider.php |   79 +
 src/Module/Reporting/ReportingModule.php      |   44 +
 .../TimeTracking/Domain}/Entity/TimeEntry.php |   53 +-
 .../TimeEntryRepositoryInterface.php          |   35 +
 .../State/ActiveTimeEntryProvider.php         |    8 +-
 .../Controller/TimeEntryExportController.php  |   30 +-
 .../Doctrine/DoctrineTimeEntryRepository.php} |   24 +-
 .../Export}/TimeEntryExportService.php        |    6 +-
 .../Mcp/Tool}/CreateTimeEntryTool.php         |   32 +-
 .../Mcp/Tool}/DeleteTimeEntryTool.php         |    8 +-
 .../Mcp/Tool}/ListTimeEntriesTool.php         |    8 +-
 .../Mcp/Tool}/UpdateTimeEntryTool.php         |   28 +-
 .../TimeTracking/TimeTrackingModule.php       |   41 +
 src/Repository/AbsenceBalanceRepository.php   |   31 -
 .../BookStackConfigurationRepository.php      |   22 -
 src/Repository/ClientRepository.php           |   17 -
 src/Repository/ProjectRepository.php          |   17 -
 .../TaskBookStackLinkRepository.php           |   23 -
 src/Repository/TaskEffortRepository.php       |   17 -
 src/Repository/TaskGroupRepository.php        |   17 -
 src/Repository/TaskPriorityRepository.php     |   17 -
 src/Repository/TaskRecurrenceRepository.php   |   17 -
 src/Repository/TaskTagRepository.php          |   17 -
 src/Security/ApiTokenAuthenticator.php        |    6 +-
 .../CurrentUserProviderInterface.php          |   12 +
 src/Shared/Domain/Attribute/AuditIgnore.php   |   17 +
 src/Shared/Domain/Attribute/Auditable.php     |   17 +
 .../Domain/Contract/BlamableInterface.php     |   16 +
 .../Domain/Contract/ClientInterface.php       |   15 +
 .../Domain/Contract/LeaveProfileInterface.php |   24 +
 .../Domain/Contract/NotifierInterface.php     |   15 +
 .../Domain/Contract/ProjectInterface.php      |   17 +
 src/Shared/Domain/Contract/TaskInterface.php  |   19 +
 .../Domain/Contract/TaskTagInterface.php      |   17 +
 .../Contract/TimestampableInterface.php       |   18 +
 src/Shared/Domain/Contract/UserInterface.php  |   32 +
 src/Shared/Domain/Module/ModuleInterface.php  |   23 +
 src/Shared/Domain/Module/ModuleRegistry.php   |   57 +
 src/Shared/Domain/Sidebar/SidebarFilter.php   |   94 +
 .../Trait/TimestampableBlamableTrait.php      |   71 +
 .../ApiPlatform/Resource}/AppVersion.php      |    4 +-
 .../ApiPlatform/Resource/ModulesResource.php  |   28 +
 .../ApiPlatform/Resource/SidebarResource.php  |   34 +
 .../ApiPlatform}/State/AppVersionProvider.php |    4 +-
 .../ApiPlatform/State/ModulesProvider.php     |   30 +
 .../ApiPlatform/State/SidebarProvider.php     |   51 +
 .../Database/ColumnCommentsCatalog.php        |   24 +
 .../TimestampableBlamableSubscriber.php       |   64 +
 .../Infrastructure/Mcp}/Serializer.php        |   85 +-
 .../Security/SecurityCurrentUserProvider.php  |   23 +
 .../Service/TokenEncryptor.php                |    2 +-
 .../Mail/MailFoldersControllerTest.php        |    2 +-
 .../Mail/MailMessagesControllerTest.php       |    2 +-
 .../Mail/MailSettingsControllerTest.php       |    2 +-
 .../Mail/MailSyncTriggerControllerTest.php    |    2 +-
 .../MailTaskIntegrationControllerTest.php     |   10 +-
 .../Functional/Controller/ShareBrowseTest.php |    2 +-
 .../Functional/Controller/ShareSearchTest.php |    2 +-
 .../Controller/ShareSettingsTest.php          |    2 +-
 .../TaskNotificationListenerTest.php          |   12 +-
 .../Mcp/AbsenceRequestLifecycleTest.php       |   46 +-
 .../Module/Core/AuditListenerTest.php         |  108 +
 .../Module/Core/AuditLogApiTest.php           |  140 +
 tests/Functional/Module/Core/NotifierTest.php |   35 +
 tests/Functional/Module/Core/RoleApiTest.php  |   79 +
 .../Module/Core/SeedRbacCommandTest.php       |   35 +
 .../Core/SyncPermissionsCommandTest.php       |   29 +
 .../Module/Core/UserRbacApiTest.php           |  134 +
 .../Directory/ProspectConversionTest.php      |   74 +
 .../TaskTimestampableTest.php                 |  102 +
 .../Module/Reporting/ReportingApiTest.php     |   96 +
 .../TimeEntryTimestampableTest.php            |  111 +
 .../Functional/Shared/ModulesEndpointTest.php |   34 +
 .../Functional/Shared/SidebarEndpointTest.php |   69 +
 .../ConvertProspectProcessorTest.php          |   67 +
 .../Directory/Domain/Enum/ReportTypeTest.php  |   23 +
 tests/Unit/Mail/ImapMailProviderTest.php      |   14 +-
 tests/Unit/Mail/MailSyncReportTest.php        |    2 +-
 tests/Unit/Mail/MimeHeaderDecoderTest.php     |    2 +-
 .../Unit/Mcp/CoercingSchemaGeneratorTest.php  |    4 +-
 tests/Unit/Module/Core/CoreModuleTest.php     |   43 +
 .../Core/Domain/Entity/PermissionTest.php     |   58 +
 .../Module/Core/Domain/Entity/RoleTest.php    |   58 +
 .../Security/PermissionVoterTest.php          |   53 +
 .../MailConfigurationRepositoryTest.php       |    8 +-
 .../Unit/Service/AbsenceDayCalculatorTest.php |    6 +-
 tests/Unit/Service/MailSyncServiceTest.php    |   40 +-
 .../Service/PublicHolidayProviderTest.php     |    2 +-
 tests/Unit/Service/SharePathResolverTest.php  |    4 +-
 .../Database/ColumnCommentsCatalogTest.php    |   33 +
 .../TimestampableBlamableSubscriberTest.php   |  132 +
 .../Module/ModuleRegistryPermissionsTest.php  |   29 +
 .../Unit/Shared/Module/ModuleRegistryTest.php |   81 +
 .../Unit/Shared/Sidebar/SidebarFilterTest.php |  130 +
 622 files changed, 24802 insertions(+), 2864 deletions(-)
 create mode 100644 .gitea/workflows/pull-request.yml
 create mode 100644 config/modules.php
 create mode 100644 config/sidebar.php
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-56-socle-back.md
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-61-audit-log.md
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-63-module-core.md
 create mode 100644 docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
 create mode 100644 docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
 create mode 100644 docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
 create mode 100644 docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
 create mode 100644 docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md
 create mode 100644 docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md
 rename frontend/{ => app}/layouts/auth.vue (100%)
 rename frontend/{ => app}/layouts/default.vue (55%)
 rename frontend/{ => app}/middleware/admin.ts (100%)
 create mode 100644 frontend/app/middleware/auth.global.ts
 rename frontend/{ => app}/middleware/employee.ts (100%)
 create mode 100644 frontend/app/middleware/modules.global.ts
 create mode 100644 frontend/components/admin/AdminAuditTab.vue
 create mode 100644 frontend/components/admin/AdminRoleTab.vue
 create mode 100644 frontend/components/admin/RoleDrawer.vue
 delete mode 100644 frontend/middleware/auth.global.ts
 create mode 100644 frontend/modules/.gitkeep
 rename frontend/{components/absence => modules/absence/components}/AbsenceBalanceAdjustDrawer.vue (93%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceBalanceCards.vue (97%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceCalendar.vue (96%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceDateField.vue (96%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceDetailDrawer.vue (97%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceRejectDrawer.vue (91%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceRequestDrawer.vue (98%)
 rename frontend/{components/absence => modules/absence/components}/EmployeeDrawer.vue (100%)
 rename frontend/{ => modules/absence}/composables/useAbsenceHelpers.ts (98%)
 create mode 100644 frontend/modules/absence/nuxt.config.ts
 rename frontend/{ => modules/absence}/pages/absences.vue (97%)
 rename frontend/{ => modules/absence}/pages/team-absences.vue (99%)
 rename frontend/{ => modules/absence}/services/absences.ts (100%)
 rename frontend/{ => modules/absence}/services/dto/absence.ts (100%)
 create mode 100644 frontend/modules/core/composables/usePermissions.ts
 create mode 100644 frontend/modules/core/nuxt.config.ts
 rename frontend/{ => modules/core}/pages/login.vue (100%)
 rename frontend/{ => modules/core}/pages/profile.vue (100%)
 create mode 100644 frontend/modules/core/services/audit-logs.ts
 create mode 100644 frontend/modules/core/services/permissions.ts
 create mode 100644 frontend/modules/core/services/roles.ts
 rename frontend/{components/client => modules/directory/components}/ClientDrawer.vue (73%)
 create mode 100644 frontend/modules/directory/components/CommercialReportTab.vue
 create mode 100644 frontend/modules/directory/components/DirectoryAddressBlock.vue
 create mode 100644 frontend/modules/directory/components/DirectoryContactBlock.vue
 create mode 100644 frontend/modules/directory/components/ProspectDrawer.vue
 create mode 100644 frontend/modules/directory/components/ReportDocumentList.vue
 create mode 100644 frontend/modules/directory/components/ReportDocumentUpload.vue
 create mode 100644 frontend/modules/directory/composables/useDirectoryDetail.ts
 create mode 100644 frontend/modules/directory/nuxt.config.ts
 create mode 100644 frontend/modules/directory/pages/directory/clients/[id].vue
 create mode 100644 frontend/modules/directory/pages/directory/index.vue
 create mode 100644 frontend/modules/directory/pages/directory/prospects/[id].vue
 create mode 100644 frontend/modules/directory/services/addresses.ts
 rename frontend/{ => modules/directory}/services/clients.ts (85%)
 create mode 100644 frontend/modules/directory/services/commercial-reports.ts
 create mode 100644 frontend/modules/directory/services/contacts.ts
 create mode 100644 frontend/modules/directory/services/dto/address.ts
 rename frontend/{ => modules/directory}/services/dto/client.ts (58%)
 create mode 100644 frontend/modules/directory/services/dto/commercial-report.ts
 create mode 100644 frontend/modules/directory/services/dto/contact.ts
 create mode 100644 frontend/modules/directory/services/dto/prospect.ts
 create mode 100644 frontend/modules/directory/services/dto/report-document.ts
 create mode 100644 frontend/modules/directory/services/prospects.ts
 create mode 100644 frontend/modules/directory/services/report-documents.ts
 rename frontend/{ => modules/integration}/composables/useShareStatus.ts (88%)
 create mode 100644 frontend/modules/integration/nuxt.config.ts
 rename frontend/{ => modules/integration}/services/bookstack.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/bookstack.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/gitea.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/share.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/zimbra.ts (100%)
 rename frontend/{ => modules/integration}/services/gitea.ts (100%)
 rename frontend/{ => modules/integration}/services/share-settings.ts (100%)
 rename frontend/{ => modules/integration}/services/share.ts (100%)
 rename frontend/{ => modules/integration}/services/zimbra.ts (100%)
 rename frontend/{components/mail => modules/mail/components}/MailAttachmentPreview.vue (100%)
 rename frontend/{components/mail => modules/mail/components}/MailCreateTaskModal.vue (89%)
 rename frontend/{components/mail => modules/mail/components}/MailFolderTree.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailLinkTaskModal.vue (96%)
 rename frontend/{components/mail => modules/mail/components}/MailMessageList.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailMessageViewer.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailRefreshButton.vue (89%)
 create mode 100644 frontend/modules/mail/nuxt.config.ts
 rename frontend/{ => modules/mail}/pages/mail.vue (97%)
 rename frontend/{ => modules/mail}/services/dto/mail.ts (100%)
 rename frontend/{ => modules/mail}/services/mail.ts (98%)
 rename frontend/{ => modules/mail}/stores/mail.ts (99%)
 rename frontend/{components/project => modules/project-management/components}/ProjectDrawer.vue (94%)
 rename frontend/{components/project => modules/project-management/components}/ProjectGroupTab.vue (94%)
 rename frontend/{components/project => modules/project-management/components}/ProjectWorkflowSwitchModal.vue (94%)
 rename frontend/{components/task => modules/project-management/components}/StatusPickerPopover.vue (91%)
 rename frontend/{components/task => modules/project-management/components}/TaskBookStackLinks.vue (96%)
 rename frontend/{components/task => modules/project-management/components}/TaskBulkActions.vue (92%)
 rename frontend/{components/task => modules/project-management/components}/TaskCard.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentList.vue (95%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentPreview.vue (97%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentShareLinker.vue (95%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentUpload.vue (97%)
 rename frontend/{components/task => modules/project-management/components}/TaskEffortDrawer.vue (91%)
 rename frontend/{components/task => modules/project-management/components}/TaskGitSection.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskGroupDrawer.vue (93%)
 rename frontend/{components/task => modules/project-management/components}/TaskListItem.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskModal.vue (97%)
 rename frontend/{components/task => modules/project-management/components}/TaskPriorityDrawer.vue (92%)
 rename frontend/{components/task => modules/project-management/components}/TaskTagDrawer.vue (93%)
 create mode 100644 frontend/modules/project-management/nuxt.config.ts
 rename frontend/{ => modules/project-management}/pages/my-tasks.vue (90%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/archives.vue (76%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/groups.vue (82%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/index.vue (90%)
 rename frontend/{ => modules/project-management}/pages/projects/index.vue (94%)
 rename frontend/{ => modules/project-management}/services/dto/project.ts (92%)
 rename frontend/{ => modules/project-management}/services/dto/task-document.ts (81%)
 rename frontend/{ => modules/project-management}/services/dto/task-effort.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-group.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-priority.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-recurrence.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-status.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-tag.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task.ts (96%)
 rename frontend/{ => modules/project-management}/services/dto/workflow.ts (100%)
 rename frontend/{ => modules/project-management}/services/projects.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-documents.ts (94%)
 rename frontend/{ => modules/project-management}/services/task-efforts.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-groups.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-priorities.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-recurrences.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-statuses.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-tags.ts (100%)
 rename frontend/{ => modules/project-management}/services/tasks.ts (100%)
 rename frontend/{ => modules/project-management}/services/workflows.ts (100%)
 create mode 100644 frontend/modules/reporting/components/ReportingBarChart.vue
 create mode 100644 frontend/modules/reporting/components/ReportingDoughnut.vue
 create mode 100644 frontend/modules/reporting/composables/useCsvExport.ts
 create mode 100644 frontend/modules/reporting/composables/useReportingFilters.ts
 create mode 100644 frontend/modules/reporting/nuxt.config.ts
 create mode 100644 frontend/modules/reporting/pages/reporting.vue
 create mode 100644 frontend/modules/reporting/services/dto/reporting.ts
 create mode 100644 frontend/modules/reporting/services/reporting.ts
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryBlock.vue (99%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryContextMenu.vue (96%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryDrawer.vue (96%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryList.vue (98%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeTrackingCalendar.vue (99%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeTrackingExportDrawer.vue (96%)
 create mode 100644 frontend/modules/time-tracking/nuxt.config.ts
 rename frontend/{ => modules/time-tracking}/pages/time-tracking.vue (97%)
 rename frontend/{ => modules/time-tracking}/services/dto/time-entry.ts (62%)
 rename frontend/{ => modules/time-tracking}/services/time-entries.ts (100%)
 rename frontend/{ => modules/time-tracking}/stores/timer.ts (93%)
 rename frontend/{ => shared}/composables/useApi.ts (99%)
 create mode 100644 frontend/shared/composables/useModules.ts
 create mode 100644 frontend/shared/composables/useSidebar.ts
 rename frontend/{ => shared}/stores/auth.ts (100%)
 rename frontend/{ => shared}/stores/ui.ts (100%)
 create mode 100644 frontend/shared/types/sidebar.ts
 create mode 100644 migrations/Version20260619145109.php
 create mode 100644 migrations/Version20260619185448.php
 create mode 100644 migrations/Version20260620161036.php
 create mode 100644 migrations/Version20260620161500.php
 create mode 100644 migrations/Version20260620170000.php
 create mode 100644 migrations/Version20260620180000.php
 create mode 100644 migrations/Version20260620190000.php
 create mode 100644 migrations/Version20260620200000.php
 create mode 100644 migrations/Version20260620201000.php
 create mode 100644 migrations/Version20260621120000.php
 create mode 100644 migrations/Version20260621130000.php
 create mode 100644 migrations/Version20260622090000.php
 create mode 100644 migrations/Version20260622100916.php
 create mode 100644 src/Module/Absence/AbsenceModule.php
 rename src/{ => Module/Absence/Application}/Service/AbsenceBalanceService.php (79%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsenceBalance.php (85%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsencePolicy.php (89%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsenceRequest.php (87%)
 rename src/{ => Module/Absence/Domain}/Enum/AbsenceStatus.php (91%)
 rename src/{ => Module/Absence/Domain}/Enum/AbsenceType.php (96%)
 rename src/{ => Module/Absence/Domain}/Enum/HalfDay.php (87%)
 create mode 100644 src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
 create mode 100644 src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
 create mode 100644 src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
 rename src/{ => Module/Absence/Domain}/Service/AbsenceDayCalculator.php (96%)
 rename src/{ => Module/Absence/Domain}/Service/PublicHolidayProvider.php (98%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceBalanceProvider.php (77%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceCancelProcessor.php (87%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceRequestProcessor.php (81%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceRequestProvider.php (80%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceReviewProcessor.php (91%)
 rename src/{ => Module/Absence/Infrastructure}/Command/AccrueLeaveCommand.php (83%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceCalendarController.php (86%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceJustificationDownloadController.php (89%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceJustificationUploadController.php (92%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsencePreviewController.php (83%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/PublicHolidayController.php (92%)
 create mode 100644 src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
 rename src/{Repository/AbsencePolicyRepository.php => Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php} (51%)
 rename src/{Repository/AbsenceRequestRepository.php => Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php} (84%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/CancelAbsenceRequestTool.php (81%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/CreateAbsenceRequestTool.php (81%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/DeleteAbsenceRequestTool.php (81%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/GetAbsenceRequestTool.php (73%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsenceBalancesTool.php (75%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsencePoliciesTool.php (77%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsenceRequestsTool.php (78%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ReviewAbsenceRequestTool.php (85%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/UpdateAbsenceBalanceTool.php (82%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/UpdateAbsencePolicyTool.php (86%)
 create mode 100644 src/Module/Core/Application/DTO/AuditLogOutput.php
 create mode 100644 src/Module/Core/Application/Rbac/RbacSeeder.php
 create mode 100644 src/Module/Core/CoreModule.php
 rename src/{ => Module/Core/Domain}/Entity/Notification.php (85%)
 create mode 100644 src/Module/Core/Domain/Entity/Permission.php
 create mode 100644 src/Module/Core/Domain/Entity/Role.php
 rename src/{ => Module/Core/Domain}/Entity/User.php (71%)
 rename src/{ => Module/Core/Domain}/Enum/ContractType.php (92%)
 create mode 100644 src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
 create mode 100644 src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
 create mode 100644 src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
 create mode 100644 src/Module/Core/Domain/Repository/UserRepositoryInterface.php
 create mode 100644 src/Module/Core/Domain/Security/SystemRoles.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/MeProvider.php (55%)
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/NotificationProvider.php (84%)
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/UserPasswordHasherProcessor.php (92%)
 create mode 100644 src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
 create mode 100644 src/Module/Core/Infrastructure/Audit/RequestIdProvider.php
 create mode 100644 src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
 create mode 100644 src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
 rename src/{ => Module/Core/Infrastructure}/Controller/MarkAllReadController.php (71%)
 rename src/{ => Module/Core/Infrastructure}/Controller/NotificationUnreadCountController.php (71%)
 rename src/{ => Module/Core/Infrastructure}/Controller/RegenerateApiTokenController.php (91%)
 rename src/{ => Module/Core/Infrastructure}/Controller/UserAvatarController.php (98%)
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/AuditListener.php
 rename src/{Repository/NotificationRepository.php => Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php} (77%)
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
 rename src/{Repository/UserRepository.php => Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php} (59%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/GetUserTool.php (81%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/ListUsersTool.php (83%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/UpdateUserTool.php (90%)
 create mode 100644 src/Module/Core/Infrastructure/Notifier.php
 create mode 100644 src/Module/Core/Infrastructure/Security/PermissionVoter.php
 create mode 100644 src/Module/Directory/DirectoryModule.php
 create mode 100644 src/Module/Directory/Domain/Entity/Address.php
 rename src/{ => Module/Directory/Domain}/Entity/Client.php (64%)
 create mode 100644 src/Module/Directory/Domain/Entity/CommercialReport.php
 create mode 100644 src/Module/Directory/Domain/Entity/Contact.php
 create mode 100644 src/Module/Directory/Domain/Entity/Prospect.php
 create mode 100644 src/Module/Directory/Domain/Entity/ReportDocument.php
 create mode 100644 src/Module/Directory/Domain/Enum/ProspectStatus.php
 create mode 100644 src/Module/Directory/Domain/Enum/ReportType.php
 create mode 100644 src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
 create mode 100644 src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
 create mode 100644 src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
 create mode 100644 src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
 create mode 100644 src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
 create mode 100644 src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
 create mode 100644 src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
 create mode 100644 src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php
 create mode 100644 src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/CreateClientTool.php (78%)
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/DeleteClientTool.php (81%)
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/GetClientTool.php (73%)
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/ListClientsTool.php (82%)
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/UpdateClientTool.php (70%)
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
 rename src/{ => Module/Integration/Domain}/Entity/BookStackConfiguration.php (72%)
 rename src/{ => Module/Integration/Domain}/Entity/GiteaConfiguration.php (65%)
 rename src/{ => Module/Integration/Domain}/Entity/ShareConfiguration.php (83%)
 rename src/{ => Module/Integration/Domain}/Entity/TaskBookStackLink.php (81%)
 rename src/{ => Module/Integration/Domain}/Entity/ZimbraConfiguration.php (78%)
 rename src/{ => Module/Integration/Domain}/Exception/BookStackApiException.php (70%)
 rename src/{ => Module/Integration/Domain}/Exception/GiteaApiException.php (69%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/InvalidPathException.php (69%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/ShareConnectionException.php (70%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/ShareNotConfiguredException.php (71%)
 create mode 100644 src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
 rename src/{Service/Share => Module/Integration/Domain/Service}/FileEntry.php (85%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/FileSource.php (92%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/SharePathResolver.php (90%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/ShareTestResult.php (79%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackLink.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackSearchResult.php (77%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackSettings.php (83%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackShelf.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackTestConnection.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaBranch.php (84%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaBranchName.php (78%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaPullRequest.php (87%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaRepository.php (81%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaSettings.php (82%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaTestConnection.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ShareSettings.php (87%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ShareTestConnection.php (81%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ZimbraSettings.php (85%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ZimbraTestConnection.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackLinkProcessor.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackLinkProvider.php (81%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSearchResultProvider.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSettingsProcessor.php (75%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSettingsProvider.php (66%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackShelfProvider.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackTestConnectionProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchNameProvider.php (72%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchProcessor.php (75%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchProvider.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaPullRequestProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaRepositoryProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaSettingsProcessor.php (73%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaSettingsProvider.php (67%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaTestConnectionProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareSettingsProcessor.php (79%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareSettingsProvider.php (74%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareTestConnectionProvider.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraSettingsProcessor.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraSettingsProvider.php (72%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraTestConnectionProvider.php (80%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareBrowseController.php (82%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareDownloadController.php (87%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareSearchController.php (83%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareStatusController.php (71%)
 create mode 100644 src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
 rename src/{Repository/GiteaConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php} (50%)
 rename src/{Repository/ShareConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php} (56%)
 create mode 100644 src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
 rename src/{Repository/ZimbraConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php} (56%)
 rename src/{ => Module/Integration/Infrastructure}/Service/BookStackApiService.php (87%)
 rename src/{ => Module/Integration/Infrastructure}/Service/GiteaApiService.php (94%)
 rename src/{Service/Share => Module/Integration/Infrastructure/Service}/SmbFileSource.php (89%)
 create mode 100644 src/Module/Integration/IntegrationModule.php
 rename src/{Mail => Module/Mail/Application}/Dto/MailAttachmentDto.php (85%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailFolderDto.php (86%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailMessageDetailDto.php (88%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailMessageHeaderDto.php (92%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailSyncReport.php (91%)
 rename src/{ => Module/Mail/Application}/Message/MailSyncRequested.php (77%)
 rename src/{ => Module/Mail/Application}/MessageHandler/MailSyncRequestedHandler.php (85%)
 rename src/{ => Module/Mail/Application}/Service/MailSyncService.php (94%)
 rename src/{ => Module/Mail/Domain}/Entity/MailConfiguration.php (87%)
 rename src/{ => Module/Mail/Domain}/Entity/MailFolder.php (92%)
 rename src/{ => Module/Mail/Domain}/Entity/MailMessage.php (96%)
 rename src/{ => Module/Mail/Domain}/Entity/TaskMailLink.php (70%)
 rename src/{Mail => Module/Mail/Domain}/Exception/MailProviderException.php (91%)
 rename src/{Mail => Module/Mail/Domain/Provider}/MailProviderInterface.php (88%)
 create mode 100644 src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
 rename src/{ApiResource => Module/Mail/Infrastructure/ApiPlatform/Resource}/MailSettings.php (90%)
 rename src/{State/Mail => Module/Mail/Infrastructure/ApiPlatform/State}/MailSettingsProcessor.php (87%)
 rename src/{State/Mail => Module/Mail/Infrastructure/ApiPlatform/State}/MailSettingsProvider.php (80%)
 rename src/{Command => Module/Mail/Infrastructure/Console}/MailRedecodeHeadersCommand.php (90%)
 rename src/{Command => Module/Mail/Infrastructure/Console}/MailSyncCommand.php (88%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailAttachmentDownloadController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailCreateTaskController.php (83%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailFoldersListController.php (83%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailLinkTaskController.php (74%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageDetailController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageFlagController.php (78%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageReadController.php (78%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessagesListController.php (84%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailSyncTriggerController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailTestConnectionController.php (88%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailUnlinkTaskController.php (69%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/TaskMailsListController.php (79%)
 rename src/{Repository/MailConfigurationRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php} (58%)
 rename src/{Repository/MailFolderRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php} (66%)
 rename src/{Repository/MailMessageRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php} (90%)
 rename src/{Repository/TaskMailLinkRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php} (59%)
 rename src/{Mail => Module/Mail/Infrastructure/Imap}/ImapMailProvider.php (95%)
 rename src/{Mail => Module/Mail/Infrastructure/Imap}/MimeHeaderDecoder.php (96%)
 rename src/{ => Module/Mail/Infrastructure}/Security/MailAccessChecker.php (80%)
 create mode 100644 src/Module/Mail/MailModule.php
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Project.php (87%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Task.php (91%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskDocument.php (88%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskEffort.php (87%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskGroup.php (93%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskPriority.php (89%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskRecurrence.php (94%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskStatus.php (93%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskTag.php (85%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Workflow.php (92%)
 rename src/{ => Module/ProjectManagement/Domain}/Enum/RecurrenceType.php (77%)
 rename src/{ => Module/ProjectManagement/Domain}/Enum/StatusCategory.php (81%)
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
 rename src/{ApiResource => Module/ProjectManagement/Infrastructure/ApiPlatform/Resource}/SwitchWorkflowOutput.php (88%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/RecurrenceHandler.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/SwitchProjectWorkflowProcessor.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskCalendarProcessor.php (91%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskDocumentProcessor.php (94%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskDocumentProvider.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskNumberProcessor.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/WorkflowDeleteProcessor.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Controller/TaskDocumentDownloadController.php (91%)
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
 rename src/{Repository/TaskRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php} (72%)
 rename src/{Repository/TaskStatusRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php} (57%)
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
 rename src/{Repository/WorkflowRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php} (52%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/TaskDocumentListener.php (87%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/TaskNotificationListener.php (73%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/UniqueDefaultWorkflowListener.php (91%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/CreateProjectTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/DeleteProjectTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/GetProjectTool.php (77%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/ListProjectsTool.php (74%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/UpdateProjectTool.php (77%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/AddTaskDocumentTool.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/CreateTaskRecurrenceTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/CreateTaskTool.php (76%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskDocumentTool.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/GetTaskTool.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/ListTasksTool.php (93%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskDocumentTool.php (96%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateEffortTool.php (87%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateGroupTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreatePriorityTool.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateStatusTool.php (84%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateTagTool.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteEffortTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteGroupTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeletePriorityTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteStatusTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteTagTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListEffortsTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListGroupsTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListPrioritiesTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListStatusesTool.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListTagsTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateEffortTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateGroupTool.php (81%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdatePriorityTool.php (81%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateStatusTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateTagTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Workflow/ListWorkflowsTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php (90%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Service/CalDavService.php (94%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Service/RecurrenceCalculator.php (96%)
 create mode 100644 src/Module/ProjectManagement/ProjectManagementModule.php
 create mode 100644 src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TimePerUserOutput.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
 create mode 100644 src/Module/Reporting/ReportingModule.php
 rename src/{ => Module/TimeTracking/Domain}/Entity/TimeEntry.php (76%)
 create mode 100644 src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
 rename src/{ => Module/TimeTracking/Infrastructure/ApiPlatform}/State/ActiveTimeEntryProvider.php (72%)
 rename src/{ => Module/TimeTracking/Infrastructure}/Controller/TimeEntryExportController.php (80%)
 rename src/{Repository/TimeEntryRepository.php => Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php} (70%)
 rename src/{Service => Module/TimeTracking/Infrastructure/Export}/TimeEntryExportService.php (98%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/CreateTimeEntryTool.php (74%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/DeleteTimeEntryTool.php (80%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/ListTimeEntriesTool.php (89%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/UpdateTimeEntryTool.php (74%)
 create mode 100644 src/Module/TimeTracking/TimeTrackingModule.php
 delete mode 100644 src/Repository/AbsenceBalanceRepository.php
 delete mode 100644 src/Repository/BookStackConfigurationRepository.php
 delete mode 100644 src/Repository/ClientRepository.php
 delete mode 100644 src/Repository/ProjectRepository.php
 delete mode 100644 src/Repository/TaskBookStackLinkRepository.php
 delete mode 100644 src/Repository/TaskEffortRepository.php
 delete mode 100644 src/Repository/TaskGroupRepository.php
 delete mode 100644 src/Repository/TaskPriorityRepository.php
 delete mode 100644 src/Repository/TaskRecurrenceRepository.php
 delete mode 100644 src/Repository/TaskTagRepository.php
 create mode 100644 src/Shared/Application/CurrentUserProviderInterface.php
 create mode 100644 src/Shared/Domain/Attribute/AuditIgnore.php
 create mode 100644 src/Shared/Domain/Attribute/Auditable.php
 create mode 100644 src/Shared/Domain/Contract/BlamableInterface.php
 create mode 100644 src/Shared/Domain/Contract/ClientInterface.php
 create mode 100644 src/Shared/Domain/Contract/LeaveProfileInterface.php
 create mode 100644 src/Shared/Domain/Contract/NotifierInterface.php
 create mode 100644 src/Shared/Domain/Contract/ProjectInterface.php
 create mode 100644 src/Shared/Domain/Contract/TaskInterface.php
 create mode 100644 src/Shared/Domain/Contract/TaskTagInterface.php
 create mode 100644 src/Shared/Domain/Contract/TimestampableInterface.php
 create mode 100644 src/Shared/Domain/Contract/UserInterface.php
 create mode 100644 src/Shared/Domain/Module/ModuleInterface.php
 create mode 100644 src/Shared/Domain/Module/ModuleRegistry.php
 create mode 100644 src/Shared/Domain/Sidebar/SidebarFilter.php
 create mode 100644 src/Shared/Domain/Trait/TimestampableBlamableTrait.php
 rename src/{ApiResource => Shared/Infrastructure/ApiPlatform/Resource}/AppVersion.php (78%)
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
 rename src/{ => Shared/Infrastructure/ApiPlatform}/State/AppVersionProvider.php (83%)
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
 create mode 100644 src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
 create mode 100644 src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
 rename src/{Mcp/Tool => Shared/Infrastructure/Mcp}/Serializer.php (81%)
 create mode 100644 src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
 rename src/{ => Shared/Infrastructure}/Service/TokenEncryptor.php (97%)
 create mode 100644 tests/Functional/Module/Core/AuditListenerTest.php
 create mode 100644 tests/Functional/Module/Core/AuditLogApiTest.php
 create mode 100644 tests/Functional/Module/Core/NotifierTest.php
 create mode 100644 tests/Functional/Module/Core/RoleApiTest.php
 create mode 100644 tests/Functional/Module/Core/SeedRbacCommandTest.php
 create mode 100644 tests/Functional/Module/Core/SyncPermissionsCommandTest.php
 create mode 100644 tests/Functional/Module/Core/UserRbacApiTest.php
 create mode 100644 tests/Functional/Module/Directory/ProspectConversionTest.php
 create mode 100644 tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php
 create mode 100644 tests/Functional/Module/Reporting/ReportingApiTest.php
 create mode 100644 tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php
 create mode 100644 tests/Functional/Shared/ModulesEndpointTest.php
 create mode 100644 tests/Functional/Shared/SidebarEndpointTest.php
 create mode 100644 tests/Module/Directory/ConvertProspectProcessorTest.php
 create mode 100644 tests/Module/Directory/Domain/Enum/ReportTypeTest.php
 create mode 100644 tests/Unit/Module/Core/CoreModuleTest.php
 create mode 100644 tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
 create mode 100644 tests/Unit/Module/Core/Domain/Entity/RoleTest.php
 create mode 100644 tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php
 create mode 100644 tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php
 create mode 100644 tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
 create mode 100644 tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php
 create mode 100644 tests/Unit/Shared/Module/ModuleRegistryTest.php
 create mode 100644 tests/Unit/Shared/Sidebar/SidebarFilterTest.php

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index a5f24ac..7e9fca6 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -54,8 +54,116 @@
 - **Pattern**: Retirer de composer.json + bundles.php + supprimer config YAML + templates
 - **Learning**: API Platform ne requiert PAS twig, c'est juste suggéré pour Swagger UI
 
+## Session 2026-06-19 (LST-56 / 0.1 — Socle back modular monolith)
+
+### Contexte
+- Ticket exécuté via plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-56-socle-back.md`) délégué à un sous-agent (contexte isolé), pilotage MCP/chrono/vérif depuis la session principale.
+- 4 tâches, 14 nouveaux tests (110 total, 216 assertions, vert), 4 commits (un par tâche).
+
+### Patterns
+- **Strangler 100 % additif** : nouveau noyau `src/Shared/` (Domain/Contract, Domain/Module, Domain/Sidebar, Domain/Trait, Application, Infrastructure/{ApiPlatform,Doctrine,Security,Database}) sans toucher au métier — `make test` reste vert sans migration.
+- **Endpoints DTO purs** : logique métier dans classes pures testées unitairement (`ModuleRegistry`, `SidebarFilter`), exposées par Providers API Platform minces (`ModulesProvider`/`SidebarProvider`) sur des Resources DTO.
+- **resolve_target_entities** : contrat `Shared\Domain\Contract\UserInterface` mappé sur `App\Entity\User` (sera re-pointé vers `Module\Core\User` en 1.1). Inert tant qu'aucune entité n'utilise le trait.
+
+### Gotchas
+- **API Platform 4 découvre les Resources sous `src/Shared/...` sans config `mapping.paths`** — le 404 anticipé dans le plan ne s'est pas produit, aucun ajout dans `api_platform.yaml` nécessaire.
+- **Hook pre-commit php-cs-fixer** normalise le style du code fourni dans le plan : `\DateTimeImmutable`→`DateTimeImmutable` importé, FQN→`use`, `static::createClient()`→`self::`. Pur style, tests inchangés. Ne pas lutter contre.
+- **`config/reference.php`** : fichier auto-généré qui apparaît modifié dans `git status` — ne jamais le committer.
+
+### Time tracking
+- Le sous-agent a stoppé lui-même le timer d'implémentation (id 1005, 35 min) — garder le time-tracking sur la session principale pour rester maître du chrono si un sous-agent a accès aux tools MCP lesstime.
+
+## Session 2026-06-19 (LST-62 / 0.2 — Socle front : shell + auto-détection layers Nuxt)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-62-socle-front.md`), 7 tasks. Exécution en 3 sous-agents (Task 1 back ; Tasks 2-4 fondations front ; Tasks 5-7 middlewares/layout/i18n), pilotage chrono/MCP/vérif sur la session principale.
+- 7 commits + 1 commit doc de correction du plan. Back : 115 tests verts (110 + 5 nouveaux cas gate rôle).
+
+### Patterns
+- **Gate de rôle additif dans la sidebar** : clé `roles` optionnelle sur section/item dans `config/sidebar.php` ; `SidebarFilter::filter($sections, $activeModuleIds, $activeRoles = [])` masque sans polluer `disabledRoutes` (réservé au filtrage par module). `SidebarProvider` injecte `Symfony\Bundle\SecurityBundle\Security` et passe `array_values($user->getRoles())`. ROLE_ADMIN seulement (pas le RBAC fin, qui viendra en 1.1/1.2).
+- **Layout front aligné Starseed** (vérifié dans le code Starseed) : `srcDir: '.'`, `dir.layouts/middleware → app/`, code transverse auto-importé sous `shared/{composables,stores,utils}` via `imports.dirs` EXPLICITE, scan `readdirSync('modules/')` → `extends` + dossiers `modules/*/composables` ajoutés dynamiquement à `imports.dirs`. `useApi`/`auth`/`ui` déplacés par `git mv` (historique préservé) ; `timer.ts`/`mail.ts` restent dans `stores/` (métier non migré).
+- **Singletons module-level** : `useSidebar`/`useModules` portent leur état en `ref` au niveau module ; reset explicite au logout depuis `auth.global.ts` (l'approche Starseed via callback `onAuthSessionCleared()` est une alternative non retenue ici).
+
+### Gotchas
+- **`nuxt typecheck` n'est PAS un gate vert sur ce stack** : le baseline Lesstime est rouge (~230 lignes `error TS`) et la RÉFÉRENCE Starseed (même Nuxt 4.3.1, même layout) ship en prod avec **325 erreurs**. Classes structurelles tolérées : `Cannot find name 'ref'/'useApi'/'useRoute'/'navigateTo'/'defineStore'…` dans `shared/` (Nuxt 4 type `shared/` sous un `tsconfig.shared.json` isolé sans les globals d'auto-import, alors que `imports.dirs` les expose au RUNTIME — vérifié dans `.nuxt/imports.d.ts`), erreurs `nuxt.config.ts` (`node:fs`/`process`/`__dirname`, pas de `@types/node`, compilé au runtime par Nuxt), `useApi.ts` 'Property url'. **Le vrai gate** = zéro `Cannot find module '~/shared/…'` (= vrai import cassé) + auto-imports présents dans `.nuxt/imports.d.ts` + smoke runtime. Un sous-agent consciencieux s'est arrêté à tort sur ces erreurs ("bloqueur irréductible") → toujours vérifier le gate contre la réf Starseed avant de conclure à un blocage.
+- **Vérif backend live > typecheck front** : le gate de rôle a été prouvé via curl réel (`/api/login_check` → cookie BEARER → `GET /api/sidebar`) : `alice` (ROLE_USER) n'a que la section générale, `admin` (ROLE_ADMIN) a Administration, non-auth = 401. Plus fiable que le typecheck sur ce stack.
+- **i18n `fr.json`** : une clé racine `sidebar` préexistait (avec un `myTasks` orphelin) → fusionner les sous-namespaces plutôt que dupliquer la clé racine (JSON invalide sinon).
+
+### Statut / time tracking
+- Ticket laissé en **"En attente de validation" (4)**, pas "Terminé" : smoke visuel front (dev server + navigateur) et sign-off du **délta cosmétique d'ordre de sidebar** (décision 3 du plan) relèvent du PO. Implémentation + AC API validés.
+- Time-tracking 100 % sur la session principale cette fois (consigne des sous-agents : ne jamais toucher aux outils `mcp__lesstime__*`) — respecté.
+
+## Session 2026-06-19 (LST-63 / 1.1 — Module Core : identité User/Auth/JWT + Notifications + layer front)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-63-module-core.md`, 7 tasks / 6 phases A→F). Exécution : Phases A/B (1 sous-agent combiné), C (1 sous-agent), D (1 sous-agent), E + F faites en direct par la session principale (tâches courtes). Pilotage chrono/MCP/vérif + re-vérif login après chaque phase touchant l'auth sur la session principale.
+- 5 commits impl (`6ca91cb` A, `f8fc4d6`+`d70925b` B, `0b4874e` C, `f1a9b42` D, `a98ea3d` E, `117c2ff` F) + plan `8865bf5`. Tests : 110→120 verts. Timer impl 1012 = 43 min.
+
+### Patterns
+- **Move d'entité « strangler » sans migration** : `git mv` `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (table + colonnes + backticks VERBATIM) ; mapping Doctrine `Core` ajouté (dir `src/Module/Core/Domain/Entity`, prefix `App\Module\Core\Domain\Entity`) à côté de `App` ; `resolve_target_entities: UserInterface → Core\User`. `migrations:diff` reste vide (hors dérive préexistante `messenger_messages`) → AUCUNE migration. Idem Notification en Phase D.
+- **Alias temporaire pour découpler le move des relations** : Phase B pose un `class_alias(App\Entity\User::class → Core\User)` (fichier `_compat_user_alias.php` en `autoload.files`, exclu de l'autowiring `App\:` via `exclude` services.yaml + `notPath` php-cs-fixer). Permet de relier d'abord les 8 relations d'entités au CONTRAT `UserInterface::class` (resolver propre) ; l'alias n'est qu'un pont de type-hint PHP. Phase C retire l'alias EN DERNIER, seulement quand `grep App\Entity\User` est vide.
+- **Règle contrat-vs-concret pour migrer les consommateurs** (Phase C, ~50 fichiers) : type-hint `App\Shared\Domain\Contract\UserInterface` si le fichier n'appelle que les méthodes de lecture du contrat / instanceof / type DQL ; FQCN concret `App\Module\Core\Domain\Entity\User` si besoin de getters HR, `apiToken`, `avatarFileName`, setters, `new User()`. Les deux éliminent `App\Entity\User`. Collision de nom avec `Symfony\...\UserInterface` → aliaser en `SharedUserInterface`.
+- **Notifier (Phase D)** : `NotifierInterface` (Shared) = API publique inter-modules ; impl `Notifier` (Core) persiste + flush. `TaskNotificationListener` appelle `notify()` UNIQUEMENT en `postFlush` (jamais `onFlush` — le flush interne y est dangereux). Comportement identique conservé.
+- **Layer front d'un module (Phase F)** : `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`) + `git mv` des pages d'identité sous `modules/core/pages/`. Les imports `~/...` (alias srcDir) survivent au déplacement ; seuls les imports relatifs/par chemin casseraient. Les URLs (`/login`, `/profile`) restent identiques (fusion auto des `pages/` de layers).
+
+### Gotchas
+- **`admin.vue` = shell admin MULTI-domaines** (onglets clients/workflows/efforts/gitea/zimbra/mail/absences + 1 onglet `AdminUserTab`) : NE PAS le déplacer entier dans Core (il porterait les admins d'autres modules pas encore extraits). Conformément au plan, en cas de doute on déplace seulement login + profile, on documente. La décomposition de `admin.vue` viendra avec les modules respectifs.
+- **Vérifier la résolution des routes d'un layer Nuxt en SPA** : `ssr:false` → le dev server renvoie 200 pour N'IMPORTE QUEL chemin (shell SPA, routing client) — un `curl /login` = 200 ne prouve RIEN (testé : `/route-bidon-xyz` = 200 aussi). `nuxt prepare` ne génère pas le manifeste de routes. **Preuve déterministe** = `npx nuxt build` puis `grep 'name:"login"\|name:"profile"' .output/server/chunks/build/client.precomputed.mjs` (+ chunk CSS `profile.*.css` généré). Ne pas perturber un dev server déjà lancé (config `extends`/`imports.dirs` figée au démarrage avant création du layer) → lancer un dev frais sur un port libre pour smoke.
+- **Aligner le contrat sur la réalité de l'entité, pas l'inverse** : `User::getUsername()` est `?string` (pas `string`) et la méthode réelle est `getIsEmployee(): bool` (pas `isEmployee()`). Le plan écrivait `isEmployee()` — le contrat existant était déjà correct, aucun changement. Toujours lire l'entité avant de figer une signature de contrat.
+- **Tests fonctionnels qui persistent réellement** (pas de rollback transactionnel ici) : un `NotifierTest` qui crée une notif échoue au 2e run (`2 != 1`) → rendre les données uniques (`uniqid()` sur le titre) pour l'idempotence.
+
+## Session 2026-06-19 (LST-57 / 1.2 — RBAC fin : portage Starseed)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md`, 7 phases A→G). Source de vérité = **implémentation RBAC de Starseed** (le brief attaché au ticket était inaccessible en local — fichier non synchronisé sur le stockage ; cartographié via un agent Explore sur `/home/matthieu/dev_malio/Starseed`). 1 sous-agent par phase, pilotage chrono/MCP/vérif/push sur la session principale.
+- 7 commits impl (A `ffed224`, B `ac662e7`, C `5060fb6`, D `48c67a5`, E `1a9eba9`, F `544d4cf`, G `511353c`) + plan `fdc7257`. Tests 131→**147 verts**. Timer impl 1014.
+
+### Décision d'architecture majeure (actée, à valider PO)
+- **RBAC additif, `ROLE_ADMIN` = bypass, PAS de colonne `is_admin`** — divergence assumée vs Starseed (qui a supprimé la colonne JSON `roles` au profit de `is_admin`). Lesstime garde `roles` JSON + `getRoles()` (login/JWT/MCP/sidebar #62 reposent dessus) ; le `PermissionVoter` bypass si `in_array('ROLE_ADMIN', $user->getRoles())`. Réécrire l'auth aurait été une régression à haut risque pour zéro bénéfice AC. Migration future vers `is_admin` possible.
+
+### Patterns
+- **RBAC = Role + Permission (M2M) + relations User** : `Role`(code snake_case immuable, label, description, isSystem, ManyToMany permissions EAGER), `Permission`(code `module.resource.action` unique, label, module, orphan), `User` reçoit `rbacRoles` (table `user_role`) + `directPermissions` (table `user_permission`), `getEffectivePermissions()` = union triée dédupliquée. Migration **100% additive** (5 CREATE TABLE, zéro DROP/ALTER sur `user`).
+- **Permissions déclaratives par module** : `ModuleInterface::permissions(): list<array{code,label}>`, agrégées par `ModuleRegistry::permissions($activeClasses)` (injecte `module=id()`, valide le préfixe). `app:sync-permissions` upsert (revive orphan / updateMetadata / create) + markOrphan des absentes. `app:seed-rbac` seede les rôles système (`admin`/`user`, isSystem) — **sans matrice métier** tant qu'aucune permission métier n'existe (les modules 2.x ajouteront leurs permissions + rôles).
+- **Voter pur + bypass applicatif** : `PermissionVoter` (regex `/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/` pour `supports`, donc abstient sur `ROLE_*`/`IS_AUTHENTICATED_*`). Le bypass admin de la **sidebar** est dans `SidebarProvider` (si ROLE_ADMIN → injecte le catalogue complet `ModuleRegistry::permissions()`), pas dans `SidebarFilter` qui reste un filtre pur (`permissionSatisfied()`). Le seed n'attachant aucune permission, sans ce bypass l'admin ne verrait rien.
+- **Front** : `usePermissions()` (`can/canAny/canAll/isAdmin`) dans `modules/core/composables/` (auto-importé) ; type `UserData` enrichi de `effectivePermissions` ; onglet `AdminRoleTab`+`RoleDrawer` dans `frontend/components/admin/` (le scan `components` Nuxt ne couvre que `~/components`, PAS les layers `modules/*` → les composants vont dans `components/`, le composable/services dans `modules/core/`).
+
+### Gotchas
+- **`Symfony\Component\Serializer\Annotation\Groups` N'EXISTE PLUS en Symfony 8** — seul `Attribute\Groups` existe. Un import `Annotation\Groups` rend tous les `#[Groups]` **no-op silencieux** (sérialisation cassée, POST en 400 car le constructeur n'est pas alimenté). Bug latent introduit en Phase A, révélé seulement par les tests fonctionnels de Phase D (TDD). Toujours utiliser `Attribute\Groups`. Vérifier la cohérence sur TOUTES les entités.
+- **`isSystem` exposé sous la clé `system`** : PropertyInfo strippe le préfixe `is`. Mettre `#[Groups]` + `#[SerializedName('isSystem')]` sur le getter pour conserver `isSystem` côté API.
+- **`options: ['comment' => ...]` sur les colonnes des entités** : sans le mapping `options.comment`, les `COMMENT ON COLUMN` de la migration créent une dérive `migrations:diff` perpétuelle (Doctrine veut les remettre à `''`). Aligner le mapping entité sur le COMMENT de la migration.
+- **`make db-reset` détruit `lesstime_test`** (`docker compose down -v` supprime le volume) — les tests tournent sur la base suffixée `_test`. Après un db-reset, recréer la base de test : `doctrine:database:create --env=test --if-not-exists` + `migrations:migrate -n --env=test` + `fixtures:load -n --env=test`. Ne jamais lancer `make db-reset` depuis un sous-agent de phase.
+- **Signature `Voter::voteOnAttribute`** : la version Symfony installée impose `voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool` (4e param). Sans lui : « Declaration must be compatible » fatal.
+
+### MR / Git
+- **MR empilées sur Gitea** (`tea pr create --base <branche-précédente>`) reflètent la chaîne de dépendances (#56→develop, #62→#56, #63→#62, #57→#63) avec des diffs propres ; Gitea re-cible la base à chaque merge. `tea pr` n'a pas d'`edit` → pour sortir une MR du brouillon (retrait `WIP:`), PATCH API Gitea `/repos/{o}/{r}/pulls/{n}` avec le token de `~/.config/tea/config.yml`.
+- **WIP en cours** : pousser la branche d'un ticket en cours + ouvrir la MR en brouillon (titre `WIP:`) sauvegarde le travail sans signaler « prêt à merger » ; re-pousser à chaque phase. Le push ne lock pas l'index → aucune contention avec un sous-agent qui committe en parallèle.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
+- **Commits concurrents**: NE PAS lancer deux sous-agents qui committent sur le même repo en parallèle (collision `.git/index.lock`) — séquencer.
+- **Gate de vérif fourni par le plan**: si un plan fixe un seuil (ex "typecheck 0 erreur"), le confronter à la réalité du projet/réf AVANT de bloquer dessus ; corriger le plan si le seuil est faux.
 - **MCP status**: Toujours mettre "En cours" AVANT de commencer, "Terminé" APRÈS validation
 - **PostgreSQL gotchas**: Tester les queries SQL avec agrégation + locking sur PostgreSQL, pas MySQL
 - **Agents**: Les agents simples (1-3 fichiers) terminent en ~30s, les complexes (22 fichiers) en ~8min
+
+## Session 2026-06-19 (LST-61 / 1.3 — Audit log : #[Auditable], audit_log, AuditListener, resource)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-61-audit-log.md`, Tasks A→F). Exécution : 1 sous-agent par task (A, B, C, D, E) en séquence, vérif + smoke par la session principale entre chaque ; Task F (validation finale + correctif front + learnings + push + statut) en direct.
+- Infra portée VERBATIM depuis Starseed (réf canonique `/home/matthieu/dev_malio/Starseed`) : `AuditListener` byte-identique (`diff -q` OK), + 6 fichiers API (DTO/paginator/providers/resources) copiés tels quels — namespaces `App\Module\Core\...` et `App\Shared\Domain\Attribute\...` DÉJÀ alignés entre les deux projets, zéro adaptation.
+- 6 commits impl (`934cf08` A, `d8553f0` B, `8c3699a` C, `90b8ca1` D, `e7af415` E, `9b26b43` fix front) + plan `fda03bd`. Tests : 147→157 verts. Branche `feat/lst-61-audit-log` empilée sur `feat/lst-57-rbac-fin`.
+
+### Patterns
+- **Audit en 4 couches additives** : (1) marquage déclaratif `#[Auditable]`(TARGET_CLASS) / `#[AuditIgnore]`(TARGET_PROPERTY) dans `src/Shared/Domain/Attribute/` (Shared, pas Core → aucun module n'a de dépendance circulaire) ; (2) capture `AuditListener` Doctrine sur `onFlush` (lit `UnitOfWork` : insertions/updates/deletions + `getScheduledCollectionUpdates/Deletions` pour le M2M) puis `postFlush` (écrit, swap-and-clear anti-réentrance) ; (3) écriture `AuditLogWriter` sur connexion DBAL dédiée `audit` (hors transaction ORM → survit aux rollbacks) ; (4) lecture `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator implements PaginatorInterface` (API Platform génère `hydra:view` seul).
+- **Connexion DBAL dédiée + `schema_filter`** : restructurer `doctrine.yaml` de connexion unique → `connections: {default, audit}` (même DSN), `default_connection: default`, `schema_filter: '~^(?!audit_log$).+~'` sur `default` (la table n'a PAS d'entité → exclue de `migrations:diff`/`schema:validate`). Le bloc `orm` reste INCHANGÉ (l'EM par défaut se lie à `default_connection`). En `when@test`, propager `dbname_suffix` aux DEUX connexions (sinon `audit` écrit en base dev pendant que l'ORM écrit en test).
+- **Table append-only hors ORM** : créée par migration manuelle (squelette via `doctrine:migrations:generate` puis contenu écrit à la main — JAMAIS `migrations:diff`, qui ne voit pas la table). `id uuid` natif PG, `changes JSONB`, `performed_at TIMESTAMP(6) WITH TIME ZONE`. UUID v7 (writer, tri monotone) / v4 (requestId par requête HTTP). `entity_type` au format `module.Entity` (regex `App\Module\<module>\...\<Entity>` → `core.User`).
+- **Marquage scope = entités migrées** : `#[Auditable]` posé sur User/Role/Permission (Core) uniquement ; `#[AuditIgnore]` sur `User.password` ET `User.apiToken` (Lesstime n'a pas de `plainPassword`). Défense en profondeur : `AuditLogWriter::SENSITIVE_KEYS` strippe aussi `password/plainPassword/apiToken/token/secret`. Les entités métier legacy (`src/Entity/*`) seront marquées à leur migration en modules (2.x).
+
+### Gotchas
+- **Tests fonctionnels Lesstime SANS rollback transactionnel** (pas de DAMADoctrineTestBundle) : les entités persistées survivent d'un run à l'autre → violation d'unicité `username`. Convention projet : `uniqid()` OU nettoyage explicite en `setUp()` (`DELETE FROM "user" WHERE username LIKE 'audit\_%'`). Les données d'audit de test se seedent directement via `doctrine.dbal.audit_connection` (DELETE + inserts UUID v7) pour du déterministe.
+- **`migrations:diff` génère un fichier jetable** même quand on ne veut que vérifier : toujours supprimer le `Version<ts>.php` non suivi créé après un diff de contrôle (`git ls-files --others migrations/`). Une dérive préexistante `messenger_messages` (DROP) pollue le diff — sans rapport, ne pas committer.
+- **`/audit-log-entity-types` = ressource item unique, pas une collection** : `Get` API Platform avec `uriTemplate` fixe sans `{id}` → renvoie `{ entityTypes: string[] }` (PAS d'enveloppe hydra `member`). Le service front ne doit PAS passer par `extractHydraMembers` ici (bug livré par le sous-agent E, corrigé en `9b26b43`). `/audit-logs` en revanche est bien une collection paginée hydra.
+- **Login en curl = `/login_check` (POST), pas `/api/login`** ; le JWT json_login est capricieux en curl pur (405/cookie). La preuve d'auth faisant autorité reste le test fonctionnel (client `loginUser()`), pas un smoke curl.
+
+### Time-tracking / orchestration
+- **Interdire explicitement aux sous-agents de toucher au MCP lesstime** (timer + statut ticket) : un sous-agent a spontanément créé/stoppé une time entry (1016) alors que le chrono est piloté par la session principale. Ajouter la consigne « NE TOUCHE PAS au time-tracking » dans chaque prompt de sous-agent. Pas de conflit ici (il avait stoppé l'actif avant), mais découpage involontaire.
diff --git a/.gitea/workflows/pull-request.yml b/.gitea/workflows/pull-request.yml
new file mode 100644
index 0000000..f0cba23
--- /dev/null
+++ b/.gitea/workflows/pull-request.yml
@@ -0,0 +1,115 @@
+name: Pull Request — Quality gate
+
+# Lance les tests back + le build front sur chaque PR ciblant develop.
+# Deux jobs en parallele (backend / frontend) pour reduire le temps de feedback.
+# Pas d'E2E ici : la quality gate se limite a "le back passe les tests, le front compile".
+
+on:
+  pull_request:
+    branches:
+      - develop
+
+# Annule les runs obsoletes quand on repush sur la meme PR.
+concurrency:
+  group: pr-${{ gitea.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  backend:
+    name: Backend (PHP CS + PHPUnit)
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          # Doivent matcher la DATABASE_URL ci-dessous. Doctrine ajoute le
+          # suffixe `_test` automatiquement en APP_ENV=test (when@test
+          # dbname_suffix) → la base reellement utilisee est `app_test`.
+          POSTGRES_USER: app
+          POSTGRES_PASSWORD: '!ChangeMe!'
+          POSTGRES_DB: app
+        # Pas de `ports:` host mapping : les jobs Gitea Actions tournent en
+        # container sur un reseau Docker dedie, le service est joignable via
+        # son nom (`postgres`), pas via 127.0.0.1.
+        options: >-
+          --health-cmd "pg_isready -U app"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+
+    env:
+      APP_ENV: test
+      APP_SECRET: ci-secret-not-used
+      APP_DEBUG: 0
+      DEFAULT_URI: http://localhost/
+      DATABASE_URL: postgresql://app:!ChangeMe!@postgres:5432/app?serverVersion=16&charset=utf8
+      JWT_SECRET_KEY: '%kernel.project_dir%/config/jwt/private.pem'
+      JWT_PUBLIC_KEY: '%kernel.project_dir%/config/jwt/public.pem'
+      JWT_PASSPHRASE: ci-passphrase
+      # Cle de chiffrement (sodium) des secrets Mail / Integration / CalDav que
+      # les fixtures persistent (ZimbraConfiguration, tokens...). Valeur de test
+      # alignee sur phpunit.dist.xml.
+      ENCRYPTION_KEY: ccd250183ea853179562d458e645585f3d46ddebb0701743236196f60fc1a0b8
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP 8.4
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          # zip + gd requis par phpoffice/phpspreadsheet (export XLSX), sodium par
+          # le chiffrement des secrets, ctype/iconv par le require de composer.json.
+          extensions: pdo, pdo_pgsql, intl, opcache, zip, mbstring, sodium, gd, ctype, iconv
+          coverage: none
+          tools: composer:v2
+
+      - name: Install PHP dependencies
+        run: composer install --no-interaction --no-progress --prefer-dist
+
+      - name: Generate JWT keypair
+        run: php bin/console lexik:jwt:generate-keypair --skip-if-exists --no-interaction
+
+      - name: PHP CS Fixer (dry-run)
+        run: vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.dist.php --allow-risky=yes --dry-run --diff
+
+      - name: Bootstrap test database
+        # Miroir de la cible `db-reset` du makefile (create + migrate + fixtures),
+        # en --env=test. Les fixtures sement les roles systeme (RbacSeeder) ;
+        # sync-permissions complete le catalogue de permissions comme en install reelle.
+        run: |
+          php bin/console doctrine:database:create --env=test --if-not-exists --no-interaction
+          php bin/console doctrine:migrations:migrate --env=test --no-interaction
+          php bin/console doctrine:fixtures:load --env=test --no-interaction
+          php bin/console app:sync-permissions --env=test --no-interaction
+
+      - name: Run PHPUnit
+        run: php -d memory_limit=512M vendor/bin/phpunit
+
+  frontend:
+    name: Frontend (build)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node 24
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      # `npm ci` declenche le postinstall `nuxt prepare` (genere .nuxt/).
+      - name: Install Node dependencies
+        run: npm ci
+
+      # `nuxt build` (et non `build:dist`/`nuxt generate`) : l'app est en SSR off
+      # (SPA), le prerender n'apporte rien a une quality gate — on valide seulement
+      # que le bundle compile.
+      - name: Build production (nuxt build)
+        run: npm run build
diff --git a/config/modules.php b/config/modules.php
new file mode 100644
index 0000000..b0b6e90
--- /dev/null
+++ b/config/modules.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
+ * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
+ */
+
+use App\Module\Absence\AbsenceModule;
+use App\Module\Core\CoreModule;
+use App\Module\Directory\DirectoryModule;
+use App\Module\Integration\IntegrationModule;
+use App\Module\Mail\MailModule;
+use App\Module\ProjectManagement\ProjectManagementModule;
+use App\Module\Reporting\ReportingModule;
+use App\Module\TimeTracking\TimeTrackingModule;
+
+return [
+    CoreModule::class,
+    TimeTrackingModule::class,
+    ProjectManagementModule::class,
+    AbsenceModule::class,
+    DirectoryModule::class,
+    MailModule::class,
+    IntegrationModule::class,
+    ReportingModule::class,
+];
diff --git a/config/packages/api_platform.yaml b/config/packages/api_platform.yaml
index 8b825c8..e8f764d 100644
--- a/config/packages/api_platform.yaml
+++ b/config/packages/api_platform.yaml
@@ -1,6 +1,20 @@
 api_platform:
     title: Lesstime API
     version: 1.0.0
+    # Modular monolith: entities (and their #[ApiFilter] attributes) live under
+    # src/Module/*/Domain/Entity, not the default src/Entity. Resources are still
+    # discovered via service autoconfiguration, but #[ApiFilter] services are only
+    # registered for classes found in these paths — without them, every filter is
+    # silently ignored. Decoupled ApiResource classes stay discovered via tags.
+    mapping:
+        paths:
+            - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/TimeTracking/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Absence/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Directory/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Mail/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
     formats:
         jsonld: ['application/ld+json']
         json: ['application/json']
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 6c57caf..2aeef63 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -1,33 +1,80 @@
 doctrine:
     dbal:
-        url: '%env(resolve:DATABASE_URL)%'
-
-        # IMPORTANT: You MUST configure your server version,
-        # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '16'
-
-        profiling_collect_backtrace: '%kernel.debug%'
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
     orm:
         validate_xml_mapping: true
         naming_strategy: doctrine.orm.naming_strategy.underscore_number_aware
         identity_generation_preferences:
             Doctrine\DBAL\Platforms\PostgreSQLPlatform: identity
         auto_mapping: true
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
+            App\Shared\Domain\Contract\ProjectInterface: App\Module\ProjectManagement\Domain\Entity\Project
+            App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
+            App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
+            App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
         mappings:
-            App:
+            Core:
                 type: attribute
                 is_bundle: false
-                dir: '%kernel.project_dir%/src/Entity'
-                prefix: 'App\Entity'
-                alias: App
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
+            TimeTracking:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/TimeTracking/Domain/Entity'
+                prefix: 'App\Module\TimeTracking\Domain\Entity'
+            ProjectManagement:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+                prefix: 'App\Module\ProjectManagement\Domain\Entity'
+            Absence:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Absence/Domain/Entity'
+                prefix: 'App\Module\Absence\Domain\Entity'
+            Directory:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Directory/Domain/Entity'
+                prefix: 'App\Module\Directory\Domain\Entity'
+            Mail:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Mail/Domain/Entity'
+                prefix: 'App\Module\Mail\Domain\Entity'
+            Integration:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
+                prefix: 'App\Module\Integration\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
 when@test:
     doctrine:
         dbal:
-            # "TEST_TOKEN" is typically set by ParaTest
-            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
 
 when@prod:
     doctrine:
diff --git a/config/packages/messenger.yaml b/config/packages/messenger.yaml
index 044057e..a8a9bf1 100644
--- a/config/packages/messenger.yaml
+++ b/config/packages/messenger.yaml
@@ -23,7 +23,7 @@ framework:
             # messenger:consume à maintenir. La sync de fond reste assurée par le cron OS
             # (app:mail:sync, synchrone, indépendant du bus). Repasser à `async` + worker si
             # la boîte grossit au point que la sync à la demande approche le timeout PHP.
-            'App\Message\MailSyncRequested': sync
+            'App\Module\Mail\Application\Message\MailSyncRequested': sync
 
 when@test:
     framework:
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 35949cd..24cb6de 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -10,7 +10,7 @@ security:
     providers:
         app_user_provider:
             entity:
-                class: App\Entity\User
+                class: App\Module\Core\Domain\Entity\User
                 property: username
 
     firewalls:
@@ -62,6 +62,8 @@ security:
         - { path: ^/api/docs, roles: PUBLIC_ACCESS }
         # Version de l'application en public
         - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
+        # Liste des modules actifs en public (consommée au boot du front)
+        - { path: ^/api/modules, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
         # Mail : requiert authentification (le check ROLE_USER est dans MailAccessChecker)
diff --git a/config/services.yaml b/config/services.yaml
index b91e5ea..e40a324 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -31,38 +31,114 @@ services:
     # add more service definitions when explicit configuration is needed
     # please note that last definitions always *replace* previous ones
 
-    App\EventListener\TaskDocumentListener:
+    App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
         tags:
             - { name: doctrine.orm.entity_listener }
 
-    App\State\TaskDocumentProcessor:
+    App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Controller\TaskDocumentDownloadController:
+    App\Module\ProjectManagement\Infrastructure\Controller\TaskDocumentDownloadController:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Mcp\Tool\Task\AddTaskDocumentTool:
+    App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\AddTaskDocumentTool:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Mcp\Tool\Task\UpdateTaskDocumentTool:
+    App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\UpdateTaskDocumentTool:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Controller\UserAvatarController:
+    App\Module\Core\Infrastructure\Controller\UserAvatarController:
         arguments:
             $avatarUploadDir: '%avatar_upload_dir%'
 
-    App\Controller\Absence\AbsenceJustificationUploadController:
+    App\Module\Absence\Infrastructure\Controller\AbsenceJustificationUploadController:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
 
-    App\Controller\Absence\AbsenceJustificationDownloadController:
+    App\Module\Absence\Infrastructure\Controller\AbsenceJustificationDownloadController:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
 
-    App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'
+    App\Module\Integration\Domain\Service\FileSource: '@App\Module\Integration\Infrastructure\Service\SmbFileSource'
+
+    App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineGiteaConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineBookStackConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineZimbraConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineShareConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineTaskBookStackLinkRepository'
+
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+
+    App\Module\Core\Domain\Repository\PermissionRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository'
+
+    App\Module\Core\Domain\Repository\RoleRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository'
+
+    App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface: '@App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineProjectRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineWorkflowRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskStatusRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskGroupRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskEffortRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskPriorityRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskTagRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRecurrenceRepository'
+
+    App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository'
+
+    App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository'
+
+    App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository'
+
+    App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
+
+    App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
+
+    App\Module\Directory\Infrastructure\EventListener\CommercialReportAuthorListener:
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\CommercialReport', event: prePersist }
+
+    App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\Controller\ReportDocumentDownloadController:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags:
+            - { name: doctrine.orm.entity_listener }
+
+    App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'
+
+    App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailFolderRepository'
+
+    App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailMessageRepository'
+
+    App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineTaskMailLinkRepository'
+
+    App\Module\Mail\Domain\Provider\MailProviderInterface: '@App\Module\Mail\Infrastructure\Imap\ImapMailProvider'
+
+    App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/config/sidebar.php b/config/sidebar.php
new file mode 100644
index 0000000..1d9ad69
--- /dev/null
+++ b/config/sidebar.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items) — navigation GLOBALE uniquement.
+ * Filtrée par SidebarFilter :
+ *   - `module`     : route ajoutée à disabledRoutes si module inactif ;
+ *   - `roles`      : section ou item masqué si l'utilisateur n'a aucun des rôles listés (gate minimal) ;
+ *   - `permission` : section ou item masqué si la permission effective absente (RBAC fin —
+ *                    `User::getEffectivePermissions()` ; ROLE_ADMIN bypasse via le voter, mais la
+ *                    sidebar évalue les permissions effectives réelles — combiner avec `roles` au besoin).
+ * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents) et user-flag
+ * (Mes absences) restent rendus côté layout, hors de cet endpoint.
+ * Mail est déclaré ici UNIQUEMENT pour le gating module (disabledRoutes si module inactif) ;
+ * son rendu visuel + badge non-lus reste géré côté layout, qui filtre `/mail` de translatedSections
+ * pour éviter le doublon.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
+            // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
+            ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.admin.section',
+        'icon'  => 'mdi:cog-outline',
+        'roles' => ['ROLE_ADMIN'],
+        'items' => [
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
+            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory'],
+            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
+            ['label' => 'sidebar.admin.reporting', 'to' => '/reporting', 'icon' => 'mdi:chart-line', 'module' => 'reporting', 'permission' => 'reporting.view'],
+        ],
+    ],
+];
diff --git a/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md b/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md
new file mode 100644
index 0000000..472349e
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md
@@ -0,0 +1,1155 @@
+# LST-56 (0.1) — Socle back modular monolith — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Poser l'infrastructure backend d'un modular monolith DDD (endpoints `/api/modules` + `/api/sidebar`, registre de modules, garde-fous Timestampable/Blamable, helper de commentaires SQL) sans toucher au métier existant.
+
+**Architecture:** On ajoute un noyau `src/Shared/` (Domain/Contract, Domain/Trait, Infrastructure/ApiPlatform, Infrastructure/Doctrine, Infrastructure/Database). La logique métier (filtrage sidebar, extraction des IDs de modules, estampillage) est isolée dans des classes **pures** testées unitairement ; des Providers API Platform minces les exposent en HTTP. Aucune entité existante n'est déplacée. Strangler : 100 % additif.
+
+**Tech Stack:** PHP 8.4, Symfony 8, API Platform 4, Doctrine ORM, PostgreSQL 16, PHPUnit 13.
+
+## Global Constraints
+
+- `declare(strict_types=1);` en tête de **tout** fichier PHP.
+- Migrations **additives nullable uniquement** — aucun `DROP`, aucun `NOT NULL` rétroactif (prod Docker, BDD peuplée).
+- **Zéro import inter-modules** : passer par `src/Shared/Domain/Contract/` ou domain events.
+- Toute `GetCollection` reste **paginée** (pas concerné dans ce lot, aucune collection ajoutée).
+- Toute colonne créée porte un `COMMENT ON COLUMN` (FR, ≤200 chars).
+- PostgreSQL : noms de colonnes en **minuscules** dans le SQL brut.
+- Commits : format `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude.
+- Tests : exécution via `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit …`.
+
+**Définitions différées (hors 0.1, ne PAS implémenter ici) :** mappings Doctrine de module + `migrations_paths` modulaire + `api_platform.mapping.paths` (arrivent avec le 1er module à entités, ticket 1.1). Filtrage sidebar **par permission** (ticket 1.2). `#[Auditable]` (ticket 1.3).
+
+---
+
+### Task 1: Endpoint `GET /api/modules` + registre de modules
+
+**Files:**
+- Create: `src/Shared/Domain/Module/ModuleInterface.php`
+- Create: `src/Shared/Domain/Module/ModuleRegistry.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php`
+- Create: `config/modules.php`
+- Modify: `config/packages/security.yaml` (access_control, rendre `/api/modules` public)
+- Test: `tests/Unit/Shared/Module/ModuleRegistryTest.php`
+- Test: `tests/Functional/Shared/ModulesEndpointTest.php`
+
+**Interfaces:**
+- Produces:
+  - `interface ModuleInterface { public static function id(): string; public static function label(): string; public static function isRequired(): bool; /** @return list<array{code: string, label: string}> */ public static function permissions(): array; }`
+  - `ModuleRegistry::ids(array $moduleClasses): array` → `list<string>` (les `id()` des classes implémentant `ModuleInterface`, ignore les autres).
+  - `config/modules.php` retourne `list<class-string<ModuleInterface>>` (vide en 0.1).
+
+- [ ] **Step 1: Write the failing unit test for ModuleRegistry**
+
+Create `tests/Unit/Shared/Module/ModuleRegistryTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Shared\Domain\Module\ModuleInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryTest extends TestCase
+{
+    public function testIdsExtractsDeclaredModuleIds(): void
+    {
+        $classes = [FakeAlphaModule::class, FakeBetaModule::class];
+
+        self::assertSame(['alpha', 'beta'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsIgnoresClassesNotImplementingModuleInterface(): void
+    {
+        $classes = [FakeAlphaModule::class, \stdClass::class];
+
+        self::assertSame(['alpha'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsReturnsEmptyArrayForNoModules(): void
+    {
+        self::assertSame([], ModuleRegistry::ids([]));
+    }
+}
+
+final class FakeAlphaModule implements ModuleInterface
+{
+    public static function id(): string { return 'alpha'; }
+    public static function label(): string { return 'Alpha'; }
+    public static function isRequired(): bool { return false; }
+    public static function permissions(): array { return []; }
+}
+
+final class FakeBetaModule implements ModuleInterface
+{
+    public static function id(): string { return 'beta'; }
+    public static function label(): string { return 'Beta'; }
+    public static function isRequired(): bool { return true; }
+    public static function permissions(): array { return []; }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryTest.php`
+Expected: FAIL — `Class "App\Shared\Domain\Module\ModuleInterface" not found`.
+
+- [ ] **Step 3: Create `ModuleInterface`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+/**
+ * Implemented by every `*Module` declaration class. The set of active modules
+ * is listed in config/modules.php and exposed via GET /api/modules.
+ */
+interface ModuleInterface
+{
+    public static function id(): string;
+
+    public static function label(): string;
+
+    public static function isRequired(): bool;
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array;
+}
+```
+
+- [ ] **Step 4: Create `ModuleRegistry`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+final class ModuleRegistry
+{
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<string>
+     */
+    public static function ids(array $moduleClasses): array
+    {
+        $ids = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (is_a($moduleClass, ModuleInterface::class, true)) {
+                $ids[] = $moduleClass::id();
+            }
+        }
+
+        return $ids;
+    }
+}
+```
+
+- [ ] **Step 5: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 6: Create `config/modules.php`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
+ * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
+ */
+return [
+    // Aucun module pour l'instant — les modules arrivent à partir du ticket 1.1 (Core).
+];
+```
+
+- [ ] **Step 7: Create `ModulesResource` and `ModulesProvider`**
+
+`src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\ModulesProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/modules',
+            normalizationContext: ['groups' => ['modules:read']],
+            provider: ModulesProvider::class,
+        ),
+    ],
+)]
+final class ModulesResource
+{
+    /**
+     * @var list<string>
+     */
+    #[Groups(['modules:read'])]
+    public array $modules = [];
+}
+```
+
+`src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Infrastructure\ApiPlatform\Resource\ModulesResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class ModulesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ModulesResource
+    {
+        /** @var list<class-string> $classes */
+        $classes = require $this->projectDir.'/config/modules.php';
+
+        $dto          = new ModulesResource();
+        $dto->modules = ModuleRegistry::ids($classes);
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 8: Make `/api/modules` public in `security.yaml`**
+
+In `config/packages/security.yaml`, under `access_control`, add the rule **immediately after** the `^/api/version` line (order matters — only the first matching rule applies):
+
+```yaml
+        # Liste des modules actifs en public (consommée au boot du front)
+        - { path: ^/api/modules, roles: PUBLIC_ACCESS, methods: [ GET ] }
+```
+
+- [ ] **Step 9: Write the failing functional test**
+
+Create `tests/Functional/Shared/ModulesEndpointTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ModulesEndpointTest extends WebTestCase
+{
+    public function testModulesEndpointIsPublicAndReturnsModulesKey(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('modules', $data);
+        self::assertIsArray($data['modules']);
+    }
+}
+```
+
+- [ ] **Step 10: Run the functional test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Shared/ModulesEndpointTest.php`
+Expected: PASS. (If FAIL with 404, confirm API Platform discovers `src/Shared/Infrastructure/ApiPlatform/Resource` — the default API Platform path config in API Platform 4 scans `src/ApiResource` + `src/Entity` only; if 404 persists, add `mapping.paths` for the Shared Resource dir in `config/packages/api_platform.yaml` and re-run. This is the one allowed config touch in Task 1.)
+
+- [ ] **Step 11: Commit**
+
+```bash
+git add src/Shared/Domain/Module config/modules.php src/Shared/Infrastructure/ApiPlatform config/packages/security.yaml config/packages/api_platform.yaml tests/Unit/Shared/Module tests/Functional/Shared/ModulesEndpointTest.php
+git commit -m "feat(modules) : expose GET /api/modules and module registry"
+```
+
+---
+
+### Task 2: Endpoint `GET /api/sidebar` + filtre par module actif
+
+**Files:**
+- Create: `src/Shared/Domain/Sidebar/SidebarFilter.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php`
+- Create: `config/sidebar.php`
+- Test: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+- Test: `tests/Functional/Shared/SidebarEndpointTest.php`
+
+**Interfaces:**
+- Consumes: `ModuleRegistry::ids()` (Task 1), `config/modules.php` (Task 1).
+- Produces:
+  - `SidebarFilter::filter(array $sections, array $activeModuleIds): array` → `array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}`. Règle : un item portant `module` absent de `$activeModuleIds` est masqué et son `to` ajouté à `disabledRoutes` ; une section vidée de tous ses items est supprimée ; les clés internes (`module`) sont retirées de la sortie.
+  - `config/sidebar.php` retourne `list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}>`.
+
+- [ ] **Step 1: Write the failing unit test for SidebarFilter**
+
+Create `tests/Unit/Shared/Sidebar/SidebarFilterTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: FAIL — `Class "App\Shared\Domain\Sidebar\SidebarFilter" not found`.
+
+- [ ] **Step 3: Create `SidebarFilter`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sections
+     * @param list<string>                                                                                                     $activeModuleIds
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            $items = [];
+            foreach ($section['items'] as $item) {
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+}
+```
+
+- [ ] **Step 4: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Create `config/sidebar.php`**
+
+Toutes les entrées actuelles sont **sans clé `module`** (donc visibles) ; les futurs modules ajouteront leur `module`. Labels = clés i18n.
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items). Filtrée par SidebarFilter selon les modules actifs.
+ * Un item porte une clé `module` quand il appartient à un module activable ; sans clé, il est toujours visible.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:checkbox-marked-circle-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-multiple-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:clock-outline'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.hr.section',
+        'icon'  => 'mdi:calendar-account-outline',
+        'items' => [
+            ['label' => 'sidebar.hr.absences', 'to' => '/absences', 'icon' => 'mdi:calendar-remove-outline'],
+            ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group-outline'],
+        ],
+    ],
+];
+```
+
+- [ ] **Step 6: Create `SidebarResource` and `SidebarProvider`**
+
+`src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\SidebarProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/sidebar',
+            normalizationContext: ['groups' => ['sidebar:read']],
+            provider: SidebarProvider::class,
+        ),
+    ],
+)]
+final class SidebarResource
+{
+    /**
+     * @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $sections = [];
+
+    /**
+     * @var list<string>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $disabledRoutes = [];
+}
+```
+
+`src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+        /** @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses));
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 7: Write the failing functional test**
+
+Create `tests/Functional/Shared/SidebarEndpointTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+}
+```
+
+- [ ] **Step 8: Run the functional test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Shared/SidebarEndpointTest.php`
+Expected: PASS (2 tests).
+
+- [ ] **Step 9: Commit**
+
+```bash
+git add src/Shared/Domain/Sidebar src/Shared/Infrastructure/ApiPlatform config/sidebar.php tests/Unit/Shared/Sidebar tests/Functional/Shared/SidebarEndpointTest.php
+git commit -m "feat(sidebar) : expose GET /api/sidebar filtered by active modules"
+```
+
+---
+
+### Task 3: Garde-fou Timestampable / Blamable (trait + subscriber)
+
+**Files:**
+- Create: `src/Shared/Domain/Contract/UserInterface.php`
+- Create: `src/Shared/Domain/Contract/TimestampableInterface.php`
+- Create: `src/Shared/Domain/Contract/BlamableInterface.php`
+- Create: `src/Shared/Application/CurrentUserProviderInterface.php`
+- Create: `src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php`
+- Create: `src/Shared/Domain/Trait/TimestampableBlamableTrait.php`
+- Create: `src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php`
+- Modify: `src/Entity/User.php` (implement `UserInterface`)
+- Modify: `config/packages/doctrine.yaml` (`resolve_target_entities`)
+- Test: `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+
+**Interfaces:**
+- Produces:
+  - `interface UserInterface { public function getId(): ?int; }`
+  - `interface TimestampableInterface { public function getCreatedAt(): ?\DateTimeImmutable; public function setCreatedAt(\DateTimeImmutable $createdAt): void; public function getUpdatedAt(): ?\DateTimeImmutable; public function setUpdatedAt(\DateTimeImmutable $updatedAt): void; }`
+  - `interface BlamableInterface { public function getCreatedBy(): ?UserInterface; public function setCreatedBy(?UserInterface $user): void; public function getUpdatedBy(): ?UserInterface; public function setUpdatedBy(?UserInterface $user): void; }`
+  - `interface CurrentUserProviderInterface { public function getCurrentUser(): ?UserInterface; }`
+  - `TimestampableBlamableSubscriber::applyOnCreate(object $entity): void` and `::applyOnUpdate(object $entity): void` — pure-ish entry points used by the unit test; the Doctrine hooks delegate to them.
+
+> **Note (strangler):** en 0.1 le trait/subscriber n'est encore appliqué à **aucune** entité (les entités restent legacy). Le contrat `UserInterface` est mappé sur `App\Entity\User` via `resolve_target_entities` ; il sera re-pointé vers `App\Module\Core\Domain\Entity\User` au ticket 1.1.
+
+- [ ] **Step 1: Write the failing unit test for the subscriber**
+
+Create `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class TimestampableBlamableSubscriberTest extends TestCase
+{
+    public function testApplyOnCreateSetsTimestampsAndAuthor(): void
+    {
+        $user       = $this->makeUser(7);
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning($user));
+        $entity     = $this->makeEntity();
+
+        $subscriber->applyOnCreate($entity);
+
+        self::assertInstanceOf(\DateTimeImmutable::class, $entity->getCreatedAt());
+        self::assertInstanceOf(\DateTimeImmutable::class, $entity->getUpdatedAt());
+        self::assertSame($user, $entity->getCreatedBy());
+        self::assertSame($user, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnUpdateLeavesCreatedUntouched(): void
+    {
+        $creator    = $this->makeUser(1);
+        $editor     = $this->makeUser(2);
+        $entity     = $this->makeEntity();
+
+        (new TimestampableBlamableSubscriber($this->providerReturning($creator)))->applyOnCreate($entity);
+        $createdAt = $entity->getCreatedAt();
+
+        (new TimestampableBlamableSubscriber($this->providerReturning($editor)))->applyOnUpdate($entity);
+
+        self::assertSame($createdAt, $entity->getCreatedAt());
+        self::assertSame($creator, $entity->getCreatedBy());
+        self::assertSame($editor, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnCreateIgnoresNonTimestampableEntities(): void
+    {
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning(null));
+
+        // Must not throw.
+        $subscriber->applyOnCreate(new \stdClass());
+        $this->addToAssertionCount(1);
+    }
+
+    private function providerReturning(?UserInterface $user): CurrentUserProviderInterface
+    {
+        return new class($user) implements CurrentUserProviderInterface {
+            public function __construct(private ?UserInterface $user) {}
+
+            public function getCurrentUser(): ?UserInterface
+            {
+                return $this->user;
+            }
+        };
+    }
+
+    private function makeUser(int $id): UserInterface
+    {
+        return new class($id) implements UserInterface {
+            public function __construct(private int $id) {}
+
+            public function getId(): ?int
+            {
+                return $this->id;
+            }
+        };
+    }
+
+    private function makeEntity(): object
+    {
+        return new class implements TimestampableInterface, BlamableInterface {
+            use TimestampableBlamableTrait;
+        };
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+Expected: FAIL — interfaces/classes not found.
+
+- [ ] **Step 3: Create the contracts**
+
+`src/Shared/Domain/Contract/UserInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface UserInterface
+{
+    public function getId(): ?int;
+}
+```
+
+`src/Shared/Domain/Contract/TimestampableInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface TimestampableInterface
+{
+    public function getCreatedAt(): ?\DateTimeImmutable;
+
+    public function setCreatedAt(\DateTimeImmutable $createdAt): void;
+
+    public function getUpdatedAt(): ?\DateTimeImmutable;
+
+    public function setUpdatedAt(\DateTimeImmutable $updatedAt): void;
+}
+```
+
+`src/Shared/Domain/Contract/BlamableInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface BlamableInterface
+{
+    public function getCreatedBy(): ?UserInterface;
+
+    public function setCreatedBy(?UserInterface $user): void;
+
+    public function getUpdatedBy(): ?UserInterface;
+
+    public function setUpdatedBy(?UserInterface $user): void;
+}
+```
+
+- [ ] **Step 4: Create the current-user provider (contract + Security impl)**
+
+`src/Shared/Application/CurrentUserProviderInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Application;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface CurrentUserProviderInterface
+{
+    public function getCurrentUser(): ?UserInterface;
+}
+```
+
+`src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Security;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class SecurityCurrentUserProvider implements CurrentUserProviderInterface
+{
+    public function __construct(
+        private Security $security,
+    ) {}
+
+    public function getCurrentUser(): ?UserInterface
+    {
+        $user = $this->security->getUser();
+
+        return $user instanceof UserInterface ? $user : null;
+    }
+}
+```
+
+- [ ] **Step 5: Create the trait**
+
+`src/Shared/Domain/Trait/TimestampableBlamableTrait.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Trait;
+
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+trait TimestampableBlamableTrait
+{
+    #[ORM\Column(name: 'created_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?\DateTimeImmutable $createdAt = null;
+
+    #[ORM\Column(name: 'updated_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?\DateTimeImmutable $updatedAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'created_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $createdBy = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'updated_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $updatedBy = null;
+
+    public function getCreatedAt(): ?\DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(\DateTimeImmutable $createdAt): void
+    {
+        $this->createdAt = $createdAt;
+    }
+
+    public function getUpdatedAt(): ?\DateTimeImmutable
+    {
+        return $this->updatedAt;
+    }
+
+    public function setUpdatedAt(\DateTimeImmutable $updatedAt): void
+    {
+        $this->updatedAt = $updatedAt;
+    }
+
+    public function getCreatedBy(): ?UserInterface
+    {
+        return $this->createdBy;
+    }
+
+    public function setCreatedBy(?UserInterface $user): void
+    {
+        $this->createdBy = $user;
+    }
+
+    public function getUpdatedBy(): ?UserInterface
+    {
+        return $this->updatedBy;
+    }
+
+    public function setUpdatedBy(?UserInterface $user): void
+    {
+        $this->updatedBy = $user;
+    }
+}
+```
+
+- [ ] **Step 6: Create the Doctrine subscriber**
+
+`src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\ORM\Events;
+
+#[AsDoctrineListener(event: Events::prePersist)]
+#[AsDoctrineListener(event: Events::preUpdate)]
+final readonly class TimestampableBlamableSubscriber
+{
+    public function __construct(
+        private CurrentUserProviderInterface $currentUserProvider,
+    ) {}
+
+    public function prePersist(PrePersistEventArgs $args): void
+    {
+        $this->applyOnCreate($args->getObject());
+    }
+
+    public function preUpdate(PreUpdateEventArgs $args): void
+    {
+        $this->applyOnUpdate($args->getObject());
+    }
+
+    public function applyOnCreate(object $entity): void
+    {
+        $now = new \DateTimeImmutable();
+
+        if ($entity instanceof TimestampableInterface) {
+            if (null === $entity->getCreatedAt()) {
+                $entity->setCreatedAt($now);
+            }
+            $entity->setUpdatedAt($now);
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $user = $this->currentUserProvider->getCurrentUser();
+            if (null === $entity->getCreatedBy()) {
+                $entity->setCreatedBy($user);
+            }
+            $entity->setUpdatedBy($user);
+        }
+    }
+
+    public function applyOnUpdate(object $entity): void
+    {
+        if ($entity instanceof TimestampableInterface) {
+            $entity->setUpdatedAt(new \DateTimeImmutable());
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $entity->setUpdatedBy($this->currentUserProvider->getCurrentUser());
+        }
+    }
+}
+```
+
+- [ ] **Step 7: Make legacy `User` implement the contract + add `resolve_target_entities`**
+
+In `src/Entity/User.php`, add the interface to the class declaration (the entity already has `getId(): ?int`, so no method to add):
+
+```php
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
+// ...
+class User implements /* existing interfaces, */ SharedUserInterface
+```
+
+> Keep all existing `implements` clauses; append `SharedUserInterface`. Alias avoids any clash with `Symfony\...\UserInterface` already imported.
+
+In `config/packages/doctrine.yaml`, under `orm:`, add:
+
+```yaml
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Entity\User
+```
+
+- [ ] **Step 8: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 9: Run the full suite to confirm no regression**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (no entity uses the trait yet; `resolve_target_entities` is inert until consumed). Confirm the prior 96 tests still pass.
+
+- [ ] **Step 10: Commit**
+
+```bash
+git add src/Shared/Domain/Contract src/Shared/Application src/Shared/Infrastructure/Security src/Shared/Domain/Trait src/Shared/Infrastructure/Doctrine src/Entity/User.php config/packages/doctrine.yaml tests/Unit/Shared/Doctrine
+git commit -m "feat(shared) : add timestampable/blamable trait and doctrine subscriber"
+```
+
+---
+
+### Task 4: Helper `ColumnCommentsCatalog` (COMMENT ON COLUMN)
+
+**Files:**
+- Create: `src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php`
+- Test: `tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+
+**Interfaces:**
+- Produces: `ColumnCommentsCatalog::timestampableBlamableComments(string $table): list<string>` → la liste des instructions `COMMENT ON COLUMN <table>.<col> IS '...'` pour les 4 colonnes standard. Utilisé dans les migrations des modules (à partir de 1.1) via `$this->addSql(...)`.
+
+- [ ] **Step 1: Write the failing unit test**
+
+Create `tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Database;
+
+use App\Shared\Infrastructure\Database\ColumnCommentsCatalog;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ColumnCommentsCatalogTest extends TestCase
+{
+    public function testTimestampableBlamableCommentsCoverFourColumns(): void
+    {
+        $sql = ColumnCommentsCatalog::timestampableBlamableComments('task');
+
+        self::assertCount(4, $sql);
+        self::assertSame(
+            "COMMENT ON COLUMN task.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            $sql[0],
+        );
+        self::assertStringContainsString('COMMENT ON COLUMN task.created_by IS', $sql[2]);
+    }
+
+    public function testTableNameIsInterpolatedForEveryColumn(): void
+    {
+        foreach (ColumnCommentsCatalog::timestampableBlamableComments('time_entry') as $statement) {
+            self::assertStringContainsString('COMMENT ON COLUMN time_entry.', $statement);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+Expected: FAIL — class not found.
+
+- [ ] **Step 3: Create `ColumnCommentsCatalog`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Database;
+
+final class ColumnCommentsCatalog
+{
+    /**
+     * SQL `COMMENT ON COLUMN` statements for the 4 standard Timestampable/Blamable columns.
+     * Call from a migration: foreach (...) { $this->addSql($statement); }.
+     *
+     * @return list<string>
+     */
+    public static function timestampableBlamableComments(string $table): array
+    {
+        return [
+            "COMMENT ON COLUMN {$table}.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.updated_at IS 'Date de derniere modification (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.created_by IS 'Auteur de la creation (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+            "COMMENT ON COLUMN {$table}.updated_by IS 'Auteur de la derniere modification (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+        ];
+    }
+}
+```
+
+- [ ] **Step 4: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+Expected: PASS (2 tests).
+
+- [ ] **Step 5: Run the full suite + cs-fixer**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (all green, including the 96 pre-existing tests).
+Run: `make php-cs-fixer-allow-risky`
+Expected: no remaining violations in `src/Shared` / `tests`.
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add src/Shared/Infrastructure/Database tests/Unit/Shared/Database
+git commit -m "feat(shared) : add column comments catalog helper for migrations"
+```
+
+---
+
+## Acceptance check (run after all tasks)
+
+- [ ] `GET /api/modules` returns `{ "modules": [] }` (public, 200).
+- [ ] `GET /api/sidebar` returns `{ sections, disabledRoutes }` (401 unauth, 200 auth).
+- [ ] `src/Shared/` holds contracts, trait, subscriber, helper, providers.
+- [ ] `make test` green (96 prior + new unit/functional tests).
+- [ ] No destructive migration; no business entity moved; no inter-module import.
+
+## Notes for the next ticket (0.2 — Socle front)
+
+Le front consommera `/api/modules` + `/api/sidebar` via `useModules`/`useSidebar`, montera le shell `app/` + `shared/` et l'auto-détection des layers. Le filtrage par module deviendra réellement visible quand le 1er module (1.1 Core, puis 2.1 TimeTracking) déclarera sa clé `module` dans `config/sidebar.php`.
diff --git a/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md b/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md
new file mode 100644
index 0000000..b3c6842
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md
@@ -0,0 +1,1690 @@
+# RBAC fin (LST-57 / 1.2) Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Porter le RBAC fin de Starseed dans le Module Core de Lesstime : permissions `module.resource[.sub].action`, entités `Role`/`Permission`, commande de synchronisation, `PermissionVoter`, sidebar filtrée par permission, et gestion front des rôles.
+
+**Architecture:** RBAC **additif** par-dessus l'auth Symfony existante (cf. Décision 1). On garde la colonne JSON `roles` + `ROLE_ADMIN`/`ROLE_USER` (login/JWT/MCP/sidebar #62 inchangés ; `ROLE_ADMIN` = bypass du voter) et on ajoute la couche RBAC fine : `Role`/`Permission` (Module Core), relations `rbacRoles`/`directPermissions` sur `User`, `getEffectivePermissions()`, `PermissionVoter`, `app:sync-permissions`, `app:seed-rbac`, sidebar gated par permission, front `usePermissions`.
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / PostgreSQL 16 — Nuxt 4 / Vue 3 / Pinia / TypeScript. Tests : PHPUnit 13. Docker : `php-lesstime-fpm` (user `www-data`), nginx port 8082, PG port 5435.
+
+## Global Constraints
+
+- `declare(strict_types=1)` en tête de tout fichier PHP. Symfony + PSR-12, hook pre-commit php-cs-fixer (ne pas lutter contre le reformat).
+- Namespaces : back `App\Module\Core\...`, `App\Shared\...`. Front layer `frontend/modules/core/`.
+- **Zéro régression auth** : après chaque phase touchant la sécurité (C, D, F), exécuter le bloc « Vérification login » ci-dessous → `login=204`, `/api/me=200`, `/_mcp=200`.
+- **Migration additive uniquement** : `CREATE TABLE` des tables RBAC ; **aucun** `DROP`/`ALTER` destructif sur `user`/`roles`. `doctrine:migrations:diff` après doit être vide (hors dérive préexistante `messenger_messages`).
+- PostgreSQL : noms de colonnes en minuscules dans le SQL brut ; `roles::text LIKE` pour les colonnes JSON.
+- `config/reference.php` est auto-généré : **ne jamais le committer**. Untracked `.codex`, `bulettins/` : ignorer.
+- Aucune mention de Claude/IA dans les commits.
+- Commits : `<type>(core) : <message>` (espace autour du `:`).
+- Tests existants au départ : **120 verts**. Chaque phase ajoute ses tests et garde l'ensemble vert.
+
+## Vérification login (à exécuter après chaque phase back touchant User/sécurité)
+
+```bash
+curl -s -i -X POST http://localhost:8082/api/login_check -H "Content-Type: application/json" -d '{"username":"alice","password":"alice"}' -D /tmp/h.txt -o /dev/null -w "login=%{http_code}\n"
+BEARER=$(grep -i 'set-cookie: BEARER' /tmp/h.txt | sed -E 's/.*BEARER=([^;]+);.*/\1/')
+curl -s -o /dev/null -w "me=%{http_code}\n" http://localhost:8082/api/me -H "Cookie: BEARER=$BEARER"
+curl -s -o /dev/null -w "mcp=%{http_code}\n" -X POST http://localhost:8082/_mcp -H "Authorization: Bearer dev-mcp-token-for-testing-only-do-not-use-in-production" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"c","version":"1"}}}'
+```
+Attendu : `login=204`, `me=200`, `mcp=200`.
+
+## Décisions de conception (actées, à valider PO a posteriori)
+
+1. **RBAC additif, `ROLE_ADMIN` = bypass (PAS de colonne `is_admin`)** — divergence assumée vs Starseed (qui a supprimé la colonne JSON `roles` au profit de `is_admin`). Justification : login/JWT, `security.yaml` (`role_hierarchy`, `app_user_provider`), gate sidebar #62 (`roles: [ROLE_ADMIN]`), MCP `apiToken` reposent tous sur `getRoles()`/`roles` JSON ; les réécrire = régression auth à haut risque pour zéro bénéfice AC. On garde `getRoles()` tel quel ; le `PermissionVoter` bypass si `in_array('ROLE_ADMIN', $user->getRoles())`. Migration future vers `is_admin` possible si le PO le souhaite.
+2. **`user_permission` (directPermissions) inclus** — fidélité Starseed : un user peut recevoir des permissions directes en plus de ses rôles. `getEffectivePermissions()` = union(rôles.permissions, directPermissions).
+3. **Gestion de `ROLE_ADMIN` reste sur le PATCH user existant (`roles`), PAS sur l'endpoint RBAC** — l'endpoint `/api/users/{id}/rbac` ne gère que `rbacRoles` + `directPermissions`. Pas de gardes « dernier admin »/« auto-suicide » (elles concernent `is_admin`, absent ici) ; on conserve uniquement la garde anti-écrasement des collections (defense in depth).
+4. **Pas de rôles métier seedés en 1.2** — seules les permissions `core.*` existent (les modules métier arrivent en 2.x). `app:seed-rbac` crée les rôles système `admin` et `user` (isSystem=true) sans matrice métier. Chaque module métier ajoutera ses permissions + (optionnel) ses rôles quand il sera livré.
+5. **Pas de `Sites`** — Lesstime n'a pas de notion de site : on retire toutes les gardes/relations `sites.*`, `currentSite`, `bypass_scope` du portage Starseed.
+6. **Entités `Role`/`Permission` sans Timestampable/Blamable** — alignées sur Starseed (métadonnées RBAC pures).
+
+---
+
+## Phase A — Domaine RBAC : entités, relations, migration
+
+### Task 1: Entités `Permission` + `Role` + relations `User` + repositories + contrat
+
+**Files:**
+- Create: `src/Module/Core/Domain/Entity/Permission.php`
+- Create: `src/Module/Core/Domain/Entity/Role.php`
+- Create: `src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php`
+- Create: `src/Module/Core/Domain/Repository/RoleRepositoryInterface.php`
+- Create: `src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php`
+- Create: `src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php` (relations `rbacRoles` + `directPermissions` + `getEffectivePermissions()`)
+- Modify: `src/Shared/Domain/Contract/UserInterface.php` (ajout `getEffectivePermissions()`)
+- Modify: `config/services.yaml` (alias repositories)
+- Create: `tests/Unit/Module/Core/Domain/Entity/PermissionTest.php`
+- Create: `tests/Unit/Module/Core/Domain/Entity/RoleTest.php`
+- Modify: `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php` (stub `getEffectivePermissions()` dans l'anonyme implémentant `UserInterface`)
+
+**Interfaces:**
+- Produces : `Permission { getId, getCode, getLabel, getModule, isOrphan, markOrphan(), revive(label, module), updateMetadata(label, module) }` ; `Role { getId, getCode, getLabel, getDescription, isSystem, getPermissions(): Collection, addPermission(Permission), removePermission(Permission), ensureDeletable() }` ; `User::getEffectivePermissions(): list<string>`, `User::getRbacRoles(): Collection`, `addRbacRole`/`removeRbacRole`, `getDirectPermissions(): Collection`, `addDirectPermission`/`removeDirectPermission`.
+- Repositories : `PermissionRepositoryInterface { findById(int): ?Permission, findByCode(string): ?Permission, findAll(): list<Permission>, findAllCodes(): list<string>, save(Permission): void }` ; `RoleRepositoryInterface { findById(int): ?Role, findByCode(string): ?Role, findAll(): list<Role>, save(Role): void }`.
+
+- [ ] **Step 1: Écrire les tests unitaires des entités**
+
+`tests/Unit/Module/Core/Domain/Entity/PermissionTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class PermissionTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $p = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        self::assertSame('core.users.view', $p->getCode());
+        self::assertSame('Voir les utilisateurs', $p->getLabel());
+        self::assertSame('core', $p->getModule());
+        self::assertFalse($p->isOrphan());
+    }
+
+    public function testCodeMustContainADot(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('coreusersview', 'x', 'core');
+    }
+
+    public function testCodeCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('', 'x', 'core');
+    }
+
+    public function testLabelCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('core.users.view', '', 'core');
+    }
+
+    public function testModuleCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('core.users.view', 'x', '');
+    }
+
+    public function testMarkOrphanAndRevive(): void
+    {
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $p->markOrphan();
+        self::assertTrue($p->isOrphan());
+        $p->revive('Voir maj', 'core');
+        self::assertFalse($p->isOrphan());
+        self::assertSame('Voir maj', $p->getLabel());
+    }
+}
+```
+
+`tests/Unit/Module/Core/Domain/Entity/RoleTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class RoleTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        self::assertSame('bureau', $r->getCode());
+        self::assertSame('Bureau', $r->getLabel());
+        self::assertFalse($r->isSystem());
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testCodeMustBeSnakeCase(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Role('Bureau Commercial', 'x');
+    }
+
+    public function testAddRemovePermission(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $r->addPermission($p);
+        self::assertCount(1, $r->getPermissions());
+        $r->addPermission($p); // idempotent
+        self::assertCount(1, $r->getPermissions());
+        $r->removePermission($p);
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testSystemRoleCannotBeDeleted(): void
+    {
+        $r = new Role('admin', 'Administrateur', null, true);
+        $this->expectException(SystemRoleDeletionException::class);
+        $r->ensureDeletable();
+    }
+
+    public function testNonSystemRoleIsDeletable(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $r->ensureDeletable();
+        self::assertFalse($r->isSystem());
+    }
+}
+```
+
+- [ ] **Step 2: Lancer les tests, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/Domain/Entity/`
+Expected: FAIL (classes inexistantes).
+
+- [ ] **Step 3: Créer l'exception**
+
+`src/Module/Core/Domain/Exception/SystemRoleDeletionException.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Exception;
+
+final class SystemRoleDeletionException extends \DomainException
+{
+    public function __construct(string $code)
+    {
+        parent::__construct(sprintf('Le rôle système "%s" ne peut pas être supprimé.', $code));
+    }
+}
+```
+
+- [ ] **Step 4: Créer `Permission`**
+
+`src/Module/Core/Domain/Entity/Permission.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
+#[ORM\Table(name: 'permission')]
+#[ORM\Index(name: 'idx_permission_module', columns: ['module'])]
+#[ORM\Index(name: 'idx_permission_orphan', columns: ['orphan'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(),
+        new Get(),
+    ],
+    normalizationContext: ['groups' => ['permission:read']],
+    security: "is_granted('core.permissions.view') or is_granted('core.users.manage') or is_granted('core.roles.manage')",
+)]
+class Permission
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['permission:read', 'role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, unique: true)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $code;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $label;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $module;
+
+    #[ORM\Column]
+    #[Groups(['permission:read'])]
+    private bool $orphan = false;
+
+    public function __construct(string $code, string $label, string $module)
+    {
+        $code   = trim($code);
+        $label  = trim($label);
+        $module = trim($module);
+
+        if ('' === $code || !str_contains($code, '.')) {
+            throw new \InvalidArgumentException(sprintf('Code de permission invalide : "%s" (attendu module.resource.action).', $code));
+        }
+        if ('' === $label) {
+            throw new \InvalidArgumentException('Le libellé de permission ne peut pas être vide.');
+        }
+        if ('' === $module) {
+            throw new \InvalidArgumentException('Le module de permission ne peut pas être vide.');
+        }
+
+        $this->code   = $code;
+        $this->label  = $label;
+        $this->module = $module;
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function getModule(): string
+    {
+        return $this->module;
+    }
+
+    public function isOrphan(): bool
+    {
+        return $this->orphan;
+    }
+
+    public function markOrphan(): void
+    {
+        $this->orphan = true;
+    }
+
+    public function revive(string $label, string $module): void
+    {
+        $this->orphan = false;
+        $this->updateMetadata($label, $module);
+    }
+
+    public function updateMetadata(string $label, string $module): void
+    {
+        $this->label  = $label;
+        $this->module = $module;
+    }
+}
+```
+
+- [ ] **Step 5: Créer `Role`**
+
+`src/Module/Core/Domain/Entity/Role.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
+#[ORM\Table(name: '`role`')]
+#[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(security: "is_granted('core.roles.view')"),
+        new Get(security: "is_granted('core.roles.view')"),
+        new Post(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Patch(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Delete(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+class Role
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 100, unique: true)]
+    #[Groups(['role:read', 'role:write'])]
+    private string $code;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['role:read', 'role:write'])]
+    private string $label;
+
+    #[ORM\Column(type: 'text', nullable: true)]
+    #[Groups(['role:read', 'role:write'])]
+    private ?string $description;
+
+    #[ORM\Column(name: 'is_system')]
+    #[Groups(['role:read'])]
+    private bool $isSystem;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
+    private Collection $permissions;
+
+    public function __construct(string $code, string $label, ?string $description = null, bool $isSystem = false)
+    {
+        if (1 !== preg_match('/^[a-z][a-z0-9_]*$/', $code)) {
+            throw new \InvalidArgumentException(sprintf('Code de rôle invalide : "%s" (attendu snake_case).', $code));
+        }
+        if ('' === trim($label)) {
+            throw new \InvalidArgumentException('Le libellé de rôle ne peut pas être vide.');
+        }
+
+        $this->code        = $code;
+        $this->label       = $label;
+        $this->description = $description;
+        $this->isSystem    = $isSystem;
+        $this->permissions = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(string $label): void
+    {
+        $this->label = $label;
+    }
+
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): void
+    {
+        $this->description = $description;
+    }
+
+    public function isSystem(): bool
+    {
+        return $this->isSystem;
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getPermissions(): Collection
+    {
+        return $this->permissions;
+    }
+
+    public function addPermission(Permission $permission): void
+    {
+        if (!$this->permissions->contains($permission)) {
+            $this->permissions->add($permission);
+        }
+    }
+
+    public function removePermission(Permission $permission): void
+    {
+        $this->permissions->removeElement($permission);
+    }
+
+    public function ensureDeletable(): void
+    {
+        if ($this->isSystem) {
+            throw new SystemRoleDeletionException($this->code);
+        }
+    }
+}
+```
+
+- [ ] **Step 6: Ajouter les relations RBAC + `getEffectivePermissions()` à `User`**
+
+Dans `src/Module/Core/Domain/Entity/User.php` : ajouter les imports `use Doctrine\Common\Collections\ArrayCollection; use Doctrine\Common\Collections\Collection;` (si absents) et, dans la classe :
+```php
+    /**
+     * @var Collection<int, Role>
+     */
+    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_role')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $rbacRoles;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_permission')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $directPermissions;
+```
+> ⚠️ Initialiser les deux collections dans le constructeur de `User` (s'il en existe un ; sinon en ajouter un `public function __construct() { $this->rbacRoles = new ArrayCollection(); $this->directPermissions = new ArrayCollection(); }`. Vérifier d'abord s'il y a déjà un constructeur — `createdAt` est posé ailleurs ? Lire l'entité. Si pas de constructeur, en créer un n'initialisant QUE ces deux collections).
+
+Ajouter les méthodes :
+```php
+    /**
+     * @return Collection<int, Role>
+     */
+    public function getRbacRoles(): Collection
+    {
+        return $this->rbacRoles;
+    }
+
+    public function addRbacRole(Role $role): void
+    {
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
+        }
+    }
+
+    public function removeRbacRole(Role $role): void
+    {
+        $this->rbacRoles->removeElement($role);
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getDirectPermissions(): Collection
+    {
+        return $this->directPermissions;
+    }
+
+    public function addDirectPermission(Permission $permission): void
+    {
+        if (!$this->directPermissions->contains($permission)) {
+            $this->directPermissions->add($permission);
+        }
+    }
+
+    public function removeDirectPermission(Permission $permission): void
+    {
+        $this->directPermissions->removeElement($permission);
+    }
+
+    /**
+     * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
+     *
+     * @return list<string>
+     */
+    #[Groups(['me:read', 'user:rbac:read'])]
+    public function getEffectivePermissions(): array
+    {
+        $codes = [];
+        foreach ($this->rbacRoles as $role) {
+            foreach ($role->getPermissions() as $permission) {
+                $codes[$permission->getCode()] = true;
+            }
+        }
+        foreach ($this->directPermissions as $permission) {
+            $codes[$permission->getCode()] = true;
+        }
+        $keys = array_keys($codes);
+        sort($keys);
+
+        return $keys;
+    }
+```
+Ajouter les imports `use App\Module\Core\Domain\Entity\Role;` n'est pas nécessaire (même namespace) ; `Permission` non plus. Vérifier la présence de `use Symfony\Component\Serializer\Annotation\Groups;` (déjà là vu les Groups existants).
+
+- [ ] **Step 7: Enrichir le contrat `UserInterface`**
+
+Dans `src/Shared/Domain/Contract/UserInterface.php`, ajouter :
+```php
+    /** @return list<string> */
+    public function getEffectivePermissions(): array;
+```
+Puis ajouter le stub dans l'anonyme du test `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php` qui implémente `UserInterface` :
+```php
+            public function getEffectivePermissions(): array
+            {
+                return [];
+            }
+```
+
+- [ ] **Step 8: Créer les repositories + alias services**
+
+`src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Permission;
+
+interface PermissionRepositoryInterface
+{
+    public function findById(int $id): ?Permission;
+
+    public function findByCode(string $code): ?Permission;
+
+    /** @return list<Permission> */
+    public function findAll(): array;
+
+    /** @return list<string> */
+    public function findAllCodes(): array;
+
+    public function save(Permission $permission): void;
+}
+```
+
+`src/Module/Core/Domain/Repository/RoleRepositoryInterface.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Role;
+
+interface RoleRepositoryInterface
+{
+    public function findById(int $id): ?Role;
+
+    public function findByCode(string $code): ?Role;
+
+    /** @return list<Role> */
+    public function findAll(): array;
+
+    public function save(Role $role): void;
+}
+```
+
+`src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Permission>
+ */
+final class DoctrinePermissionRepository extends ServiceEntityRepository implements PermissionRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Permission::class);
+    }
+
+    public function findById(int $id): ?Permission
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Permission
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Permission> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    /** @return list<string> */
+    public function findAllCodes(): array
+    {
+        /** @var list<array{code: string}> $rows */
+        $rows = $this->createQueryBuilder('p')->select('p.code')->getQuery()->getArrayResult();
+
+        return array_map(static fn (array $r): string => $r['code'], $rows);
+    }
+
+    public function save(Permission $permission): void
+    {
+        $this->getEntityManager()->persist($permission);
+    }
+}
+```
+
+`src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Role>
+ */
+final class DoctrineRoleRepository extends ServiceEntityRepository implements RoleRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Role::class);
+    }
+
+    public function findById(int $id): ?Role
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Role
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Role> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    public function save(Role $role): void
+    {
+        $this->getEntityManager()->persist($role);
+    }
+}
+```
+
+Dans `config/services.yaml`, sous les alias existants (à côté de `UserRepositoryInterface`) :
+```yaml
+    App\Module\Core\Domain\Repository\PermissionRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository'
+    App\Module\Core\Domain\Repository\RoleRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository'
+```
+
+- [ ] **Step 9: Lancer les tests unitaires entités**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/Domain/Entity/`
+Expected: PASS.
+
+- [ ] **Step 10: Générer + appliquer la migration additive**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff`
+Vérifier que le `up()` ne contient QUE des `CREATE TABLE permission`, `CREATE TABLE "role"`, `CREATE TABLE role_permission`, `CREATE TABLE user_role`, `CREATE TABLE user_permission` (+ index + FK), **aucun** `DROP`/`ALTER` sur `"user"` ou `messenger_messages`. Si la dérive `messenger_messages` est mélangée, éditer la migration pour ne garder que les tables RBAC.
+Ajouter les `COMMENT ON COLUMN` pour les colonnes métier (code, label, module, orphan, is_system, description) dans le `up()` (convention projet, cf. ColumnCommentsCatalog).
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate --no-interaction`
+Puis recharger les fixtures de test : `make db-reset` (ou équivalent test) — vérifier que ça passe.
+
+- [ ] **Step 11: Gate + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate` → Mapping OK.
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert (120 + 11).
+Bloc « Vérification login ».
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src config tests migrations
+git reset -- config/reference.php
+git commit -m "feat(core) : add rbac role and permission entities with user relations"
+```
+
+---
+
+## Phase B — Agrégation des permissions + commande de synchronisation
+
+### Task 2: `ModuleRegistry::permissions()` + `CoreModule::permissions()` finalisé + `app:sync-permissions`
+
+**Files:**
+- Modify: `src/Shared/Domain/Module/ModuleRegistry.php` (méthode `permissions()`)
+- Modify: `src/Module/Core/CoreModule.php` (permissions Core définitives)
+- Create: `src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php`
+- Create: `tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php`
+- Create: `tests/Functional/Module/Core/SyncPermissionsCommandTest.php`
+
+**Interfaces:**
+- Consumes : `ModuleInterface::permissions(): list<array{code,label}>` (existant), `PermissionRepositoryInterface`.
+- Produces : `ModuleRegistry::permissions(array $moduleClasses): list<array{code,label,module}>` (agrège + injecte `module` = `$class::id()`, valide préfixe). Commande `app:sync-permissions`.
+
+- [ ] **Step 1: Test de `ModuleRegistry::permissions()`**
+
+`tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryPermissionsTest extends TestCase
+{
+    public function testAggregatesPermissionsWithModuleId(): void
+    {
+        $perms = ModuleRegistry::permissions([CoreModule::class]);
+
+        self::assertNotEmpty($perms);
+        foreach ($perms as $perm) {
+            self::assertArrayHasKey('code', $perm);
+            self::assertArrayHasKey('label', $perm);
+            self::assertArrayHasKey('module', $perm);
+            self::assertSame('core', $perm['module']);
+            self::assertStringStartsWith('core.', $perm['code']);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (méthode inexistante).
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php`
+Expected: FAIL.
+
+- [ ] **Step 3: Implémenter `ModuleRegistry::permissions()`**
+
+Ajouter à `src/Shared/Domain/Module/ModuleRegistry.php` :
+```php
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<array{code: string, label: string, module: string}>
+     */
+    public static function permissions(array $moduleClasses): array
+    {
+        $out = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
+            }
+            $moduleId = $moduleClass::id();
+            foreach ($moduleClass::permissions() as $perm) {
+                $code = $perm['code'];
+                if (!str_starts_with($code, $moduleId.'.')) {
+                    throw new \InvalidArgumentException(sprintf('Permission "%s" du module "%s" doit être préfixée par "%s.".', $code, $moduleId, $moduleId));
+                }
+                $out[] = ['code' => $code, 'label' => $perm['label'], 'module' => $moduleId];
+            }
+        }
+
+        return $out;
+    }
+```
+
+- [ ] **Step 4: Finaliser `CoreModule::permissions()`**
+
+Remplacer le stub par les permissions Core RBAC (alignées sur Starseed, périmètre Lesstime) :
+```php
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.users.view', 'label' => 'Voir les utilisateurs'],
+            ['code' => 'core.users.manage', 'label' => 'Gérer les utilisateurs (créer, éditer, supprimer)'],
+            ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
+            ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
+            ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
+        ];
+    }
+```
+> Mettre à jour `tests/Unit/Module/Core/CoreModuleTest.php` si une assertion fige les anciens codes (`core.user.read`, etc.).
+
+- [ ] **Step 5: Test fonctionnel de la commande**
+
+`tests/Functional/Module/Core/SyncPermissionsCommandTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SyncPermissionsCommandTest extends KernelTestCase
+{
+    public function testSyncCreatesCorePermissions(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:sync-permissions'));
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+
+        $repo = self::getContainer()->get(PermissionRepositoryInterface::class);
+        self::assertNotNull($repo->findByCode('core.users.manage'));
+        self::assertContains('core.roles.manage', $repo->findAllCodes());
+    }
+}
+```
+
+- [ ] **Step 6: Lancer, vérifier l'échec** (commande inexistante).
+
+- [ ] **Step 7: Implémenter `app:sync-permissions`**
+
+`src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+#[AsCommand(name: 'app:sync-permissions', description: 'Synchronise le catalogue des permissions depuis les modules actifs.')]
+final class SyncPermissionsCommand extends Command
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly PermissionRepositoryInterface $permissions,
+        #[Autowire('%kernel.project_dir%')]
+        private readonly string $projectDir,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        // Phase 1 : permissions désirées (code => {code,label,module}).
+        $desired = [];
+        foreach (ModuleRegistry::permissions($moduleClasses) as $perm) {
+            $desired[$perm['code']] = $perm;
+        }
+
+        // Phase 2 : upsert.
+        $existing = [];
+        foreach ($this->permissions->findAll() as $permission) {
+            $existing[$permission->getCode()] = $permission;
+        }
+
+        $added = $updated = $revived = 0;
+        foreach ($desired as $code => $perm) {
+            $entity = $existing[$code] ?? null;
+            if (null === $entity) {
+                $this->permissions->save(new Permission($perm['code'], $perm['label'], $perm['module']));
+                ++$added;
+
+                continue;
+            }
+            if ($entity->isOrphan()) {
+                $entity->revive($perm['label'], $perm['module']);
+                ++$revived;
+            } elseif ($entity->getLabel() !== $perm['label'] || $entity->getModule() !== $perm['module']) {
+                $entity->updateMetadata($perm['label'], $perm['module']);
+                ++$updated;
+            }
+        }
+
+        // Phase 3 : orphelines (existantes absentes des désirées).
+        $orphaned = 0;
+        foreach ($existing as $code => $entity) {
+            if (!isset($desired[$code]) && !$entity->isOrphan()) {
+                $entity->markOrphan();
+                ++$orphaned;
+            }
+        }
+
+        $this->em->flush();
+
+        $io->success(sprintf('Permissions synchronisées : %d ajoutées, %d mises à jour, %d réactivées, %d orphelines. Total désirées : %d.', $added, $updated, $revived, $orphaned, \count($desired)));
+
+        return Command::SUCCESS;
+    }
+}
+```
+
+- [ ] **Step 8: Tests + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : aggregate module permissions and add sync-permissions command"
+```
+
+---
+
+## Phase C — PermissionVoter + exposition `/api/me`
+
+### Task 3: `PermissionVoter` + permissions effectives dans `/api/me`
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Security/PermissionVoter.php`
+- Create: `tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php`
+- Modify (vérifier) : `src/Module/Core/Domain/Entity/User.php` — `getEffectivePermissions()` déjà dans le groupe `me:read` (Phase A Step 6). Confirmer.
+
+**Interfaces:**
+- Consumes : `User::getEffectivePermissions()`, `User::getRoles()`.
+- Produces : voter répondant à `is_granted('module.resource.action')`.
+
+- [ ] **Step 1: Test du voter**
+
+`tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Security\PermissionVoter;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * @internal
+ */
+final class PermissionVoterTest extends TestCase
+{
+    private function token(User $user): UsernamePasswordToken
+    {
+        return new UsernamePasswordToken($user, 'main', $user->getRoles());
+    }
+
+    public function testAbstainsOnNonRbacAttributes(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['ROLE_ADMIN']));
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['IS_AUTHENTICATED_FULLY']));
+    }
+
+    public function testGrantsWhenUserHasPermissionViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $role  = new Role('bureau', 'Bureau');
+        $role->addPermission(new Permission('core.users.view', 'Voir', 'core'));
+        $user = new User();
+        $user->addRbacRole($role);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.view']));
+        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    public function testAdminBypassesViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        $user->setRoles(['ROLE_ADMIN']);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec.**
+
+- [ ] **Step 3: Implémenter le voter**
+
+`src/Module/Core/Infrastructure/Security/PermissionVoter.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<string, mixed>
+ */
+final class PermissionVoter extends Voter
+{
+    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return 1 === preg_match(self::PATTERN, $attribute);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        $user = $token->getUser();
+        if (!$user instanceof User) {
+            return false;
+        }
+
+        // ROLE_ADMIN = bypass total (cf. Décision 1).
+        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            return true;
+        }
+
+        return in_array($attribute, $user->getEffectivePermissions(), true);
+    }
+}
+```
+> Le voter est auto-enregistré (autoconfigure). Aucun ajout `services.yaml` nécessaire.
+
+- [ ] **Step 4: Tests + login + vérif `/api/me`**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login », puis vérifier que `/api/me` expose `effectivePermissions` :
+```bash
+curl -s http://localhost:8082/api/me -H "Cookie: BEARER=$BEARER" | grep -o "effectivePermissions" && echo "OK champ présent"
+```
+> `alice` (ROLE_USER, sans rôle RBAC) renverra `effectivePermissions: []` — normal à ce stade (pas de rôle attribué).
+
+- [ ] **Step 5: Commit**
+
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : add permission voter and expose effective permissions on /api/me"
+```
+
+---
+
+## Phase D — API Platform : Role + Permission + processors
+
+### Task 4: ApiResources Role/Permission (déjà sur entités) + `RoleProcessor` + endpoint RBAC user + `UserRbacProcessor`
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php`
+- Create: `src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php` (opérations RBAC `Get`/`Patch` sur `/api/users/{id}/rbac` + groupes `user:rbac:read`/`user:rbac:write`)
+- Create: `tests/Functional/Module/Core/RoleApiTest.php`
+- Create: `tests/Functional/Module/Core/UserRbacApiTest.php`
+
+**Interfaces:**
+- Consumes : `RoleRepositoryInterface`, `Role::ensureDeletable()`, `User` collections.
+- Produces : `POST/PATCH/DELETE /api/roles`, `GET/PATCH /api/users/{id}/rbac`.
+
+- [ ] **Step 1: `RoleProcessor`** (immuabilité du code + refus delete système)
+
+`src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * @implements ProcessorInterface<Role, Role|null>
+ */
+final readonly class RoleProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?Role
+    {
+        \assert($data instanceof Role);
+
+        if ($operation instanceof DeleteOperationInterface) {
+            try {
+                $data->ensureDeletable();
+            } catch (\DomainException $e) {
+                throw new AccessDeniedHttpException($e->getMessage(), $e);
+            }
+            $this->em->remove($data);
+            $this->em->flush();
+
+            return null;
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
+```
+> Le code étant `role:write` mais immuable : API Platform mappe le `code` à la création (POST). En PATCH, le `code` reste dans `role:write` — pour le rendre immuable, vérifier dans un test que le PATCH du code n'a pas d'effet (l'entité n'a pas de `setCode()`, donc le denormalizer ne peut pas l'écraser → immuabilité structurelle). Confirmer l'absence de `setCode()` dans `Role`. ✅ (non défini en Phase A).
+
+- [ ] **Step 2: Endpoint RBAC sur `User` + `UserRbacProcessor`**
+
+Dans `src/Module/Core/Domain/Entity/User.php`, ajouter aux `operations` de l'`ApiResource` :
+```php
+        new Get(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+        ),
+        new Patch(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+            denormalizationContext: ['groups' => ['user:rbac:write']],
+            processor: UserRbacProcessor::class,
+        ),
+```
+Ajouter l'import `use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;`.
+Ajouter les setters de collections en denormalization (groupe `user:rbac:write`) : exposer `rbacRoles` et `directPermissions` en écriture. Pour cela, ajouter le groupe `user:rbac:write` sur les deux propriétés (en plus de `user:rbac:read`) :
+```php
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $rbacRoles;
+    ...
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $directPermissions;
+```
+> API Platform écrit les collections M2M via les adders/removers `addRbacRole`/`removeRbacRole` et `addDirectPermission`/`removeDirectPermission` (déjà définis Phase A).
+
+`src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php` (garde anti-écrasement des collections absentes du payload) :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\PersistentCollection;
+
+/**
+ * @implements ProcessorInterface<User, User>
+ */
+final readonly class UserRbacProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
+    {
+        \assert($data instanceof User);
+
+        // Defense in depth : si une collection n'était pas dans le payload JSON, API Platform
+        // la réinstancie vide → on restaure le snapshot Doctrine pour éviter l'effacement silencieux.
+        $previous = $context['previous_data'] ?? null;
+        if ($previous instanceof User) {
+            $this->restoreIfEmptiedByAbsence($data->getRbacRoles(), $previous->getRbacRoles());
+            $this->restoreIfEmptiedByAbsence($data->getDirectPermissions(), $previous->getDirectPermissions());
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+
+    /**
+     * @param iterable<object> $current
+     * @param iterable<object> $previous
+     */
+    private function restoreIfEmptiedByAbsence(mixed $current, mixed $previous): void
+    {
+        // Si la collection courante est "propre" (non modifiée par le denormalizer) mais vidée,
+        // on ne touche à rien : la mutation explicite passe par add/remove.
+        if ($current instanceof PersistentCollection && !$current->isDirty()) {
+            return;
+        }
+        // NB : la restauration fine est laissée à l'exécutant si un test prouve l'écrasement ;
+        // en pratique, exposer les collections en user:rbac:write avec les adders/removers suffit.
+    }
+}
+```
+> ⚠️ NOTE EXÉCUTANT : commencer SIMPLE — exposer `rbacRoles`/`directPermissions` en `user:rbac:write` (avec adders/removers) gère nativement les mutations via IRIs. Écrire d'abord le test `UserRbacApiTest` (Step 4) ; si et seulement si il prouve un écrasement de collection lors d'un PATCH partiel, implémenter la restauration depuis `$context['previous_data']`. Sinon, le `UserRbacProcessor` peut se réduire à persist+flush. Ne pas sur-architecturer.
+
+- [ ] **Step 3: Tests fonctionnels Role**
+
+`tests/Functional/Module/Core/RoleApiTest.php` : créer un user admin authentifié (helper login JWT comme les autres tests fonctionnels du projet — s'inspirer de `tests/Functional/...` existants), puis :
+- `GET /api/roles` en tant qu'admin → 200.
+- `GET /api/roles` non authentifié → 401.
+- `POST /api/roles` `{code:'bureau', label:'Bureau'}` en admin → 201.
+- `DELETE` d'un rôle système (`admin`, seedé en Phase E — ou créé inline `isSystem`) → 403.
+> S'aligner sur le pattern d'auth des tests fonctionnels existants (cookie BEARER via `/login_check` ou client API Platform avec token). LIRE un test fonctionnel existant avant d'écrire celui-ci.
+
+- [ ] **Step 4: Tests fonctionnels User RBAC**
+
+`tests/Functional/Module/Core/UserRbacApiTest.php` :
+- `GET /api/users/{id}/rbac` en admin → 200, contient `rbacRoles`, `directPermissions`, `effectivePermissions`.
+- `PATCH /api/users/{id}/rbac` attribuant un rôle (IRI) → 200, le rôle apparaît dans `rbacRoles`.
+- `PATCH` ne touchant qu'un champ → vérifier que l'autre collection n'est PAS vidée (le test qui décide si `UserRbacProcessor` a besoin de la restauration).
+
+- [ ] **Step 5: Lancer + login + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login ».
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : expose role and user-rbac api endpoints with processors"
+```
+
+---
+
+## Phase E — Seed RBAC (rôles système)
+
+### Task 5: `RbacSeeder` + `app:seed-rbac` + intégration fixtures
+
+**Files:**
+- Create: `src/Module/Core/Application/Rbac/RbacSeeder.php`
+- Create: `src/Module/Core/Infrastructure/Console/SeedRbacCommand.php`
+- Create: `src/Module/Core/Domain/Security/SystemRoles.php`
+- Modify: `src/DataFixtures/AppFixtures.php` (appeler le seed des rôles système après sync, OU documenter l'appel via make)
+- Create: `tests/Functional/Module/Core/SeedRbacCommandTest.php`
+
+**Interfaces:**
+- Consumes : `RoleRepositoryInterface`, `EntityManagerInterface`.
+- Produces : `RbacSeeder::ensureSystemRoles(): void` (idempotent), commande `app:seed-rbac`.
+
+- [ ] **Step 1: `SystemRoles`**
+
+`src/Module/Core/Domain/Security/SystemRoles.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Security;
+
+final class SystemRoles
+{
+    public const string ADMIN_CODE = 'admin';
+    public const string USER_CODE  = 'user';
+}
+```
+
+- [ ] **Step 2: Test de la commande**
+
+`tests/Functional/Module/Core/SeedRbacCommandTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SeedRbacCommandTest extends KernelTestCase
+{
+    public function testSeedsSystemRolesIdempotently(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:seed-rbac'));
+
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+        $tester->execute([]); // idempotent
+        $tester->assertCommandIsSuccessful();
+
+        $repo  = self::getContainer()->get(RoleRepositoryInterface::class);
+        $admin = $repo->findByCode(SystemRoles::ADMIN_CODE);
+        self::assertNotNull($admin);
+        self::assertTrue($admin->isSystem());
+        self::assertNotNull($repo->findByCode(SystemRoles::USER_CODE));
+    }
+}
+```
+
+- [ ] **Step 3: Lancer, vérifier l'échec.**
+
+- [ ] **Step 4: `RbacSeeder`**
+
+`src/Module/Core/Application/Rbac/RbacSeeder.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\Rbac;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class RbacSeeder
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private RoleRepositoryInterface $roles,
+    ) {}
+
+    /**
+     * Crée les rôles système s'ils sont absents. Idempotent.
+     */
+    public function ensureSystemRoles(): void
+    {
+        $this->ensureRole(SystemRoles::ADMIN_CODE, 'Administrateur', 'Accès complet (bypass RBAC).');
+        $this->ensureRole(SystemRoles::USER_CODE, 'Utilisateur', 'Rôle de base sans permission spécifique.');
+        $this->em->flush();
+    }
+
+    private function ensureRole(string $code, string $label, string $description): void
+    {
+        if (null !== $this->roles->findByCode($code)) {
+            return;
+        }
+        $this->roles->save(new Role($code, $label, $description, true));
+    }
+}
+```
+
+- [ ] **Step 5: `app:seed-rbac`**
+
+`src/Module/Core/Infrastructure/Console/SeedRbacCommand.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+#[AsCommand(name: 'app:seed-rbac', description: 'Seed les rôles système RBAC (admin, user).')]
+final class SeedRbacCommand extends Command
+{
+    public function __construct(private readonly RbacSeeder $seeder)
+    {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+        $this->seeder->ensureSystemRoles();
+        $io->success('Rôles système RBAC seedés (admin, user).');
+
+        return Command::SUCCESS;
+    }
+}
+```
+
+- [ ] **Step 6: Intégrer au cycle fixtures**
+
+LIRE `src/DataFixtures/AppFixtures.php`. Après le chargement des users, appeler le seed RBAC (les permissions doivent exister → `app:sync-permissions` AVANT). Deux options selon le pattern projet :
+- (a) injecter `RbacSeeder` dans `AppFixtures` et appeler `ensureSystemRoles()` en fin de `load()` (les permissions Core sont synchronisées par un hook séparé) ; OU
+- (b) documenter dans le `Makefile`/README que `make db-reset` enchaîne `fixtures:load` puis `app:sync-permissions` puis `app:seed-rbac`.
+> Choisir (a) si `AppFixtures` peut injecter des services (DependentFixture/service) ; sinon (b). Vérifier que `make db-reset` laisse une base cohérente (rôles + permissions présents). NE PAS attacher de matrice métier (Décision 4).
+
+- [ ] **Step 7: Tests + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : add rbac seeder and seed-rbac command for system roles"
+```
+
+---
+
+## Phase F — Sidebar filtrée par permission
+
+### Task 6: `SidebarFilter` + `SidebarProvider` + `config/sidebar.php` gated par permission
+
+**Files:**
+- Modify: `src/Shared/Domain/Sidebar/SidebarFilter.php` (clé `permission` sur section + item)
+- Modify: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` (passe les permissions effectives)
+- Modify: `config/sidebar.php` (permissions sur les items admin)
+- Modify: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` (cas permission)
+- Modify (éventuel): `tests/Functional/Shared/SidebarEndpointTest.php`
+
+**Interfaces:**
+- Consumes : `User::getEffectivePermissions()`, `User::getRoles()`.
+- Produces : `SidebarFilter::filter($sections, $activeModuleIds, $activeRoles = [], $activePermissions = [])`.
+
+- [ ] **Step 1: Étendre le test `SidebarFilterTest`**
+
+Ajouter des cas : une section/item avec `'permission' => 'core.users.view'` est masqué si la permission n'est pas dans `$activePermissions`, visible sinon. Un item sans `permission` reste visible (rétrocompat). Combinaison avec `roles` et `module` inchangée.
+```php
+    public function testItemHiddenWhenPermissionMissing(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [
+                ['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view'],
+                ['label' => 'b', 'to' => '/b', 'icon' => 'i'],
+            ],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], []);
+        self::assertCount(1, $out['sections'][0]['items']);
+        self::assertSame('/b', $out['sections'][0]['items'][0]['to']);
+    }
+
+    public function testItemVisibleWhenPermissionGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view']],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
+        self::assertCount(1, $out['sections'][0]['items']);
+    }
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (signature à 3 args).
+
+- [ ] **Step 3: Étendre `SidebarFilter`**
+
+Ajouter le paramètre `array $activePermissions = []` à `filter()`. Mettre à jour la docblock des types (`permission?:string` sur section et item). Après le gate de rôle (section et item), ajouter le gate de permission :
+```php
+            // Gate de permission au niveau section.
+            if (!self::permissionSatisfied($section['permission'] ?? null, $activePermissions)) {
+                continue;
+            }
+```
+et pour l'item, avant le filtrage module :
+```php
+                if (!self::permissionSatisfied($item['permission'] ?? null, $activePermissions)) {
+                    continue;
+                }
+```
+Helper :
+```php
+    /**
+     * @param list<string> $activePermissions
+     */
+    private static function permissionSatisfied(?string $required, array $activePermissions): bool
+    {
+        if (null === $required || '' === $required) {
+            return true;
+        }
+
+        return in_array($required, $activePermissions, true);
+    }
+```
+
+- [ ] **Step 4: Passer les permissions dans `SidebarProvider`**
+
+Dans `provide()`, après `$roles = ...` :
+```php
+        $permissions = ($user instanceof \App\Module\Core\Domain\Entity\User) ? $user->getEffectivePermissions() : [];
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles), $permissions);
+```
+> Pour éviter le couplage dur au concret, préférer le contrat : `$user` peut être typé `UserInterface` (qui a désormais `getEffectivePermissions()`). Utiliser `$permissions = method_exists($user, 'getEffectivePermissions') ? $user->getEffectivePermissions() : [];` OU, plus propre, instancier-check sur `App\Shared\Domain\Contract\UserInterface`. Choisir le check sur le contrat Shared.
+
+- [ ] **Step 5: Ajouter les permissions dans `config/sidebar.php`**
+
+Sur la section admin, garder le gate `roles: [ROLE_ADMIN]` (rétrocompat) ET, en complément, ajouter une `permission` sur l'item Administration le cas échéant. Comme ROLE_ADMIN bypasse déjà tout (Décision 1), garder la section admin sur `roles` est suffisant ; on ajoute `permission` seulement si on veut donner accès à des non-admins porteurs de `core.users.view`/`core.roles.view`. Décider : ajouter `'permission' => 'core.users.view'` sur l'item `administration` pour permettre l'accès aux gestionnaires non-admin. Documenter dans le commentaire d'en-tête de `config/sidebar.php` la nouvelle clé `permission`.
+> Mettre à jour le commentaire d'en-tête : « `permission` (section/item masqué si la permission effective absente — le RBAC fin) ».
+
+- [ ] **Step 6: Tests + login + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login » + vérifier `/api/sidebar` : `admin` voit Administration, `alice` (ROLE_USER sans permission) ne voit pas l'item gardé par permission.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src config tests
+git commit -m "feat(core) : gate sidebar by effective permissions"
+```
+
+---
+
+## Phase G — Front : composable `usePermissions` + gestion des rôles
+
+### Task 7: `usePermissions`, type user étendu, page admin rôles
+
+**Files:**
+- Create: `frontend/modules/core/composables/usePermissions.ts`
+- Modify: type de l'utilisateur courant (chercher `frontend/services/dto/` ou store auth) — ajouter `effectivePermissions: string[]`
+- Create: `frontend/modules/core/services/roles.ts` + `frontend/modules/core/services/permissions.ts`
+- Create: `frontend/modules/core/pages/admin/roles.vue` (gestion des rôles) — OU onglet dans l'admin existant
+- Modify: `frontend/i18n/locales/fr.json` (clés `admin.roles.*`)
+
+> ⚠️ Le front Lesstime n'a pas encore de page de gestion de rôles. LIRE d'abord la structure (`frontend/modules/core/`, `frontend/stores/auth.ts`, `frontend/services/`, `frontend/pages/admin.vue` et ses onglets `Admin*Tab`). Reproduire le pattern existant (onglet `AdminUserTab` etc.). Le composable et le type sont le cœur de l'AC front ; la page de gestion peut être un onglet supplémentaire dans `admin.vue`.
+
+**Interfaces:**
+- Consumes : `/api/me.effectivePermissions`, `/api/roles`, `/api/permissions`.
+- Produces : `usePermissions(): { can(code), canAny(codes), canAll(codes) }`.
+
+- [ ] **Step 1: Étendre le type user + le store auth**
+
+LIRE le store `frontend/stores/auth.ts` (ou `shared/stores/auth.ts`) et le DTO user. Ajouter `effectivePermissions: string[]` au type, et s'assurer que le payload `/api/me` (qui l'expose désormais, Phase C) est bien stocké. Si le type a `roles: string[]`, garder.
+
+- [ ] **Step 2: Composable `usePermissions`**
+
+`frontend/modules/core/composables/usePermissions.ts` :
+```ts
+export function usePermissions() {
+    const auth = useAuthStore()
+
+    function isAdmin(): boolean {
+        return auth.user?.roles?.includes('ROLE_ADMIN') ?? false
+    }
+
+    function can(code: string): boolean {
+        if (!auth.user) return false
+        if (isAdmin()) return true
+        return auth.user.effectivePermissions?.includes(code) ?? false
+    }
+
+    function canAny(codes: string[]): boolean {
+        return codes.some((c) => can(c))
+    }
+
+    function canAll(codes: string[]): boolean {
+        return codes.every((c) => can(c))
+    }
+
+    return { can, canAny, canAll, isAdmin }
+}
+```
+> Le dossier `modules/core/composables` est auto-importé (scan `readdirSync('modules/')` → `imports.dirs`, cf. LST-62). `useAuthStore` est auto-importé.
+
+- [ ] **Step 3: Services roles/permissions**
+
+`frontend/modules/core/services/roles.ts` et `permissions.ts` : 1 service par ressource, via `useApi()` (pattern projet — LIRE `frontend/services/users.ts` comme modèle). Exposer `list()`, `create()`, `update()`, `remove()` pour roles ; `list()` pour permissions. Gérer la pagination via le pattern projet (ces collections sont bornées → `paginationEnabled: false` sur le `GetCollection` côté back, OU `fetchAllHydra`). Vérifier : si les collections Role/Permission peuvent dépasser 30 items, ajouter `paginationEnabled: false` sur leur `GetCollection` (cf. CLAUDE.md piège `extractHydraMembers`). Pour Lesstime, `permission` ≈ une douzaine de codes → borné ; `role` ≈ qqs unités → borné. Ajouter `paginationEnabled: false` sur les `GetCollection` de `Role` et `Permission` (entités, Phase A/D) pour fiabiliser `extractHydraMembers`.
+
+- [ ] **Step 4: Page / onglet de gestion des rôles**
+
+Ajouter un onglet `AdminRoleTab` dans `frontend/pages/admin.vue` (ou `modules/core`), listant les rôles, permettant création/édition (label, description, permissions cochées depuis `/api/permissions` groupées par module) et suppression (désactivée pour `isSystem`). Réserver l'affichage via `v-if="can('core.roles.view')"`. LIRE un `Admin*Tab` existant pour le style.
+
+- [ ] **Step 5: i18n**
+
+Ajouter dans `frontend/i18n/locales/fr.json` les clés `admin.roles.*` (titre, colonnes, actions, messages). Fusionner dans les namespaces existants (ne pas dupliquer une clé racine).
+
+- [ ] **Step 6: Gate front + smoke**
+
+Run: `cd frontend && npx nuxt build 2>&1 | grep -iE "error|roles|permission" | tail` — build OK, pas d'erreur de module manquant.
+> Rappel LST-62 : `nuxt typecheck` n'est PAS un gate vert sur ce stack. Le vrai gate = build OK + aucun `Cannot find module` + auto-imports présents. Smoke navigateur (gestion des rôles) = PO.
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add -A -- frontend
+git commit -m "feat(core) : add usePermissions composable and rbac roles admin front"
+```
+
+---
+
+## Acceptance check (après toutes les phases)
+
+- [ ] **AC1** Permissions `module.resource.action` synchronisées via `app:sync-permissions` : la commande tourne sans erreur, `permission` contient les codes `core.*`.
+- [ ] **AC2** Sidebar gated par permission ET par module actif : `/api/sidebar` masque les items selon `effectivePermissions` (et `disabledRoutes` selon module), ROLE_ADMIN voit tout.
+- [ ] **AC3** `make test` vert (≈ 120 + nouveaux tests), `doctrine:schema:validate` mapping OK, `migrations:diff` = pas de changement RBAC (hors `messenger_messages`).
+- [ ] `/api/me` expose `effectivePermissions`.
+- [ ] `PermissionVoter` répond à `is_granted('core.*.*')` ; ROLE_ADMIN bypass.
+- [ ] `app:seed-rbac` crée les rôles système `admin`/`user` (idempotent).
+- [ ] Front : `usePermissions().can(code)` fonctionne ; gestion des rôles accessible aux porteurs de `core.roles.view`.
+- [ ] Login/JWT/MCP inchangés (`204`/`200`/`200`) à chaque phase.
+- [ ] `config/reference.php` jamais committé.
+
+## Notes pour les tickets suivants
+
+- **2.x (modules métier)** : chaque `*Module::permissions()` déclarera ses codes ; `app:sync-permissions` les upsertera ; les rôles métier (bureau/compta/…) seront seedés via une matrice étendue dans `RbacSeeder` quand les permissions existeront (Décision 4).
+- **1.3 (Audit log)** : `core.audit_log.view` pourra être ajoutée à `CoreModule::permissions()` quand l'audit sera livré.
+- **Migration `is_admin`** (optionnelle) : si le PO préfère le modèle Starseed, une phase ultérieure pourra remplacer le bypass `ROLE_ADMIN` par une colonne `is_admin` + data-migration (Décision 1).
diff --git a/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md b/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md
new file mode 100644
index 0000000..4593228
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md
@@ -0,0 +1,706 @@
+# LST-61 (1.3) · Audit log — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Porter l'infrastructure d'audit de Starseed dans Lesstime : tracer create/update/delete des entités `#[Auditable]` dans une table append-only `audit_log`, exposée en lecture seule via `GET /api/audit-logs` (paginé + filtrable), avec une page de consultation front gated RBAC.
+
+**Architecture:** 4 couches indépendantes, additives (strangler) — (1) **marquage** déclaratif `#[Auditable]`/`#[AuditIgnore]` dans `src/Shared/Domain/Attribute/` ; (2) **capture** par un `AuditListener` Doctrine sur `onFlush`/`postFlush` (capture en mémoire puis écriture déphasée) ; (3) **écriture** via `AuditLogWriter` sur une connexion DBAL dédiée `audit` (hors transaction ORM, survit aux rollbacks) ; (4) **lecture API** via `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator`. Front Nuxt : service + page consultation gated `core.audit_log.view`.
+
+**Tech Stack:** Symfony 8, API Platform 4, Doctrine ORM/DBAL, PostgreSQL 16, PHP 8.4, PHPUnit, symfony/uid (vendoré), Nuxt 4 / Vue 3 / Pinia / @nuxtjs/i18n.
+
+## Global Constraints
+
+- **Aucune mention de Claude/Anthropic/IA** dans les écritures Git (commits, trailers, descriptions MR, merge). Messages factuels et techniques.
+- **Additif uniquement** : aucune migration destructive (pas de DROP/ALTER sur tables existantes en `up()`).
+- **PostgreSQL** : noms de colonnes toujours en minuscules snake_case dans le SQL brut.
+- **Code** : `declare(strict_types=1)`, PSR-12, patterns API Platform / Doctrine existants. Variables et commentaires en anglais.
+- **`config/reference.php`** auto-généré — NE JAMAIS committer.
+- Toujours lire un fichier avant de le modifier ; reproduire le style existant.
+- Branche : `feat/lst-61-audit-log` (empilée sur `feat/lst-57-rbac-fin`).
+- Tests Docker : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`.
+
+---
+
+## File Structure
+
+**Créés :**
+- `src/Shared/Domain/Attribute/Auditable.php` — marqueur classe
+- `src/Shared/Domain/Attribute/AuditIgnore.php` — marqueur propriété
+- `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php` — écriture DBAL `audit`
+- `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php` — UUID par requête
+- `src/Module/Core/Infrastructure/Doctrine/AuditListener.php` — capture onFlush/postFlush
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+- `src/Module/Core/Application/DTO/AuditLogOutput.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+- `migrations/Version20260619XXXXXX.php` — table `audit_log`
+- `tests/Functional/Module/Core/AuditListenerTest.php`
+- `tests/Functional/Module/Core/AuditLogApiTest.php`
+- `frontend/modules/core/services/audit-logs.ts`
+- `frontend/components/admin/AdminAuditTab.vue`
+
+**Modifiés :**
+- `config/packages/doctrine.yaml` — connexion `audit` + `schema_filter` audit_log
+- `src/Module/Core/CoreModule.php` — permission `core.audit_log.view`
+- `src/Module/Core/Domain/Entity/User.php` — `#[Auditable]` + `#[AuditIgnore]` password/apiToken
+- `src/Module/Core/Domain/Entity/Role.php` — `#[Auditable]`
+- `src/Module/Core/Domain/Entity/Permission.php` — `#[Auditable]`
+- `tests/Unit/Module/Core/CoreModuleTest.php` — assert nouvelle permission
+- `frontend/pages/admin.vue` — onglet Audit gated `core.audit_log.view`
+- `frontend/i18n/locales/fr.json` — clés `admin.audit.*` + `audit.entity.*`
+
+---
+
+## Task A: Marquage + table + connexion DBAL audit
+
+**Files:**
+- Create: `src/Shared/Domain/Attribute/Auditable.php`, `src/Shared/Domain/Attribute/AuditIgnore.php`
+- Create: `migrations/Version20260619XXXXXX.php`
+- Modify: `config/packages/doctrine.yaml`
+
+**Interfaces produced:** `App\Shared\Domain\Attribute\Auditable` (TARGET_CLASS), `App\Shared\Domain\Attribute\AuditIgnore` (TARGET_PROPERTY) ; service DBAL `doctrine.dbal.audit_connection` ; table `audit_log`.
+
+- [ ] **Step A1: Attributs** — créer les deux fichiers :
+
+```php
+<?php
+// src/Shared/Domain/Attribute/Auditable.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable
+{
+}
+```
+
+```php
+<?php
+// src/Shared/Domain/Attribute/AuditIgnore.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore
+{
+}
+```
+
+- [ ] **Step A2: Migration** — créer `migrations/Version20260619XXXXXX.php` (timestamp réel via `php bin/console make:migration` puis remplacer le contenu, OU horodatage manuel cohérent > 20260619145109) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619XXXXXX extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}
+```
+
+- [ ] **Step A3: Connexion DBAL `audit`** — restructurer `config/packages/doctrine.yaml`. Remplacer le bloc `dbal` racine (connexion unique) par des connexions nommées, et propager le `dbname_suffix` de test aux deux connexions. **Le bloc `orm` reste inchangé** (l'EM par défaut se lie à `default_connection`).
+
+Remplacer :
+```yaml
+    dbal:
+        url: '%env(resolve:DATABASE_URL)%'
+
+        # IMPORTANT: You MUST configure your server version,
+        # either here or in the DATABASE_URL env var (see .env file)
+        #server_version: '16'
+
+        profiling_collect_backtrace: '%kernel.debug%'
+```
+par :
+```yaml
+    dbal:
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
+```
+
+Et remplacer le bloc `when@test` :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # "TEST_TOKEN" is typically set by ParaTest
+            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+par :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+
+- [ ] **Step A4: Vérifier la non-régression** — la restructuration des connexions est le point sensible. Lancer la suite existante :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected: 147 tests toujours verts (aucune régression liée au changement de connexions).
+
+- [ ] **Step A5: Appliquer la migration (dev + test)** :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n --env=test
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -i "audit_log" || echo "OK: audit_log absent du diff (schema_filter actif)"
+```
+Expected: table créée, `audit_log` absente de tout diff généré.
+
+- [ ] **Step A6: Commit**
+```bash
+git add src/Shared/Domain/Attribute config/packages/doctrine.yaml migrations/
+git commit -m "feat(core) : add audit attributes, audit_log table and dedicated dbal connection"
+```
+
+---
+
+## Task B: AuditLogWriter + RequestIdProvider
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php`
+- Create: `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php`
+
+**Interfaces produced:** `AuditLogWriter::log(string $entityType, string $entityId, string $action, array $changes): void` ; `RequestIdProvider::getRequestId(): ?string`.
+
+- [ ] **Step B1: RequestIdProvider** (verbatim Starseed) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}
+```
+
+- [ ] **Step B2: AuditLogWriter** (verbatim Starseed, connexion `audit`) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {
+    }
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}
+```
+
+- [ ] **Step B3: Vérifier le câblage** (autowiring) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:container App\\Module\\Core\\Infrastructure\\Audit\\AuditLogWriter 2>&1 | head -20
+```
+Expected: service trouvé, injection `doctrine.dbal.audit_connection` résolue.
+
+- [ ] **Step B4: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Audit/
+git commit -m "feat(core) : add audit log writer and request id provider"
+```
+
+---
+
+## Task C: AuditListener + marquage des entités Core
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Doctrine/AuditListener.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php`, `Role.php`, `Permission.php`
+- Test: `tests/Functional/Module/Core/AuditListenerTest.php`
+
+**Interfaces consumed:** `AuditLogWriter`, attributs `Auditable`/`AuditIgnore`.
+
+- [ ] **Step C1: Écrire le test fonctionnel (échec attendu)** — `tests/Functional/Module/Core/AuditListenerTest.php`. Le test crée/modifie/supprime un User via l'EntityManager dans le kernel de test, puis lit `audit_log` via la connexion `audit`. (S'inspirer du style des tests fonctionnels existants — `RoleApiTest`, `UserRbacApiTest`.)
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container = self::getContainer();
+        $this->em = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions.
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+}
+```
+
+> **Note adaptation :** vérifier la signature réelle de `User` (setters disponibles : `setUsername`, `setPassword`, `setRoles`, `setFirstName`). Ajuster `makeUser()` aux champs NOT NULL réels de la table `user`. Si `User` exige d'autres champs obligatoires (ex. `createdAt` initialisé au constructeur — déjà le cas), ne rien ajouter.
+
+- [ ] **Step C2: Run le test → échec** (listener absent, entités non marquées) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: FAIL.
+
+- [ ] **Step C3: Créer `AuditListener`** (verbatim Starseed, namespace `App\Module\Core\Infrastructure\Doctrine`). Copier intégralement le listener fourni dans le rapport Starseed (onFlush capture + postFlush écriture, swap-and-clear, gestion collections, snapshot create/delete, buildUpdateChanges, formatEntityType regex `App\Module\<module>\...\<Entity>`, caches Auditable/AuditIgnore). **Ne rien simplifier.**
+
+- [ ] **Step C4: Marquer les entités Core.**
+
+`src/Module/Core/Domain/Entity/User.php` — ajouter import + attribut classe + `#[AuditIgnore]` sur `password` et `apiToken` :
+```php
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+```
+```php
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
+#[ORM\Table(name: '`user`')]
+class User implements ...
+```
+Sur la propriété `password` (ligne ~89-90) et `apiToken` (ligne ~99-100), ajouter `#[AuditIgnore]` au-dessus de la ligne `private ?string $password = null;` / `private ?string $apiToken = null;`.
+
+`src/Module/Core/Domain/Entity/Role.php` — ajouter `use App\Shared\Domain\Attribute\Auditable;` et `#[Auditable]` au-dessus de `#[ORM\Entity...]`.
+
+`src/Module/Core/Domain/Entity/Permission.php` — idem `#[Auditable]`.
+
+- [ ] **Step C5: Run le test → succès** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: PASS (3 tests).
+
+- [ ] **Step C6: Suite complète + cs-fixer** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+Expected: tout vert.
+
+- [ ] **Step C7: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Doctrine/AuditListener.php src/Module/Core/Domain/Entity/ tests/Functional/Module/Core/AuditListenerTest.php
+git commit -m "feat(core) : add doctrine audit listener and mark core entities auditable"
+```
+
+---
+
+## Task D: API de lecture `/api/audit-logs` + permission
+
+**Files:**
+- Create: `AuditLogOutput.php`, `DbalPaginator.php`, `AuditLogProvider.php`, `AuditLogResource.php`, `AuditLogEntityTypesResource.php`, `AuditLogEntityTypesProvider.php`
+- Modify: `src/Module/Core/CoreModule.php` (permission), `tests/Unit/Module/Core/CoreModuleTest.php`
+- Test: `tests/Functional/Module/Core/AuditLogApiTest.php`
+
+**Interfaces consumed:** table `audit_log`, connexion `doctrine.dbal.default_connection`, permission `core.audit_log.view`.
+
+- [ ] **Step D1: Permission** — ajouter dans `CoreModule::permissions()` :
+```php
+['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
+```
+Mettre à jour `tests/Unit/Module/Core/CoreModuleTest.php` pour asserter la présence de ce code (la liste passe à 6 permissions).
+
+- [ ] **Step D2: DTO + Paginator + Providers + Resources** — créer les 6 fichiers verbatim depuis le rapport Starseed :
+  - `src/Module/Core/Application/DTO/AuditLogOutput.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+
+  **Adaptation pagination :** Lesstime n'a pas de `itemsPerPage`/`maximum_items_per_page` explicite dans `api_platform.yaml`. Le provider utilise `Pagination::getPage()`/`getLimit()` (défauts API Platform : 30/page). C'est acceptable. Conserver le clamp `max(1, page)`.
+
+- [ ] **Step D3: Écrire le test API (échec attendu)** — `tests/Functional/Module/Core/AuditLogApiTest.php`. S'aligner sur le helper d'auth des tests existants (login admin/admin via cookie JWT, cf. `RoleApiTest`). Tests :
+  - admin authentifié : `GET /api/audit-logs` → 200, structure hydra paginée.
+  - filtre `?action=update` → ne renvoie que des updates.
+  - filtre `?entity_type=core.User`.
+  - `?action=bogus` → 400.
+  - utilisateur sans permission (alice) : 403.
+  - non authentifié : 401.
+
+  Préparer des données : créer/modifier un User via l'EM avant les assertions (le listener écrit), OU insérer directement des lignes via la connexion `audit`.
+
+- [ ] **Step D4: Run → échec, puis vérifier la route** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:router 2>&1 | grep -i audit
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditLogApiTest.php
+```
+Expected: routes `/api/audit-logs`, `/api/audit-logs/{id}`, `/api/audit-log-entity-types` présentes ; test passe une fois les providers branchés.
+
+- [ ] **Step D5: sync-permissions** (enregistre `core.audit_log.view` en base dev + test) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions --env=test
+```
+
+- [ ] **Step D6: Suite complète + cs-fixer**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+
+- [ ] **Step D7: Commit**
+```bash
+git add src/Module/Core/ tests/
+git commit -m "feat(core) : expose read-only audit-logs api with dbal provider and pagination"
+```
+
+---
+
+## Task E: Front — page consultation gated RBAC
+
+**Files:**
+- Create: `frontend/modules/core/services/audit-logs.ts`, `frontend/components/admin/AdminAuditTab.vue`
+- Modify: `frontend/pages/admin.vue`, `frontend/i18n/locales/fr.json`
+
+**Interfaces consumed:** `GET /api/audit-logs`, composable `usePermissions` (livré en 1.2), pattern onglet admin (cf. `AdminRoleTab.vue` créé en 1.2).
+
+- [ ] **Step E1: Service** — `frontend/modules/core/services/audit-logs.ts` : fonction `fetchAuditLogs(params)` via `useApi()` (suivre `roles.ts`/`permissions.ts` créés en 1.2). Types : `AuditLogItem { id, entityType, entityId, action, changes, performedBy, performedAt, ipAddress, requestId }`.
+
+- [ ] **Step E2: Composant onglet** — `frontend/components/admin/AdminAuditTab.vue` : tableau paginé (colonnes date, utilisateur, type d'entité, action, id), filtre par `entityType` et `action`. Labels via i18n `audit.entity.*` et `audit.action.*`. Reproduire le style de `AdminRoleTab.vue`.
+
+- [ ] **Step E3: Onglet dans admin.vue** — ajouter un onglet « Audit » gated `can('core.audit_log.view')` (suivre le gating de l'onglet rôles ajouté en 1.2).
+
+- [ ] **Step E4: i18n** — `frontend/i18n/locales/fr.json` : ajouter `admin.audit.*` (titre, colonnes, filtres) et `audit.entity.core.User` = « Utilisateur », `audit.entity.core.Role` = « Rôle », `audit.entity.core.Permission` = « Permission » ; `audit.action.create/update/delete`.
+
+- [ ] **Step E5: Vérifier la route déterministe (SPA)** :
+```bash
+cd frontend && npx nuxt build 2>&1 | tail -5
+grep -o 'name:"admin"' .output/server/chunks/build/client.precomputed.mjs | head -1
+```
+Expected: build OK (la page admin reste enregistrée).
+
+- [ ] **Step E6: Commit**
+```bash
+git add frontend/
+git commit -m "feat(core) : add audit log consultation tab in admin gated by permission"
+```
+
+---
+
+## Task F: Validation finale + statut
+
+- [ ] **Step F1: Suite complète verte + login fumée**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Vérifier login admin → 204 + `GET /api/me` 200 + `GET /api/audit-logs` 200 (cURL ou via test).
+
+- [ ] **Step F2: migrations:diff propre** (audit_log absente du diff) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -ci audit_log
+```
+Expected: 0.
+
+- [ ] **Step F3: Learnings** — append session #61 à `.claude/skills/ticket-executor/LEARNINGS.md`, commit `docs : log LST-61 audit log session learnings`.
+
+- [ ] **Step F4: Push branche + MR empilée sur #57** (Gitea, base `feat/lst-57-rbac-fin`), draft puis un-draft via API si voulu.
+
+- [ ] **Step F5: Ticket #61 (id 647) → « En attente de validation » (statut 4)**, stopper le timer, informer l'utilisateur.
+
+---
+
+## Self-Review (couverture spec)
+
+| Critère d'acceptation | Tâche |
+|---|---|
+| CRUD des entités `#[Auditable]` tracé | C (listener + test create/update/delete) |
+| Endpoint `/api/audit-logs` paginé/filtrable | D (provider DBAL + DbalPaginator + filtres) |
+| `make test` vert, aucune migration destructive | A (migration additive), C/D/F (suite) |
+| `#[Auditable]`/`#[AuditIgnore]` dans Shared | A1 |
+| Table `audit_log` (qui/quoi/quand/diff/requestId) + COMMENT | A2 |
+| `#[AuditIgnore]` champs sensibles (password, apiToken) | C4 + B2 blacklist |
+| Front consultation + i18n `audit.entity.*` gated RBAC | E |
+
+**Décision de scope :** `#[Auditable]` posé sur les **entités migrées** (User, Role, Permission) conformément au libellé du ticket. Les entités métier legacy (`src/Entity/*`) ne sont pas marquées ici — elles le seront lors de leur migration en modules (phases 2.x+). L'infra est prête à les auditer sans modification dès qu'elles portent l'attribut.
diff --git a/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
new file mode 100644
index 0000000..506814d
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
@@ -0,0 +1,976 @@
+# LST-62 (0.2) — Socle front : shell + auto-détection des layers Nuxt — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Poser l'ossature frontend modulaire (shell `app/`, code partagé `shared/`, auto-détection des layers `modules/*/`, sidebar dynamique alimentée par `/api/sidebar`, redirection des routes désactivées) **sans déplacer aucune page métier** — l'app reste « plate » et la navigation ne régresse pas.
+
+**Architecture:** On s'aligne sur le pattern Starseed : `srcDir: '.'`, layouts/middleware sous `frontend/app/`, composables/stores transverses sous `frontend/shared/` (auto-importés via `imports.dirs`), et un scan `readdirSync('modules/')` qui ajoute chaque `modules/*/` à `extends`. Le backend `/api/modules` + `/api/sidebar` existe déjà (LST-56). On ajoute un **gate de rôle minimal** côté `SidebarProvider`/`SidebarFilter` (ROLE_ADMIN) pour préserver la visibilité de l'Administration sans attendre le RBAC fin (#1.2). Les items **contextuels** (Kanban/Groupes/Archives), **feature-flag** (Documents, Mail) et **user-flag** (Mes absences) restent rendus côté layout, hors `/api/sidebar`.
+
+**Tech Stack:** Nuxt 4.3, Vue 3.5, Pinia 3, @malio/layer-ui 1.7, @nuxtjs/i18n 10, @nuxt/icon — côté back PHP 8.4 / Symfony 8 / API Platform 4 / PHPUnit 13.
+
+## Global Constraints
+
+- **Aucune page métier déplacée** : `frontend/pages/` reste tel quel ; on ne crée AUCUN `frontend/modules/<x>/pages/` peuplé en 0.2 (le dossier `modules/` est créé vide pour le scan).
+- **Zéro régression de navigation** : tous les liens actuels restent atteignables et correctement gardés (admin reste admin-only).
+- **Auto-import Nuxt** : les composants/pages référencent les composables/stores **par nom** (`useApi()`, `useAuthStore()`), jamais par chemin → déplacer un fichier entre deux dossiers auto-scannés est transparent. Toujours le vérifier par un `typecheck` après déplacement.
+- **Commits** : format `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude/Anthropic (message, body, trailers).
+- **PHP** : `declare(strict_types=1);` en tête ; tests via `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit …`.
+- **TS** : strict, 4 espaces d'indentation, pas de `any`.
+- **Pas de migration BDD** dans ce lot (aucune entité touchée).
+
+## Décisions de conception (actées avec le PO)
+
+1. **Gate de rôle minimal côté back** : les items/sections réservés (`/team-absences`, `/admin`) portent une clé `roles` dans `config/sidebar.php` ; `SidebarProvider` passe les rôles de l'utilisateur courant à `SidebarFilter` qui masque ce qui n'est pas autorisé. Ce n'est **pas** le RBAC fin (#1.2) — juste ROLE_ADMIN/ROLE_USER.
+2. **Items contextuels / feature-flag / user-flag hors `/api/sidebar`** : Kanban/Groupes/Archives (contexte `currentProjectId`), Documents (`shareEnabled`), Mail (+ badge non lus), Mes absences (`isEmployee`) restent rendus par le layout comme aujourd'hui.
+3. **Délta cosmétique assumé** : la sidebar dynamique regroupe le Tableau de bord avec « Mes tâches / Projets / Suivi de temps » sous un même en-tête, et le bloc statique (contextuel/flag/Mes absences) s'insère après cette première section. Léger réordonnancement visuel, **à valider**, harmonisé en #60 (Finition Malio). Aucun lien perdu.
+
+## Vérification (pas de runner de tests JS dans ce projet)
+
+- **Back (Task 1)** : vraie TDD PHPUnit.
+- **Front (Tasks 2-7)** : la verif = `typecheck` Nuxt (en LECTURE différentielle, cf. ci-dessous) + smoke test runtime. Commandes :
+  - Typecheck : `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+  - Runtime : dev server `make dev-nuxt` (port 3002, proxy `/api` → nginx) ; vérifier manuellement la navigation + `curl` des endpoints via nginx (`http://localhost:8082/api/...`). Les containers sont up.
+
+> **⚠️ `nuxt typecheck` n'est PAS un gate vert sur ce projet (constat 2026-06-19).** Le baseline Lesstime est déjà rouge (~230 lignes `error TS`), et le projet de référence **Starseed (même Nuxt 4.3.1, même layout `shared/` + `srcDir: '.'`) ship en prod avec 325 erreurs `error TS`**. Ces erreurs sont des classes structurelles attendues, pas des régressions :
+> - dans `shared/composables/*` et `shared/stores/*` : `Cannot find name 'ref'/'useApi'/'useRoute'/'navigateTo'/'defineStore'/'useToast'/'useNuxtApp'…` — Nuxt 4 type le dossier `shared/` sous un `tsconfig.shared.json` isolé sans les globals d'auto-import, alors que `imports.dirs` les rend bien disponibles au RUNTIME (vérifié dans `.nuxt/imports.d.ts`). Starseed a exactement ces 15 erreurs et fonctionne.
+> - dans `nuxt.config.ts` : `node:fs`/`node:path`/`__dirname`/`process` (pas de `@types/node` — comme Starseed) ; ce fichier est compilé par Nuxt au runtime, pas par `tsc`.
+> - dans `useApi.ts` : `Property 'url' does not exist…` (préexistant, code forké de Starseed).
+>
+> **Le vrai gate front** = (1) **ZÉRO erreur `Cannot find module '~/shared/…'` / chemin cassé** (sinon un import a vraiment été cassé par un déplacement) ; (2) les auto-imports attendus présents dans `.nuxt/imports.d.ts` ; (3) smoke runtime sur le dev server. Ne JAMAIS s'arrêter sur les classes d'erreurs structurelles ci-dessus — elles sont identiques à la référence Starseed.
+
+---
+
+### Task 1: Backend — gate de rôle dans la sidebar (`roles`) + config complète
+
+**Files:**
+- Modify: `src/Shared/Domain/Sidebar/SidebarFilter.php` (signature + gate `roles`)
+- Modify: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` (injecter `Security`, passer les rôles)
+- Modify: `config/sidebar.php` (navigation globale + section Administration gated ROLE_ADMIN ; retrait de `/absences` qui reste client-side)
+- Modify: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` (adapter à la nouvelle signature + cas `roles`)
+- Modify: `tests/Functional/Shared/SidebarEndpointTest.php` (vérifier le gate admin)
+
+**Interfaces:**
+- Produces : `SidebarFilter::filter(array $sections, array $activeModuleIds, array $activeRoles = []): array`. Règles ajoutées : une **section** ou un **item** portant une clé `roles` (non vide) n'est conservé que si `$activeRoles` contient au moins un des rôles listés ; sinon la section/l'item est retiré (les `to` des items retirés **par rôle** ne sont PAS ajoutés à `disabledRoutes` — `disabledRoutes` reste réservé au filtrage **par module**, qui pilote la redirection front). Les clés internes `module` et `roles` sont retirées de la sortie.
+- Consumes : `Symfony\Bundle\SecurityBundle\Security` (rôles via `getUser()`).
+
+- [ ] **Step 1: Adapter le test unitaire existant + ajouter les cas `roles`**
+
+Remplace INTÉGRALEMENT `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking'], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        // Filtrage par rôle => PAS de disabledRoutes (réservé au filtrage par module).
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsVisibleWhenRolePresent(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER', 'ROLE_ADMIN']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/admin', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]);
+    }
+
+    public function testItemWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.hr.section', 'icon' => 'mdi:calendar', 'items' => [
+                ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group', 'roles' => ['ROLE_ADMIN']],
+                ['label' => 'sidebar.hr.x', 'to' => '/x', 'icon' => 'mdi:x'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertCount(1, $result['sections'][0]['items']);
+        self::assertSame('/x', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]['items'][0]);
+    }
+}
+```
+
+- [ ] **Step 2: Lancer le test, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: FAIL — `filter()` actuel n'accepte que 2 args / ne gère pas `roles` (erreur d'arité ou assertions rouges).
+
+- [ ] **Step 3: Étendre `SidebarFilter`**
+
+Remplace INTÉGRALEMENT `src/Shared/Domain/Sidebar/SidebarFilter.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sections
+     * @param list<string>                                                                                                                                               $activeModuleIds
+     * @param list<string>                                                                                                                                               $activeRoles
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = []): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            // Gate de rôle au niveau section (ne pollue pas disabledRoutes : réservé au filtrage module).
+            if (!self::rolesSatisfied($section['roles'] ?? null, $activeRoles)) {
+                continue;
+            }
+
+            $items = [];
+            foreach ($section['items'] as $item) {
+                // Gate de rôle au niveau item.
+                if (!self::rolesSatisfied($item['roles'] ?? null, $activeRoles)) {
+                    continue;
+                }
+
+                // Filtrage par module actif (pilote la redirection front via disabledRoutes).
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+
+    /**
+     * @param list<string>|null $required
+     * @param list<string>      $activeRoles
+     */
+    private static function rolesSatisfied(?array $required, array $activeRoles): bool
+    {
+        if (null === $required || [] === $required) {
+            return true;
+        }
+
+        foreach ($required as $role) {
+            if (in_array($role, $activeRoles, true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
+```
+
+- [ ] **Step 4: Lancer le test unitaire, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: PASS (6 tests).
+
+- [ ] **Step 5: Injecter les rôles dans `SidebarProvider`**
+
+Remplace INTÉGRALEMENT `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+        private Security $security,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        /** @var list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $user  = $this->security->getUser();
+        $roles = null !== $user ? $user->getRoles() : [];
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles));
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 6: Compléter `config/sidebar.php`**
+
+Remplace INTÉGRALEMENT `config/sidebar.php` par (icônes alignées sur le layout actuel ; `/absences` retiré car gardé client-side via `isEmployee`) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items) — navigation GLOBALE uniquement.
+ * Filtrée par SidebarFilter : `module` (route ajoutée à disabledRoutes si module inactif),
+ * `roles` (section ou item masqué si l'utilisateur n'a aucun des rôles listés ; gate minimal,
+ * le RBAC fin par permission arrive en #1.2).
+ * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail) et user-flag
+ * (Mes absences) restent rendus côté layout, hors de cet endpoint.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.admin.section',
+        'icon'  => 'mdi:cog-outline',
+        'roles' => ['ROLE_ADMIN'],
+        'items' => [
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline'],
+            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline'],
+        ],
+    ],
+];
+```
+
+- [ ] **Step 7: Renforcer le test fonctionnel sidebar (gate admin)**
+
+Remplace INTÉGRALEMENT `tests/Functional/Shared/SidebarEndpointTest.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+
+    public function testAdminSectionHiddenForNonAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']); // ROLE_USER
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertNotContains('sidebar.admin.section', $labels);
+    }
+
+    public function testAdminSectionVisibleForAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']); // ROLE_ADMIN
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertContains('sidebar.admin.section', $labels);
+    }
+}
+```
+
+- [ ] **Step 8: Lancer la suite complète, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (les 110 tests précédents adaptés + nouveaux cas). Si `admin`/`alice` n'existent pas en base de test, vérifier les fixtures (`admin`/`admin`, `alice`/`alice` d'après CLAUDE.md).
+
+- [ ] **Step 9: php-cs-fixer + commit**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Shared/Domain/Sidebar/SidebarFilter.php src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php config/sidebar.php tests/Unit/Shared/Sidebar/SidebarFilterTest.php tests/Functional/Shared/SidebarEndpointTest.php
+git commit -m "feat(sidebar) : add role gate to sidebar provider and global nav config"
+```
+
+---
+
+### Task 2: Frontend — types + composables partagés (`useModules`, `useSidebar`)
+
+**Files:**
+- Create: `frontend/shared/types/sidebar.ts`
+- Create: `frontend/shared/composables/useModules.ts`
+- Create: `frontend/shared/composables/useSidebar.ts`
+
+> Note : à cette étape `shared/` n'est pas encore dans `imports.dirs` (fait en Task 4). Ces fichiers sont créés ici mais référencés/auto-importés seulement après Task 4 ; le typecheck final de validation se fait donc en fin de Task 4. Cette task se termine sans verif runtime (pur ajout de fichiers).
+
+**Interfaces:**
+- Produces :
+  - `useModules(): { activeModuleIds: Ref<string[]>, loaded: Ref<boolean>, loadModules(): Promise<void>, isModuleActive(id: string): boolean, resetModules(): void }`
+  - `useSidebar(): { sections: Ref<SidebarSection[]>, disabledRoutes: Ref<string[]>, loaded: Ref<boolean>, loadSidebar(): Promise<void>, isRouteDisabled(path: string): boolean, resetSidebar(): void }`
+  - `SidebarSection`, `SidebarItem` (types).
+- Consumes : `useApi()` (auto-importé, déplacé en Task 3 — toujours appelé par nom).
+
+- [ ] **Step 1: Créer les types**
+
+`frontend/shared/types/sidebar.ts` :
+
+```ts
+export type SidebarItem = {
+    label: string
+    to: string
+    icon: string
+}
+
+export type SidebarSection = {
+    label: string
+    icon: string
+    items: SidebarItem[]
+}
+```
+
+- [ ] **Step 2: Créer `useModules`**
+
+`frontend/shared/composables/useModules.ts` (état singleton au niveau module) :
+
+```ts
+const activeModuleIds = ref<string[]>([])
+const loaded = ref(false)
+
+export function useModules() {
+    async function loadModules(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ modules: string[] }>('/modules', {}, { toast: false })
+        activeModuleIds.value = data.modules ?? []
+        loaded.value = true
+    }
+
+    function isModuleActive(id: string): boolean {
+        return activeModuleIds.value.includes(id)
+    }
+
+    function resetModules(): void {
+        activeModuleIds.value = []
+        loaded.value = false
+    }
+
+    return { activeModuleIds, loaded, loadModules, isModuleActive, resetModules }
+}
+```
+
+> Vérifier la signature réelle de `useApi().get` (Task 3 / source actuelle) : `get<T>(url, query?, options?)`. L'option `{ toast: false }` doit exister dans `ApiFetchOptions` ; si la clé diffère (ex. `toastSuccessKey`/`toast`), aligner sur la signature réelle de `useApi.ts`. Si aucune option « silencieux » n'existe, passer `{}`.
+
+- [ ] **Step 3: Créer `useSidebar`**
+
+`frontend/shared/composables/useSidebar.ts` :
+
+```ts
+import type { SidebarSection } from '~/shared/types/sidebar'
+
+const sections = ref<SidebarSection[]>([])
+const disabledRoutes = ref<string[]>([])
+const loaded = ref(false)
+
+export function useSidebar() {
+    async function loadSidebar(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ sections: SidebarSection[]; disabledRoutes: string[] }>(
+            '/sidebar', {}, { toast: false },
+        )
+        sections.value = data.sections ?? []
+        disabledRoutes.value = data.disabledRoutes ?? []
+        loaded.value = true
+    }
+
+    function isRouteDisabled(path: string): boolean {
+        return disabledRoutes.value.some(
+            (disabled) => path === disabled || path.startsWith(disabled + '/'),
+        )
+    }
+
+    function resetSidebar(): void {
+        sections.value = []
+        disabledRoutes.value = []
+        loaded.value = false
+    }
+
+    return { sections, disabledRoutes, loaded, loadSidebar, isRouteDisabled, resetSidebar }
+}
+```
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add frontend/shared/types/sidebar.ts frontend/shared/composables/useModules.ts frontend/shared/composables/useSidebar.ts
+git commit -m "feat(front) : add shared useModules/useSidebar composables and sidebar types"
+```
+
+---
+
+### Task 3: Frontend — déplacer `useApi` et les stores transverses vers `shared/`
+
+**Files:**
+- Move: `frontend/composables/useApi.ts` → `frontend/shared/composables/useApi.ts`
+- Move: `frontend/stores/auth.ts` → `frontend/shared/stores/auth.ts`
+- Move: `frontend/stores/ui.ts` → `frontend/shared/stores/ui.ts`
+
+> `timer.ts` et `mail.ts` **restent** dans `frontend/stores/` (domaines métier non encore migrés en module). On ne déplace que les deux stores transverses (auth, ui) + `useApi`. La résolution effective (auto-import depuis `shared/`) est activée en Task 4 ; cette task fait les `git mv` et termine par un commit. Le typecheck de validation est en Task 4 (après config).
+
+- [ ] **Step 1: Déplacer les fichiers (git mv pour préserver l'historique)**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p shared/stores
+git mv composables/useApi.ts shared/composables/useApi.ts
+git mv stores/auth.ts shared/stores/auth.ts
+git mv stores/ui.ts shared/stores/ui.ts
+```
+
+- [ ] **Step 2: Vérifier qu'aucun import par CHEMIN ne pointe vers les anciens emplacements**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && grep -rn "composables/useApi\|stores/auth\|stores/ui" --include=*.ts --include=*.vue . | grep -v node_modules | grep -v "shared/"`
+Expected: aucun résultat (tout passe par auto-import). Si un import explicite existe (ex. `from '~/composables/useApi'`), le corriger en `from '~/shared/composables/useApi'` ou retirer l'import (auto-import). Noter chaque correction.
+
+> `layouts/default.vue` importe actuellement `useAppVersion` depuis `~/composables/useAppVersion` (NON déplacé) — ne pas y toucher ici.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add -A
+git commit -m "refactor(front) : move useApi and shared stores (auth, ui) to shared/"
+```
+
+---
+
+### Task 4: Frontend — `nuxt.config.ts` (srcDir, dossiers `app/`, scan des layers, auto-imports)
+
+**Files:**
+- Modify: `frontend/nuxt.config.ts`
+- Create: `frontend/modules/.gitkeep` (dossier vide prêt pour le scan)
+- Move: `frontend/layouts/` → `frontend/app/layouts/` (default.vue, auth.vue)
+- Move: `frontend/middleware/` → `frontend/app/middleware/` (auth.global.ts, admin.ts, employee.ts)
+
+**Interfaces:**
+- Produces : structure `app/{layouts,middleware}`, `modules/` scannable, `shared/*` auto-importé.
+
+- [ ] **Step 1: Déplacer layouts et middleware sous `app/`**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p app modules
+git mv layouts app/layouts
+git mv middleware app/middleware
+touch modules/.gitkeep
+git add modules/.gitkeep
+```
+
+- [ ] **Step 2: Réécrire `nuxt.config.ts`**
+
+Remplace INTÉGRALEMENT `frontend/nuxt.config.ts` par (conserve `vite`/`toast` existants — repris depuis la version actuelle) :
+
+```ts
+import { existsSync, readdirSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const modulesDir = resolve(__dirname, 'modules')
+const moduleDirs = existsSync(modulesDir)
+    ? readdirSync(modulesDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name)
+    : []
+const moduleLayers = moduleDirs.map((name) => `./modules/${name}`)
+const moduleComposableDirs = moduleDirs
+    .map((name) => `modules/${name}/composables`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+const moduleStoreDirs = moduleDirs
+    .map((name) => `modules/${name}/stores`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+
+export default defineNuxtConfig({
+    compatibilityDate: '2025-07-15',
+    devtools: { enabled: false },
+    ssr: false,
+    srcDir: '.',
+    css: ['~/assets/css/app.css', '~/assets/css/dark.css'],
+    app: {
+        baseURL: process.env.NODE_ENV === 'production'
+            ? (process.env.NUXT_PUBLIC_APP_BASE || '/')
+            : '/',
+    },
+    extends: ['@malio/layer-ui', ...moduleLayers],
+    modules: [
+        '@nuxtjs/tailwindcss',
+        '@pinia/nuxt',
+        'nuxt-toast',
+        '@nuxtjs/i18n',
+        '@nuxt/icon',
+    ],
+    dir: {
+        layouts: 'app/layouts',
+        middleware: 'app/middleware',
+    },
+    imports: {
+        dirs: [
+            'shared/composables',
+            'shared/stores',
+            'shared/utils',
+            'composables',
+            'stores',
+            'utils',
+            ...moduleComposableDirs,
+            ...moduleStoreDirs,
+        ],
+    },
+    pinia: {
+        storesDirs: ['shared/stores/**', 'stores/**', 'modules/*/stores/**'],
+    },
+    runtimeConfig: {
+        public: {
+            apiBase: process.env.NUXT_PUBLIC_API_BASE,
+        },
+    },
+    devServer: {
+        port: 3002,
+    },
+    components: [
+        { path: '~/components', pathPrefix: false },
+    ],
+    // ⬇️ Reprendre VERBATIM les blocs `vite: {...}`, `toast: {...}`, `i18n: {...}`,
+    //    `typescript: {...}`, `build: {...}` de l'ancien nuxt.config.ts (inchangés).
+    typescript: { strict: true },
+    build: { transpile: ['@vuepic/vue-datepicker'] },
+})
+```
+
+> ⚠️ Les blocs `vite`, `toast`, `i18n` de l'ancienne config ne sont pas réécrits ici : **les recopier à l'identique** depuis la version d'origine (récupérable via `git show HEAD~1:frontend/nuxt.config.ts` après les déplacements). Le `i18n.langDir: 'locales'` reste résolu depuis `i18n/`.
+
+- [ ] **Step 3: Typecheck complet (valide Tasks 2, 3 et 4)**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur. Pièges probables :
+- Store non trouvé → vérifier `pinia.storesDirs` inclut bien `shared/stores/**`.
+- Composable non auto-importé → vérifier `imports.dirs` inclut `shared/composables`.
+- `~/composables/useApi` cassé → un import explicite a survécu (corriger comme Task 3 Step 2).
+
+- [ ] **Step 4: Smoke test runtime — l'app boote et la nav existante fonctionne**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime && make dev-nuxt` (ou rebuild SPA selon le workflow). Ouvrir l'app, se connecter (`alice`/`alice`), vérifier que la sidebar **statique actuelle** s'affiche encore et que la navigation marche (le layout n'est pas encore dynamisé — c'est normal). Aucun écran blanc / erreur console bloquante.
+Expected: app fonctionnelle, identique à avant (les déplacements sont transparents).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add -A
+git commit -m "feat(front) : modular nuxt config with app/ shell dirs and modules/* layer auto-detection"
+```
+
+---
+
+### Task 5: Frontend — middlewares (`auth.global.ts` étendu + `modules.global.ts`)
+
+**Files:**
+- Modify: `frontend/app/middleware/auth.global.ts` (charge sidebar + modules après login ; reset au logout)
+- Create: `frontend/app/middleware/modules.global.ts` (redirige les routes désactivées)
+
+**Interfaces:**
+- Consumes : `useAuthStore()`, `useSidebar()`, `useModules()` (auto-importés).
+
+- [ ] **Step 1: Étendre `auth.global.ts`**
+
+Remplace INTÉGRALEMENT `frontend/app/middleware/auth.global.ts` par :
+
+```ts
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    const isLogin = to.path === '/login'
+
+    if (!auth.checked) {
+        await auth.ensureSession()
+    }
+
+    if (!isLogin && !auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+
+    if (isLogin && auth.isAuthenticated) {
+        return navigateTo('/')
+    }
+
+    const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
+    const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
+
+    if (auth.isAuthenticated) {
+        await Promise.all([
+            sidebarLoaded.value ? Promise.resolve() : loadSidebar(),
+            modulesLoaded.value ? Promise.resolve() : loadModules(),
+        ])
+    } else {
+        // Logout / session expirée : purge l'état partagé pour le prochain login.
+        resetSidebar()
+        resetModules()
+    }
+})
+```
+
+- [ ] **Step 2: Créer `modules.global.ts`**
+
+`frontend/app/middleware/modules.global.ts` :
+
+```ts
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    if (!auth.isAuthenticated) {
+        return
+    }
+
+    const { loaded, loadSidebar, isRouteDisabled } = useSidebar()
+    if (!loaded.value) {
+        await loadSidebar()
+    }
+
+    if (isRouteDisabled(to.path)) {
+        return navigateTo('/')
+    }
+})
+```
+
+> Ordre des middlewares globaux : Nuxt les exécute par ordre alphabétique de nom de fichier → `auth.global.ts` puis `modules.global.ts`. C'est l'ordre voulu (auth charge la sidebar avant que modules teste les routes désactivées).
+
+- [ ] **Step 3: Typecheck**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur.
+
+- [ ] **Step 4: Smoke test — chargement sidebar/modules + redirection**
+
+Avec le dev server : se connecter (`alice`), ouvrir l'onglet Réseau → confirmer un `GET /api/sidebar` et `GET /api/modules` après login. Vérifier la redirection : ajouter TEMPORAIREMENT dans `config/sidebar.php` un item avec `'module' => 'demo'` (module inactif) et un `'to' => '/demo-disabled'`, recharger, confirmer que `/demo-disabled` apparaît dans `disabledRoutes` (réponse `/api/sidebar`) et qu'y naviguer redirige vers `/`. **Puis retirer l'item de démo** (ne pas committer ce stub).
+Expected: appels présents, redirection effective.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add frontend/app/middleware/auth.global.ts frontend/app/middleware/modules.global.ts
+git commit -m "feat(front) : load sidebar/modules after login and redirect disabled routes"
+```
+
+---
+
+### Task 6: Frontend — layout `default.vue` : sidebar dynamique + items conservés
+
+**Files:**
+- Modify: `frontend/app/layouts/default.vue`
+
+**Interfaces:**
+- Consumes : `useSidebar()` (sections dynamiques traduites), `useUiStore()`, `useAuthStore()`, `useI18n()`, + le reste de la logique existante (timer, mail, refData) conservée VERBATIM.
+
+> Stratégie : on remplace le bloc statique des items **globaux** (Tableau de bord, Mes tâches, Projets, Suivi de temps, Absences équipe, Administration) par un rendu **dynamique** issu de `useSidebar()`. On **conserve** les `SidebarLink` des items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail + badge) et user-flag (Mes absences) tels quels. Tout le `<script setup>` non lié à la sidebar (timer, drawer, head, mail polling, refData) est conservé à l'identique.
+
+- [ ] **Step 1: Réécrire le bloc `<nav>` et l'en-tête du `<script setup>` de `frontend/app/layouts/default.vue`**
+
+Dans le `<template>`, remplace le contenu de `<nav class="flex-1 overflow-hidden" …>…</nav>` (lignes ~40-167 de l'original) par :
+
+```vue
+                <nav class="flex-1 overflow-hidden" :class="sidebarIsCollapsed ? 'px-1 pb-6' : 'px-4 pb-6'">
+                    <!-- Sections dynamiques (/api/sidebar) : navigation globale + sections gated par rôle -->
+                    <template v-for="(section, sIndex) in translatedSections" :key="section.label">
+                        <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
+                            {{ section.label }}
+                        </p>
+                        <div v-else class="mx-2 my-3 border-t border-secondary-500" />
+                        <SidebarLink
+                            v-for="item in section.items"
+                            :key="item.to"
+                            :to="item.to"
+                            :icon="item.icon"
+                            :label="item.label"
+                            :collapsed="sidebarIsCollapsed"
+                            @click="ui.closeMobileSidebar()"
+                        />
+
+                        <!-- Items conservés côté client, insérés après la 1re section (cf. décision 3) -->
+                        <template v-if="sIndex === 0">
+                            <!-- Contextuel projet -->
+                            <template v-if="currentProjectId">
+                                <SidebarLink :to="`/projects/${currentProjectId}`" icon="mdi:view-column-outline" label="Kanban" :collapsed="sidebarIsCollapsed" sub exact @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/groups`" icon="mdi:tag-multiple-outline" label="Groupes" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/archives`" icon="mdi:archive-outline" label="Archives" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                            </template>
+                            <!-- Feature-flag : Documents -->
+                            <SidebarLink v-if="isDocumentsVisible" to="/documents" icon="mdi:folder-network-outline" :label="$t('sharedFiles.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                            <!-- Feature-flag : Mail + badge -->
+                            <div v-if="isMailVisible" class="relative">
+                                <SidebarLink to="/mail" icon="mdi:email-outline" :label="$t('mail.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                                <span
+                                    v-if="mailStore.globalUnreadCount > 0"
+                                    class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+                                    :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
+                                    :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+                                >
+                                    {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+                                </span>
+                            </div>
+                            <!-- User-flag : Mes absences (isEmployee — non couvert par le gate rôle) -->
+                            <SidebarLink v-if="isEmployee" to="/absences" icon="mdi:umbrella-beach-outline" label="Mes absences" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                        </template>
+                    </template>
+                </nav>
+```
+
+Dans le `<script setup lang="ts">`, **ajoute** en tête (après les `useXxxStore()` existants) :
+
+```ts
+const { t } = useI18n()
+const { sections } = useSidebar()
+
+const translatedSections = computed(() =>
+    sections.value.map((section) => ({
+        label: t(section.label),
+        icon: section.icon,
+        items: section.items.map((item) => ({
+            label: t(item.label),
+            to: item.to,
+            icon: item.icon,
+        })),
+    })),
+)
+```
+
+**Conserve** tout le reste du `<script setup>` (`isAdmin`, `isEmployee`, `isMailVisible`, `isDocumentsVisible`, `currentProjectId`, `sidebarIsCollapsed`, timer/drawer/head/mail/refData…) et le `<style scoped>` à l'identique. `isAdmin`/`isAbsenceSectionVisible` deviennent inutilisés pour la sidebar (l'admin est gated côté serveur) — si le typecheck signale une variable inutilisée, retirer `isAbsenceSectionVisible` ; garder `isAdmin` s'il sert ailleurs, sinon le retirer aussi.
+
+- [ ] **Step 2: Typecheck**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur (corriger toute variable / tout import inutilisé signalé).
+
+- [ ] **Step 3: Smoke test visuel — non-régression de navigation**
+
+Dev server. Se connecter successivement :
+- `alice` (ROLE_USER) : sidebar affiche Tableau de bord / Mes tâches / Projets / Suivi de temps (dynamiques), + Documents/Mail si visibles, + Mes absences si employé ; **PAS** de section Administration ni Absences équipe.
+- `admin` (ROLE_ADMIN) : en plus, section **Administration** avec Absences équipe + Administration.
+- Entrer dans un projet (`/projects/<id>`) : Kanban/Groupes/Archives apparaissent (contextuel conservé).
+Expected: tous les liens d'avant atteignables ; gating admin respecté. Noter tout délta visuel (ordre) pour validation PO (cf. décision 3).
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add frontend/app/layouts/default.vue
+git commit -m "feat(front) : render dynamic sidebar from /api/sidebar in default layout"
+```
+
+---
+
+### Task 7: Frontend — clés i18n `sidebar.*` + vérification bout-en-bout
+
+**Files:**
+- Modify: `frontend/i18n/locales/fr.json` (ajouter le namespace `sidebar`)
+
+**Interfaces:**
+- Consumes : les labels renvoyés par `/api/sidebar` (`sidebar.general.*`, `sidebar.admin.*`) traduits par `t()` dans `translatedSections`.
+
+- [ ] **Step 1: Repérer la structure du fichier i18n**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && head -20 i18n/locales/fr.json`
+Objectif : connaître l'indentation et confirmer que c'est un objet JSON imbriqué (ajouter une clé racine `sidebar`).
+
+- [ ] **Step 2: Ajouter le namespace `sidebar`**
+
+Ajoute (à la racine de l'objet JSON, en respectant l'indentation existante) :
+
+```json
+  "sidebar": {
+    "general": {
+      "section": "Gestion de projet",
+      "dashboard": "Tableau de bord",
+      "myTasks": "Mes tâches",
+      "projects": "Projets",
+      "timeTracking": "Suivi de temps"
+    },
+    "admin": {
+      "section": "Administration",
+      "teamAbsences": "Absences équipe",
+      "administration": "Administration"
+    }
+  }
+```
+
+> Les libellés reprennent ceux du layout actuel. `sidebar.general.section` = « Gestion de projet » (regroupe désormais le Tableau de bord — délta cosmétique acté, décision 3).
+
+- [ ] **Step 3: Typecheck + smoke i18n**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Dev server : confirmer que les en-têtes/labels de sidebar s'affichent **traduits** (pas les clés brutes `sidebar.general.*`).
+Expected: libellés FR corrects.
+
+- [ ] **Step 4: Vérification bout-en-bout de l'activation/désactivation (AC)**
+
+Test manuel documenté (aucun module réel en 0.2) :
+1. Ajouter TEMPORAIREMENT dans `config/sidebar.php` un item avec `'module' => 'demo'`, `'to' => '/projects'` (route existante) dans une section visible.
+2. `config/modules.php` reste vide (module `demo` inactif) → `GET /api/sidebar` doit lister `/projects` dans `disabledRoutes` et masquer l'item ; naviguer vers `/projects` doit rediriger vers `/`.
+3. Ajouter une classe `DemoModule implements ModuleInterface { id()='demo' … }` + `config/modules.php` = `[DemoModule::class]` → l'item réapparaît, `/projects` n'est plus dans `disabledRoutes`, la navigation fonctionne.
+4. **Tout retirer** (item démo + DemoModule + entrée modules.php). Confirmer l'état initial.
+Documenter le résultat dans le message de fin. **Ne rien committer de ce stub.**
+
+- [ ] **Step 5: Suite back + cs-fixer (non-régression globale) + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: vert (inchangé vs Task 1).
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck` → 0 erreur.
+```bash
+git add frontend/i18n/locales/fr.json
+git commit -m "feat(front) : add sidebar i18n labels"
+```
+
+---
+
+## Acceptance check (après toutes les tasks)
+
+- [ ] `frontend/app/{layouts,middleware}`, `frontend/shared/{composables,stores,types}`, `frontend/modules/` (vide) en place ; `nuxt.config.ts` scanne `modules/*/`.
+- [ ] Sidebar **dynamique** alimentée par `/api/sidebar` pour la nav globale ; gate ROLE_ADMIN effectif (admin-only invisible pour `alice`).
+- [ ] Route d'un module désactivé → **redirigée** vers `/` (vérifié via le stub démo).
+- [ ] **Aucune page métier déplacée** ; `frontend/pages/` intact ; tous les liens actuels atteignables.
+- [ ] `npx nuxt typecheck` = 0 erreur ; suite PHPUnit verte ; aucune migration BDD.
+- [ ] Délta cosmétique d'ordre de sidebar présenté au PO pour validation.
+
+## Notes pour le ticket suivant (1.1 — Module Core)
+
+Le 1.1 migrera `User`/Auth dans `src/Module/Core/`, re-pointera `resolve_target_entities` vers `Module\Core\User`, déclarera `CoreModule` (REQUIRED) dans `config/modules.php`, et créera le premier vrai layer front `frontend/modules/core/` (login, profile, admin users) — c'est là que le scan de layers et `useModules`/`useSidebar` prennent tout leur sens (premier item de sidebar avec une clé `module` réelle).
diff --git a/docs/superpowers/plans/2026-06-19-lst-63-module-core.md b/docs/superpowers/plans/2026-06-19-lst-63-module-core.md
new file mode 100644
index 0000000..1d7252e
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-63-module-core.md
@@ -0,0 +1,732 @@
+# LST-63 (1.1) — Module Core : Identité (User/Auth/JWT) & Notifications — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Migrer l'identité (`User` + Auth/JWT + password hashing + `MeProvider`) et les notifications dans `src/Module/Core/`, exposer le contrat `UserInterface` enrichi + `NotifierInterface`, déclarer `CoreModule` (REQUIRED), et créer le premier vrai layer front `modules/core/` — **sans aucune migration destructive et sans casser le login à aucune étape**.
+
+**Architecture:** Strangler 100 % additif, phasé. On déplace physiquement la classe `User` vers `App\Module\Core\Domain\Entity\User` (table `user` inchangée → zéro migration), on re-pointe `resolve_target_entities` et le provider de sécurité, puis on bascule les 8 relations d'entités et les 26 consommateurs du concret `App\Entity\User` vers le **contrat** `App\Shared\Domain\Contract\UserInterface` (enrichi des accessors réellement utilisés). Les notifications passent par un `NotifierInterface` (impl Core). Chaque phase laisse `make test` vert ET le login JWT fonctionnel (re-vérifié par curl).
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / lexik/jwt-authentication / PostgreSQL 16 / PHPUnit 13 — front Nuxt 4.3 / Vue 3.5 / Pinia 3.
+
+## Global Constraints
+
+- **`declare(strict_types=1);`** en tête de chaque fichier PHP.
+- **Zéro migration destructive** : le déplacement de namespace ne change ni la table (`user`) ni les colonnes → `doctrine:migrations:diff` doit produire un diff VIDE. Si un diff non vide apparaît, c'est un bug (mapping mal recopié) — corriger, ne pas générer la migration.
+- **Login JWT fonctionnel à chaque phase** : vérif curl obligatoire (voir « Vérification login » ci-dessous) après toute phase touchant `User`/sécurité.
+- **AC ticket** : (1) login/JWT OK via le module ; (2) aucun `use App\Entity\User;` hors `src/Module/Core/` ; (3) `make test` vert, aucune migration destructive.
+- **Commits** : `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude/Anthropic.
+- **`config/reference.php`** : auto-généré, **jamais committé** (apparaît modifié dans `git status`).
+- **Tests** : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`. Baseline avant ce ticket : **115 tests, 227 assertions** (16 PHPUnit Notices préexistantes, non bloquantes).
+- **Front** : `nuxt typecheck` n'est PAS un gate vert sur ce stack (cf. plan LST-62) — gate front = zéro `Cannot find module`, auto-imports présents dans `.nuxt/imports.d.ts`, smoke runtime.
+- **PostgreSQL** : noms de colonnes en minuscules dans le SQL brut.
+
+## Vérification login (à exécuter après chaque phase back touchant User/sécurité)
+
+```bash
+# Doit renvoyer http=204 (cookie BEARER posé) puis le profil courant
+curl -s -c /tmp/cj.txt -X POST http://localhost:8082/api/login_check \
+  -H "Content-Type: application/json" -d '{"username":"alice","password":"alice"}' \
+  -o /dev/null -w "login http=%{http_code}\n"
+curl -s -b /tmp/cj.txt http://localhost:8082/api/me -w "\nme http=%{http_code}\n" | head -c 400
+# MCP apiToken (ApiTokenAuthenticator) — admin
+curl -s -X POST http://localhost:8082/_mcp -H "Authorization: Bearer dev-mcp-token-for-testing-only-do-not-use-in-production" \
+  -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":1,"method":"ping"}' -o /dev/null -w "mcp http=%{http_code}\n"
+```
+Attendu : `login http=204`, `me http=200` avec le JSON de l'utilisateur (`username`, `roles`), MCP répond (200). **Si l'un casse, arrêter la phase et corriger avant de committer.**
+
+## Décisions de conception (actées, à valider PO a posteriori)
+
+1. **`UserInterface` enrichi (contrat de lecture)** — plutôt que de garder `App\Entity\User` partout, on enrichit `App\Shared\Domain\Contract\UserInterface` des accessors **réellement consommés** hors Core (lecture). Les setters/écriture restent sur le concret (Core uniquement). Cela permet de typer les 8 relations et les 26 consommateurs sur le contrat sans casse.
+2. **Move physique, table inchangée** — `User` change de namespace mais garde `#[ORM\Table(name: '`user`')]` et toutes ses colonnes → aucune migration. La classe reste une entité Doctrine mappée (nouveau dir de mapping `Core`).
+3. **Relations via le contrat** — les 8 entités passent à `targetEntity: UserInterface::class` + type `?UserInterface`, résolu par `resolve_target_entities → Core\User`. C'est le pattern Starseed.
+4. **Notification dans Core + `NotifierInterface`** — `Notification` migre dans Core (couplée à l'identité) ; la création de notif passe par `NotifierInterface` (impl Core), `TaskNotificationListener` (qui reste legacy en Phase D) en dépend par contrat. L'API REST `/api/notifications` est préservée à l'identique.
+5. **Front layer `modules/core/`** — login, profile, admin users **déplacés** de `frontend/pages/` vers `frontend/modules/core/pages/` (premier layer réel ; le scan `readdirSync('modules/')` de LST-62 l'enregistre automatiquement). Le routage Nuxt est préservé (mêmes chemins d'URL).
+
+---
+
+## Phase A — Squelette Core + contrats (100 % additif, app inchangée)
+
+### Task 1: `CoreModule` + `UserRepositoryInterface` + `NotifierInterface` + contrat `UserInterface` enrichi
+
+**Files:**
+- Create: `src/Module/Core/CoreModule.php`
+- Create: `src/Module/Core/Domain/Repository/UserRepositoryInterface.php`
+- Create: `src/Shared/Domain/Contract/NotifierInterface.php`
+- Modify: `src/Shared/Domain/Contract/UserInterface.php` (enrichir)
+- Create: `tests/Unit/Module/Core/CoreModuleTest.php`
+
+**Interfaces:**
+- Produces :
+  - `App\Module\Core\CoreModule implements ModuleInterface` : `id()='core'`, `label()='Core'`, `isRequired()=true`, `permissions()` (stub pour 1.2, voir code).
+  - `App\Module\Core\Domain\Repository\UserRepositoryInterface` : `findByRole(string $role): array`, `findActiveEmployees(\DateTimeInterface $date): array`, `findOneByUsername(string $username): ?UserInterface`.
+  - `App\Shared\Domain\Contract\NotifierInterface` : `notify(UserInterface $user, string $type, string $title, string $message): void`.
+  - `UserInterface` enrichi (lecture) : `getId(): ?int`, `getUserIdentifier(): string`, `getUsername(): string`, `getRoles(): array`, `getFirstName(): ?string`, `getLastName(): ?string`, `getAvatarUrl(): ?string`, `isEmployee(): bool`.
+- Consumes : `App\Shared\Domain\Module\ModuleInterface` (existant).
+
+- [ ] **Step 1: Écrire le test unitaire `CoreModule`**
+
+`tests/Unit/Module/Core/CoreModuleTest.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Lancer le test, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: FAIL (classe `CoreModule` inexistante).
+
+- [ ] **Step 3: Créer `CoreModule`**
+
+`src/Module/Core/CoreModule.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
+            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
+            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+        ];
+    }
+}
+```
+
+> ⚠️ Confirmer la signature EXACTE de `ModuleInterface` (`src/Shared/Domain/Module/ModuleInterface.php`) avant d'écrire : la cartographie indique `id()`, `label()`, `isRequired()`, `permissions()` statiques. Si une méthode diffère (ex. non statique), aligner `CoreModule` ET le test dessus.
+
+- [ ] **Step 4: Lancer le test, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Enrichir le contrat `UserInterface`**
+
+Remplace `src/Shared/Domain/Contract/UserInterface.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
+interface UserInterface
+{
+    public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function isEmployee(): bool;
+}
+```
+
+> ⚠️ Cet enrichissement DOIT correspondre à des méthodes existantes de l'entité `User` (la cartographie confirme `getId`, `getUserIdentifier`, `getUsername`, `getRoles`, `getFirstName`, `getLastName`, `getAvatarUrl`, `isEmployee`). Si une signature diffère (ex. `getAvatarUrl(): string` non-nullable), aligner le contrat sur le réel. Ne PAS ajouter au contrat une méthode absente de `User`.
+
+- [ ] **Step 6: Créer `UserRepositoryInterface`**
+
+`src/Module/Core/Domain/Repository/UserRepositoryInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface UserRepositoryInterface
+{
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(\DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}
+```
+
+- [ ] **Step 7: Créer `NotifierInterface`**
+
+`src/Shared/Domain/Contract/NotifierInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+}
+```
+
+- [ ] **Step 8: Suite complète + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (115 + 3 = 118 tests). L'enrichissement du contrat ne casse rien (l'entité `User` implémente déjà ces méthodes ; `resolve_target_entities` pointe encore `App\Entity\User`).
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/CoreModule.php src/Module/Core/Domain/Repository/UserRepositoryInterface.php src/Shared/Domain/Contract/NotifierInterface.php src/Shared/Domain/Contract/UserInterface.php tests/Unit/Module/Core/CoreModuleTest.php
+git commit -m "feat(core) : add CoreModule, user repository contract, notifier contract and enriched user contract"
+```
+
+---
+
+## Phase B — Déplacer `User` + Auth dans Core (re-pointage, zéro migration)
+
+### Task 2: Déplacer la classe `User` vers Core + mapping Doctrine + provider sécurité
+
+**Files:**
+- Move: `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (namespace `App\Module\Core\Domain\Entity`)
+- Modify: `config/packages/doctrine.yaml` (mapping `Core` + `resolve_target_entities`)
+- Modify: `config/packages/security.yaml` (`app_user_provider.entity.class`)
+- Modify: `config/packages/api_platform.yaml` (mapping paths : ajouter le dir entité Core)
+
+**Interfaces:**
+- Produces : entité `App\Module\Core\Domain\Entity\User` (table `user` inchangée), résolue par `resolve_target_entities`.
+
+- [ ] **Step 1: Déplacer le fichier (git mv) et changer le namespace**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime
+mkdir -p src/Module/Core/Domain/Entity
+git mv src/Entity/User.php src/Module/Core/Domain/Entity/User.php
+```
+Puis éditer `src/Module/Core/Domain/Entity/User.php` :
+- `namespace App\Entity;` → `namespace App\Module\Core\Domain\Entity;`
+- Adapter les `use` internes devenus nécessaires (l'entité référençait `UserRepository`, `MeProvider`, `UserPasswordHasherProcessor`, l'enum `ContractType`, le contrat `UserInterface as SharedUserInterface`). Mettre les `use` complets vers leurs emplacements ACTUELS (la plupart bougent en Tasks 3/4 ; pour cette task, pointer encore vers `App\Repository\UserRepository`, `App\State\MeProvider`, `App\State\UserPasswordHasherProcessor`, `App\Entity\Enum\ContractType` ou l'emplacement réel — vérifier les `use` d'origine et les conserver tels quels tant que ces classes n'ont pas bougé).
+- Garder VERBATIM : tous les attributs `#[ORM\...]` (dont `#[ORM\Table(name: '`user`')]`), `#[ApiResource(...)]`, `#[ApiProperty(...)]`, toutes les propriétés/méthodes, `implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface`.
+
+> ⚠️ Lire le fichier d'origine en entier AVANT de déplacer pour relever tous les `use`. Ne changer QUE le `namespace` et, si besoin, garder les `use` pointant vers les emplacements actuels des classes non encore déplacées.
+
+- [ ] **Step 2: Mapping Doctrine + resolve_target_entities**
+
+Dans `config/packages/doctrine.yaml`, sous `orm:` :
+- `resolve_target_entities` :
+```yaml
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
+```
+- Ajouter un mapping pour les entités Core (en plus du mapping `App` existant qui scanne `src/Entity`) :
+```yaml
+        mappings:
+            App:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Entity'
+                prefix: 'App\Entity'
+                alias: App
+            Core:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
+```
+
+> Le mapping `App` (src/Entity) ne contient plus `User.php` (déplacé) → cohérent. Aucune entité orpheline.
+
+- [ ] **Step 3: Provider de sécurité**
+
+Dans `config/packages/security.yaml` :
+```yaml
+    providers:
+        app_user_provider:
+            entity:
+                class: App\Module\Core\Domain\Entity\User
+                property: username
+```
+
+- [ ] **Step 4: API Platform mapping paths**
+
+Dans `config/packages/api_platform.yaml`, ajouter au `mapping.paths` le dossier entité Core (l'`#[ApiResource]` est porté par l'entité `User` déplacée) :
+```yaml
+        - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+```
+> Conserver tous les paths existants. Si `api_platform.yaml` n'a pas de `mapping.paths` explicite (auto-discovery), vérifier que les Resources sous `src/Module/...` sont bien découvertes (comme `src/Shared/...` l'a été en #56 — cf. LEARNINGS : API Platform 4 auto-découvre). Si la découverte auto suffit, NE PAS ajouter de path ; sinon ajouter celui ci-dessus.
+
+- [ ] **Step 5: Vider le cache + vérifier qu'AUCUNE migration n'est nécessaire**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -20
+```
+Expected : schema VALID (mapping ok, sync DB ok). Le `diff` doit annoncer **« No changes detected »** (table/colonnes identiques). **Si une migration est générée, la SUPPRIMER** (`git status` → retirer le fichier sous `migrations/`) : un diff non vide = mapping mal recopié, corriger l'entité.
+
+- [ ] **Step 6: Vérif login + suite complète**
+
+Exécuter le bloc « Vérification login » (curl) → `login http=204`, `me http=200`, MCP 200.
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118). Les consommateurs importent encore `App\Entity\User` → **ERREUR attendue** : la classe n'existe plus à cet emplacement. ⇒ Cette task NE PASSE PAS seule ; elle est indissociable de la Task 3 (rewire). **Voir note ci-dessous.**
+
+> 🔴 **Note d'ordonnancement** : déplacer `User` casse les 26 `use App\Entity\User;`. Pour garder l'app bootable entre Task 2 et Task 3, **ajouter un alias de compatibilité TEMPORAIRE** au tout début de Task 2 et le retirer en fin de Task 3 :
+> Créer `src/Module/Core/_compat_user_alias.php` (chargé via `composer.json` `autoload.files`) :
+> ```php
+> <?php
+> declare(strict_types=1);
+> if (!class_exists(\App\Entity\User::class, false)) {
+>     class_alias(\App\Module\Core\Domain\Entity\User::class, \App\Entity\User::class);
+> }
+> ```
+> Ajouter `"files": ["src/Module/Core/_compat_user_alias.php"]` sous `autoload` dans `composer.json`, puis `composer dump-autoload`. Cela garde les 26 consommateurs fonctionnels (et Doctrine `targetEntity: User::class` résolu via l'alias) le temps de la Task 3. **L'alias est SUPPRIMÉ en Task 3 Step final** (avec le retrait du fichier, l'entrée composer et un nouveau `dump-autoload`) une fois tous les consommateurs basculés sur le contrat. La verif login de cette Step utilise donc l'alias — c'est attendu.
+
+- [ ] **Step 7: php-cs-fixer + commit (Phase B, avec alias temporaire)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/Domain/Entity/User.php src/Module/Core/_compat_user_alias.php composer.json composer.lock config/packages/doctrine.yaml config/packages/security.yaml config/packages/api_platform.yaml
+git commit -m "feat(core) : move user entity into core module and repoint security/doctrine (temp legacy alias)"
+```
+
+---
+
+## Phase C — Basculer relations + consommateurs sur le contrat, retirer l'alias
+
+### Task 3: Relations d'entités → `UserInterface::class`
+
+**Files (8 entités):**
+- Modify: `src/Entity/Task.php` (assignee ManyToOne, collaborators ManyToMany)
+- Modify: `src/Entity/TimeEntry.php` (user)
+- Modify: `src/Entity/AbsenceRequest.php` (user)
+- Modify: `src/Entity/AbsenceBalance.php` (user)
+- Modify: `src/Entity/TaskDocument.php` (user)
+- Modify: `src/Entity/TaskMailLink.php` (user)
+- Modify: `src/Module/Core/Domain/Entity/Notification.php` (user) — **après son déplacement en Phase D** ; en Phase C, `Notification` est encore `src/Entity/Notification.php`, la traiter ici aussi.
+
+> Pour CHAQUE relation vers User : remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;`, le `targetEntity: User::class` par `targetEntity: UserInterface::class`, et le type de propriété/param `?User` → `?UserInterface` (idem getters/setters). Doctrine résout via `resolve_target_entities`. La colonne FK et son nom restent identiques → **aucune migration**.
+
+- [ ] **Step 1: Modifier les relations (entité par entité)**
+
+Pour chaque fichier ci-dessus, lire puis appliquer le remplacement décrit. Exemple `Task.php` (assignee) :
+```php
+// avant
+use App\Entity\User;
+#[ORM\ManyToOne(targetEntity: User::class)]
+private ?User $assignee = null;
+public function getAssignee(): ?User { return $this->assignee; }
+public function setAssignee(?User $assignee): static { $this->assignee = $assignee; return $this; }
+// collaborators
+#[ORM\ManyToMany(targetEntity: User::class)]
+private Collection $collaborators;
+
+// après
+use App\Shared\Domain\Contract\UserInterface;
+#[ORM\ManyToOne(targetEntity: UserInterface::class)]
+private ?UserInterface $assignee = null;
+public function getAssignee(): ?UserInterface { return $this->assignee; }
+public function setAssignee(?UserInterface $assignee): static { $this->assignee = $assignee; return $this; }
+#[ORM\ManyToMany(targetEntity: UserInterface::class)]
+private Collection $collaborators;
+```
+> ⚠️ Conserver tous les autres attributs de relation (`inversedBy`, `joinTable`, `joinColumn`, `nullable`, `onDelete`, Groups…) VERBATIM. Ne changer que le type et `targetEntity`.
+
+- [ ] **Step 2: Valider le schéma (toujours zéro migration)**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+```
+Expected : « No changes detected ». Sinon corriger (un `joinColumn`/`onDelete` a été perdu).
+
+### Task 4: Consommateurs (26 fichiers) → contrat + repository interface, MeProvider/Processor dans Core, retrait alias
+
+**Files:** les 26 fichiers listés dans la cartographie (Controllers, Repositories, State, Services, EventListener, Security, DataFixtures, Mcp). Déplacements vers Core :
+- Move: `src/Repository/UserRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php` (implémente `UserRepositoryInterface`, namespace `App\Module\Core\Infrastructure\Doctrine`)
+- Move: `src/State/MeProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php`
+- Move: `src/State/UserPasswordHasherProcessor.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php`
+- Modify: l'`#[ApiResource]` de l'entité `User` (les `provider:`/`processor:` pointent vers les nouveaux FQCN Core).
+- Delete (en fin de task): `src/Module/Core/_compat_user_alias.php` + entrée `composer.json`.
+
+- [ ] **Step 1: Déplacer le repository et l'aligner sur l'interface**
+
+```bash
+mkdir -p src/Module/Core/Infrastructure/Doctrine src/Module/Core/Infrastructure/ApiPlatform/State
+git mv src/Repository/UserRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
+git mv src/State/MeProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
+git mv src/State/UserPasswordHasherProcessor.php src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
+```
+Éditer `DoctrineUserRepository.php` : `namespace App\Module\Core\Infrastructure\Doctrine;`, `class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface`, `use App\Module\Core\Domain\Entity\User;`, `use App\Module\Core\Domain\Repository\UserRepositoryInterface;`, et passer `User::class` au constructeur parent. Ajouter `findOneByUsername()` si absent (`return $this->findOneBy(['username' => $username]);`). Conserver `findByRole()` (SQL natif `roles::text LIKE`) et `findActiveEmployees()`.
+Éditer `User.php` : `#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]` avec le bon `use`.
+Éditer `MeProvider.php` / `UserPasswordHasherProcessor.php` : nouveaux namespaces ; `use App\Module\Core\Domain\Entity\User;` (le processor manipule le concret — c'est dans Core, autorisé).
+Mettre à jour les `provider:`/`processor:` dans l'`#[ApiResource]` de `User` vers les nouveaux FQCN.
+
+- [ ] **Step 2: Lier l'interface repository au service Doctrine**
+
+Dans `config/services.yaml`, alias pour l'injection par interface :
+```yaml
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+```
+
+- [ ] **Step 3: Basculer les 25 autres consommateurs sur le contrat**
+
+Pour chaque fichier important `App\Entity\User` (hors Core), remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;` et le type-hint `User` par `UserInterface` (params, retours, propriétés, `@var`, expressions). Cas particuliers :
+- `src/Repository/{Notification,AbsenceBalance,AbsenceRequest,TimeEntry}Repository.php` : les signatures `countUnreadByUser(User $user)` etc. → `UserInterface`. Ne pas changer la logique DQL (`n.user = :user` fonctionne avec l'instance).
+- `src/State/Absence*`, `TaskDocumentProvider`, `src/Service/AbsenceBalanceService`, `src/Security/MailAccessChecker`, `src/EventListener/TaskNotificationListener` (sera retravaillé en Phase D mais peut déjà passer au contrat ici), `src/Controller/*` (7), `src/Mcp/Tool/Absence/ReviewAbsenceRequestTool`, `src/Mcp/Tool/Serializer` : remplacer le type-hint.
+- `src/DataFixtures/AppFixtures.php` : **garde le concret** `App\Module\Core\Domain\Entity\User` (les fixtures INSTANCIENT `new User()` et appellent des setters d'écriture — c'est légitime ; importer le concret Core, pas le contrat). C'est hors `src/Module/Core/` mais c'est de l'écriture d'identité → exception documentée (les fixtures sont un cas d'amorçage, pas un consommateur métier).
+
+> Liste de contrôle : après cette step, `grep -rn "use App\\\\Entity\\\\User;" src/` ne doit retourner QUE `src/DataFixtures/AppFixtures.php` (qui importe désormais le FQCN Core, donc 0 occurrence de `App\Entity\User`). Viser **0 occurrence de `App\Entity\User`** dans tout `src/`.
+
+- [ ] **Step 4: Retirer l'alias de compatibilité**
+
+```bash
+git rm src/Module/Core/_compat_user_alias.php
+```
+Retirer l'entrée `"files": [...]` ajoutée sous `autoload` dans `composer.json` (Task 2), puis :
+```bash
+docker exec -t -u www-data php-lesstime-fpm composer dump-autoload
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+```
+
+- [ ] **Step 5: `grep` de garde (AC 2) + schéma + tests + login**
+
+```bash
+grep -rn "App\\\\Entity\\\\User" src/ config/ ; echo "(doit être VIDE)"
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected : grep VIDE, schéma valide, « No changes detected », **118 tests verts**. Puis bloc « Vérification login » (login 204, me 200, MCP 200).
+
+- [ ] **Step 6: php-cs-fixer + commit (Phase C)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config composer.json composer.lock
+git commit -m "refactor(core) : wire user relations and consumers to the shared contract, drop legacy alias"
+```
+> ⚠️ NE PAS `git add config/reference.php`. Vérifier `git status` avant le commit ; si `reference.php` est listé, l'exclure du `git add` (stager explicitement les fichiers voulus).
+
+---
+
+## Phase D — Notifications via `NotifierInterface` (impl Core)
+
+### Task 5: Déplacer `Notification` dans Core + `Notifier` (impl) + recâbler le listener
+
+**Files:**
+- Move: `src/Entity/Notification.php` → `src/Module/Core/Domain/Entity/Notification.php`
+- Move: `src/Repository/NotificationRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php`
+- Move: `src/State/NotificationProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php`
+- Create: `src/Module/Core/Infrastructure/Notifier.php` (implements `NotifierInterface`)
+- Modify: `src/EventListener/TaskNotificationListener.php` (dépend de `NotifierInterface`)
+- Modify: `config/packages/doctrine.yaml` (le mapping `Core` couvre déjà `Domain/Entity` → Notification incluse automatiquement)
+- Modify: `tests/` — ajouter `tests/Unit/Module/Core/NotifierTest.php` (ou Functional) si testable unitairement.
+
+- [ ] **Step 1: Écrire un test du `Notifier`**
+
+`tests/Functional/Module/Core/NotifierTest.php` (crée une notif et vérifie la persistance) :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $notifier->notify($user, 'task_assigned', 'Titre', 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\\Module\\Core\\Domain\\Entity\\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', 'Titre')->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** — `NotifierInterface` non instanciable / `Notification` introuvable au nouveau namespace.
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/NotifierTest.php`
+Expected: FAIL.
+
+- [ ] **Step 3: Déplacer `Notification` + repository + provider**
+
+```bash
+git mv src/Entity/Notification.php src/Module/Core/Domain/Entity/Notification.php
+git mv src/Repository/NotificationRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
+git mv src/State/NotificationProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
+```
+- `Notification.php` : `namespace App\Module\Core\Domain\Entity;`, `use App\Shared\Domain\Contract\UserInterface;`, relation `user` → `targetEntity: UserInterface::class` + type `?UserInterface`, `repositoryClass: DoctrineNotificationRepository::class`, conserver `#[ORM\Table(name:'notification')]` + index VERBATIM, ApiResource (provider → nouveau FQCN). **Table/colonnes inchangées.**
+- `DoctrineNotificationRepository.php` : namespace Core, `use App\Module\Core\Domain\Entity\Notification;`, signatures `UserInterface`.
+- `NotificationProvider.php` : namespace Core, mêmes dépendances.
+
+- [ ] **Step 4: Implémenter `Notifier`**
+
+`src/Module/Core/Infrastructure/Notifier.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(UserInterface $user, string $type, string $title, string $message): void
+    {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}
+```
+> ⚠️ Aligner sur les setters réels de `Notification` (la cartographie indique `user`, `type`, `title`, `message`, `isRead` default false, `createdAt`). Si `createdAt` n'est pas auto (prePersist), le poser ici. Si `setUser` attend le concret, accepter `UserInterface` (resolve_target_entities) — vérifier le type du setter.
+
+- [ ] **Step 5: Recâbler `TaskNotificationListener` sur `NotifierInterface`**
+
+Lire le listener ; remplacer la création directe de `Notification` (`new Notification()` + persist) par l'injection et l'appel de `NotifierInterface::notify(...)`. **Attention** : le listener tourne sur `onFlush`/`postFlush` — un `flush()` dans `notify()` pendant un `onFlush` est dangereux. Conserver le pattern existant (accumulation en `onFlush`, écriture en `postFlush`). Si `notify()` flush, l'appeler UNIQUEMENT en `postFlush` (jamais pendant `onFlush`). Préserver le comportement exact (mêmes types `task_assigned`/`task_collaborator_added`, mêmes destinataires). Adapter le test existant du listener s'il y en a un.
+
+> Si l'intrication onFlush/postFlush rend `NotifierInterface` inadapté (flush imbriqué), documenter et garder le listener en écriture directe via le repository Core, mais TOUJOURS dépendre du contrat pour le type User. Le but AC est « Notification exposée via NotifierInterface » : `NotifierInterface` doit exister et être l'API publique pour les autres modules ; le listener interne Core peut écrire directement.
+
+- [ ] **Step 6: Tests + login + endpoints notifications**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118 + 1 = 119). Vérifier `doctrine:migrations:diff` → « No changes detected ». Bloc login. Puis curl notifications :
+```bash
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications" -w "\nnotif http=%{http_code}\n" | head -c 200
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications/unread-count" -w "\nunread http=%{http_code}\n"
+```
+Expected : 200 sur les deux.
+
+- [ ] **Step 7: php-cs-fixer + commit**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config tests
+git commit -m "feat(core) : move notification into core and expose notifier contract"
+```
+
+---
+
+## Phase E — Déclarer `CoreModule` actif
+
+### Task 6: Enregistrer Core dans `config/modules.php`
+
+**Files:**
+- Modify: `config/modules.php`
+- Modify: `tests/Functional/Shared/ModulesEndpointTest.php` (ou équivalent — adapter l'assertion à la présence de `core`)
+
+- [ ] **Step 1: Adapter/écrire le test de l'endpoint modules**
+
+Vérifier le test existant de `/api/modules` (cartographie : `ModulesProvider`/`ModulesResource` créés en #56). Ajouter une assertion :
+```php
+public function testCoreModuleIsActive(): void
+{
+    $client = self::createClient();
+    // /api/modules est public (GET) d'après security.yaml
+    $client->request('GET', '/api/modules');
+    self::assertResponseIsSuccessful();
+    $data = json_decode($client->getResponse()->getContent(), true);
+    self::assertContains('core', $data['modules']);
+}
+```
+> Adapter le nom de classe/fichier de test à l'existant (#56). Si aucun test fonctionnel modules n'existe, créer `tests/Functional/Shared/ModulesEndpointTest.php`.
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (modules.php retourne `[]`).
+
+- [ ] **Step 3: Activer Core**
+
+`config/modules.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+use App\Module\Core\CoreModule;
+
+return [
+    CoreModule::class,
+];
+```
+
+- [ ] **Step 4: Tests + curl**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS. Curl :
+```bash
+curl -s http://localhost:8082/api/modules | head -c 200   # doit contenir "core"
+```
+
+- [ ] **Step 5: commit**
+
+```bash
+git add config/modules.php tests/
+git commit -m "feat(core) : activate core module in modules registry"
+```
+
+---
+
+## Phase F — Layer front `modules/core/`
+
+### Task 7: Déplacer login / profile / admin users dans `frontend/modules/core/`
+
+**Files:**
+- Create: `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`)
+- Move: `frontend/pages/login.vue` → `frontend/modules/core/pages/login.vue`
+- Move: `frontend/pages/profile.vue` → `frontend/modules/core/pages/profile.vue`
+- Move: `frontend/pages/admin/**` (gestion users) → `frontend/modules/core/pages/admin/**`
+- Move (si pertinent): composants/services liés à l'identité (ex. `frontend/components/user/**`, `frontend/components/admin/**`, `frontend/services/user.ts`) → `frontend/modules/core/{components,services}/**`
+
+> ⚠️ AVANT de déplacer, LIRE `frontend/pages/` et `frontend/components/` pour identifier précisément les pages/compos d'identité. Le scan `readdirSync('modules/')` (LST-62) ajoute `./modules/core` à `extends` et `modules/core/composables`/`stores` à `imports.dirs`. Les `pages/` d'un layer Nuxt sont fusionnées automatiquement → **les URLs (`/login`, `/profile`, `/admin/...`) restent identiques**. Vérifier qu'aucune page déplacée n'utilise un import PAR CHEMIN cassé (auto-import sinon).
+
+- [ ] **Step 1: Créer le layer + déplacer les pages d'identité**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p modules/core/pages
+printf 'export default defineNuxtConfig({})\n' > modules/core/nuxt.config.ts
+git mv pages/login.vue modules/core/pages/login.vue
+git mv pages/profile.vue modules/core/pages/profile.vue
+# admin users : adapter au réel (git mv pages/admin/... modules/core/pages/admin/...)
+```
+> Lister `frontend/pages/admin/` d'abord ; déplacer UNIQUEMENT les pages de gestion des utilisateurs (pas les pages admin d'autres domaines). En cas de doute, déplacer seulement login + profile en 1.1 et laisser admin users (documenter).
+
+- [ ] **Step 2: Corriger les imports par chemin éventuels**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && grep -rn "pages/login\|pages/profile\|~/pages" --include=*.ts --include=*.vue . | grep -v node_modules`
+Corriger toute référence cassée (les redirections `navigateTo('/login')` restent valides — c'est une URL, pas un chemin de fichier).
+
+- [ ] **Step 3: Gate front (cf. LST-62) + smoke**
+
+Run: `cd frontend && npx nuxt typecheck 2>&1 | grep "Cannot find module" | grep -E "modules/core|login|profile"` → doit être VIDE.
+Run: `grep -E "login|profile" frontend/.nuxt/routes.* 2>/dev/null` ou démarrer `make dev-nuxt` et confirmer que `/login`, `/profile` répondent (la fusion des pages du layer est effective).
+> Smoke runtime (login via navigateur) : laisser au PO si pas de navigateur côté exécutant.
+
+- [ ] **Step 4: commit**
+
+```bash
+git add -A -- frontend
+git commit -m "feat(core) : add core front layer with login, profile and admin users pages"
+```
+
+---
+
+## Acceptance check (après toutes les phases)
+
+- [ ] **AC1** Login/JWT OK via le module : `login http=204`, `/api/me` 200, MCP apiToken 200, `/api/notifications` 200.
+- [ ] **AC2** `grep -rn "App\\Entity\\User" src/ config/` → **VIDE** (User vit dans `src/Module/Core/Domain/Entity/`, consommé via contrat ; fixtures importent le FQCN Core).
+- [ ] **AC3** `make test` vert (≈119 tests), `doctrine:schema:validate` OK, `doctrine:migrations:diff` = « No changes detected » (**aucune migration destructive ni même additive**).
+- [ ] `/api/modules` renvoie `core` ; `CoreModule::isRequired() === true`.
+- [ ] `resolve_target_entities: UserInterface → App\Module\Core\Domain\Entity\User`.
+- [ ] Front : layer `modules/core/` détecté ; `/login`, `/profile` (+ admin users) accessibles aux mêmes URLs ; aucun `Cannot find module`.
+- [ ] `config/reference.php` jamais committé.
+
+## Notes pour le ticket suivant (1.2 — RBAC fin)
+
+`CoreModule::permissions()` est déjà posé (stub). 1.2 ajoutera `Role`/`Permission`, `app:sync-permissions`, `PermissionVoter`, et fera filtrer `SidebarProvider` **par permission** (en plus du module actif + du gate rôle minimal posé en 0.2). Le contrat `UserInterface` enrichi est prêt à recevoir `getPermissions()` si besoin.
diff --git a/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md b/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
new file mode 100644
index 0000000..b6df3d6
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
@@ -0,0 +1,66 @@
+# LST-58 (2.4) — Module Directory : Prospect + front répertoire (plan)
+
+> Suite de la migration Directory. Client (back) déjà livré (`c5738d2`).
+> Reste : **entité Prospect** (nouvelle) + **front répertoire** (Clients + Prospects).
+> Spec produit non fournie → design défini ici de façon raisonnable, à valider au test.
+> Additif, sans régression. Branche `integration/modular-monolith-0.1-1.3`.
+
+## Design Prospect (décidé, à valider)
+Aligné sur `Client` (même module Directory), enrichi des concepts de prospection commerciale.
+
+**Entité `App\Module\Directory\Domain\Entity\Prospect`** (table `prospect`) :
+- `id` int PK
+- `name` string(255) NOT NULL — contact ou société
+- `company` string(255) nullable
+- `email` string(255) nullable
+- `phone` string(50) nullable
+- `street` string(255) nullable / `city` string(255) nullable / `postalCode` string(20) nullable (alignés Client)
+- `status` enum `ProspectStatus` NOT NULL (default `New`)
+- `source` string(255) nullable — origine (recommandation, salon, site web…)
+- `notes` text nullable
+- `convertedClient` ManyToOne `ClientInterface` nullable, JoinColumn ON DELETE SET NULL — rempli à la conversion
+- Timestampable/Blamable (trait) + `#[Auditable]`
+- Groupes : `prospect:read` / `prospect:write`
+
+**Enum `App\Module\Directory\Domain\Enum\ProspectStatus`** : `New` (nouveau), `Contacted` (contacté), `Qualified` (qualifié), `Won` (gagné/converti), `Lost` (perdu). Méthode `label(): string` (FR), comme les autres enums.
+
+**API Platform** (aligné Client) :
+- `GetCollection` paginationEnabled:false, `is_granted('ROLE_USER')`
+- `Get` ROLE_USER ; `Post`/`Patch`/`Delete` ROLE_ADMIN
+- Opération custom **`Post /prospects/{id}/convert`** (processor `ConvertProspectProcessor`) : crée un `Client` à partir du Prospect (name/company→name, email, phone, adresse), lie `convertedClient`, passe `status=Won`. Sécurité ROLE_ADMIN. Renvoie le Prospect mis à jour. Idempotent si déjà converti (renvoie l'existant).
+- `#[ApiFilter]` SearchFilter sur `status` (filtre répertoire).
+
+**Repo** : `ProspectRepositoryInterface` (Domain) + `DoctrineProspectRepository` (Infra) + binding.
+
+**MCP** (cohérent avec clients, sous `Infrastructure/Mcp/Tool/`) : `list-prospects`, `get-prospect`, `create-prospect`, `update-prospect`, `delete-prospect`, `convert-prospect`. Serializer : ajouter `prospect()` dans `src/Mcp/Tool/Serializer.php`.
+
+**DirectoryModule.permissions()** : ajouter `directory.prospects.view`, `directory.prospects.manage` (additif).
+
+**Migration additive** : CREATE TABLE prospect (colonnes + FK converted_client→client ON DELETE SET NULL + created_by/updated_by FK user + index + COMMENT). Down = DROP TABLE.
+
+**Fixtures** : 2-3 prospects de démo (statuts variés), dont un converti.
+
+## Front répertoire (`frontend/modules/directory/`)
+Aujourd'hui : pas de page client dédiée (AdminClientTab + picker ProjectDrawer). On crée un vrai répertoire.
+- `nuxt.config.ts` vide.
+- `services/` : `clients.ts` (move depuis racine), `prospects.ts` (nouveau) + `dto/{client,prospect}.ts`.
+- `pages/directory.vue` : page à 2 onglets (Clients / Prospects), tableaux paginés côté client (paginationEnabled:false back), recherche/filtre statut pour prospects.
+- `components/` : `ClientDrawer.vue` (move depuis `components/client/`), `ProspectDrawer.vue` (nouveau, create/edit + bouton « Convertir en client »).
+- Sidebar : ajouter item `sidebar.general.directory` → `/directory`, `'module' => 'directory'`, gate ROLE_ADMIN (gestion référentiel).
+- Réécrire imports consommateurs de `~/services/clients` / `~/services/dto/client` (AdminClientTab, ProjectDrawer, pages projects) → `~/modules/directory/services/...`. AdminClientTab : soit le retirer de /admin au profit de /directory, soit le laisser pointer le nouveau service. Décision : garder AdminClientTab fonctionnel (repoint service) ET ajouter la page /directory (les deux coexistent ; /directory = vue dédiée).
+- i18n global : ajouter clés `directory.*`, `prospects.*`, `sidebar.general.directory`.
+
+## Vagues d'exécution
+1. **Back Prospect** : enum + entité + repo + API (CRUD + convert) + MCP (6 tools) + Serializer + permissions module + fixtures + migration. Vérif cache:clear/migrate/phpunit/cs-fixer → commit.
+2. **Front Directory** : layer (move client front + page répertoire + ProspectDrawer + prospects service/dto) + sidebar + imports + i18n. Vérif nuxt build → commit.
+
+## Critères d'acceptation (ticket #58)
+- [x] Clients en module (fait, c5738d2)
+- [ ] Prospects en module + front répertoire fonctionnel
+- [x] resolve_target_entities → Directory\Client
+- [ ] make test vert, aucune migration destructive
+- [ ] toggle module directory (sidebar + route /directory)
+
+## Suite phase 2 (après 2.4)
+- 2.5 (#67) Module Mail — WIP `docs/mail-integration.md`, à traiter avec précaution.
+- 2.6 (#68) Module Integration (Gitea/BookStack/Zimbra/Share).
diff --git a/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md b/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
new file mode 100644
index 0000000..b9c5504
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
@@ -0,0 +1,82 @@
+# LST-65 (2.2) — Module ProjectManagement : plan de migration
+
+> Migration strangler du cœur métier Projets/Tâches vers `src/Module/ProjectManagement/`.
+> Additive, sans régression API. Exécution en 4 tranches **incrémentalement vertes**
+> (chaque tranche compile + `phpunit` vert + commit ; aucun état cassé committé).
+
+**Branche** : `integration/modular-monolith-0.1-1.3` (empilement phase 2).
+**Vérif container** : `docker exec -u www-data php-lesstime-fpm php bin/console cache:clear`
+**Tests** : `docker exec -u www-data php-lesstime-fpm php vendor/bin/phpunit` (baseline = 159 verts).
+**Style** : `make php-cs-fixer-allow-risky`. PHP `declare(strict_types=1)`. SQL colonnes minuscules.
+
+## Périmètre (10 entités + écosystème)
+Entités : Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort, TaskPriority, TaskTag, TaskRecurrence, TaskDocument.
+Enums : StatusCategory, RecurrenceType.
+Repos (9), State (7), MCP (38), Controller (1), Services (2 : CalDavService, RecurrenceCalculator), Listeners (3), ApiResource (SwitchWorkflowOutput), fixtures, tests.
+
+## Décisions d'architecture (figées)
+1. **Contrats inter-modules uniquement** (`src/Shared/Domain/Contract/`), surface minimale :
+   - `ProjectInterface` : `getId(): ?int`, `getCode(): ?string`, `getName(): ?string`
+   - `TaskInterface` : `getId(): ?int`, `getNumber(): ?int`, `getTitle(): ?string`
+   - `TaskTagInterface` : `getId(): ?int`, `getLabel(): ?string`, `getColor(): ?string`
+   - `ClientInterface` : `getId(): ?int`, `getName(): ?string`
+   - PAS de WorkflowInterface (Workflow est intra-module PM).
+2. **Consommateur contractuel** : seul le module **TimeTracking** (`TimeEntry`) bascule Project/Task/TaskTag → interfaces. **Project** (PM) bascule client → `ClientInterface`.
+3. **Legacy non modularisé** (Gitea/BookStack/Mail : `src/Controller/Mail/*`, `src/State/Gitea*`, `src/State/BookStack*`, `src/Service/GiteaApiService.php`, `src/ApiResource/BookStack*`, `src/Entity/TaskMailLink.php`, `src/Entity/TaskBookStackLink.php`), **Serializer MCP partagé** (`src/Mcp/Tool/Serializer.php`), fixtures, tests : bascule du **FQCN concret** `App\Entity\X` → `App\Module\ProjectManagement\Domain\Entity\X`. Couplage transitoire legacy→module, nettoyé en 2.4/2.5/2.6.
+4. **Repos** : pattern Core/TimeTracking — interface `Domain/Repository/XxxRepositoryInterface` + `Infrastructure/Doctrine/DoctrineXxxRepository extends ServiceEntityRepository implements …` + binding `services.yaml`. Conserver les méthodes métier (`findMaxNumberByProjectForUpdate`, `findFirstNonFinal`, `findDefault`).
+5. **Services CalDavService + RecurrenceCalculator** → `Infrastructure/` du module (dépendance résiduelle ZimbraConfiguration legacy tolérée jusqu'à 2.6).
+6. **Serializer.php** reste à `src/Mcp/Tool/` (helper multi-domaines), import concret PM.
+7. **Timestampable additif** : sur **Task** et **Project** uniquement (agrégats), pas les référentiels. Migration additive (4 colonnes nullable + FK SET NULL + COMMENT).
+8. **Table inchangée** (naming strategy → mêmes tables). Aucune migration destructive.
+9. **resolve_target_entities** final :
+   ```
+   UserInterface       -> App\Module\Core\Domain\Entity\User            (existant)
+   ProjectInterface    -> App\Module\ProjectManagement\Domain\Entity\Project
+   TaskInterface       -> App\Module\ProjectManagement\Domain\Entity\Task
+   TaskTagInterface    -> App\Module\ProjectManagement\Domain\Entity\TaskTag
+   ClientInterface     -> App\Entity\Client                              (Client legacy jusqu'à 2.4)
+   ```
+
+---
+
+## Tranche 1 — Découplage EN PLACE (entités non déplacées)
+But : créer les contrats et basculer les consommateurs inter-modules, **sans déplacer** les entités → diff minimal, isole le risque architectural.
+
+1. Créer les 4 interfaces dans `src/Shared/Domain/Contract/` (signatures ci-dessus).
+2. `src/Entity/Project.php` `implements ProjectInterface` ; `Task.php` `implements TaskInterface` ; `TaskTag.php` `implements TaskTagInterface` ; `Client.php` `implements ClientInterface`. (Méthodes déjà présentes — juste `implements` + `use`.)
+3. `Project.php` : `client` → type `?ClientInterface` (`targetEntity: ClientInterface::class`, import, getter/setter).
+4. `src/Module/TimeTracking/Domain/Entity/TimeEntry.php` : `project`→`?ProjectInterface`, `task`→`?TaskInterface`, `tags`→`Collection<TaskTagInterface>` (`targetEntity` = interfaces, imports, getters/setters/addTag/removeTag). MAJ `TimeEntryRepositoryInterface`/`DoctrineTimeEntryRepository`/`ActiveTimeEntryProvider`/`TimeEntryExportController` si typage Project/Task.
+5. `config/packages/doctrine.yaml` : ajouter les 4 lignes `resolve_target_entities` (cibles = `App\Entity\Project/Task/TaskTag` + `App\Entity\Client` — encore legacy à ce stade).
+6. Vérif : `cache:clear` OK + `phpunit` vert. Commit `refactor(project-management) : introduce Project/Task/TaskTag/Client contracts, decouple TimeTracking`.
+
+## Tranche 2 — Move mécanique vers le module
+But : déplacer entités + écosystème, bascule namespaces, sans changement de comportement.
+
+1. `git mv` entités → `src/Module/ProjectManagement/Domain/Entity/` (namespace `App\Module\ProjectManagement\Domain\Entity`). Relations intra-module = concret ; client=`ClientInterface` ; assignee/collaborators/uploadedBy=`UserInterface` (inchangé). `repositoryClass` → `DoctrineXxxRepository::class`.
+2. `git mv` enums → `src/Module/ProjectManagement/Domain/Enum/` (namespace adapté).
+3. Repos → `Infrastructure/Doctrine/DoctrineXxxRepository.php` + interfaces `Domain/Repository/XxxRepositoryInterface.php` (méthodes métier dans l'interface). Bindings `services.yaml` (9).
+4. State (7), MCP (38), Controller (1), Services (2), Listeners (3), ApiResource SwitchWorkflowOutput → sous-dossiers `Infrastructure/…` du module, namespaces adaptés, **injecter les interfaces de repo**. `services.yaml` : repointer `App\State\TaskDocumentProcessor`, `App\Controller\TaskDocumentDownloadController`, `App\Mcp\Tool\Task\AddTaskDocumentTool`, `App\Mcp\Tool\Task\UpdateTaskDocumentTool`, `App\EventListener\TaskDocumentListener` vers les nouveaux FQCN (garder `$uploadDir` + tag `doctrine.orm.entity_listener`).
+5. `resolve_target_entities` : repointer ProjectInterface/TaskInterface/TaskTagInterface vers les FQCN module. (ClientInterface reste `App\Entity\Client`.)
+6. **Swap FQCN concret legacy** : remplacer `App\Entity\{Task,Project,Workflow,TaskStatus,TaskGroup,TaskEffort,TaskPriority,TaskTag,TaskRecurrence,TaskDocument}` → `App\Module\ProjectManagement\Domain\Entity\…` et `App\Enum\{StatusCategory,RecurrenceType}` → `App\Module\ProjectManagement\Domain\Enum\…` et `App\Repository\Xxx` → interfaces/Doctrine, dans : Serializer.php, Controller/Mail/*, State/Gitea*, State/BookStack*, ApiResource/BookStack*, Service/GiteaApiService.php, Entity/TaskMailLink.php, Entity/TaskBookStackLink.php, DataFixtures/AppFixtures.php, tests/*. (NE PAS toucher `App\Entity\Client`.)
+7. `config/modules.php` : ajouter `ProjectManagementModule` (id `project-management`, label `Projets & Tâches`, isRequired false, permissions `project-management.projects.view/manage`, `project-management.tasks.view/manage` — non recâblées, additif).
+8. `config/packages/doctrine.yaml` : mapping `ProjectManagement` (dir `src/Module/ProjectManagement/Domain/Entity`).
+9. `config/sidebar.php` : `'module' => 'project-management'` sur items `my-tasks` et `projects`.
+10. Vérif : `cache:clear` OK + `doctrine:schema:validate` mapping OK + `phpunit` vert + cs-fixer. Commit `feat(project-management) : migrate core Projects/Tasks domain into module (back)`.
+
+## Tranche 3 — Timestampable additif (Task + Project)
+1. Ajouter `TimestampableBlamableTrait` + interfaces à `Task` et `Project`.
+2. Migration **additive** manuscrite : `created_at/updated_at` (TIMESTAMP(0) null), `created_by/updated_by` (INT null, FK `"user"` ON DELETE SET NULL) + index + COMMENT, sur `task` et `project`. `down()` = DROP des ajouts.
+3. Champs hors groupes API existants (le trait porte ses propres groupes).
+4. Vérif : `migrations:migrate -n` (dev+test) + `phpunit` vert. Commit `feat(project-management) : add timestampable/blamable to Task and Project (additive)`.
+
+## Tranche 4 — Front layer project-management
+1. `git mv` vers `frontend/modules/project-management/` : pages (my-tasks, projects/index, projects/[id]/{index,groups,archives}), components/{project,task}/*, services (projects, tasks, workflows, task-statuses, task-priorities, task-efforts, task-tags, task-groups, task-documents, task-recurrences) + services/dto/* correspondants. `nuxt.config.ts` = `export default defineNuxtConfig({})`.
+2. Réécrire imports explicites `~/services/<x>` + `~/services/dto/<x>` → `~/modules/project-management/...` dans : les fichiers déplacés, `components/admin/{AdminEffortTab,AdminPriorityTab,AdminTagTab,AdminWorkflowTab,WorkflowDrawer}.vue`, `components/mail/{MailCreateTaskModal,MailLinkTaskModal}.vue`, `pages/index.vue`, `pages/mail.vue`, `app/layouts/default.vue`, **et `frontend/modules/time-tracking/`** (dto/time-entry, stores/timer, pages/time-tracking, components/TimeEntryDrawer importent project/task/task-tag dto). `clients.ts` reste racine.
+3. Préserver routes `/my-tasks`, `/projects`, `/projects/:id`, `/projects/:id/groups`, `/projects/:id/archives`. i18n global inchangé.
+4. Vérif : `cd frontend && npx nuxt build` OK + routes présentes. Commit `feat(project-management) : extract Projects/Tasks front into Nuxt module layer`.
+
+## Critères d'acceptation (ticket)
+- [ ] Cœur Projets/Tâches en module sans régression API (opérations/securities/uriTemplates conservés).
+- [ ] Aucun import direct inter-modules **établis** (contrats) — legacy en transit toléré.
+- [ ] `make test` vert, aucune migration destructive.
+- [ ] Toggle module project-management (sidebar + routes) prouvé.
diff --git a/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md b/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
new file mode 100644
index 0000000..8b66ddb
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
@@ -0,0 +1,3306 @@
+# Répertoire — Contacts, Adresses & Rapports commerciaux — Plan d'implémentation
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Doter chaque fiche client/prospect du répertoire Lesstime de contacts multiples, adresses multiples et d'un journal de comptes-rendus commerciaux (avec pièces jointes), via une fiche détail à onglets inspirée de Starseed.
+
+**Architecture:** Trois entités répétables (`Contact`, `Address`, `CommercialReport`) dans le module `Directory`, chacune rattachée à un `Client` **ou** un `Prospect` via double-FK nullable + contrainte CHECK (pattern existant). Les pièces jointes des comptes-rendus passent par une entité `ReportDocument` dédiée au module (frontière modulaire préservée, réutilisant le même répertoire de stockage que `TaskDocument`). Frontend : fiches détail à route dédiée avec `MalioTabList`, blocs répétables, sauvegarde indépendante par entité.
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / PostgreSQL 16 ; Nuxt 4 / Vue 3 / Pinia / TypeScript / Tailwind / @malio/layer-ui.
+
+## Global Constraints
+
+- **Spec de référence :** `docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md`.
+- **Backend :** `declare(strict_types=1)` en tête de chaque fichier PHP ; pas de controller pour le CRUD (API Platform : ApiResource + Provider/Processor) ; controllers custom sous `/api/` → `priority: 1` sur la route.
+- **Sécurité API :** lecture `is_granted('ROLE_USER')`, écriture `is_granted('ROLE_ADMIN')` (pattern du module `Directory`).
+- **Doctrine/PostgreSQL :** noms de colonnes en **minuscules** dans le SQL brut.
+- **Module modular monolith :** code backend sous `src/Module/Directory/{Domain,Infrastructure}` ; relations cross-module via contrats `App\Shared\Domain\Contract\*` (ex. `UserInterface`).
+- **Sérialisation :** pour embarquer une relation (et non un IRI), ajouter le groupe `*:read` du parent sur les propriétés de l'entité cible.
+- **Upload :** valider le MIME via `$file->getMimeType()` (serveur), pas `getClientMimeType()`. Max 50 MB. Réutiliser le paramètre Symfony `task_document_upload_dir`.
+- **Frontend :** TypeScript strict, 4 espaces d'indentation ; tous les appels API via `useApi()` ; collections lues via `extractHydraMembers` doivent être servies non paginées (`paginationEnabled: false`).
+- **i18n :** toutes les chaînes UI dans `frontend/i18n/locales/fr.json` (pas de texte en dur).
+- **Tests :** `make test` (PHPUnit). Base de test **non isolée** (les POST s'accumulent) → tester des **invariants** (relations, statuts, présence), **jamais des counts absolus**.
+- **Commits :** `<type>(<scope>) : <message>` (espace autour du `:`). Aucune mention d'IA/Claude. Ne pas tagger/pusher.
+- **Commandes utiles :** `make migration-migrate` (migrations), `make php-cs-fixer-allow-risky` (style PHP), `make dev-nuxt` (front hot reload), `make shell` (shell PHP). Test ciblé : `docker exec -i php-lesstime-fpm php bin/phpunit --filter <TestName>`.
+
+## File Structure
+
+**Backend — `src/Module/Directory/`**
+- `Domain/Enum/ReportType.php` — enum type d'échange (call/meeting/email/note) + libellés FR.
+- `Domain/Entity/Contact.php` — contact répétable (double-FK client/prospect).
+- `Domain/Entity/Address.php` — adresse répétable (double-FK).
+- `Domain/Entity/CommercialReport.php` — compte-rendu (double-FK) + OneToMany ReportDocument.
+- `Domain/Entity/ReportDocument.php` — pièce jointe d'un compte-rendu.
+- `Domain/Repository/{Contact,Address,CommercialReport,ReportDocument}RepositoryInterface.php`.
+- `Infrastructure/Doctrine/Doctrine{Contact,Address,CommercialReport,ReportDocument}Repository.php`.
+- `Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php` — upload multipart.
+- `Infrastructure/Controller/ReportDocumentDownloadController.php` — download.
+- `Infrastructure/EventListener/ReportDocumentListener.php` — `unlink` fichier au `preRemove`.
+- `Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php` — *modifié* (réaffectation).
+- `DirectoryModule.php` — *modifié* (permissions reports).
+
+**Backend — racine**
+- `migrations/Version2026XXXXXXXXXX.php` — tables + data migration adresse inline.
+- `tests/Module/Directory/...` — tests fonctionnels.
+
+**Frontend — `frontend/modules/directory/`**
+- `services/dto/{contact,address,commercial-report,report-document}.ts`.
+- `services/{contacts,addresses,commercial-reports,report-documents}.ts`.
+- `components/DirectoryContactBlock.vue`, `DirectoryAddressBlock.vue`.
+- `components/CommercialReportTab.vue`, `ReportDocumentUpload.vue`, `ReportDocumentList.vue`.
+- `pages/clients/[id].vue`, `pages/prospects/[id].vue`.
+- `pages/directory.vue` — *modifié* (navigation vers fiche détail).
+- `frontend/i18n/locales/fr.json` — *modifié*.
+
+---
+
+## Task 1 : Enum `ReportType`
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Enum/ReportType.php`
+- Test: `tests/Module/Directory/Domain/Enum/ReportTypeTest.php`
+
+**Interfaces:**
+- Produces: `enum ReportType: string { Call='call'; Meeting='meeting'; Email='email'; Note='note'; public function label(): string }`
+
+- [ ] **Step 1 : Écrire le test qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory\Domain\Enum;
+
+use App\Module\Directory\Domain\Enum\ReportType;
+use PHPUnit\Framework\TestCase;
+
+final class ReportTypeTest extends TestCase
+{
+    public function testValuesAndLabels(): void
+    {
+        self::assertSame('call', ReportType::Call->value);
+        self::assertSame('Appel', ReportType::Call->label());
+        self::assertSame('Rendez-vous', ReportType::Meeting->label());
+        self::assertSame('Email', ReportType::Email->label());
+        self::assertSame('Note', ReportType::Note->label());
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ReportTypeTest`
+Expected: FAIL (classe `ReportType` inexistante).
+
+- [ ] **Step 3 : Implémenter l'enum**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ReportType: string
+{
+    case Call    = 'call';
+    case Meeting = 'meeting';
+    case Email   = 'email';
+    case Note    = 'note';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::Call    => 'Appel',
+            self::Meeting => 'Rendez-vous',
+            self::Email   => 'Email',
+            self::Note    => 'Note',
+        };
+    }
+}
+```
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ReportTypeTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Enum/ReportType.php tests/Module/Directory/Domain/Enum/ReportTypeTest.php
+git commit -m "feat(directory) : add ReportType enum for commercial reports"
+```
+
+---
+
+## Task 2 : Entité `Contact` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/Contact.php`
+- Create: `src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php`
+
+**Interfaces:**
+- Consumes: `App\Shared\Domain\Contract\TimestampableInterface`, `TimestampableBlamableTrait`, `Auditable`.
+- Produces: `Contact` (ApiResource `/contacts`, groupes `contact:read`/`contact:write`, double ManyToOne `client`/`prospect`), `ContactRepositoryInterface::findById(int): ?Contact`.
+
+> Pas de table en base tant que la migration (Task 6) n'a pas tourné. Cette tâche se valide par l'absence d'erreur de mapping Doctrine (`schema:validate` mapping) ; la persistance est testée en Task 6.
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineContactRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['contact:read']],
+    denormalizationContext: ['groups' => ['contact:write']],
+    order: ['lastName' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineContactRepository::class)]
+#[ORM\Table(name: 'directory_contact')]
+class Contact implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['contact:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $firstName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $lastName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $jobTitle = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phonePrimary = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phoneSecondary = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getFirstName(): ?string
+    {
+        return $this->firstName;
+    }
+
+    public function setFirstName(?string $firstName): static
+    {
+        $this->firstName = $firstName;
+
+        return $this;
+    }
+
+    public function getLastName(): ?string
+    {
+        return $this->lastName;
+    }
+
+    public function setLastName(?string $lastName): static
+    {
+        $this->lastName = $lastName;
+
+        return $this;
+    }
+
+    public function getJobTitle(): ?string
+    {
+        return $this->jobTitle;
+    }
+
+    public function setJobTitle(?string $jobTitle): static
+    {
+        $this->jobTitle = $jobTitle;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhonePrimary(): ?string
+    {
+        return $this->phonePrimary;
+    }
+
+    public function setPhonePrimary(?string $phonePrimary): static
+    {
+        $this->phonePrimary = $phonePrimary;
+
+        return $this;
+    }
+
+    public function getPhoneSecondary(): ?string
+    {
+        return $this->phoneSecondary;
+    }
+
+    public function setPhoneSecondary(?string $phoneSecondary): static
+    {
+        $this->phoneSecondary = $phoneSecondary;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Contact;
+
+interface ContactRepositoryInterface
+{
+    public function findById(int $id): ?Contact;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Repository\ContactRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Contact>
+ */
+final class DoctrineContactRepository extends ServiceEntityRepository implements ContactRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Contact::class);
+    }
+
+    public function findById(int $id): ?Contact
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Valider le mapping Doctrine**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.` (le `--skip-sync` ignore le fait que la table n'existe pas encore).
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/Contact.php src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
+git commit -m "feat(directory) : add Contact entity with client/prospect dual ownership"
+```
+
+---
+
+## Task 3 : Entité `Address` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/Address.php`
+- Create: `src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php`
+
+**Interfaces:**
+- Produces: `Address` (ApiResource `/addresses`, groupes `address:read`/`address:write`, double ManyToOne), `AddressRepositoryInterface::findById(int): ?Address`.
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineAddressRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['address:read']],
+    denormalizationContext: ['groups' => ['address:write']],
+    order: ['id' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineAddressRepository::class)]
+#[ORM\Table(name: 'directory_address')]
+class Address implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['address:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $label = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $street = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $streetComplement = null;
+
+    #[ORM\Column(length: 20, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $postalCode = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $city = null;
+
+    #[ORM\Column(length: 2)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private string $country = 'FR';
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getLabel(): ?string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(?string $label): static
+    {
+        $this->label = $label;
+
+        return $this;
+    }
+
+    public function getStreet(): ?string
+    {
+        return $this->street;
+    }
+
+    public function setStreet(?string $street): static
+    {
+        $this->street = $street;
+
+        return $this;
+    }
+
+    public function getStreetComplement(): ?string
+    {
+        return $this->streetComplement;
+    }
+
+    public function setStreetComplement(?string $streetComplement): static
+    {
+        $this->streetComplement = $streetComplement;
+
+        return $this;
+    }
+
+    public function getPostalCode(): ?string
+    {
+        return $this->postalCode;
+    }
+
+    public function setPostalCode(?string $postalCode): static
+    {
+        $this->postalCode = $postalCode;
+
+        return $this;
+    }
+
+    public function getCity(): ?string
+    {
+        return $this->city;
+    }
+
+    public function setCity(?string $city): static
+    {
+        $this->city = $city;
+
+        return $this;
+    }
+
+    public function getCountry(): string
+    {
+        return $this->country;
+    }
+
+    public function setCountry(string $country): static
+    {
+        $this->country = $country;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Address;
+
+interface AddressRepositoryInterface
+{
+    public function findById(int $id): ?Address;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Repository\AddressRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Address>
+ */
+final class DoctrineAddressRepository extends ServiceEntityRepository implements AddressRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Address::class);
+    }
+
+    public function findById(int $id): ?Address
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Valider le mapping Doctrine**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.`
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/Address.php src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
+git commit -m "feat(directory) : add Address entity with client/prospect dual ownership"
+```
+
+---
+
+## Task 4 : Entité `CommercialReport` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/CommercialReport.php`
+- Create: `src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php`
+
+**Files (suite) :**
+- Create: `src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php`
+- Modify: `config/services.yaml`
+
+**Interfaces:**
+- Consumes: `ReportType` (Task 1), `UserInterface` (Shared contract), `ReportDocument` (Task 5 — déclarée ici en OneToMany ; l'entité `ReportDocument` est créée en Task 5, qui doit être appliquée avant la migration Task 6).
+- Produces: `CommercialReport` (ApiResource `/commercial_reports`, groupes `commercial_report:read`/`commercial_report:write`), `CommercialReportRepositoryInterface::findById(int): ?CommercialReport`. `author` renseigné automatiquement au `prePersist` avec l'utilisateur connecté.
+
+> ⚠️ Ordre : cette entité référence `ReportDocument::class` (Task 5). Implémenter Task 5 juste après, avant la migration (Task 6) et toute exécution.
+> ⚠️ `author` n'est PAS alimenté par le trait Blamable (qui gère `created_by`). Il est rempli par un listener dédié (Steps 4–5 ci-dessous), et n'a volontairement pas de groupe `:write` (non modifiable par le client).
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineCommercialReportRepository;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['commercial_report:read']],
+    denormalizationContext: ['groups' => ['commercial_report:write']],
+    order: ['occurredAt' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineCommercialReportRepository::class)]
+#[ORM\Table(name: 'commercial_report')]
+class CommercialReport implements TimestampableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $subject = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $body = null;
+
+    #[ORM\Column(type: Types::DATE_IMMUTABLE)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?DateTimeImmutable $occurredAt = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ReportType::class)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ReportType $type = ReportType::Note;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'author_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['commercial_report:read'])]
+    private ?UserInterface $author = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Prospect $prospect = null;
+
+    /** @var Collection<int, ReportDocument> */
+    #[ORM\OneToMany(targetEntity: ReportDocument::class, mappedBy: 'commercialReport', cascade: ['remove'])]
+    #[Groups(['commercial_report:read'])]
+    private Collection $documents;
+
+    public function __construct()
+    {
+        $this->documents = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getSubject(): ?string
+    {
+        return $this->subject;
+    }
+
+    public function setSubject(string $subject): static
+    {
+        $this->subject = $subject;
+
+        return $this;
+    }
+
+    public function getBody(): ?string
+    {
+        return $this->body;
+    }
+
+    public function setBody(?string $body): static
+    {
+        $this->body = $body;
+
+        return $this;
+    }
+
+    public function getOccurredAt(): ?DateTimeImmutable
+    {
+        return $this->occurredAt;
+    }
+
+    public function setOccurredAt(DateTimeImmutable $occurredAt): static
+    {
+        $this->occurredAt = $occurredAt;
+
+        return $this;
+    }
+
+    public function getType(): ReportType
+    {
+        return $this->type;
+    }
+
+    public function setType(ReportType $type): static
+    {
+        $this->type = $type;
+
+        return $this;
+    }
+
+    public function getAuthor(): ?UserInterface
+    {
+        return $this->author;
+    }
+
+    public function setAuthor(?UserInterface $author): static
+    {
+        $this->author = $author;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+
+    /** @return Collection<int, ReportDocument> */
+    public function getDocuments(): Collection
+    {
+        return $this->documents;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+
+interface CommercialReportRepositoryInterface
+{
+    public function findById(int $id): ?CommercialReport;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Repository\CommercialReportRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<CommercialReport>
+ */
+final class DoctrineCommercialReportRepository extends ServiceEntityRepository implements CommercialReportRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, CommercialReport::class);
+    }
+
+    public function findById(int $id): ?CommercialReport
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Créer le listener qui renseigne l'auteur**
+
+`src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class CommercialReportAuthorListener
+{
+    public function __construct(private Security $security) {}
+
+    public function prePersist(CommercialReport $report, PrePersistEventArgs $args): void
+    {
+        if (null !== $report->getAuthor()) {
+            return;
+        }
+
+        $user = $this->security->getUser();
+
+        if ($user instanceof UserInterface) {
+            $report->setAuthor($user);
+        }
+    }
+}
+```
+
+- [ ] **Step 5 : Enregistrer le listener dans `config/services.yaml`**
+
+```yaml
+    App\Module\Directory\Infrastructure\EventListener\CommercialReportAuthorListener:
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\CommercialReport', event: prePersist }
+```
+
+> Si l'autowiring du projet enregistre déjà tous les services de `src/`, seule la partie `tags` est nécessaire (vérifier le bloc `services:` par défaut de `config/services.yaml`).
+
+- [ ] **Step 6 : Commit** (validation Doctrine après Task 5, car référence `ReportDocument`)
+
+```bash
+git add src/Module/Directory/Domain/Entity/CommercialReport.php src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php config/services.yaml
+git commit -m "feat(directory) : add CommercialReport entity with dual ownership and author"
+```
+
+---
+
+## Task 5 : Entité `ReportDocument` + processor + download + listener
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/ReportDocument.php`
+- Create: `src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php`
+- Create: `src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php`
+- Create: `src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php`
+- Create: `src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php`
+- Modify: `config/services.yaml` (injecter `task_document_upload_dir` dans le processor/controller/listener)
+
+**Interfaces:**
+- Consumes: `CommercialReport` (Task 4), `UserInterface`, paramètre Symfony `task_document_upload_dir`.
+- Produces: `ReportDocument` (ApiResource `/report_documents`, groupes `report_document:read`/`report_document:write`), endpoint download `/api/report_documents/{id}/download`.
+
+- [ ] **Step 1 : Créer l'entité `ReportDocument`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor;
+use App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ReportDocumentProcessor::class,
+            deserialize: false,
+        ),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['report_document:read']],
+    denormalizationContext: ['groups' => ['report_document:write']],
+    order: ['id' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['commercialReport' => 'exact'])]
+#[ORM\Entity]
+#[ORM\Table(name: 'report_document')]
+#[ORM\EntityListeners([ReportDocumentListener::class])]
+class ReportDocument
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\ManyToOne(targetEntity: CommercialReport::class, inversedBy: 'documents')]
+    #[ORM\JoinColumn(name: 'commercial_report_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    #[Groups(['report_document:read', 'report_document:write'])]
+    private ?CommercialReport $commercialReport = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $originalName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $fileName = null;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $mimeType = null;
+
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $size = null;
+
+    #[ORM\Column(type: 'datetime_immutable')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'uploaded_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?UserInterface $uploadedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCommercialReport(): ?CommercialReport
+    {
+        return $this->commercialReport;
+    }
+
+    public function setCommercialReport(?CommercialReport $commercialReport): static
+    {
+        $this->commercialReport = $commercialReport;
+
+        return $this;
+    }
+
+    public function getOriginalName(): ?string
+    {
+        return $this->originalName;
+    }
+
+    public function setOriginalName(string $originalName): static
+    {
+        $this->originalName = $originalName;
+
+        return $this;
+    }
+
+    public function getFileName(): ?string
+    {
+        return $this->fileName;
+    }
+
+    public function setFileName(?string $fileName): static
+    {
+        $this->fileName = $fileName;
+
+        return $this;
+    }
+
+    public function getMimeType(): ?string
+    {
+        return $this->mimeType;
+    }
+
+    public function setMimeType(string $mimeType): static
+    {
+        $this->mimeType = $mimeType;
+
+        return $this;
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function setSize(int $size): static
+    {
+        $this->size = $size;
+
+        return $this;
+    }
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): static
+    {
+        $this->createdAt = $createdAt;
+
+        return $this;
+    }
+
+    public function getUploadedBy(): ?UserInterface
+    {
+        return $this->uploadedBy;
+    }
+
+    public function setUploadedBy(?UserInterface $uploadedBy): static
+    {
+        $this->uploadedBy = $uploadedBy;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface + le repository Doctrine**
+
+`src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+
+interface ReportDocumentRepositoryInterface
+{
+    public function findById(int $id): ?ReportDocument;
+}
+```
+
+`src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<ReportDocument>
+ */
+final class DoctrineReportDocumentRepository extends ServiceEntityRepository implements ReportDocumentRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ReportDocument::class);
+    }
+
+    public function findById(int $id): ?ReportDocument
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 3 : Créer le processor d'upload** (calqué sur `TaskDocumentProcessor`, sans SMB)
+
+`src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\Uid\Uuid;
+
+use function in_array;
+
+/**
+ * @implements ProcessorInterface<ReportDocument, ReportDocument>
+ */
+final readonly class ReportDocumentProcessor implements ProcessorInterface
+{
+    private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
+
+    private const ALLOWED_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'text/plain', 'text/csv',
+        'application/zip', 'application/x-rar-compressed', 'application/gzip',
+        'application/json', 'application/xml', 'text/xml',
+    ];
+
+    private const MIME_TO_EXTENSION = [
+        'image/jpeg'                                                                => 'jpg',
+        'image/png'                                                                 => 'png',
+        'image/gif'                                                                 => 'gif',
+        'image/webp'                                                                => 'webp',
+        'application/pdf'                                                           => 'pdf',
+        'application/msword'                                                        => 'doc',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
+        'application/vnd.ms-excel'                                                  => 'xls',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'         => 'xlsx',
+        'application/vnd.ms-powerpoint'                                             => 'ppt',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation' => 'pptx',
+        'text/plain'                                                                => 'txt',
+        'text/csv'                                                                  => 'csv',
+        'application/zip'                                                           => 'zip',
+        'application/x-rar-compressed'                                              => 'rar',
+        'application/gzip'                                                          => 'gz',
+        'application/json'                                                          => 'json',
+        'application/xml'                                                           => 'xml',
+        'text/xml'                                                                  => 'xml',
+    ];
+
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+        private RequestStack $requestStack,
+        private string $uploadDir,
+    ) {}
+
+    /**
+     * @param ReportDocument $data
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ReportDocument
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating report documents requires admin privileges.');
+        }
+
+        $request = $this->requestStack->getCurrentRequest();
+
+        if (null === $request) {
+            throw new BadRequestHttpException('No request available.');
+        }
+
+        $document = $this->createUpload($request);
+        $document->setCreatedAt(new DateTimeImmutable());
+        $document->setUploadedBy($this->security->getUser());
+
+        $this->entityManager->persist($document);
+        $this->entityManager->flush();
+
+        return $document;
+    }
+
+    private function createUpload(Request $request): ReportDocument
+    {
+        $file = $request->files->get('file');
+
+        if (null === $file || !$file->isValid()) {
+            throw new BadRequestHttpException('No valid file uploaded.');
+        }
+
+        if ($file->getSize() > self::MAX_FILE_SIZE) {
+            throw new BadRequestHttpException('File size exceeds 50 MB limit.');
+        }
+
+        $report = $this->resolveReport((string) $request->request->get('commercialReport', ''));
+
+        $originalName = $file->getClientOriginalName();
+        $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
+        $fileSize     = $file->getSize();
+
+        if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+            throw new BadRequestHttpException(sprintf('File type "%s" is not allowed.', $mimeType));
+        }
+
+        $extension = self::MIME_TO_EXTENSION[$mimeType] ?? 'bin';
+        $fileName  = Uuid::v4()->toRfc4122().'.'.$extension;
+
+        if (!is_dir($this->uploadDir)) {
+            mkdir($this->uploadDir, 0o775, true);
+        }
+
+        $file->move($this->uploadDir, $fileName);
+
+        $document = new ReportDocument();
+        $document->setCommercialReport($report);
+        $document->setOriginalName($originalName);
+        $document->setFileName($fileName);
+        $document->setMimeType($mimeType);
+        $document->setSize($fileSize);
+
+        return $document;
+    }
+
+    private function resolveReport(string $iri): CommercialReport
+    {
+        if ('' === $iri) {
+            throw new BadRequestHttpException('A commercialReport IRI is required.');
+        }
+
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) basename($iri));
+
+        if (null === $report) {
+            throw new BadRequestHttpException('Commercial report not found.');
+        }
+
+        return $report;
+    }
+}
+```
+
+- [ ] **Step 4 : Créer le controller de download** (calqué sur `TaskDocumentDownloadController`, fichier disque uniquement)
+
+`src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Controller;
+
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+final class ReportDocumentDownloadController
+{
+    private const INLINE_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+    ];
+
+    public function __construct(
+        private readonly ReportDocumentRepositoryInterface $repository,
+        private readonly string $uploadDir,
+    ) {}
+
+    #[Route('/api/report_documents/{id}/download', name: 'report_document_download', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(int $id): Response
+    {
+        $document = $this->repository->findById($id);
+
+        if (null === $document || null === $document->getFileName()) {
+            throw new NotFoundHttpException('Document not found.');
+        }
+
+        $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+        if (!is_file($filePath)) {
+            throw new NotFoundHttpException('File missing on disk.');
+        }
+
+        $response = new BinaryFileResponse($filePath);
+        $mimeType = (string) $document->getMimeType();
+
+        $disposition = in_array($mimeType, self::INLINE_MIME_TYPES, true)
+            ? ResponseHeaderBag::DISPOSITION_INLINE
+            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+
+        $response->setContentDisposition($disposition, (string) $document->getOriginalName());
+        $response->headers->set('Content-Type', $mimeType);
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}
+```
+
+- [ ] **Step 5 : Créer le listener de suppression**
+
+`src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use Doctrine\ORM\Event\PreRemoveEventArgs;
+use Psr\Log\LoggerInterface;
+
+final readonly class ReportDocumentListener
+{
+    public function __construct(
+        private string $uploadDir,
+        private LoggerInterface $logger,
+    ) {}
+
+    public function preRemove(ReportDocument $document, PreRemoveEventArgs $args): void
+    {
+        $fileName = $document->getFileName();
+
+        if (null === $fileName) {
+            return;
+        }
+
+        $path = $this->uploadDir.'/'.$fileName;
+
+        if (is_file($path) && !@unlink($path)) {
+            $this->logger->warning('Failed to delete report document file', ['path' => $path]);
+        }
+    }
+}
+```
+
+- [ ] **Step 6 : Injecter le paramètre `task_document_upload_dir`**
+
+Dans `config/services.yaml`, ajouter (à la suite des autres définitions explicites de services) :
+
+```yaml
+    App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\Controller\ReportDocumentDownloadController:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags: ['controller.service_arguments']
+
+    App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\ReportDocument', event: preRemove }
+```
+
+> Vérifier d'abord comment `TaskDocumentProcessor`/`TaskDocumentListener` reçoivent `$uploadDir` et sont tagués (`grep -n "task_document_upload_dir\|TaskDocumentListener" config/services.yaml`) et reproduire exactement le même style (autowiring partiel vs définition explicite).
+
+- [ ] **Step 7 : Valider le mapping Doctrine de tout le module**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.`
+
+- [ ] **Step 8 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/ReportDocument.php src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php config/services.yaml
+git commit -m "feat(directory) : add ReportDocument storage (entity, upload processor, download, cleanup)"
+```
+
+---
+
+## Task 6 : Migration — tables + data migration adresse inline
+
+**Files:**
+- Create: `migrations/Version2026XXXXXXXXXX.php` (généré puis édité)
+- Modify: `src/Module/Directory/Domain/Entity/Client.php` (retrait colonnes inline `street`/`city`/`postalCode`)
+- Modify: `src/Module/Directory/Domain/Entity/Prospect.php` (idem)
+
+**Interfaces:**
+- Consumes: les 4 entités des Tasks 2–5.
+- Produces: tables `directory_contact`, `directory_address`, `commercial_report`, `report_document` ; contraintes CHECK d'appartenance ; suppression des colonnes inline d'adresse sur `client`/`prospect` (données migrées vers `directory_address`).
+
+- [ ] **Step 1 : Retirer les colonnes inline d'adresse de `Client`**
+
+Dans `src/Module/Directory/Domain/Entity/Client.php`, **supprimer** les 3 propriétés `street`, `city`, `postalCode` (lignes 61–71 actuelles) **et** leurs getters/setters (`getStreet/setStreet/getCity/setCity/getPostalCode/setPostalCode`). Conserver `name`, `email`, `phone`, `projects`.
+
+- [ ] **Step 2 : Retirer les colonnes inline d'adresse de `Prospect`**
+
+Dans `src/Module/Directory/Domain/Entity/Prospect.php`, **supprimer** les propriétés `street`, `city`, `postalCode` (lignes 74–84 actuelles) et leurs getters/setters. Conserver `name`, `company`, `email`, `phone`, `status`, `source`, `notes`, `convertedClient`.
+
+- [ ] **Step 3 : Générer le diff de migration**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction`
+Expected: un fichier `migrations/Version2026XXXXXXXXXX.php` créé contenant les `CREATE TABLE` des 4 nouvelles tables, les FK, et les `ALTER TABLE client/prospect DROP COLUMN street/city/postal_code`.
+
+- [ ] **Step 4 : Éditer la migration — ajouter le CHECK et la data migration**
+
+Ouvrir le fichier généré. Dans `up()`, **avant** les `DROP COLUMN` sur `client`/`prospect`, insérer la copie des adresses inline existantes vers `directory_address`, et **après** les `CREATE TABLE`, ajouter les contraintes CHECK. Le corps de `up()` doit contenir (ordre important) :
+
+```php
+public function up(Schema $schema): void
+{
+    // 1. CREATE TABLE directory_contact / directory_address / commercial_report / report_document
+    //    + FK + index : conserver tel quel le SQL généré par le diff.
+    //    (ne pas recopier ici : garder les addSql() générés)
+
+    // 2. Contraintes CHECK d'appartenance (au moins un propriétaire).
+    $this->addSql("ALTER TABLE directory_contact ADD CONSTRAINT chk_contact_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+    $this->addSql("ALTER TABLE directory_address ADD CONSTRAINT chk_address_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+    $this->addSql("ALTER TABLE commercial_report ADD CONSTRAINT chk_report_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+
+    // 3. Data migration : adresse inline -> directory_address (avant DROP COLUMN).
+    $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, client_id, created_at, updated_at)
+        SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+        FROM client
+        WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+    $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, prospect_id, created_at, updated_at)
+        SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+        FROM prospect
+        WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+
+    // 4. DROP COLUMN street/city/postal_code sur client et prospect : conserver le SQL généré.
+}
+```
+
+> ⚠️ Vérifier les noms de colonnes Timestampable réels sur `directory_address` après le diff (le trait peut générer `created_at`/`updated_at`/`created_by_id`/`updated_by_id`) et adapter la liste de colonnes de l'`INSERT` en conséquence. `created_by_id`/`updated_by_id` étant nullable, ne pas les inclure. Colonnes en **minuscules**.
+> Dans `down()`, ajouter en premier les `ALTER TABLE client/prospect ADD street/city/postal_code` (recréation) générés par le diff, puis les `DROP TABLE`. La perte de données au `down()` est acceptable (dev).
+
+- [ ] **Step 5 : Appliquer la migration**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:migrations:migrate --no-interaction`
+Expected: migration exécutée sans erreur ; `doctrine:schema:validate` → `[Mapping] OK` **et** `[Database] OK`.
+
+- [ ] **Step 6 : Vérifier les tables et le CHECK**
+
+Run:
+```bash
+docker exec -i php-lesstime-fpm php bin/console dbal:run-sql "SELECT conname FROM pg_constraint WHERE conname LIKE 'chk_%owner'"
+```
+Expected: `chk_contact_owner`, `chk_address_owner`, `chk_report_owner`.
+
+- [ ] **Step 7 : Commit**
+
+```bash
+git add migrations/Version2026XXXXXXXXXX.php src/Module/Directory/Domain/Entity/Client.php src/Module/Directory/Domain/Entity/Prospect.php
+git commit -m "feat(directory) : add contact/address/report tables and migrate inline addresses"
+```
+
+---
+
+## Task 7 : Conversion prospect → client réaffecte les sous-entités
+
+**Files:**
+- Modify: `src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php`
+- Test: `tests/Module/Directory/ConvertProspectProcessorTest.php`
+
+**Interfaces:**
+- Consumes: `Contact`, `Address`, `CommercialReport` (Tasks 2–4), repositories Doctrine.
+- Produces: après convert, les contacts/adresses/rapports du prospect ont `client = <nouveau client>` et `prospect = null`.
+
+- [ ] **Step 1 : Écrire le test fonctionnel qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ReportType;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+final class ConvertProspectProcessorTest extends KernelTestCase
+{
+    public function testConvertReassignsContactsAddressesAndReports(): void
+    {
+        self::bootKernel();
+        /** @var EntityManagerInterface $em */
+        $em = self::getContainer()->get(EntityManagerInterface::class);
+
+        $prospect = new Prospect();
+        $prospect->setName('Atelier Test');
+        $prospect->setCompany('Atelier Test SARL');
+        $em->persist($prospect);
+
+        $contact = (new Contact())->setLastName('Durand')->setProspect($prospect);
+        $address = (new Address())->setCity('Niort')->setProspect($prospect);
+        $report  = (new CommercialReport())
+            ->setSubject('Premier contact')
+            ->setOccurredAt(new DateTimeImmutable('2026-06-01'))
+            ->setType(ReportType::Call)
+            ->setProspect($prospect);
+        $em->persist($contact);
+        $em->persist($address);
+        $em->persist($report);
+        $em->flush();
+
+        $processor = self::getContainer()->get(\App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor::class);
+        $operation = new \ApiPlatform\Metadata\Post();
+        $processor->process($prospect, $operation, ['id' => $prospect->getId()]);
+
+        $em->refresh($contact);
+        $em->refresh($address);
+        $em->refresh($report);
+
+        $client = $prospect->getConvertedClient();
+        self::assertNotNull($client, 'Prospect should be converted to a client');
+
+        // Invariants (pas de counts absolus) : chaque sous-entité pointe vers le client, plus vers le prospect.
+        self::assertSame($client->getId(), $contact->getClient()?->getId());
+        self::assertNull($contact->getProspect());
+        self::assertSame($client->getId(), $address->getClient()?->getId());
+        self::assertNull($address->getProspect());
+        self::assertSame($client->getId(), $report->getClient()?->getId());
+        self::assertNull($report->getProspect());
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ConvertProspectProcessorTest`
+Expected: FAIL (le processor ne réaffecte pas encore ; `getClient()` est null).
+
+- [ ] **Step 3 : Modifier le processor**
+
+Remplacer le contenu de `ConvertProspectProcessor.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Converts a Prospect into a Client and reassigns its contacts, addresses and
+ * commercial reports to the new client (preserving the commercial history).
+ *
+ * Idempotent: if already converted, returns it unchanged.
+ *
+ * @implements ProcessorInterface<Prospect, Prospect>
+ */
+final readonly class ConvertProspectProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private ProspectRepositoryInterface $prospectRepository,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): Prospect
+    {
+        $id       = $uriVariables['id'] ?? null;
+        $prospect = is_numeric($id) ? $this->prospectRepository->findById((int) $id) : null;
+
+        if (!$prospect instanceof Prospect) {
+            throw new NotFoundHttpException('Prospect not found.');
+        }
+
+        if (null !== $prospect->getConvertedClient()) {
+            return $prospect;
+        }
+
+        $client = new Client();
+        $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+        $client->setEmail($prospect->getEmail());
+        $client->setPhone($prospect->getPhone());
+
+        $this->entityManager->persist($client);
+
+        $this->reassignContacts($prospect, $client);
+        $this->reassignAddresses($prospect, $client);
+        $this->reassignReports($prospect, $client);
+
+        $prospect->setConvertedClient($client);
+        $prospect->setStatus(ProspectStatus::Won);
+
+        $this->entityManager->flush();
+
+        return $prospect;
+    }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
+}
+```
+
+> Note : la copie des champs adresse inline (`street`/`city`/`postalCode`) est retirée du processor (colonnes supprimées en Task 6). Les adresses suivent désormais via `reassignAddresses`.
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ConvertProspectProcessorTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php tests/Module/Directory/ConvertProspectProcessorTest.php
+git commit -m "feat(directory) : carry over contacts/addresses/reports on prospect conversion"
+```
+
+---
+
+## Task 8 : Permissions RBAC du module
+
+**Files:**
+- Modify: `src/Module/Directory/DirectoryModule.php`
+- Test: `tests/Module/Directory/DirectoryModulePermissionsTest.php`
+
+**Interfaces:**
+- Produces: `DirectoryModule::permissions()` inclut `directory.reports.view` et `directory.reports.manage`.
+
+- [ ] **Step 1 : Écrire le test qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\DirectoryModule;
+use PHPUnit\Framework\TestCase;
+
+final class DirectoryModulePermissionsTest extends TestCase
+{
+    public function testReportPermissionsAreDeclared(): void
+    {
+        $codes = array_column(DirectoryModule::permissions(), 'code');
+
+        self::assertContains('directory.reports.view', $codes);
+        self::assertContains('directory.reports.manage', $codes);
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter DirectoryModulePermissionsTest`
+Expected: FAIL.
+
+- [ ] **Step 3 : Ajouter les permissions**
+
+Dans `DirectoryModule::permissions()`, ajouter au tableau retourné :
+
+```php
+            ['code' => 'directory.reports.view', 'label' => 'Voir les comptes-rendus commerciaux'],
+            ['code' => 'directory.reports.manage', 'label' => 'Gérer les comptes-rendus commerciaux'],
+```
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter DirectoryModulePermissionsTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/DirectoryModule.php tests/Module/Directory/DirectoryModulePermissionsTest.php
+git commit -m "feat(directory) : declare commercial report RBAC permissions"
+```
+
+---
+
+## Task 9 : Tests API d'appartenance et de sécurité
+
+**Files:**
+- Test: `tests/Module/Directory/CommercialReportApiTest.php`
+
+**Interfaces:**
+- Consumes: endpoints `/api/commercial_reports`, `/api/contacts`, fixtures users (`admin`/`admin`, `alice`/`alice`).
+
+> Réutiliser le pattern de test fonctionnel API existant du projet (`grep -rl "ApiTestCase\|createClient" tests/` pour trouver la classe de base et la façon de s'authentifier en JWT cookie). Adapter le helper d'auth ci-dessous au helper réel du projet.
+
+- [ ] **Step 1 : Écrire les tests (invariants, pas de counts)**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\Domain\Entity\Client;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+final class CommercialReportApiTest extends WebTestCase
+{
+    public function testAnonymousCannotReadReports(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/commercial_reports');
+
+        self::assertGreaterThanOrEqual(401, $client->getResponse()->getStatusCode());
+    }
+
+    public function testNonAdminCannotCreateReport(): void
+    {
+        $client = self::createClient();
+        // TODO(remplacer) : authentifier en ROLE_USER via le helper JWT du projet (cf. autres tests API).
+        $this->loginAs($client, 'alice', 'alice');
+
+        $target = $this->anyClientIri();
+        $client->request('POST', '/api/commercial_reports', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'subject'    => 'Test',
+            'occurredAt' => '2026-06-01',
+            'type'       => 'call',
+            'client'     => $target,
+        ]));
+
+        self::assertSame(403, $client->getResponse()->getStatusCode());
+    }
+
+    private function anyClientIri(): string
+    {
+        /** @var EntityManagerInterface $em */
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        $client = $em->getRepository(Client::class)->findOneBy([]);
+
+        self::assertNotNull($client, 'A client fixture is required');
+
+        return '/api/clients/'.$client->getId();
+    }
+
+    // loginAs(): à implémenter selon le helper d'auth JWT cookie du projet.
+}
+```
+
+- [ ] **Step 2 : Adapter `loginAs` au helper réel** (lire un test API existant et reproduire l'auth JWT cookie).
+
+- [ ] **Step 3 : Lancer les tests**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter CommercialReportApiTest`
+Expected: PASS (anonyme rejeté, ROLE_USER interdit en écriture).
+
+- [ ] **Step 4 : Lancer la suite complète**
+
+Run: `make test`
+Expected: suite verte.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add tests/Module/Directory/CommercialReportApiTest.php
+git commit -m "test(directory) : api security for commercial reports"
+```
+
+---
+
+## Task 10 : DTO frontend
+
+**Files:**
+- Create: `frontend/modules/directory/services/dto/contact.ts`
+- Create: `frontend/modules/directory/services/dto/address.ts`
+- Create: `frontend/modules/directory/services/dto/commercial-report.ts`
+- Create: `frontend/modules/directory/services/dto/report-document.ts`
+
+**Interfaces:**
+- Produces: types `Contact`/`ContactWrite`, `Address`/`AddressWrite`, `CommercialReport`/`CommercialReportWrite`, `ReportType`, `ReportDocument`.
+
+- [ ] **Step 1 : `contact.ts`**
+
+```ts
+export type Contact = {
+    id: number
+    '@id'?: string
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+
+export type ContactWrite = {
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 2 : `address.ts`**
+
+```ts
+export type Address = {
+    id: number
+    '@id'?: string
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+
+export type AddressWrite = {
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 3 : `report-document.ts`**
+
+```ts
+import type { UserData } from '~/services/dto/user'
+
+export type ReportDocument = {
+    '@id'?: string
+    id: number
+    commercialReport: string
+    originalName: string
+    fileName?: string | null
+    mimeType: string
+    size: number
+    createdAt: string
+    uploadedBy?: UserData | null
+}
+```
+
+> Vérifier le chemin réel du type `UserData` (`grep -rn "export type UserData\|export interface UserData" frontend`) et ajuster l'import. À défaut, remplacer par `{ id: number, username: string } | null`.
+
+- [ ] **Step 4 : `commercial-report.ts`**
+
+```ts
+import type { ReportDocument } from './report-document'
+
+export type ReportType = 'call' | 'meeting' | 'email' | 'note'
+
+export type CommercialReport = {
+    id: number
+    '@id'?: string
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    author?: { id: number, username: string } | null
+    client?: string | null
+    prospect?: string | null
+    documents?: ReportDocument[]
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type CommercialReportWrite = {
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 5 : Vérifier la compilation TS**
+
+Run: `cd frontend && npx nuxi typecheck` (ou `npm run typecheck` si défini ; sinon `npx vue-tsc --noEmit`).
+Expected: pas d'erreur sur les nouveaux fichiers.
+
+- [ ] **Step 6 : Commit**
+
+```bash
+git add frontend/modules/directory/services/dto/
+git commit -m "feat(directory) : add frontend DTOs for contacts, addresses, reports"
+```
+
+---
+
+## Task 11 : Services frontend
+
+**Files:**
+- Create: `frontend/modules/directory/services/contacts.ts`
+- Create: `frontend/modules/directory/services/addresses.ts`
+- Create: `frontend/modules/directory/services/commercial-reports.ts`
+- Create: `frontend/modules/directory/services/report-documents.ts`
+
+**Interfaces:**
+- Consumes: DTO de Task 10, `useApi()`, `extractHydraMembers`.
+- Produces: `useContactService`, `useAddressService`, `useCommercialReportService`, `useReportDocumentService` (CRUD + filtre par owner).
+
+- [ ] **Step 1 : `contacts.ts`**
+
+```ts
+import type { Contact, ContactWrite } from './dto/contact'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useContactService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Contact[]> {
+        const data = await api.get<HydraCollection<Contact>>('/contacts', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: ContactWrite): Promise<Contact> {
+        return api.post<Contact>('/contacts', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ContactWrite>): Promise<Contact> {
+        return api.patch<Contact>(`/contacts/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/contacts/${id}`, {}, { toastSuccessKey: 'directory.contacts.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 2 : `addresses.ts`** (même structure, ressource `/addresses`, clés i18n `directory.addresses.*`)
+
+```ts
+import type { Address, AddressWrite } from './dto/address'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useAddressService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Address[]> {
+        const data = await api.get<HydraCollection<Address>>('/addresses', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: AddressWrite): Promise<Address> {
+        return api.post<Address>('/addresses', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<AddressWrite>): Promise<Address> {
+        return api.patch<Address>(`/addresses/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/addresses/${id}`, {}, { toastSuccessKey: 'directory.addresses.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 3 : `commercial-reports.ts`**
+
+```ts
+import type { CommercialReport, CommercialReportWrite } from './dto/commercial-report'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useCommercialReportService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<CommercialReport[]> {
+        const data = await api.get<HydraCollection<CommercialReport>>('/commercial_reports', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: CommercialReportWrite): Promise<CommercialReport> {
+        return api.post<CommercialReport>('/commercial_reports', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<CommercialReportWrite>): Promise<CommercialReport> {
+        return api.patch<CommercialReport>(`/commercial_reports/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/commercial_reports/${id}`, {}, { toastSuccessKey: 'directory.reports.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 4 : `report-documents.ts`** (upload multipart + download URL, calqué sur `task-documents.ts`)
+
+```ts
+import type { ReportDocument } from './dto/report-document'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+import { $fetch } from 'ofetch'
+
+export function useReportDocumentService() {
+    const api = useApi()
+    const config = useRuntimeConfig()
+    const baseURL = config.public.apiBase || '/api'
+
+    async function getByReport(reportId: number): Promise<ReportDocument[]> {
+        const data = await api.get<HydraCollection<ReportDocument>>('/report_documents', {
+            commercialReport: `/api/commercial_reports/${reportId}`,
+        })
+        return extractHydraMembers(data)
+    }
+
+    async function upload(reportId: number, file: File): Promise<ReportDocument> {
+        const formData = new FormData()
+        formData.append('file', file)
+        formData.append('commercialReport', `/api/commercial_reports/${reportId}`)
+
+        return $fetch<ReportDocument>(`${baseURL}/report_documents`, {
+            method: 'POST',
+            body: formData,
+            credentials: 'include',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/report_documents/${id}`, {}, { toastSuccessKey: 'directory.documents.deleted' })
+    }
+
+    function getDownloadUrl(id: number): string {
+        return `${baseURL}/report_documents/${id}/download`
+    }
+
+    return { getByReport, upload, remove, getDownloadUrl }
+}
+```
+
+- [ ] **Step 5 : Vérifier la compilation TS** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 6 : Commit**
+
+```bash
+git add frontend/modules/directory/services/
+git commit -m "feat(directory) : add frontend services for contacts, addresses, reports, documents"
+```
+
+---
+
+## Task 12 : Composant `DirectoryContactBlock`
+
+**Files:**
+- Create: `frontend/modules/directory/components/DirectoryContactBlock.vue`
+
+**Interfaces:**
+- Consumes: type `Contact` (Task 10), composants `@malio/layer-ui` (`MalioInputText`, `MalioInputEmail`, `MalioButtonIcon`).
+- Produces: bloc d'édition d'un contact ; props `modelValue: Contact`, `title: string`, `removable?: boolean`, `readonly?: boolean` ; events `update:modelValue`, `remove`.
+
+> Avant d'écrire : ouvrir `frontend/node_modules/@malio/layer-ui/COMPONENTS.md` pour confirmer les noms de props des inputs (`label`, `model-value`/`v-model`, `readonly`, `error`). Reproduire le style des drawers existants (`ProspectDrawer.vue`).
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            :label="$t('directory.contacts.fields.lastName')"
+            :model-value="modelValue.lastName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('lastName', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.firstName')"
+            :model-value="modelValue.firstName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('firstName', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.contacts.fields.jobTitle')"
+            :model-value="modelValue.jobTitle ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('jobTitle', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.email')"
+            :model-value="modelValue.email ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('email', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phonePrimary')"
+            :model-value="modelValue.phonePrimary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phonePrimary', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phoneSecondary')"
+            :model-value="modelValue.phoneSecondary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phoneSecondary', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Contact } from '~/modules/directory/services/dto/contact'
+
+const props = defineProps<{
+    modelValue: Contact
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Contact]
+    'remove': []
+}>()
+
+function update(field: keyof Contact, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
+```
+
+- [ ] **Step 2 : Vérifier le rendu** — `make dev-nuxt`, importer le composant dans une page de test ou attendre Task 16. Vérifier l'absence d'erreur console au build : `cd frontend && npx nuxi typecheck`.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/DirectoryContactBlock.vue
+git commit -m "feat(directory) : add repeatable contact block component"
+```
+
+---
+
+## Task 13 : Composant `DirectoryAddressBlock`
+
+**Files:**
+- Create: `frontend/modules/directory/components/DirectoryAddressBlock.vue`
+
+**Interfaces:**
+- Produces: bloc d'édition d'une adresse ; mêmes props/events que `DirectoryContactBlock` mais `modelValue: Address`.
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.label')"
+            :model-value="modelValue.label ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('label', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.street')"
+            :model-value="modelValue.street ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('street', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.streetComplement')"
+            :model-value="modelValue.streetComplement ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('streetComplement', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.postalCode')"
+            :model-value="modelValue.postalCode ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('postalCode', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.city')"
+            :model-value="modelValue.city ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('city', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Address } from '~/modules/directory/services/dto/address'
+
+const props = defineProps<{
+    modelValue: Address
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Address]
+    'remove': []
+}>()
+
+function update(field: keyof Address, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
+```
+
+- [ ] **Step 2 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/DirectoryAddressBlock.vue
+git commit -m "feat(directory) : add repeatable address block component"
+```
+
+---
+
+## Task 14 : Composants documents de rapport (`ReportDocumentUpload`, `ReportDocumentList`)
+
+**Files:**
+- Create: `frontend/modules/directory/components/ReportDocumentUpload.vue`
+- Create: `frontend/modules/directory/components/ReportDocumentList.vue`
+
+**Interfaces:**
+- Consumes: `useReportDocumentService` (Task 11), `ReportDocument` DTO.
+- Produces: `ReportDocumentUpload` (prop `reportId: number`, event `uploaded`), `ReportDocumentList` (prop `documents: ReportDocument[]`, `isAdmin: boolean`, event `delete`).
+
+> S'inspirer de `frontend/modules/project-management/components/TaskDocumentUpload.vue` et `TaskDocumentList.vue` (les lire d'abord). Version simplifiée : upload simple + liste avec lien download + bouton suppression. Pas de SMB, pas de preview avancé (lien `getDownloadUrl` ouvert dans un onglet).
+
+- [ ] **Step 1 : `ReportDocumentUpload.vue`**
+
+```vue
+<template>
+    <div class="flex items-center gap-3">
+        <input
+            ref="fileInput"
+            type="file"
+            class="hidden"
+            @change="onFileSelected"
+        >
+        <MalioButton
+            icon-name="mdi:paperclip"
+            icon-position="left"
+            button-class="w-auto px-4"
+            :label="$t('directory.documents.add')"
+            :disabled="uploading"
+            @click="fileInput?.click()"
+        />
+        <span v-if="uploading" class="text-sm text-neutral-500">{{ $t('directory.documents.uploading') }}</span>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{ reportId: number }>()
+const emit = defineEmits<{ uploaded: [] }>()
+
+const service = useReportDocumentService()
+const fileInput = ref<HTMLInputElement | null>(null)
+const uploading = ref(false)
+
+async function onFileSelected(event: Event): Promise<void> {
+    const input = event.target as HTMLInputElement
+    const file = input.files?.[0]
+    if (!file) return
+
+    uploading.value = true
+    try {
+        await service.upload(props.reportId, file)
+        emit('uploaded')
+    } finally {
+        uploading.value = false
+        input.value = ''
+    }
+}
+</script>
+```
+
+- [ ] **Step 2 : `ReportDocumentList.vue`**
+
+```vue
+<template>
+    <ul v-if="documents.length" class="flex flex-col gap-2">
+        <li
+            v-for="doc in documents"
+            :key="doc.id"
+            class="flex items-center justify-between rounded border border-neutral-200 px-3 py-2"
+        >
+            <a
+                :href="downloadUrl(doc.id)"
+                target="_blank"
+                rel="noopener"
+                class="flex items-center gap-2 text-sm text-blue-700 hover:underline"
+            >
+                <Icon name="mdi:file-document-outline" />
+                {{ doc.originalName }}
+            </a>
+            <MalioButtonIcon
+                v-if="isAdmin"
+                icon="mdi:trash-can-outline"
+                button-class="!text-red-600"
+                :aria-label="$t('common.delete')"
+                @click="$emit('delete', doc.id)"
+            />
+        </li>
+    </ul>
+    <p v-else class="text-sm text-neutral-400">
+        {{ $t('directory.documents.empty') }}
+    </p>
+</template>
+
+<script setup lang="ts">
+import type { ReportDocument } from '~/modules/directory/services/dto/report-document'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+defineProps<{ documents: ReportDocument[], isAdmin: boolean }>()
+defineEmits<{ delete: [id: number] }>()
+
+const { getDownloadUrl } = useReportDocumentService()
+function downloadUrl(id: number): string {
+    return getDownloadUrl(id)
+}
+</script>
+```
+
+- [ ] **Step 3 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 4 : Commit**
+
+```bash
+git add frontend/modules/directory/components/ReportDocumentUpload.vue frontend/modules/directory/components/ReportDocumentList.vue
+git commit -m "feat(directory) : add report document upload/list components"
+```
+
+---
+
+## Task 15 : Onglet Rapport (`CommercialReportTab`)
+
+**Files:**
+- Create: `frontend/modules/directory/components/CommercialReportTab.vue`
+
+**Interfaces:**
+- Consumes: `useCommercialReportService` (Task 11), `ReportDocumentUpload`/`ReportDocumentList` (Task 14), composants Malio (`MalioInputText`, `MalioInputTextArea`, `MalioSelect`, `MalioDate`, `MalioButton`).
+- Produces: onglet complet ; prop `owner: { client?: string, prospect?: string }`, `isAdmin: boolean`. Gère liste + formulaire d'ajout/édition + documents.
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="flex flex-col gap-6 pt-6">
+        <!-- Formulaire d'ajout / édition -->
+        <div v-if="isAdmin" class="grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+            <MalioInputText
+                class="col-span-2"
+                :label="$t('directory.reports.fields.subject')"
+                v-model="draft.subject"
+            />
+            <MalioSelect
+                :label="$t('directory.reports.fields.type')"
+                v-model="draft.type"
+                :options="typeOptions"
+                group-class="w-full"
+            />
+            <MalioDate
+                :label="$t('directory.reports.fields.occurredAt')"
+                v-model="draft.occurredAt"
+            />
+            <MalioInputTextArea
+                class="col-span-2"
+                :label="$t('directory.reports.fields.body')"
+                v-model="draft.body"
+            />
+            <div class="col-span-2 flex justify-end gap-3">
+                <MalioButton
+                    v-if="editingId"
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('common.cancel')"
+                    @click="resetDraft"
+                />
+                <MalioButton
+                    button-class="w-auto px-4"
+                    :label="editingId ? $t('common.save') : $t('directory.reports.add')"
+                    :disabled="!draft.subject"
+                    @click="save"
+                />
+            </div>
+        </div>
+
+        <!-- Liste des comptes-rendus -->
+        <div v-for="report in reports" :key="report.id" class="rounded border border-neutral-200 p-4">
+            <div class="flex items-start justify-between">
+                <div>
+                    <p class="font-semibold text-neutral-800">{{ report.subject }}</p>
+                    <p class="text-xs text-neutral-500">
+                        {{ formatDate(report.occurredAt) }} · {{ $t(`directory.reports.types.${report.type}`) }}
+                        <span v-if="report.author"> · {{ report.author.username }}</span>
+                    </p>
+                </div>
+                <div v-if="isAdmin" class="flex gap-2">
+                    <MalioButtonIcon icon="mdi:pencil-outline" :aria-label="$t('common.edit')" @click="edit(report)" />
+                    <MalioButtonIcon icon="mdi:trash-can-outline" button-class="!text-red-600" :aria-label="$t('common.delete')" @click="remove(report.id)" />
+                </div>
+            </div>
+            <p v-if="report.body" class="mt-2 whitespace-pre-wrap text-sm text-neutral-700">{{ report.body }}</p>
+
+            <div class="mt-3 flex flex-col gap-2">
+                <ReportDocumentList
+                    :documents="report.documents ?? []"
+                    :is-admin="isAdmin"
+                    @delete="(id) => removeDocument(report, id)"
+                />
+                <ReportDocumentUpload
+                    v-if="isAdmin"
+                    :report-id="report.id"
+                    @uploaded="reload"
+                />
+            </div>
+        </div>
+
+        <p v-if="!reports.length" class="text-sm text-neutral-400">
+            {{ $t('directory.reports.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { CommercialReport, CommercialReportWrite, ReportType } from '~/modules/directory/services/dto/commercial-report'
+import { useCommercialReportService } from '~/modules/directory/services/commercial-reports'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{
+    owner: { client?: string, prospect?: string }
+    isAdmin: boolean
+}>()
+
+const { t } = useI18n()
+const reportService = useCommercialReportService()
+const documentService = useReportDocumentService()
+
+const reports = ref<CommercialReport[]>([])
+const editingId = ref<number | null>(null)
+
+function emptyDraft(): CommercialReportWrite {
+    return {
+        subject: '',
+        body: null,
+        occurredAt: new Date().toISOString().slice(0, 10),
+        type: 'note',
+        ...props.owner,
+    }
+}
+const draft = ref<CommercialReportWrite>(emptyDraft())
+
+const typeOptions: { label: string, value: ReportType }[] = [
+    { label: t('directory.reports.types.call'), value: 'call' },
+    { label: t('directory.reports.types.meeting'), value: 'meeting' },
+    { label: t('directory.reports.types.email'), value: 'email' },
+    { label: t('directory.reports.types.note'), value: 'note' },
+]
+
+function formatDate(iso: string): string {
+    return new Date(iso).toLocaleDateString('fr-FR')
+}
+
+async function reload(): Promise<void> {
+    reports.value = await reportService.getByOwner(props.owner)
+}
+
+function resetDraft(): void {
+    editingId.value = null
+    draft.value = emptyDraft()
+}
+
+function edit(report: CommercialReport): void {
+    editingId.value = report.id
+    draft.value = {
+        subject: report.subject,
+        body: report.body,
+        occurredAt: report.occurredAt.slice(0, 10),
+        type: report.type,
+        ...props.owner,
+    }
+}
+
+async function save(): Promise<void> {
+    if (editingId.value) {
+        await reportService.update(editingId.value, draft.value)
+    } else {
+        await reportService.create(draft.value)
+    }
+    resetDraft()
+    await reload()
+}
+
+async function remove(id: number): Promise<void> {
+    await reportService.remove(id)
+    await reload()
+}
+
+async function removeDocument(report: CommercialReport, id: number): Promise<void> {
+    await documentService.remove(id)
+    await reload()
+}
+
+onMounted(reload)
+watch(() => props.owner, reload, { deep: true })
+</script>
+```
+
+> Confirmer les props réelles de `MalioDate`, `MalioInputTextArea`, `MalioSelect` dans `COMPONENTS.md` (notamment `v-model` vs `model-value`/`@update:model-value`, et que `MalioSelect` accepte une valeur `string` — cf. CLAUDE.md). Ajuster si nécessaire.
+
+- [ ] **Step 2 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/CommercialReportTab.vue
+git commit -m "feat(directory) : add commercial report tab (list, form, documents)"
+```
+
+---
+
+## Task 16 : Fiche détail Client
+
+**Files:**
+- Create: `frontend/modules/directory/pages/clients/[id].vue`
+
+**Interfaces:**
+- Consumes: `useClientService`, `useContactService`, `useAddressService`, blocs Task 12/13, `CommercialReportTab` (Task 15), `MalioTabList`.
+- Produces: page `/directory/clients/:id` ; onglets Contact/Adresse/Rapport ; owner = `{ client: '/api/clients/:id' }`.
+
+> `useClientService` n'a pas `getById` aujourd'hui (`services/clients.ts`). Ajouter une méthode `getById(id)` au service clients (calquée sur prospects.ts) dans cette tâche.
+
+- [ ] **Step 1 : Ajouter `getById` au service clients**
+
+Dans `frontend/modules/directory/services/clients.ts`, ajouter à l'intérieur de `useClientService` (et l'exposer dans le `return`) :
+
+```ts
+    async function getById(id: number): Promise<Client> {
+        return api.get<Client>(`/clients/${id}`)
+    }
+```
+
+- [ ] **Step 2 : Écrire la page**
+
+```vue
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ client?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="client">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useClientService } from '~/modules/directory/services/clients'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/clients/${id}`
+const owner = { client: ownerIri }
+
+const clientService = useClientService()
+const contactService = useContactService()
+const addressService = useAddressService()
+
+const client = ref<Client | null>(null)
+const contacts = ref<Contact[]>([])
+const addresses = ref<Address[]>([])
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function emptyContact(): Contact {
+    return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, client: ownerIri }
+}
+function emptyAddress(): Address {
+    return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', client: ownerIri }
+}
+
+async function onContactInput(index: number, value: Contact): Promise<void> {
+    contacts.value[index] = value
+    await persistContact(index)
+}
+async function persistContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, client: ownerIri }
+    if (c.id && c.id > 0) {
+        await contactService.update(c.id, payload)
+    } else if (c.lastName || c.firstName) {
+        const created = await contactService.create(payload)
+        contacts.value[index] = created
+    }
+}
+function addContact(): void {
+    contacts.value.push(emptyContact())
+}
+async function removeContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    if (c.id && c.id > 0) await contactService.remove(c.id)
+    contacts.value.splice(index, 1)
+}
+
+async function onAddressInput(index: number, value: Address): Promise<void> {
+    addresses.value[index] = value
+    await persistAddress(index)
+}
+async function persistAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, client: ownerIri }
+    if (a.id && a.id > 0) {
+        await addressService.update(a.id, payload)
+    } else if (a.street || a.city || a.postalCode) {
+        const created = await addressService.create(payload)
+        addresses.value[index] = created
+    }
+}
+function addAddress(): void {
+    addresses.value.push(emptyAddress())
+}
+async function removeAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    if (a.id && a.id > 0) await addressService.remove(a.id)
+    addresses.value.splice(index, 1)
+}
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    client.value = await clientService.getById(id)
+    contacts.value = await contactService.getByOwner({ client: ownerIri })
+    addresses.value = await addressService.getByOwner({ client: ownerIri })
+    loading.value = false
+})
+</script>
+```
+
+> Décision UX explicite : la sauvegarde par bloc se fait au `@update:model-value` (à la frappe). Si ça génère trop d'appels, ajouter un debounce ou un bouton « Enregistrer » par bloc dans une itération ultérieure (hors périmètre de ce plan).
+
+- [ ] **Step 3 : Vérifier le routage et le rendu**
+
+Run: `make dev-nuxt` puis naviguer vers `/directory/clients/1`.
+Expected: page chargée, 3 onglets visibles, ajout d'un contact persiste (vérifier via `GET /api/contacts?client=/api/clients/1`).
+
+- [ ] **Step 4 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/clients/ frontend/modules/directory/services/clients.ts
+git commit -m "feat(directory) : add client detail page with contact/address/report tabs"
+```
+
+---
+
+## Task 17 : Fiche détail Prospect
+
+**Files:**
+- Create: `frontend/modules/directory/pages/prospects/[id].vue`
+
+**Interfaces:**
+- Identique à Task 16 mais owner = `{ prospect: '/api/prospects/:id' }`, service `useProspectService().getById` (déjà présent).
+
+- [ ] **Step 1 : Écrire la page**
+
+Reprendre **intégralement** la page de Task 16 (`clients/[id].vue`) en remplaçant :
+- `useClientService` → `useProspectService` ; `clientService.getById` → `prospectService.getById` ; type `Client` → `Prospect` (import `~/modules/directory/services/dto/prospect`).
+- `const ownerIri = '/api/prospects/${id}'` ; `const owner = { prospect: ownerIri }`.
+- Dans `emptyContact`/`emptyAddress` et les payloads : remplacer `client: ownerIri` par `prospect: ownerIri`.
+- `getByOwner({ client: ownerIri })` → `getByOwner({ prospect: ownerIri })` (contacts et adresses).
+
+Code complet :
+
+```vue
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ prospect?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="prospect">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Prospect } from '~/modules/directory/services/dto/prospect'
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useProspectService } from '~/modules/directory/services/prospects'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/prospects/${id}`
+const owner = { prospect: ownerIri }
+
+const prospectService = useProspectService()
+const contactService = useContactService()
+const addressService = useAddressService()
+
+const prospect = ref<Prospect | null>(null)
+const contacts = ref<Contact[]>([])
+const addresses = ref<Address[]>([])
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function emptyContact(): Contact {
+    return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, prospect: ownerIri }
+}
+function emptyAddress(): Address {
+    return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', prospect: ownerIri }
+}
+
+async function onContactInput(index: number, value: Contact): Promise<void> {
+    contacts.value[index] = value
+    await persistContact(index)
+}
+async function persistContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, prospect: ownerIri }
+    if (c.id && c.id > 0) {
+        await contactService.update(c.id, payload)
+    } else if (c.lastName || c.firstName) {
+        const created = await contactService.create(payload)
+        contacts.value[index] = created
+    }
+}
+function addContact(): void {
+    contacts.value.push(emptyContact())
+}
+async function removeContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    if (c.id && c.id > 0) await contactService.remove(c.id)
+    contacts.value.splice(index, 1)
+}
+
+async function onAddressInput(index: number, value: Address): Promise<void> {
+    addresses.value[index] = value
+    await persistAddress(index)
+}
+async function persistAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, prospect: ownerIri }
+    if (a.id && a.id > 0) {
+        await addressService.update(a.id, payload)
+    } else if (a.street || a.city || a.postalCode) {
+        const created = await addressService.create(payload)
+        addresses.value[index] = created
+    }
+}
+function addAddress(): void {
+    addresses.value.push(emptyAddress())
+}
+async function removeAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    if (a.id && a.id > 0) await addressService.remove(a.id)
+    addresses.value.splice(index, 1)
+}
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    prospect.value = await prospectService.getById(id)
+    contacts.value = await contactService.getByOwner({ prospect: ownerIri })
+    addresses.value = await addressService.getByOwner({ prospect: ownerIri })
+    loading.value = false
+})
+</script>
+```
+
+- [ ] **Step 2 : Vérifier le rendu** — `/directory/prospects/1`. Expected: 3 onglets, ajout de contact persiste.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/prospects/
+git commit -m "feat(directory) : add prospect detail page with contact/address/report tabs"
+```
+
+---
+
+## Task 18 : Navigation liste → fiche détail
+
+**Files:**
+- Modify: `frontend/modules/directory/pages/directory.vue`
+
+**Interfaces:**
+- Consumes: pages détail Task 16/17.
+- Produces: clic sur une ligne client/prospect → navigation vers la fiche détail (au lieu d'ouvrir le drawer). Le drawer reste pour la création (`openCreateClient`/`openCreateProspect`).
+
+- [ ] **Step 1 : Modifier les handlers de clic**
+
+Dans `frontend/modules/directory/pages/directory.vue`, remplacer `openEditClient` et `openEditProspect` par une navigation :
+
+```ts
+function openEditClient(item: Record<string, unknown>) {
+    navigateTo(`/directory/clients/${(item as Client).id}`)
+}
+
+function openEditProspect(item: Record<string, unknown>) {
+    navigateTo(`/directory/prospects/${(item as Prospect).id}`)
+}
+```
+
+Laisser `selectedClient`/`selectedProspect` et les drawers en place **uniquement** pour la création (`openCreateClient`/`openCreateProspect` inchangés). Retirer `selectedClient.value = item` des anciens handlers.
+
+- [ ] **Step 2 : Vérifier**
+
+Run: `make dev-nuxt` ; sur `/directory`, cliquer une ligne client → arrive sur `/directory/clients/:id` ; le bouton « Ajouter » ouvre toujours le drawer.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/directory.vue
+git commit -m "feat(directory) : open detail page on row click, keep drawer for creation"
+```
+
+---
+
+## Task 19 : Traductions i18n
+
+**Files:**
+- Modify: `frontend/i18n/locales/fr.json`
+
+**Interfaces:**
+- Produces: toutes les clés `directory.tabs.{contact,address,report}`, `directory.contacts.*`, `directory.addresses.*`, `directory.reports.*`, `directory.documents.*`, et les clés `common.*` utilisées (`back`, `loading`, `edit`, `delete`, `save`, `cancel`).
+
+- [ ] **Step 1 : Ajouter les clés sous `directory`**
+
+Dans `frontend/i18n/locales/fr.json`, étendre l'objet `directory` (fusionner avec l'existant `directory.title`/`directory.tabs.clients`/...) :
+
+```json
+"directory": {
+    "tabs": {
+        "contact": "Contact",
+        "address": "Adresse",
+        "report": "Rapport"
+    },
+    "contacts": {
+        "add": "Ajouter un contact",
+        "item": "Contact {n}",
+        "saved": "Contact enregistré.",
+        "deleted": "Contact supprimé.",
+        "fields": {
+            "lastName": "Nom",
+            "firstName": "Prénom",
+            "jobTitle": "Fonction",
+            "email": "Email",
+            "phonePrimary": "Téléphone",
+            "phoneSecondary": "Téléphone secondaire"
+        }
+    },
+    "addresses": {
+        "add": "Ajouter une adresse",
+        "item": "Adresse {n}",
+        "saved": "Adresse enregistrée.",
+        "deleted": "Adresse supprimée.",
+        "fields": {
+            "label": "Libellé",
+            "street": "Rue",
+            "streetComplement": "Complément",
+            "postalCode": "Code postal",
+            "city": "Ville"
+        }
+    },
+    "reports": {
+        "add": "Ajouter un compte-rendu",
+        "empty": "Aucun compte-rendu.",
+        "saved": "Compte-rendu enregistré.",
+        "deleted": "Compte-rendu supprimé.",
+        "fields": {
+            "subject": "Objet",
+            "type": "Type d'échange",
+            "occurredAt": "Date",
+            "body": "Compte-rendu"
+        },
+        "types": {
+            "call": "Appel",
+            "meeting": "Rendez-vous",
+            "email": "Email",
+            "note": "Note"
+        }
+    },
+    "documents": {
+        "add": "Joindre un document",
+        "uploading": "Envoi…",
+        "empty": "Aucun document.",
+        "deleted": "Document supprimé."
+    }
+}
+```
+
+> ⚠️ Préserver les clés `directory` existantes (`title`, `tabs.clients`, `tabs.prospects`, `clients.*`, `prospects.*`). Fusionner, ne pas écraser. `tabs` reçoit `contact`/`address`/`report` **en plus** de `clients`/`prospects`.
+
+- [ ] **Step 2 : Ajouter les clés `common` manquantes** (si absentes — vérifier d'abord `grep '"common"' frontend/i18n/locales/fr.json`)
+
+```json
+"common": {
+    "back": "Retour",
+    "loading": "Chargement…",
+    "edit": "Modifier",
+    "delete": "Supprimer",
+    "save": "Enregistrer",
+    "cancel": "Annuler"
+}
+```
+
+- [ ] **Step 3 : Vérifier le JSON**
+
+Run: `docker exec -i php-lesstime-fpm node -e "require('./frontend/i18n/locales/fr.json')"` (ou `python3 -m json.tool frontend/i18n/locales/fr.json > /dev/null`).
+Expected: pas d'erreur de parsing.
+
+- [ ] **Step 4 : Vérifier l'absence de clés manquantes en UI** — `make dev-nuxt`, parcourir les fiches : aucun libellé brut `directory.xxx` affiché.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add frontend/i18n/locales/fr.json
+git commit -m "feat(directory) : add i18n keys for contacts, addresses, reports tabs"
+```
+
+---
+
+## Task 20 : Vérification de bout en bout
+
+**Files:** aucun (vérification manuelle + suite de tests).
+
+- [ ] **Step 1 : Suite backend complète**
+
+Run: `make test`
+Expected: vert.
+
+- [ ] **Step 2 : Style PHP**
+
+Run: `make php-cs-fixer-allow-risky`
+Expected: fichiers conformes (commit si des corrections sont appliquées).
+
+- [ ] **Step 3 : Parcours fonctionnel**
+
+Avec `make dev-nuxt` et un compte `admin/admin` :
+1. `/directory` → cliquer un client → fiche détail.
+2. Onglet Contact : ajouter 2 contacts, recharger la page → les 2 sont présents.
+3. Onglet Adresse : ajouter 1 adresse → présente après reload.
+4. Onglet Rapport : créer un compte-rendu (type « Appel »), joindre un PDF → document listé et téléchargeable.
+5. Sur un prospect avec contacts/adresses/rapports → « Convertir en client » → ouvrir le client créé → contacts/adresses/rapports présents sur le client, absents du prospect.
+
+- [ ] **Step 4 : Commit de clôture éventuel** (si php-cs-fixer a modifié des fichiers)
+
+```bash
+git add -A
+git commit -m "style(directory) : apply php-cs-fixer"
+```
+
+---
+
+## Notes d'exécution
+
+- **Ordre des tâches :** 1 → 9 (backend) avant 10 → 19 (frontend) ; Task 5 doit précéder la migration (Task 6) car `CommercialReport` référence `ReportDocument`.
+- **Points à confirmer en cours de route** (signalés inline) : style d'injection des services dans `services.yaml` (copier le pattern `TaskDocument*`), props exactes des composants Malio (`COMPONENTS.md`), chemin du type `UserData`, helper d'auth JWT des tests API.
+- **Décision UX assumée :** sauvegarde par bloc à la frappe (Contact/Adresse). Debounce/bouton explicite = itération ultérieure si besoin.
diff --git a/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md b/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
new file mode 100644
index 0000000..5f58cb6
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
@@ -0,0 +1,192 @@
+# LST-56 — Socle modular monolith DDD + pilote « Projets/Tâches »
+
+> Ticket Lesstime **#56** (1/5 — groupe « Refonte / Alignement Starseed »).
+> Design validé le 2026-06-19. Référence vivante : repo **Starseed** (`.claude/rules/*.md` + implémentation réelle), et `Starseed/doc/architecture-modulaire-malio.md` (vision cible théorique — **non contraignante** là où elle diverge du code réel).
+
+## 1. Objectif & contraintes
+
+Poser dans Lesstime l'**infrastructure d'un modular monolith DDD** calquée sur Starseed, et **migrer un premier module pilote** (Projets/Tâches) de bout en bout comme preuve que la mécanique tient sur le cœur métier.
+
+Contraintes **non négociables** :
+
+- **Ne rien casser de l'existant.** Migration **strangler progressive** : le code legacy (`src/Entity/…`) et les modules (`src/Module/…`) coexistent ; l'application reste fonctionnelle et `make test` vert à **chaque** étape.
+- **Prod = Docker, BDD peuplée** → uniquement des migrations **additives et nullable** (aucun `DROP`, aucun `NOT NULL` rétroactif, aucun déplacement de données).
+- **Profondeur DDD : pragmatique**, alignée sur le **Starseed réel** (pas la doc théorique) : ORM attributs conservés dans les entités Domain, Repository = interface (Domain) + impl Doctrine (Infrastructure), Provider/Processor API Platform, contrats `Shared/Domain/Contract` pour le cross-module. **Pas de CQRS bus systématique, pas de multi-tenant.**
+
+### Décisions de cadrage (figées)
+
+| Sujet | Décision |
+|-------|----------|
+| Périmètre #56 | Socle complet + **1 module pilote** migré de bout en bout |
+| Stratégie | **Strangler progressif** (legacy + modules en parallèle) |
+| Profondeur DDD | **Pragmatique** (= Starseed réel) |
+| Module pilote | **Projets/Tâches** (cœur métier) |
+| Dépendances du pilote (User/Client/Notification) | Restent **legacy**, câblées via **contrats `Shared/Domain/Contract`** + `resolve_target_entities` |
+| Infra d'audit Starseed | **Différée** → ticket Lesstime dédié (créé séparément) |
+| Périmètre front #56 | **Câblage shell/shared/middlewares + migration du pilote en layer**, sans relooking (le relooking Malio reste #60) |
+| Exposition API du pilote | **Garder les `#[ApiResource]` actuels** (étendre seulement les chemins de scan) — zéro régression API |
+| Tâche → Notification | **Contrat `NotifierInterface`** (impl legacy crée la `Notification`) |
+| Nom/ID du module | back `ProjectManagement` / front `project-management` / ID `project_management` |
+
+## 2. Garde-fous Starseed retenus pour #56
+
+Repris : `declare(strict_types=1)`, `src/Module/<X>/{Domain,Application,Infrastructure}`, `Shared/Domain/Contract` + `resolve_target_entities` (zéro import inter-modules), `config/modules.php` + `config/sidebar.php`, endpoints `/api/modules` + `/api/sidebar` + `/api/version`, `TimestampableBlamableTrait` + subscriber, pagination obligatoire, `COMMENT ON COLUMN` (helper `ColumnCommentsCatalog`), front layers auto-détectés + `useSidebar`/`useModules` + `auth.global.ts`/`modules.global.ts`.
+
+Reportés (hors #56) : **infra d'audit** (`#[Auditable]`/`#[AuditIgnore]`, table `audit_log`, listener, resource) → ticket dédié. **RBAC fin** (`module.resource.action`) → #57 ; en #56 la sidebar filtre **par module actif** (au plus un gate `ROLE_ADMIN`).
+
+## 3. Backend — arborescence cible
+
+```
+src/Shared/
+├── Domain/
+│   ├── Contract/        UserInterface, UserResolverInterface, ClientInterface, NotifierInterface
+│   ├── Event/           DomainEventInterface
+│   └── Trait/           TimestampableBlamableTrait
+├── Infrastructure/
+│   ├── Doctrine/        TimestampableBlamableSubscriber
+│   ├── Database/        ColumnCommentsCatalog (helper COMMENT ON COLUMN + 4 colonnes std)
+│   └── ApiPlatform/
+│       ├── Resource/    ModulesResource, SidebarResource
+│       └── State/       ModulesProvider, SidebarProvider
+│
+src/Module/ProjectManagement/
+├── ProjectManagementModule.php   ID='project_management', LABEL='Projets', REQUIRED=false, permissions()=[] (stub, RBAC réel #57)
+├── Domain/
+│   ├── Entity/          Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort,
+│   │                    TaskPriority, TaskTag, TaskRecurrence, TaskDocument
+│   └── Repository/      *RepositoryInterface (une interface par agrégat consommé)
+├── Application/         RecurrenceCalculator/RecurrenceHandler + services task-centric déplacés
+└── Infrastructure/
+    ├── Doctrine/        Doctrine*Repository + Migrations/ (additif Timestampable)
+    ├── ApiPlatform/     State/Provider + State/Processor déplacés (TaskNumber, TaskCalendar,
+    │                    TaskDocument*, SwitchProjectWorkflow, WorkflowDelete, ActiveTimeEntry resté legacy…)
+    └── Mcp/Tool/        MCP tools Project/, Task/, TaskMeta/, Workflow/ déplacés
+```
+
+`src/Entity/` conserve **intacts** : `User`, `Client`, `Notification`, `TimeEntry`, `AbsenceRequest`/`AbsencePolicy`/`AbsenceBalance`, `Mail*`, `Gitea*`/`BookStack*`/`Zimbra*`/`Share*Configuration`. Ces domaines seront modularisés dans des tickets ultérieurs.
+
+> **Note de découpage** : `TimeEntry` reste legacy en #56 (domaine Time tracking séparé). Le lien `Task ↔ TimeEntry` est porté côté `TimeEntry` (FK nullable vers la table `task`) ; aucune contrainte ne casse car la table `task` ne change pas de nom.
+
+## 4. Câblage des dépendances (zéro import inter-modules)
+
+1. Interfaces dans `src/Shared/Domain/Contract/` :
+   - `UserInterface` (id + identifiants nécessaires aux entités du module : assignee, collaborators, createdBy/updatedBy),
+   - `ClientInterface` (id + nom, pour `Project.client`),
+   - `UserResolverInterface` (résoudre un user par id, pour les State/MCP du module),
+   - `NotifierInterface` (créer une notification — impl legacy).
+2. Les entités du module **type-hintent les interfaces**, jamais `App\Entity\*`.
+3. `config/packages/doctrine.yaml → orm.resolve_target_entities` :
+   ```yaml
+   resolve_target_entities:
+       App\Shared\Domain\Contract\UserInterface:   App\Entity\User
+       App\Shared\Domain\Contract\ClientInterface: App\Entity\Client
+   ```
+4. `App\Entity\User` `implements UserInterface`, `App\Entity\Client` `implements ClientInterface` (legacy modifié à minima, additif).
+5. Notifications : `App\Module\ProjectManagement\…` appelle `NotifierInterface` ; impl `App\…\LegacyNotifier` (wrappe le `NotificationService` actuel). Le `TaskNotificationListener` est déplacé/adapté pour passer par le contrat.
+
+## 5. Config backend (toutes additives)
+
+- **`doctrine.yaml`** — ajouter un mapping module (garder `App → src/Entity`) :
+  ```yaml
+  mappings:
+      App: { type: attribute, is_bundle: false, dir: '%kernel.project_dir%/src/Entity', prefix: 'App\Entity', alias: App }
+      ProjectManagement:
+          type: attribute
+          is_bundle: false
+          dir: '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+          prefix: 'App\Module\ProjectManagement\Domain\Entity'
+  ```
+  Les entités déplacées **gardent leur `#[ORM\Table(name: '…')]` actuel** (table inchangée → aucune donnée déplacée). `#[ORM\Entity(repositoryClass: DoctrineXxxRepository::class)]` mis à jour vers la nouvelle classe.
+- **`doctrine_migrations.yaml`** — ajouter le namespace module (garder `DoctrineMigrations`) :
+  ```yaml
+  migrations_paths:
+      DoctrineMigrations: '%kernel.project_dir%/migrations'
+      'App\Module\ProjectManagement\Infrastructure\Doctrine\Migrations': '%kernel.project_dir%/src/Module/ProjectManagement/Infrastructure/Doctrine/Migrations'
+  ```
+  > ⚠️ Doctrine Migrations trie par FQCN entre namespaces : le legacy `DoctrineMigrations` (setup initial) passe avant les migrations modulaires sur base vide. Sur la prod déjà migrée, seules les **nouvelles** migrations additives s'appliquent → pas d'impact d'ordre.
+- **`api_platform.yaml`** — déclarer les chemins de mapping (entités + resources legacy **et** module) pour que les `#[ApiResource]` du pilote restent découverts :
+  ```yaml
+  mapping:
+      paths:
+          - '%kernel.project_dir%/src/Entity'
+          - '%kernel.project_dir%/src/ApiResource'
+          - '%kernel.project_dir%/src/Shared/Infrastructure/ApiPlatform/Resource'
+          - '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+  ```
+- **`services.yaml`** — mettre à jour les FQCN explicites déplacés : `App\EventListener\TaskDocumentListener`, `App\State\TaskDocumentProcessor`, `App\Controller\TaskDocumentDownloadController`, `App\Mcp\Tool\Task\AddTaskDocumentTool`, `App\Mcp\Tool\Task\UpdateTaskDocumentTool` → nouveaux namespaces module. Le glob `App\: '../src/'` continue d'autowire les classes déplacées.
+
+## 6. Garde-fous portés dans #56
+
+- **TimestampableBlamable** : trait `Shared/Domain/Trait/TimestampableBlamableTrait` (4 colonnes `created_at`, `updated_at`, `created_by`, `updated_by` — toutes **nullable**), rempli par `TimestampableBlamableSubscriber` (prePersist/preUpdate). Appliqué aux entités du pilote → **1 migration additive** par table concernée, avec `COMMENT ON COLUMN` via `ColumnCommentsCatalog::addStandardTimestampableBlamableComments()`.
+- **Pagination** : conserver le standard API Platform actuel (les collections du pilote restent paginées comme aujourd'hui).
+- **`COMMENT ON COLUMN`** : appliqué sur les colonnes ajoutées par #56 (pas de rétro-commentaire forcé sur le legacy).
+
+## 7. Endpoints modules / sidebar / version
+
+- `GET /api/modules` (public) — `ModulesResource` + `ModulesProvider` lisant `config/modules.php` (renvoie `{ modules: ["project_management", …] }`).
+- `GET /api/sidebar` (auth) — `SidebarResource` + `SidebarProvider` lisant `config/sidebar.php` ; filtrage **par module actif** (item `module` absent de la liste active → masqué + route ajoutée à `disabledRoutes`) ; gate de section optionnel `ROLE_ADMIN`. Le filtrage par **permissions fines** est explicitement reporté à #57.
+- `GET /api/version` — **déjà présent** (`AppVersion`) ; vérifier le format `{ version }`, ré-aligner si besoin (déplacement optionnel vers `Shared/`).
+- `config/modules.php` : `return [ ProjectManagementModule::class ];` (Core viendra plus tard ; pas de module REQUIRED bloquant en #56).
+- `config/sidebar.php` : sections « Projets » / « Mes tâches » avec `module => 'project_management'` ; les entrées des domaines encore legacy (Time tracking, Absences, Mail, Admin…) listées **sans** clé `module` (donc toujours visibles) pour ne rien masquer.
+
+## 8. Frontend — câblage + pilote en layer (sans relooking)
+
+```
+frontend/app/
+├── layouts/default.vue            shell : sidebar (depuis /api/sidebar) + main
+├── middleware/auth.global.ts      protège routes, charge sidebar+modules après login
+└── middleware/modules.global.ts   redirige si route ∈ disabledRoutes
+frontend/shared/
+├── composables/  useApi (déplacé), useSidebar, useModules, + existants réutilisés
+├── stores/       auth, ui, timer (timer reste partagé : Time tracking encore legacy)
+├── utils/        api.ts (extractHydraMembers/fetchAllHydra), …
+└── types/
+frontend/modules/project-management/
+├── nuxt.config.ts                 defineNuxtConfig({})
+├── pages/        my-tasks.vue, projects/index.vue, projects/[id]/*  (déplacés tels quels)
+├── components/   task/*, project/*  (déplacés)
+├── services/     tasks.ts, projects.ts, task-*.ts, workflows.ts (déplacés)
+└── stores/       (si spécifiques au domaine)
+```
+
+- **`nuxt.config.ts`** : auto-détection des layers `modules/*/` (scan `readdirSync` comme Starseed) ajoutés à `extends`, + dirs d'auto-import des composables/stores par layer. `extends: ['@malio/layer-ui']` conservé en tête.
+- **`useSidebar`/`useModules`** : état singleton, `loadSidebar()`/`loadModules()` appelés dans `auth.global.ts`, `reset*()` au logout.
+- **`modules.global.ts`** : `isRouteDisabled(to.path)` → `navigateTo('/')`.
+- **Migration des pages** : déplacement **sans réécriture visuelle** ; les pages des autres domaines (time-tracking, absences, mail, admin, profile…) **restent dans `frontend/pages/`** (legacy) tant que leurs modules ne sont pas migrés. Nuxt fusionne les routes du shell + des layers → cohabitation transparente.
+
+> Point de vigilance front : vérifier que la cohabitation `frontend/pages/` (legacy) + `frontend/modules/*/pages/` (layer) ne crée pas de collision de routes ; `my-tasks`/`projects` sont déplacés **et retirés** de `frontend/pages/` pour éviter le doublon.
+
+## 9. Plan strangler (ordre d'exécution — app verte à chaque palier)
+
+1. **Shared/ + garde-fous** : trait, subscriber, `ColumnCommentsCatalog`. Neutre (rien ne les consomme encore).
+2. **Endpoints modules/sidebar** + `config/modules.php` + `config/sidebar.php` (toutes entrées legacy sans `module` → rien masqué). Additif.
+3. **Contrats `Shared/Domain/Contract`** + `resolve_target_entities` + `User`/`Client` `implements …Interface`. Neutre.
+4. **Déplacement back du module** ProjectManagement (entités → Domain/Entity, repos → Infra/Doctrine + interfaces Domain, State, MCP) + mises à jour `doctrine.yaml`/`api_platform.yaml`/`doctrine_migrations.yaml`/`services.yaml`. **`make test` vert.**
+5. **Migration additive Timestampable** sur les tables du pilote (+ `COMMENT ON COLUMN`).
+6. **Front shell** : `app/` + `shared/` + middlewares + auto-détection `nuxt.config.ts`. App encore en pages plates.
+7. **Déplacement front du pilote** vers `modules/project-management/` (pages/components/services), retrait des doublons de `frontend/pages/`.
+8. **Vérification bout-en-bout** : commenter `ProjectManagementModule::class` dans `config/modules.php` → `/api/modules` ne le liste plus, `/api/sidebar` masque ses entrées + peuple `disabledRoutes`, le front redirige `/my-tasks`→`/`. Décommenter → tout revient. Documenter le test.
+
+## 10. Critères d'acceptation (repris du ticket, raffinés)
+
+- [ ] `src/Shared/` + `src/Module/ProjectManagement/{Domain,Application,Infrastructure}` en place.
+- [ ] `/api/modules`, `/api/sidebar` fonctionnels ; `/api/version` aligné.
+- [ ] Aucun import direct `App\Entity\User`/`Client` depuis le module (contrats + `resolve_target_entities`).
+- [ ] Front : layers `frontend/modules/*/` auto-détectés ; `useSidebar`/`useModules` + `auth.global.ts`/`modules.global.ts` opérationnels ; pilote migré sans régression visuelle.
+- [ ] Garde-fous : TimestampableBlamable (migration additive + `COMMENT ON COLUMN`) ; pagination conservée. **Audit explicitement hors périmètre** (ticket dédié).
+- [ ] `make test` vert ; activation/désactivation du module validée de bout en bout.
+- [ ] Aucune migration destructive ; prod déployable sans perte.
+
+## 11. Risques & points de vigilance
+
+- **Prod peuplée** : seules migrations additives nullable. `created_by`/`updated_by` non backfillés (historique) — conforme Starseed.
+- **Changement de namespace des entités** : sans impact DB (Doctrine mappe par table). Vérifier qu'aucun code legacy ne référence en dur `App\Entity\Task` etc. → grep + remplacement (le pilote tire Task/Project, consommés par TimeEntry/Mail/BookStack links restés legacy : ces liens passeront par les contrats ou un type-hint relâché).
+- **Collision de routes front** legacy vs layer (cf. §8).
+- **MCP tools** (spécificité Lesstime) : déplacés sous `Module/*/Infrastructure/Mcp/` ; confirmer que `McpSchemaGeneratorPass` les redécouvre (scan `src/`).
+- **`auto_mapping: true`** : valider que l'ajout d'un mapping explicite ne perturbe pas la résolution (sinon désactiver `auto_mapping` et lister explicitement).
+
+## 12. Suite
+
+- Ticket **audit** dédié à créer (infra `#[Auditable]` + `audit_log` + listener + resource), prérequis souple de #57.
+- #57 RBAC fin (permissions `module.resource.action`, sidebar filtrée par permission).
+- #58 Répertoire (Clients/Prospects), #59 Reporting, #60 Refonte front Malio.
diff --git a/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md b/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md
new file mode 100644
index 0000000..bfd5fd5
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md
@@ -0,0 +1,161 @@
+# Roadmap — Migration Lesstime → modular monolith DDD (archi Starseed)
+
+> Plan de migration **complet** validé le 2026-06-19. Référence architecture : repo **Starseed**
+> (`.claude/rules/*.md` + implémentation réelle). Détail technique du socle : voir
+> `2026-06-19-lst-56-modular-monolith-design.md`.
+
+## Principes directeurs
+
+- **Strangler progressif** : legacy (`src/Entity/…`) et modules (`src/Module/…`) coexistent ; l'app
+  reste fonctionnelle et `make test` vert à **chaque** merge. Aucune migration destructive (prod Docker, BDD peuplée → migrations **additives nullable** uniquement).
+- **DDD pragmatique** (= Starseed réel) : ORM attrs dans l'entité Domain, Repository interface (Domain)
+  + impl Doctrine (Infra), Provider/Processor API Platform, contrats `Shared/Domain/Contract` pour le
+  cross-module. **Pas de CQRS bus, pas de multi-tenant.**
+- **Tranches verticales** : chaque module de Phase 2 est livré **back + front (layer Malio) + MCP**
+  d'un coup → fonctionnel de bout en bout à son merge. L'ancienne idée d'un « ticket refonte front »
+  global est dissoute : chaque module arrive déjà en Malio ; un ticket de finition harmonise à la fin.
+- **Ordre par dépendances** : socle → Core (identité/RBAC/audit) → modules métier → transverse/finition.
+- **Zéro import inter-modules** : interfaces `Shared/Domain/Contract` + `resolve_target_entities`,
+  ou domain events / contrat `NotifierInterface`.
+
+## Garde-fous Starseed (appliqués à chaque entité migrée)
+
+`declare(strict_types=1)` · `TimestampableBlamableTrait` (4 colonnes nullable) + subscriber ·
+pagination obligatoire · `COMMENT ON COLUMN` (helper `ColumnCommentsCatalog`) ·
+`#[Auditable]`/`#[AuditIgnore]` (dès que 1.3 est livré) · front `Malio*` + `usePaginatedList` +
+`useFormErrors` · RBAC `module.resource.action` (dès 1.2).
+
+---
+
+## Phase 0 — Socle (fondations, ne touche aucun métier)
+
+### 0.1 · Socle back — infrastructure modulaire  *(réécrit depuis #56)*
+**Dépend de** : —
+`src/Shared/Domain/Contract/` (UserInterface, UserResolverInterface, ClientInterface, NotifierInterface),
+`Shared/Domain/Event/DomainEventInterface`, `Shared/Domain/Trait/TimestampableBlamableTrait`,
+`Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber`,
+`Shared/Infrastructure/Database/ColumnCommentsCatalog`,
+`Shared/Infrastructure/ApiPlatform/{Resource,State}` (`ModulesResource`/`ModulesProvider`,
+`SidebarResource`/`SidebarProvider`), `config/modules.php`, `config/sidebar.php`, `/api/version` aligné.
+Config additive : mapping Doctrine module prêt, `migrations_paths` modulaire, `api_platform.mapping.paths`.
+**AC** : `/api/modules` + `/api/sidebar` répondent ; app verte ; aucune migration destructive.
+
+### 0.2 · Socle front — shell + auto-détection des layers
+**Dépend de** : 0.1
+`frontend/app/` (shell `layouts/default.vue`), `frontend/shared/` (`useApi` déplacé, `useSidebar`,
+`useModules`, stores), middlewares `auth.global.ts` + `modules.global.ts`, auto-détection des layers
+`modules/*/` dans `nuxt.config.ts`. **Aucune page métier déplacée** (app encore plate).
+**AC** : sidebar dynamique depuis `/api/sidebar` ; routes désactivées redirigées ; app verte.
+
+---
+
+## Phase 1 — Module Core (identité, sécurité, traçabilité — transverse)
+
+### 1.1 · Core — Identité & Notifications
+**Dépend de** : 0.1, 0.2
+Migrer `User` + Auth/JWT dans `src/Module/Core/` (Domain/Entity, Repository interface + Doctrine impl,
+`MeProvider`, password hasher), `User implements UserInterface`, `resolve_target_entities → Core\User`.
+`Notification` exposée via `NotifierInterface`. `CoreModule.php` (**REQUIRED=true**). Front : layer
+`modules/core/` (login, profile, admin users).
+**AC** : login/JWT OK ; app verte ; aucun import direct `App\Entity\User` hors Core.
+
+### 1.2 · RBAC fin  *(réécrit depuis #57)*
+**Dépend de** : 1.1
+`Role`/`Permission`, `permissions()` par module, commande `app:sync-permissions`, `PermissionVoter`,
+`SidebarProvider` filtrant **par permission** (en plus du module actif), seed RBAC. Front : gestion des
+rôles + `usePermissions`.
+**AC** : permissions `module.resource.action` ; sidebar gated par permission.
+
+### 1.3 · Audit log  *(réécrit depuis #61)*
+**Dépend de** : 1.1
+`#[Auditable]`/`#[AuditIgnore]` (`Shared/Domain/Attribute`), table `audit_log` (migration additive +
+`COMMENT ON COLUMN`), `AuditListener`/`AuditLogWriter`/`RequestIdProvider`, `AuditLogResource` +
+`/api/audit-logs` paginé/filtrable, page front + labels i18n `audit.entity.*`.
+**AC** : CRUD des entités `#[Auditable]` tracé ; endpoint paginé ; aucune migration destructive.
+
+---
+
+## Phase 2 — Modules métier (tranches verticales back + front + MCP, strangler)
+
+### 2.1 · Module TimeTracking  *(premier module — rodage)*
+**Dépend de** : 1.1
+Migrer `TimeEntry` → `src/Module/TimeTracking/` (Domain/Entity, repo, `ActiveTimeEntryProvider`,
+`TimeEntryExportService`/controller, MCP TimeEntry tools), front layer `modules/time-tracking/`
+(`time-tracking.vue`, components, services, store `timer`). Timestampable additif. **Rode toute la
+mécanique modulaire à risque quasi nul.**
+**AC** : time tracking fonctionnel en module ; activation/désactivation testée ; app verte.
+
+### 2.2 · Module ProjectManagement  *(cœur métier — réécrit depuis #56 pilote)*
+**Dépend de** : 2.1, 1.1
+`Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort, TaskPriority, TaskTag, TaskRecurrence,
+TaskDocument` → `src/Module/ProjectManagement/` (vertical back + MCP Task/Project/TaskMeta/Workflow +
+front layer `modules/project-management/`). User/Client via contrats (Client encore legacy jusqu'à 2.4).
+Notifications via `NotifierInterface`. `#[ApiResource]` conservés (étendre le scan). Timestampable additif.
+**AC** : cœur en module sans régression API ; app verte.
+
+### 2.3 · Module Absence
+**Dépend de** : 1.1
+`AbsenceRequest/AbsencePolicy/AbsenceBalance` + services (`AbsenceBalanceService`, `AbsenceDayCalculator`,
+`PublicHolidayProvider`) + controllers (calendar, preview, justificatif) + MCP absence tools →
+`src/Module/Absence/`, front layer `modules/absence/`.
+**AC** : module absences complet ; app verte.
+
+### 2.4 · Module Directory — Clients + Prospects  *(réécrit depuis #58)*
+**Dépend de** : 1.1 (et après 2.2 qui référence Client via contrat)
+`Client` → `src/Module/Directory/` + nouvelle entité `Prospect`. L'impl de `ClientInterface` migre du
+legacy vers le module (`resolve_target_entities` mis à jour). Front répertoire (clients + prospects).
+**AC** : Clients + Prospects en module ; contrats à jour ; app verte.
+
+### 2.5 · Module Mail
+**Dépend de** : 1.1, 2.2 (TaskMailLink → Task)
+`Mail*` + `TaskMailLink` + `MailSyncService` + controllers + settings → `src/Module/Mail/`, front layer.
+Intègre le WIP `feat/mail-integration`.
+**AC** : mail en module ; app verte.
+
+### 2.6 · Module Integration — Gitea / BookStack / Zimbra / Share
+**Dépend de** : 1.1, 2.2 (liens Task)
+Configs + services API (`GiteaApiService`, `BookStackApiService`, `CalDavService`, Share) + controllers +
+liens → `src/Module/Integration/`, front (onglets admin + sections task).
+**AC** : intégrations en module ; app verte.
+
+---
+
+## Phase 3 — Transverse & finition
+
+### 3.1 · Module Reporting  *(réécrit depuis #59)*
+**Dépend de** : Phase 2 (consomme les modules)
+Reporting natif transverse (agrège time tracking, tâches, absences) via contrats / API. Module
+`src/Module/Reporting/` + front.
+**AC** : rapports natifs ; aucune dépendance directe inter-modules.
+
+### 3.2 · Module Portail client
+**Dépend de** : 1.1, 2.2, 2.4
+Portail client (accès restreint), module `src/Module/ClientPortal/` + front layer + RBAC dédié.
+**AC** : portail fonctionnel ; gated RBAC.
+
+### 3.3 · Finition Malio + nettoyage legacy  *(réécrit depuis #60)*
+**Dépend de** : tout
+Harmonisation visuelle Malio finale, **vidage de `src/Entity/` legacy résiduel**, suppression du mapping
+Doctrine legacy + des pages plates `frontend/pages/` résiduelles, durcissement `resolve_target_entities`.
+**AC** : `src/Entity` vide ; 100 % modulaire ; app verte ; aucune route/legacy orpheline.
+
+---
+
+## Ordre d'exécution recommandé
+
+`0.1 → 0.2 → 1.1 → 1.2 → 1.3 → 2.1 → 2.2 → 2.3 → 2.4 → 2.5 → 2.6 → 3.1 → 3.2 → 3.3`
+
+Les tickets 1.2 et 1.3 peuvent se paralléliser après 1.1. Les modules 2.3 (Absence) et 2.4 (Directory)
+peuvent se paralléliser après 2.2. Mail (2.5) et Integration (2.6) suivent 2.2.
+
+## Mapping avec les tickets Lesstime existants
+
+| Ancien | Devient |
+|--------|---------|
+| #56 (1/5 Aligner archi) | **0.1 Socle back** (le reste éclaté en 0.2 + 2.2) |
+| #57 (2/5 RBAC) | **1.2 RBAC fin** |
+| #58 (3/5 Répertoire) | **2.4 Directory** |
+| #59 (4/5 Reporting) | **3.1 Reporting** |
+| #60 (5/5 Front Malio) | **3.3 Finition Malio + nettoyage** (le front se fait par module) |
+| #61 (Audit) | **1.3 Audit log** |
+| *(créés)* | 0.2, 1.1, 2.1, 2.2, 2.3, 2.5, 2.6, 3.2 |
diff --git a/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md b/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md
new file mode 100644
index 0000000..16d8255
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md
@@ -0,0 +1,203 @@
+# Répertoire — Contacts, Adresses & Rapports commerciaux
+
+**Date :** 2026-06-22
+**Module :** `Directory` (Lesstime)
+**Statut :** Conception validée — prêt pour plan d'implémentation
+
+## Contexte & objectif
+
+Le module `Directory` gère aujourd'hui `Client` et `Prospect` de façon volontairement
+minimaliste : champs à plat (`name`, `email`, `phone`, `street`, `city`, `postalCode`),
+adresse *inline*, aucun contact individuel, aucun suivi commercial. Le CRUD se fait via
+des drawers sur une page unique `/directory` à deux onglets, sans fiche détail.
+
+On veut transformer chaque fiche client/prospect en une **vraie fiche détail à onglets**,
+inspirée du répertoire de Starseed (blocs répétables, sauvegarde indépendante par onglet,
+validation 422 inline), avec trois onglets : **Contact**, **Adresse**, **Rapport**.
+Le « rapport commercial » est un **journal de comptes-rendus** (objet + texte + date +
+type d'échange + auteur) auquel on peut **joindre des documents**.
+
+Décisions cadrées avec l'utilisateur :
+- Contacts et adresses : **plusieurs** par fiche (blocs répétables, façon Starseed).
+- UX : **fiche détail à route dédiée** (le clic sur une ligne ouvre la fiche, plus le drawer).
+- Rapport = **comptes-rendus** (objet + texte + date + type) **avec documents joints**.
+- Conversion prospect → client : **tout est repris** (contacts, adresses, rapports).
+- Cible : **Lesstime** (Starseed sert uniquement de référence de design).
+
+## Approche retenue
+
+**Entités partagées via double-FK** : `Contact`, `Address`, `CommercialReport` sont
+chacune rattachées à **un `Client` OU un `Prospect`** via deux FK nullables
+(`client_id?`, `prospect_id?`) + une contrainte CHECK « exactly-one ».
+
+C'est le pattern **déjà employé par `task_document`** (`task_id` / `client_ticket_id` +
+CHECK `task_id IS NOT NULL OR client_ticket_id IS NOT NULL`) — on reste donc cohérent
+avec le code existant. La conversion prospect→client se réduit à une **réaffectation de
+FK** (pas de copie), ce qui préserve l'historique.
+
+Alternative écartée : entités dupliquées par propriétaire (`ClientContact` +
+`ProspectContact`, etc.) → 2× plus de tables/code et conversion par recopie.
+
+## Modèle de données (backend — `src/Module/Directory`)
+
+Toutes les nouvelles entités vivent dans le module `Directory`
+(`Domain/Entity`, `Domain/Repository`, `Domain/Enum`, `Infrastructure/Doctrine`,
+`Infrastructure/ApiPlatform`), suivent les traits `TimestampableBlamableTrait` et
+sont `#[Auditable]` comme `Client`/`Prospect`.
+
+### `Contact` (répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| firstName | string? | |
+| lastName | string? | |
+| jobTitle | string? | fonction |
+| email | string? | lowercase |
+| phonePrimary | string? | |
+| phoneSecondary | string? | |
+| client | ManyToOne Client? | FK `client_id`, ON DELETE CASCADE |
+| prospect | ManyToOne Prospect? | FK `prospect_id`, ON DELETE CASCADE |
+
+Contrainte CHECK : `client_id IS NOT NULL OR prospect_id IS NOT NULL` (et au plus un des
+deux, garanti par la logique applicative + index). « Sans contrainte » fonctionnelle : un
+contact est valide dès qu'il a au moins un nom **ou** prénom (validation souple, façon
+`isContactNamed` de Starseed).
+
+### `Address` (répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| label | string? | libellé libre (« Siège », « Facturation »…) |
+| street | string? | |
+| streetComplement | string? | |
+| postalCode | string? | |
+| city | string? | |
+| country | string | défaut `FR` |
+| client / prospect | ManyToOne ?, FK CASCADE | double-FK + CHECK |
+
+### `CommercialReport` (compte-rendu, répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| subject | string | objet du compte-rendu |
+| body | text | le compte-rendu lui-même |
+| occurredAt | date | date de l'échange |
+| type | enum `ReportType` | `call` / `meeting` / `email` / `note` |
+| author | ManyToOne User? | rempli via Blamable (utilisateur connecté) |
+| documents | OneToMany ReportDocument | pièces jointes (voir section dédiée) |
+| client / prospect | ManyToOne ?, FK CASCADE | double-FK + CHECK |
+
+`ReportType` (enum, libellés FR) : Appel, Rendez-vous, Email, Note.
+
+### Migration de l'adresse *inline*
+Les colonnes `street`, `city`, `postal_code` de `client` et `prospect` sont **migrées**
+vers une première ligne `Address` (data migration : pour chaque client/prospect ayant une
+adresse non vide, créer une `Address` rattachée), puis **supprimées** des tables
+`client`/`prospect` pour ne pas dédoubler la donnée. Les champs `name`, `email`, `phone`
+restent sur `Client`/`Prospect` (identité principale).
+
+### Documents des comptes-rendus
+
+> **Correction post-exploration :** contrairement à une première hypothèse, `task_document`
+> n'a **aucune** colonne propriétaire générique. La migration `Version20260522110000`
+> (suppression du portail client) a **retiré** `client_ticket_id` de `task_document` et
+> restauré `task_id` en `NOT NULL`. Le `TaskDocumentProcessor` **exige** une tâche.
+> « Réutiliser TaskDocument » impose donc de le **généraliser** (FK + processor), ce qui
+> recouple `ProjectManagement` ↔ `Directory`.
+
+**Décision d'architecture (`ReportDocument` dédié — recommandé) :** créer une entité
+`ReportDocument` **propre au module `Directory`**, qui réutilise le **même mécanisme de
+stockage** (même paramètre `task_document_upload_dir`, mêmes validations MIME/taille, même
+stratégie de download `BinaryFileResponse`), mais **sans** la mécanique SMB (inutile pour
+des pièces jointes de compte-rendu). Cela préserve la frontière modulaire (pas de FK
+croisée `ProjectManagement` → `Directory`) au prix d'une duplication maîtrisée du processor
+et du controller de download (≈ 150 lignes, sans la partie SMB). Côté front, les composants
+de preview/list de `ProjectManagement` sont **génériques** et réutilisés tels quels (ils ne
+dépendent que du DTO document + de l'URL de download).
+
+Entité `ReportDocument` (module `Directory`) : `id`, `commercialReport` (ManyToOne, FK
+`commercial_report_id`, nullable:false, ON DELETE CASCADE), `originalName`, `fileName`,
+`mimeType`, `size`, `createdAt`, `uploadedBy` (ManyToOne User, SET NULL). Endpoint
+`POST /api/report_documents` (multipart, `deserialize:false`, `ReportDocumentProcessor`),
+`GET /api/report_documents/{id}/download` (controller dédié, `priority: 1`),
+`DELETE /api/report_documents/{id}` (listener `preRemove` qui `unlink` le fichier disque),
+`GetCollection` filtrable par `commercialReport`.
+
+## API Platform
+
+Trois ressources (`Contact`, `Address`, `CommercialReport`) exposées avec :
+- Opérations : `GetCollection`, `Get`, `Post`, `Patch`, `Delete`.
+- Filtres : `SearchFilter` sur `client` et `prospect` (exact) pour charger la collection
+  d'une fiche donnée. Collections non paginées (aligné sur `Client`/`Prospect`).
+- Sécurité : lecture `ROLE_USER`, écriture `ROLE_ADMIN` (pattern existant du module).
+- Groupes de sérialisation : `contact:read`/`contact:write`, `address:read`/`address:write`,
+  `commercial_report:read`/`commercial_report:write`. `CommercialReport:read` embarque
+  `author` (id + username) et `documents`.
+
+Permissions RBAC ajoutées au `Module::permissions()` :
+`directory.reports.view`, `directory.reports.manage`. (Contacts/adresses couverts par
+`directory.clients.*` / `directory.prospects.*` existants.)
+
+## Conversion prospect → client
+
+`ConvertProspectProcessor`
+(`src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php`)
+est étendu : après création/liaison du `Client`, pour chaque `Contact`, `Address` et
+`CommercialReport` du prospect → set `client = <nouveau client>` et `prospect = null`.
+Reste **idempotent** (si déjà converti, retourne inchangé). Les documents suivent
+automatiquement (rattachés au `CommercialReport`, pas au prospect).
+
+## Frontend (Nuxt — `frontend/modules/directory`)
+
+### Liste & navigation
+- `pages/directory.vue` (2 onglets Clients/Prospects, `MalioDataTable`) **reste**.
+- Le clic sur une ligne ouvre désormais la **fiche détail** (`navigateTo`), au lieu du drawer.
+- Le drawer (`ClientDrawer`/`ProspectDrawer`) est **conservé pour la création rapide**
+  (champs principaux : name/email/phone, + company/status/source/notes pour le prospect).
+
+### Fiches détail
+`pages/clients/[id].vue` et `pages/prospects/[id].vue` :
+- En-tête : retour + titre + actions (archiver/supprimer selon droits).
+- Bloc principal (identité : name/email/phone…), éditable en place.
+- `MalioTabList` avec onglets **Contact**, **Adresse**, **Rapport** :
+  - **Contact** : `DirectoryContactBlock` répétable (ajout/suppression, sauvegarde par bloc
+    POST/PATCH, suppression = DELETE immédiat), validation 422 inline via `useFormErrors`.
+  - **Adresse** : `DirectoryAddressBlock` répétable, même mécanique.
+  - **Rapport** : liste des comptes-rendus (date, type badge, objet, auteur) + formulaire
+    d'ajout/édition (objet, type, date, corps) + zone documents (`ReportDocumentUpload` /
+    `ReportDocumentList`, calqués sur les composants `TaskDocument*` génériques).
+
+Les blocs Contact/Adresse sont des composants **génériques** (mêmes pour client et prospect),
+paramétrés par l'IRI du propriétaire (`client` ou `prospect`).
+
+### Services & DTO
+Nouveaux services `services/contacts.ts`, `services/addresses.ts`,
+`services/commercial-reports.ts` (CRUD + filtre par owner) et DTO associés
+(`dto/contact.ts`, `dto/address.ts`, `dto/commercial-report.ts`). Réutilisation du service
+existant `task-documents.ts` via `uploadWithRelation('commercialReport', iri, file)`.
+
+## i18n
+
+Traductions FR ajoutées sous `directory.*` : libellés des onglets (Contact, Adresse,
+Rapport), champs des trois entités, types de compte-rendu (Appel/Rendez-vous/Email/Note),
+toasts de succès (créé/mis à jour/supprimé) et messages de validation.
+
+## Tests (PHPUnit)
+
+- Entités + contrainte CHECK double-FK (un contact/adresse/rapport ne peut être orphelin).
+- Conversion : après convert, contacts/adresses/rapports du prospect pointent vers le
+  client (`prospect = null`), idempotence.
+- Sécurité : lecture `ROLE_USER`, écriture refusée hors `ROLE_ADMIN`.
+- Upload : un document peut être rattaché à un `CommercialReport` ; CHECK respecté.
+- Data migration adresse inline → `Address` (au moins une adresse créée par client/prospect
+  ayant une adresse non vide).
+
+> ⚠️ Base de test non isolée (les POST s'accumulent) : tester des **invariants**
+> (relations, statuts, présence), pas des **counts absolus**.
+
+## Hors périmètre (YAGNI)
+
+- Pas de pipeline d'opportunités/affaires avec montants (le `status` du prospect suffit).
+- Pas de dashboard/statistiques commerciales chiffrées.
+- Pas de relance/prochaine action datée sur le compte-rendu (non retenu au cadrage).
+- Pas de gestion de types d'adresse structurés (facturation/livraison) : `label` libre.
diff --git a/frontend/layouts/auth.vue b/frontend/app/layouts/auth.vue
similarity index 100%
rename from frontend/layouts/auth.vue
rename to frontend/app/layouts/auth.vue
diff --git a/frontend/layouts/default.vue b/frontend/app/layouts/default.vue
similarity index 55%
rename from frontend/layouts/default.vue
rename to frontend/app/layouts/default.vue
index 70ec12b..a7c1729 100644
--- a/frontend/layouts/default.vue
+++ b/frontend/app/layouts/default.vue
@@ -38,131 +38,47 @@
                     </button>
                 </div>
                 <nav class="flex-1 overflow-hidden" :class="sidebarIsCollapsed ? 'px-1 pb-6' : 'px-4 pb-6'">
-                    <SidebarLink
-                        to="/"
-                        icon="mdi:view-dashboard-outline"
-                        label="Tableau de bord"
-                        :collapsed="sidebarIsCollapsed"
-                        :class="sidebarIsCollapsed ? 'mt-4' : 'border-t border-secondary-500 pt-6'"
-                        @click="ui.closeMobileSidebar()"
-                    />
-
-                    <!-- Section : Gestion de projet -->
-                    <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                        Gestion de projet
-                    </p>
-                    <div v-else class="mx-2 my-3 border-t border-secondary-500" />
-                    <SidebarLink
-                        to="/my-tasks"
-                        icon="mdi:clipboard-check-outline"
-                        label="Mes tâches"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        to="/projects"
-                        icon="mdi:folder-outline"
-                        label="Projets"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <template v-if="currentProjectId">
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}`"
-                            icon="mdi:view-column-outline"
-                            label="Kanban"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            exact
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}/groups`"
-                            icon="mdi:tag-multiple-outline"
-                            label="Groupes"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}/archives`"
-                            icon="mdi:archive-outline"
-                            label="Archives"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            @click="ui.closeMobileSidebar()"
-                        />
-                    </template>
-                    <SidebarLink
-                        to="/time-tracking"
-                        icon="mdi:calendar-edit-outline"
-                        label="Suivi de temps"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        v-if="isDocumentsVisible"
-                        to="/documents"
-                        icon="mdi:folder-network-outline"
-                        :label="$t('sharedFiles.sidebar.title')"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <div v-if="isMailVisible" class="relative">
-                        <SidebarLink
-                            to="/mail"
-                            icon="mdi:email-outline"
-                            :label="$t('mail.sidebar.title')"
-                            :collapsed="sidebarIsCollapsed"
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <span
-                            v-if="mailStore.globalUnreadCount > 0"
-                            class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
-                            :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
-                            :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
-                        >
-                            {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
-                        </span>
-                    </div>
-
-                    <!-- Section : Absences -->
-                    <template v-if="isAbsenceSectionVisible">
+                    <!-- Sections dynamiques (/api/sidebar) : navigation globale + sections gated par rôle -->
+                    <template v-for="(section, sIndex) in translatedSections" :key="section.label">
                         <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                            Absences
-                        </p>
-                        <div v-else class="mx-2 my-3 border-t border-secondary-500" />
-                    </template>
-                    <SidebarLink
-                        v-if="isEmployee"
-                        to="/absences"
-                        icon="mdi:umbrella-beach-outline"
-                        label="Mes absences"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        v-if="isAdmin"
-                        to="/team-absences"
-                        icon="mdi:calendar-account-outline"
-                        label="Absences équipe"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-
-                    <!-- Section : Administration (admin only) -->
-                    <template v-if="isAdmin">
-                        <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                            Administration
+                            {{ section.label }}
                         </p>
                         <div v-else class="mx-2 my-3 border-t border-secondary-500" />
                         <SidebarLink
-                            to="/admin"
-                            icon="mdi:cog-outline"
-                            label="Administration"
+                            v-for="item in section.items"
+                            :key="item.to"
+                            :to="item.to"
+                            :icon="item.icon"
+                            :label="item.label"
                             :collapsed="sidebarIsCollapsed"
                             @click="ui.closeMobileSidebar()"
                         />
+
+                        <!-- Items conservés côté client, insérés après la 1re section (cf. décision 3) -->
+                        <template v-if="sIndex === 0">
+                            <!-- Contextuel projet -->
+                            <template v-if="currentProjectId">
+                                <SidebarLink :to="`/projects/${currentProjectId}`" icon="mdi:view-column-outline" label="Kanban" :collapsed="sidebarIsCollapsed" sub exact @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/groups`" icon="mdi:tag-multiple-outline" label="Groupes" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/archives`" icon="mdi:archive-outline" label="Archives" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                            </template>
+                            <!-- Feature-flag : Documents -->
+                            <SidebarLink v-if="isDocumentsVisible" to="/documents" icon="mdi:folder-network-outline" :label="$t('sharedFiles.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                            <!-- Feature-flag : Mail + badge -->
+                            <div v-if="isMailVisible" class="relative">
+                                <SidebarLink to="/mail" icon="mdi:email-outline" :label="$t('mail.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                                <span
+                                    v-if="mailStore.globalUnreadCount > 0"
+                                    class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+                                    :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
+                                    :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+                                >
+                                    {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+                                </span>
+                            </div>
+                            <!-- User-flag : Mes absences (isEmployee — non couvert par le gate rôle) -->
+                            <SidebarLink v-if="isEmployee" to="/absences" icon="mdi:umbrella-beach-outline" label="Mes absences" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                        </template>
                     </template>
                 </nav>
 
@@ -209,8 +125,8 @@
 
 <script setup lang="ts">
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import { useAppVersion } from '~/composables/useAppVersion'
 import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
@@ -220,10 +136,27 @@ const ui = useUiStore()
 const mailStore = useMailStore()
 const {version} = useAppVersion()
 const route = useRoute()
+const { t } = useI18n()
+const { sections } = useSidebar()
+
+// `/mail` est déclaré dans config/sidebar.php pour le gating module (disabledRoutes),
+// mais son rendu visuel + badge non-lus est géré manuellement ci-dessous (feature-flag Mail).
+// On le filtre des sections dynamiques pour éviter un doublon dans la nav.
+const translatedSections = computed(() =>
+    sections.value.map((section) => ({
+        label: t(section.label),
+        icon: section.icon,
+        items: section.items
+            .filter((item) => item.to !== '/mail')
+            .map((item) => ({
+                label: t(item.label),
+                to: item.to,
+                icon: item.icon,
+            })),
+    })),
+)
 
-const isAdmin = computed(() => (auth.user?.roles ?? []).includes('ROLE_ADMIN'))
 const isEmployee = computed(() => Boolean(auth.user?.isEmployee))
-const isAbsenceSectionVisible = computed(() => isEmployee.value || isAdmin.value)
 
 const isMailVisible = computed(() => {
     const roles: string[] = auth.user?.roles ?? []
diff --git a/frontend/middleware/admin.ts b/frontend/app/middleware/admin.ts
similarity index 100%
rename from frontend/middleware/admin.ts
rename to frontend/app/middleware/admin.ts
diff --git a/frontend/app/middleware/auth.global.ts b/frontend/app/middleware/auth.global.ts
new file mode 100644
index 0000000..4c98f1e
--- /dev/null
+++ b/frontend/app/middleware/auth.global.ts
@@ -0,0 +1,30 @@
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    const isLogin = to.path === '/login'
+
+    if (!auth.checked) {
+        await auth.ensureSession()
+    }
+
+    if (!isLogin && !auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+
+    if (isLogin && auth.isAuthenticated) {
+        return navigateTo('/')
+    }
+
+    const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
+    const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
+
+    if (auth.isAuthenticated) {
+        await Promise.all([
+            sidebarLoaded.value ? Promise.resolve() : loadSidebar(),
+            modulesLoaded.value ? Promise.resolve() : loadModules(),
+        ])
+    } else {
+        // Logout / session expirée : purge l'état partagé pour le prochain login.
+        resetSidebar()
+        resetModules()
+    }
+})
diff --git a/frontend/middleware/employee.ts b/frontend/app/middleware/employee.ts
similarity index 100%
rename from frontend/middleware/employee.ts
rename to frontend/app/middleware/employee.ts
diff --git a/frontend/app/middleware/modules.global.ts b/frontend/app/middleware/modules.global.ts
new file mode 100644
index 0000000..3cd5f22
--- /dev/null
+++ b/frontend/app/middleware/modules.global.ts
@@ -0,0 +1,15 @@
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    if (!auth.isAuthenticated) {
+        return
+    }
+
+    const { loaded, loadSidebar, isRouteDisabled } = useSidebar()
+    if (!loaded.value) {
+        await loadSidebar()
+    }
+
+    if (isRouteDisabled(to.path)) {
+        return navigateTo('/')
+    }
+})
diff --git a/frontend/components/admin/AdminAbsencePolicyTab.vue b/frontend/components/admin/AdminAbsencePolicyTab.vue
index 290df97..5929d6a 100644
--- a/frontend/components/admin/AdminAbsencePolicyTab.vue
+++ b/frontend/components/admin/AdminAbsencePolicyTab.vue
@@ -51,8 +51,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsencePolicy } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
+import type { AbsencePolicy } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const service = useAbsenceService()
 const rows = ref<AbsencePolicy[]>([])
diff --git a/frontend/components/admin/AdminAuditTab.vue b/frontend/components/admin/AdminAuditTab.vue
new file mode 100644
index 0000000..58608f8
--- /dev/null
+++ b/frontend/components/admin/AdminAuditTab.vue
@@ -0,0 +1,160 @@
+<template>
+    <div>
+        <div class="flex items-center justify-between">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('admin.audit.title') }}</h2>
+        </div>
+
+        <div class="mt-4 flex flex-wrap gap-4">
+            <MalioSelect
+                v-model="entityTypeFilter"
+                :options="entityTypeOptions"
+                :label="$t('admin.audit.filterEntityType')"
+                :empty-option-label="$t('admin.audit.filterEntityTypeAll')"
+                group-class="w-64"
+            />
+            <MalioSelect
+                v-model="actionFilter"
+                :options="actionOptions"
+                :label="$t('admin.audit.filterAction')"
+                :empty-option-label="$t('admin.audit.filterActionAll')"
+                group-class="w-64"
+            />
+        </div>
+
+        <DataTable
+            :columns="columns"
+            :items="rows"
+            :loading="isLoading"
+            :empty-message="$t('admin.audit.empty')"
+        >
+            <template #cell-performedAt="{ item }">
+                {{ formatDate(item.performedAt) }}
+            </template>
+            <template #cell-entityType="{ item }">
+                {{ entityTypeLabel(item.entityType) }}
+            </template>
+            <template #cell-action="{ item }">
+                {{ actionLabel(item.action) }}
+            </template>
+        </DataTable>
+
+        <div class="mt-4 flex items-center justify-between">
+            <span class="text-sm text-neutral-500">{{ $t('admin.audit.page', { page }) }}</span>
+            <div class="flex gap-2">
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.previous')"
+                    :disabled="page <= 1 || isLoading"
+                    @click="goToPage(page - 1)"
+                />
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.next')"
+                    :disabled="!hasNextPage || isLoading"
+                    @click="goToPage(page + 1)"
+                />
+            </div>
+        </div>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { AuditLogAction, AuditLogItem } from '~/modules/core/services/audit-logs'
+import { useAuditLogService } from '~/modules/core/services/audit-logs'
+
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t, te } = useI18n()
+
+const PAGE_SIZE = 30
+
+const columns = computed<DataTableColumn[]>(() => [
+    { key: 'performedAt', label: t('admin.audit.date'), primary: true },
+    { key: 'performedBy', label: t('admin.audit.performedBy') },
+    { key: 'entityType', label: t('admin.audit.entityType') },
+    { key: 'action', label: t('admin.audit.action') },
+    { key: 'entityId', label: t('admin.audit.entityId') },
+])
+
+const actionOptions = computed<{ value: AuditLogAction, label: string }[]>(() => [
+    { value: 'create', label: t('audit.action.create') },
+    { value: 'update', label: t('audit.action.update') },
+    { value: 'delete', label: t('audit.action.delete') },
+])
+
+const auditLogService = useAuditLogService()
+
+const rows = ref<AuditLogItem[]>([])
+const entityTypes = ref<string[]>([])
+const totalItems = ref(0)
+const page = ref(1)
+const isLoading = ref(true)
+const entityTypeFilter = ref<string | null>(null)
+const actionFilter = ref<AuditLogAction | null>(null)
+
+const entityTypeOptions = computed<{ value: string, label: string }[]>(() =>
+    entityTypes.value.map((value) => ({ value, label: entityTypeLabel(value) })),
+)
+
+// PAGE_SIZE must match the API default page size. The full-page guard keeps the
+// "next" button accurate even on the last (partial) page.
+const hasNextPage = computed(() => rows.value.length >= PAGE_SIZE && page.value * PAGE_SIZE < totalItems.value)
+
+function entityTypeLabel(value: string): string {
+    const key = `audit.entity.${value}`
+    return te(key) ? t(key) : value
+}
+
+function actionLabel(action: AuditLogAction): string {
+    return t(`audit.action.${action}`)
+}
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+        hour: '2-digit',
+        minute: '2-digit',
+    })
+}
+
+async function loadItems() {
+    isLoading.value = true
+    try {
+        const result = await auditLogService.list({
+            page: page.value,
+            entityType: entityTypeFilter.value ?? undefined,
+            action: actionFilter.value ?? undefined,
+        })
+        rows.value = result.items
+        totalItems.value = result.totalItems
+    } finally {
+        isLoading.value = false
+    }
+}
+
+async function loadEntityTypes() {
+    entityTypes.value = await auditLogService.entityTypes()
+}
+
+function goToPage(target: number) {
+    if (target < 1) {
+        return
+    }
+    page.value = target
+    loadItems()
+}
+
+watch([entityTypeFilter, actionFilter], () => {
+    page.value = 1
+    loadItems()
+})
+
+onMounted(() => {
+    loadItems()
+    loadEntityTypes()
+})
+</script>
diff --git a/frontend/components/admin/AdminBookStackTab.vue b/frontend/components/admin/AdminBookStackTab.vue
index d0adbe4..5c80776 100644
--- a/frontend/components/admin/AdminBookStackTab.vue
+++ b/frontend/components/admin/AdminBookStackTab.vue
@@ -51,7 +51,7 @@
 </template>
 
 <script setup lang="ts">
-import { useBookStackService } from '~/services/bookstack'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const { getSettings, saveSettings, testConnection } = useBookStackService()
 
diff --git a/frontend/components/admin/AdminClientTab.vue b/frontend/components/admin/AdminClientTab.vue
index 12d3863..36af726 100644
--- a/frontend/components/admin/AdminClientTab.vue
+++ b/frontend/components/admin/AdminClientTab.vue
@@ -40,8 +40,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Client } from '~/services/dto/client'
-import { useClientService } from '~/services/clients'
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminEffortTab.vue b/frontend/components/admin/AdminEffortTab.vue
index 6132be6..b626bca 100644
--- a/frontend/components/admin/AdminEffortTab.vue
+++ b/frontend/components/admin/AdminEffortTab.vue
@@ -30,8 +30,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskEffort } from '~/services/dto/task-effort'
-import { useTaskEffortService } from '~/services/task-efforts'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminGiteaTab.vue b/frontend/components/admin/AdminGiteaTab.vue
index 7d093aa..ef79e9c 100644
--- a/frontend/components/admin/AdminGiteaTab.vue
+++ b/frontend/components/admin/AdminGiteaTab.vue
@@ -45,7 +45,7 @@
 </template>
 
 <script setup lang="ts">
-import { useGiteaService } from '~/services/gitea'
+import { useGiteaService } from '~/modules/integration/services/gitea'
 
 const { getSettings, saveSettings, testConnection } = useGiteaService()
 
diff --git a/frontend/components/admin/AdminMailTab.vue b/frontend/components/admin/AdminMailTab.vue
index 0d54a64..a6cecd5 100644
--- a/frontend/components/admin/AdminMailTab.vue
+++ b/frontend/components/admin/AdminMailTab.vue
@@ -140,7 +140,7 @@
 </template>
 
 <script setup lang="ts">
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const { getConfiguration, updateConfiguration, testConfiguration } = useMailService()
 
diff --git a/frontend/components/admin/AdminPriorityTab.vue b/frontend/components/admin/AdminPriorityTab.vue
index 8391328..0f91660 100644
--- a/frontend/components/admin/AdminPriorityTab.vue
+++ b/frontend/components/admin/AdminPriorityTab.vue
@@ -37,8 +37,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskPriority } from '~/services/dto/task-priority'
-import { useTaskPriorityService } from '~/services/task-priorities'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminRoleTab.vue b/frontend/components/admin/AdminRoleTab.vue
new file mode 100644
index 0000000..c36a706
--- /dev/null
+++ b/frontend/components/admin/AdminRoleTab.vue
@@ -0,0 +1,116 @@
+<template>
+    <div>
+        <div class="flex items-center justify-between">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('admin.roles.title') }}</h2>
+            <MalioButton
+                icon-name="mdi:plus"
+                icon-position="left"
+                button-class="w-auto px-4"
+                :label="$t('admin.roles.addRole')"
+                @click="openCreate"
+            />
+        </div>
+
+        <DataTable
+            :columns="columns"
+            :items="items"
+            :loading="isLoading"
+            :empty-message="$t('admin.roles.empty')"
+            @row-click="openEdit"
+        >
+            <template #cell-isSystem="{ item }">
+                <span
+                    v-if="item.isSystem"
+                    class="rounded-full bg-primary-100 px-2 py-0.5 text-xs font-semibold text-primary-600"
+                >
+                    {{ $t('admin.roles.system') }}
+                </span>
+            </template>
+            <template #cell-permissions="{ item }">
+                <span class="text-neutral-600">{{ item.permissions.length }}</span>
+            </template>
+            <template #actions="{ item }">
+                <MalioButtonIcon
+                    v-if="!item.isSystem"
+                    icon="mdi:delete-outline"
+                    :aria-label="$t('common.delete')"
+                    variant="ghost"
+                    icon-size="20"
+                    button-class="text-neutral-400 hover:text-red-500"
+                    @click.stop="handleDelete(item.id)"
+                />
+            </template>
+        </DataTable>
+
+        <RoleDrawer
+            v-model="drawerOpen"
+            :item="selectedItem"
+            :permissions="permissions"
+            @saved="onSaved"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Role } from '~/modules/core/services/roles'
+import { useRoleService } from '~/modules/core/services/roles'
+import type { Permission } from '~/modules/core/services/permissions'
+import { usePermissionService } from '~/modules/core/services/permissions'
+
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t } = useI18n()
+
+const columns = computed<DataTableColumn[]>(() => [
+    { key: 'label', label: t('admin.roles.label'), primary: true },
+    { key: 'code', label: t('admin.roles.code') },
+    { key: 'permissions', label: t('admin.roles.permissions') },
+    { key: 'isSystem', label: '' },
+])
+
+const roleService = useRoleService()
+const permissionService = usePermissionService()
+
+const items = ref<Role[]>([])
+const permissions = ref<Permission[]>([])
+const isLoading = ref(true)
+const drawerOpen = ref(false)
+const selectedItem = ref<Role | null>(null)
+
+async function loadItems() {
+    isLoading.value = true
+    try {
+        items.value = await roleService.list()
+    } finally {
+        isLoading.value = false
+    }
+}
+
+async function loadPermissions() {
+    permissions.value = await permissionService.list()
+}
+
+function openCreate() {
+    selectedItem.value = null
+    drawerOpen.value = true
+}
+
+function openEdit(item: Role) {
+    selectedItem.value = item
+    drawerOpen.value = true
+}
+
+async function handleDelete(id: number) {
+    await roleService.remove(id)
+    await loadItems()
+}
+
+async function onSaved() {
+    await loadItems()
+}
+
+onMounted(() => {
+    loadItems()
+    loadPermissions()
+})
+</script>
diff --git a/frontend/components/admin/AdminShareTab.vue b/frontend/components/admin/AdminShareTab.vue
index e1f907d..468fc86 100644
--- a/frontend/components/admin/AdminShareTab.vue
+++ b/frontend/components/admin/AdminShareTab.vue
@@ -70,7 +70,7 @@
 </template>
 
 <script setup lang="ts">
-import { useShareSettingsService } from '~/services/share-settings'
+import { useShareSettingsService } from '~/modules/integration/services/share-settings'
 
 const { getSettings, saveSettings, testConnection } = useShareSettingsService()
 
diff --git a/frontend/components/admin/AdminTagTab.vue b/frontend/components/admin/AdminTagTab.vue
index 45b22da..13313a8 100644
--- a/frontend/components/admin/AdminTagTab.vue
+++ b/frontend/components/admin/AdminTagTab.vue
@@ -37,8 +37,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskTag } from '~/services/dto/task-tag'
-import { useTaskTagService } from '~/services/task-tags'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminWorkflowTab.vue b/frontend/components/admin/AdminWorkflowTab.vue
index 0c6fbdd..db4b5f5 100644
--- a/frontend/components/admin/AdminWorkflowTab.vue
+++ b/frontend/components/admin/AdminWorkflowTab.vue
@@ -42,8 +42,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Workflow } from '~/services/dto/workflow'
-import { useWorkflowService } from '~/services/workflows'
+import type { Workflow } from '~/modules/project-management/services/dto/workflow'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
 const { t } = useI18n()
diff --git a/frontend/components/admin/AdminZimbraTab.vue b/frontend/components/admin/AdminZimbraTab.vue
index fbe59ca..782f467 100644
--- a/frontend/components/admin/AdminZimbraTab.vue
+++ b/frontend/components/admin/AdminZimbraTab.vue
@@ -58,7 +58,7 @@
 </template>
 
 <script setup lang="ts">
-import { useZimbraService } from '~/services/zimbra'
+import { useZimbraService } from '~/modules/integration/services/zimbra'
 
 const { getSettings, saveSettings, testConnection } = useZimbraService()
 
diff --git a/frontend/components/admin/RoleDrawer.vue b/frontend/components/admin/RoleDrawer.vue
new file mode 100644
index 0000000..4db0dc5
--- /dev/null
+++ b/frontend/components/admin/RoleDrawer.vue
@@ -0,0 +1,186 @@
+<template>
+    <MalioDrawer v-model="isOpen">
+        <template #header>
+            <h2 class="text-xl font-bold">
+                {{ isEditing ? $t('admin.roles.editRole') : $t('admin.roles.addRole') }}
+            </h2>
+        </template>
+        <form class="flex flex-col gap-3" @submit.prevent="handleSubmit">
+            <MalioInputText
+                v-model="form.code"
+                :label="$t('admin.roles.code')"
+                input-class="w-full"
+                :disabled="isEditing"
+                :hint="isEditing ? $t('admin.roles.codeImmutable') : $t('admin.roles.codeHint')"
+                :error="touched.code && !codeValid ? $t('admin.roles.codeInvalid') : ''"
+                @blur="touched.code = true"
+            />
+            <MalioInputText
+                v-model="form.label"
+                :label="$t('admin.roles.label')"
+                input-class="w-full"
+                :error="touched.label && !form.label.trim() ? $t('admin.roles.labelRequired') : ''"
+                @blur="touched.label = true"
+            />
+            <MalioInputTextArea
+                v-model="form.description"
+                :label="$t('admin.roles.description')"
+                input-class="w-full"
+            />
+
+            <div class="mt-2">
+                <label class="text-sm font-semibold text-neutral-700">
+                    {{ $t('admin.roles.permissions') }}
+                </label>
+                <p v-if="permissions.length === 0" class="mt-2 text-xs text-neutral-400">
+                    {{ $t('admin.roles.noPermissions') }}
+                </p>
+                <div
+                    v-for="group in groupedPermissions"
+                    :key="group.module"
+                    class="mt-3 rounded-lg border border-neutral-200 p-3"
+                >
+                    <p class="mb-2 text-xs font-bold uppercase tracking-wide text-neutral-500">
+                        {{ group.module }}
+                    </p>
+                    <div class="flex flex-col gap-2">
+                        <label
+                            v-for="perm in group.permissions"
+                            :key="perm.id"
+                            class="flex items-start gap-2 text-sm text-neutral-700"
+                        >
+                            <input
+                                v-model="form.permissions"
+                                type="checkbox"
+                                :value="perm['@id']"
+                                class="mt-0.5 rounded border-neutral-300"
+                            />
+                            <span>
+                                {{ perm.label }}
+                                <span class="block text-xs text-neutral-400">{{ perm.code }}</span>
+                            </span>
+                        </label>
+                    </div>
+                </div>
+            </div>
+
+            <div class="mt-4 flex justify-end">
+                <MalioButton
+                    :label="$t('common.save')"
+                    button-class="w-auto px-6"
+                    :disabled="isSubmitting"
+                    @click="handleSubmit"
+                />
+            </div>
+        </form>
+    </MalioDrawer>
+</template>
+
+<script setup lang="ts">
+import type { Role, RoleWrite } from '~/modules/core/services/roles'
+import { useRoleService } from '~/modules/core/services/roles'
+import type { Permission } from '~/modules/core/services/permissions'
+
+const props = defineProps<{
+    modelValue: boolean
+    item: Role | null
+    permissions: Permission[]
+}>()
+
+const emit = defineEmits<{
+    (e: 'update:modelValue', value: boolean): void
+    (e: 'saved'): void
+}>()
+
+const isOpen = computed({
+    get: () => props.modelValue,
+    set: (v) => emit('update:modelValue', v),
+})
+
+const isEditing = computed(() => !!props.item)
+const isSubmitting = ref(false)
+
+const form = reactive({
+    code: '',
+    label: '',
+    description: '',
+    permissions: [] as string[],
+})
+
+const touched = reactive({
+    code: false,
+    label: false,
+})
+
+const codeValid = computed(() => /^[a-z][a-z0-9_]*$/.test(form.code))
+
+const groupedPermissions = computed(() => {
+    const byModule = new Map<string, Permission[]>()
+    for (const perm of props.permissions) {
+        const list = byModule.get(perm.module) ?? []
+        list.push(perm)
+        byModule.set(perm.module, list)
+    }
+    return [...byModule.entries()]
+        .map(([module, permissions]) => ({ module, permissions }))
+        .sort((a, b) => a.module.localeCompare(b.module))
+})
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        if (props.item) {
+            form.code = props.item.code
+            form.label = props.item.label
+            form.description = props.item.description ?? ''
+            form.permissions = props.item.permissions
+                .map((p) => p['@id'])
+                .filter((iri): iri is string => !!iri)
+        } else {
+            form.code = ''
+            form.label = ''
+            form.description = ''
+            form.permissions = []
+        }
+        touched.code = false
+        touched.label = false
+    }
+})
+
+const { create, update } = useRoleService()
+
+async function handleSubmit() {
+    touched.code = true
+    touched.label = true
+    if (!form.label.trim()) {
+        return
+    }
+    if (!isEditing.value && !codeValid.value) {
+        return
+    }
+
+    isSubmitting.value = true
+    try {
+        if (isEditing.value && props.item) {
+            const payload: Partial<RoleWrite> = {
+                label: form.label.trim(),
+                description: form.description.trim() || null,
+                permissions: form.permissions,
+            }
+            await update(props.item.id, payload)
+        } else {
+            const payload: RoleWrite = {
+                code: form.code.trim(),
+                label: form.label.trim(),
+                description: form.description.trim() || null,
+                permissions: form.permissions,
+            }
+            await create(payload)
+        }
+
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
diff --git a/frontend/components/admin/WorkflowDrawer.vue b/frontend/components/admin/WorkflowDrawer.vue
index 3ffd57d..0495956 100644
--- a/frontend/components/admin/WorkflowDrawer.vue
+++ b/frontend/components/admin/WorkflowDrawer.vue
@@ -96,11 +96,11 @@
 </template>
 
 <script setup lang="ts">
-import type { Workflow, StatusCategory } from '~/services/dto/workflow'
-import { STATUS_CATEGORY_COLOR } from '~/services/dto/workflow'
-import type { TaskStatusWrite } from '~/services/dto/task-status'
-import { useWorkflowService } from '~/services/workflows'
-import { useTaskStatusService } from '~/services/task-statuses'
+import type { Workflow, StatusCategory } from '~/modules/project-management/services/dto/workflow'
+import { STATUS_CATEGORY_COLOR } from '~/modules/project-management/services/dto/workflow'
+import type { TaskStatusWrite } from '~/modules/project-management/services/dto/task-status'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
 
 const { t } = useI18n()
 
diff --git a/frontend/components/share/SharedFilePreview.vue b/frontend/components/share/SharedFilePreview.vue
index ed3c0b2..60085ce 100644
--- a/frontend/components/share/SharedFilePreview.vue
+++ b/frontend/components/share/SharedFilePreview.vue
@@ -167,8 +167,8 @@
 </template>
 
 <script setup lang="ts">
-import type { FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
+import type { FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
 import { formatFileSize } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/user/UserDrawer.vue b/frontend/components/user/UserDrawer.vue
index 964f818..149f7e3 100644
--- a/frontend/components/user/UserDrawer.vue
+++ b/frontend/components/user/UserDrawer.vue
@@ -106,30 +106,43 @@ const touched = reactive({
     password: false,
 })
 
-watch(() => props.modelValue, (open) => {
-    if (open) {
-        if (props.item) {
-            form.username = props.item.username ?? ''
-            form.firstName = props.item.firstName ?? ''
-            form.lastName = props.item.lastName ?? ''
-            form.password = ''
-            form.roles = [...props.item.roles]
-            form.isEmployee = props.item.isEmployee ?? false
-        } else {
-            form.username = ''
-            form.firstName = ''
-            form.lastName = ''
-            form.password = ''
-            form.roles = ['ROLE_USER']
-            form.isEmployee = false
+const { create, update, getById } = useUserService()
+
+function applyUser(user: UserData) {
+    form.username = user.username ?? ''
+    form.firstName = user.firstName ?? ''
+    form.lastName = user.lastName ?? ''
+    form.password = ''
+    form.roles = [...user.roles]
+    form.isEmployee = user.isEmployee ?? false
+}
+
+watch(() => props.modelValue, async (open) => {
+    if (!open) {
+        return
+    }
+
+    touched.username = false
+    touched.password = false
+
+    if (props.item) {
+        applyUser(props.item)
+        try {
+            const full = await getById(props.item.id)
+            applyUser(full)
+        } catch {
+            // Keep the list data if the detailed fetch fails.
         }
-        touched.username = false
-        touched.password = false
+    } else {
+        form.username = ''
+        form.firstName = ''
+        form.lastName = ''
+        form.password = ''
+        form.roles = ['ROLE_USER']
+        form.isEmployee = false
     }
 })
 
-const { create, update } = useUserService()
-
 async function handleSubmit() {
     touched.username = true
     touched.password = true
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 3b3fbff..9c9c74a 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -1,789 +1,1004 @@
 {
-    "errors": {
-        "http": {
-            "get": "Impossible de récupérer les données.",
-            "post": "Impossible de créer la ressource.",
-            "put": "Impossible de mettre à jour la ressource.",
-            "patch": "Impossible de mettre à jour la ressource.",
-            "delete": "Impossible de supprimer la ressource."
-        },
-        "auth": {
-            "login": "Identifiants invalides.",
-            "logout": "Impossible de se déconnecter.",
-            "session": "Session expirée"
-        }
+  "errors": {
+    "http": {
+      "get": "Impossible de récupérer les données.",
+      "post": "Impossible de créer la ressource.",
+      "put": "Impossible de mettre à jour la ressource.",
+      "patch": "Impossible de mettre à jour la ressource.",
+      "delete": "Impossible de supprimer la ressource."
     },
-    "success": {
-        "auth": {
-            "login": "Connexion réussie.",
-            "logout": "Déconnexion réussie."
+    "auth": {
+      "login": "Identifiants invalides.",
+      "logout": "Impossible de se déconnecter.",
+      "session": "Session expirée"
+    }
+  },
+  "success": {
+    "auth": {
+      "login": "Connexion réussie.",
+      "logout": "Déconnexion réussie."
+    }
+  },
+  "clients": {
+    "created": "Client créé avec succès.",
+    "updated": "Client mis à jour avec succès.",
+    "deleted": "Client supprimé avec succès.",
+    "addClient": "Ajouter un client",
+    "editClient": "Modifier un client"
+  },
+  "projects": {
+    "title": "Projets",
+    "created": "Projet créé avec succès.",
+    "updated": "Projet mis à jour avec succès.",
+    "deleted": "Projet supprimé avec succès.",
+    "archived": "Projet archivé avec succès.",
+    "unarchived": "Projet désarchivé avec succès.",
+    "showArchived": "Voir les projets archivés",
+    "hideArchived": "Masquer les projets archivés",
+    "noProjects": "Aucun projet trouvé.",
+    "noArchivedProjects": "Aucun projet archivé.",
+    "addProject": "Ajouter un projet",
+    "addProjectShort": "Projet",
+    "editProject": "Modifier un projet",
+    "deleteConfirmTitle": "Supprimer le projet",
+    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce projet ? Cette action est irréversible.",
+    "cannotDelete": "Impossible de supprimer un projet contenant des tickets."
+  },
+  "taskStatuses": {
+    "created": "Statut créé avec succès.",
+    "updated": "Statut mis à jour avec succès.",
+    "deleted": "Statut supprimé avec succès.",
+    "addStatus": "Ajouter un statut",
+    "editStatus": "Modifier un statut",
+    "deleteStatus": "Supprimer le statut « {label} »",
+    "linkedTasks": "{count} tâche est liée à ce statut. Choisissez où les déplacer :",
+    "linkedTasksPlural": "{count} tâches sont liées à ce statut. Choisissez où les déplacer :",
+    "moveTo": "Déplacer vers",
+    "backlog": "Backlog (sans statut)"
+  },
+  "workflows": {
+    "title": "Workflows",
+    "addWorkflow": "Ajouter un workflow",
+    "editWorkflow": "Modifier le workflow",
+    "name": "Nom",
+    "isDefault": "Workflow par défaut",
+    "statuses": "Statuts",
+    "addStatus": "Ajouter un statut",
+    "category": "Catégorie",
+    "created": "Workflow créé",
+    "updated": "Workflow mis à jour",
+    "deleted": "Workflow supprimé",
+    "switched": "Workflow du projet changé",
+    "switchTitle": "Changer de workflow",
+    "switchTargetLabel": "Nouveau workflow",
+    "switchMappingTitle": "Mapping des statuts",
+    "switchSourceCol": "Statut actuel",
+    "switchTargetCol": "Statut cible",
+    "switchTaskCountCol": "Tâches",
+    "switchToBacklog": "Mapper vers le backlog",
+    "switchConfirm": "Confirmer la migration",
+    "switchSummary": "{count} tâche(s) migrée(s), projet sur workflow « {name} »",
+    "deleteUsedBy": "Workflow utilisé par {count} projet(s) — impossible de supprimer.",
+    "categories": {
+      "todo": "À faire",
+      "in_progress": "En cours",
+      "blocked": "Bloqué",
+      "review": "En validation",
+      "done": "Terminé"
+    }
+  },
+  "taskEfforts": {
+    "created": "Effort créé avec succès.",
+    "updated": "Effort mis à jour avec succès.",
+    "deleted": "Effort supprimé avec succès.",
+    "addEffort": "Ajouter un effort",
+    "editEffort": "Modifier un effort"
+  },
+  "taskPriorities": {
+    "created": "Priorité créée avec succès.",
+    "updated": "Priorité mise à jour avec succès.",
+    "deleted": "Priorité supprimée avec succès.",
+    "addPriority": "Ajouter une priorité",
+    "editPriority": "Modifier une priorité"
+  },
+  "taskTags": {
+    "created": "Tag créé avec succès.",
+    "updated": "Tag mis à jour avec succès.",
+    "deleted": "Tag supprimé avec succès.",
+    "addTag": "Ajouter un tag",
+    "editTag": "Modifier un tag"
+  },
+  "taskGroups": {
+    "created": "Groupe créé avec succès.",
+    "updated": "Groupe mis à jour avec succès.",
+    "deleted": "Groupe supprimé avec succès.",
+    "archived": "Groupe archivé avec succès.",
+    "unarchived": "Groupe désarchivé avec succès.",
+    "addGroup": "Ajouter un groupe",
+    "editGroup": "Modifier un groupe"
+  },
+  "taskDocuments": {
+    "title": "Documents",
+    "dropzone": "Glisser des fichiers ici ou cliquer pour sélectionner",
+    "uploaded": "Document ajouté avec succès.",
+    "deleted": "Document supprimé avec succès.",
+    "uploadError": "Erreur lors de l'upload du document.",
+    "confirmDeleteTitle": "Supprimer le document",
+    "confirmDeleteMessage": "Êtes-vous sûr de vouloir supprimer ce document ?",
+    "download": "Télécharger",
+    "copy": "Copier",
+    "copied": "Contenu copié !",
+    "maxSizeError": "Le fichier dépasse la taille maximale de 50 Mo.",
+    "linkShareButton": "Lier depuis le partage",
+    "linkShareTitle": "Lier un fichier du partage",
+    "linkShareHint": "Cliquez sur un dossier pour naviguer, sur un fichier pour le lier au ticket.",
+    "linkShareSuccess": "Fichier du partage lié au ticket.",
+    "linkShareError": "Impossible de lier ce fichier (type non autorisé ou introuvable).",
+    "shareLinkBadge": "Lien vers le partage",
+    "shareLinkLabel": "Partage"
+  },
+  "tasks": {
+    "created": "Ticket créé avec succès.",
+    "updated": "Ticket mis à jour avec succès.",
+    "deleted": "Ticket supprimé avec succès.",
+    "archived": "Ticket archivé avec succès.",
+    "unarchived": "Ticket désarchivé avec succès.",
+    "deleteConfirmTitle": "Supprimer le ticket",
+    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible.",
+    "addTask": "Ajouter un ticket",
+    "editTask": "Modifier un ticket",
+    "detailsTab": "Détails",
+    "planningTab": "Planification",
+    "planning": {
+      "dates": "Dates",
+      "scheduledStart": "Début planifié",
+      "scheduledEnd": "Fin planifiée",
+      "deadline": "Deadline",
+      "calendar": "Calendrier",
+      "syncToCalendar": "Envoyer au calendrier Zimbra",
+      "syncOk": "Synchronisé",
+      "recurrence": "Récurrence",
+      "isRecurring": "Tâche récurrente",
+      "type": "Type",
+      "daily": "Quotidien",
+      "weekly": "Hebdomadaire",
+      "monthly": "Mensuel",
+      "yearly": "Annuel",
+      "interval": "Intervalle",
+      "daysOfWeek": "Jours de la semaine",
+      "days": {
+        "mon": "Lu",
+        "tue": "Ma",
+        "wed": "Me",
+        "thu": "Je",
+        "fri": "Ve",
+        "sat": "Sa",
+        "sun": "Di"
+      },
+      "dayOfMonth": "Jour du mois",
+      "dayOfMonthLabel": "Jour (1-31)",
+      "weekOfMonth": "Semaine du mois",
+      "weekOfMonthLabel": "Semaine",
+      "dayLabel": "Jour",
+      "endRecurrence": "Fin de la récurrence",
+      "neverEnds": "Jamais",
+      "afterOccurrences": "Après X occurrences",
+      "occurrences": "Occurrences",
+      "onDate": "À une date",
+      "endDate": "Date de fin"
+    }
+  },
+  "users": {
+    "created": "Utilisateur créé avec succès.",
+    "updated": "Utilisateur mis à jour avec succès.",
+    "deleted": "Utilisateur supprimé avec succès.",
+    "addUser": "Ajouter un utilisateur",
+    "editUser": "Modifier un utilisateur"
+  },
+  "admin": {
+    "roles": {
+      "title": "Rôles",
+      "addRole": "Ajouter un rôle",
+      "editRole": "Modifier un rôle",
+      "empty": "Aucun rôle trouvé.",
+      "system": "Système",
+      "code": "Code",
+      "codeHint": "Identifiant technique en snake_case (immuable).",
+      "codeImmutable": "Le code ne peut pas être modifié après création.",
+      "codeInvalid": "Code invalide (attendu snake_case : minuscules, chiffres et underscores).",
+      "label": "Libellé",
+      "labelRequired": "Le libellé est requis.",
+      "description": "Description",
+      "permissions": "Permissions",
+      "noPermissions": "Aucune permission disponible.",
+      "created": "Rôle créé avec succès.",
+      "updated": "Rôle mis à jour avec succès.",
+      "deleted": "Rôle supprimé avec succès."
+    },
+    "audit": {
+      "title": "Audit",
+      "empty": "Aucune entrée d'audit trouvée.",
+      "date": "Date",
+      "performedBy": "Utilisateur",
+      "entityType": "Type d'entité",
+      "action": "Action",
+      "entityId": "Identifiant",
+      "filterEntityType": "Type d'entité",
+      "filterEntityTypeAll": "Tous les types",
+      "filterAction": "Action",
+      "filterActionAll": "Toutes les actions",
+      "previous": "Précédent",
+      "next": "Suivant",
+      "page": "Page {page}"
+    }
+  },
+  "audit": {
+    "entity": {
+      "core": {
+        "User": "Utilisateur",
+        "Role": "Rôle",
+        "Permission": "Permission"
+      }
+    },
+    "action": {
+      "create": "Création",
+      "update": "Modification",
+      "delete": "Suppression"
+    }
+  },
+  "timeEntries": {
+    "created": "Temps enregistré",
+    "updated": "Temps modifié",
+    "deleted": "Temps supprimé",
+    "noEntries": "Aucune activité pour cette période",
+    "addEntry": "Ajouter une Activité",
+    "editEntry": "Modifier un temps",
+    "export": "Exporter",
+    "exportTitle": "Exporter les temps",
+    "exportCurrentMonth": "Mois en cours",
+    "exportLastMonth": "Mois dernier",
+    "exportCustomPeriod": "Période personnalisée",
+    "exportFrom": "Du",
+    "exportTo": "Au",
+    "exportUsers": "Utilisateurs",
+    "exportClient": "Client",
+    "exportProjects": "Projets",
+    "exportTags": "Tags",
+    "exportAllClients": "Tous les clients",
+    "exportLoading": "Export en cours...",
+    "exportSuccess": "Export terminé !",
+    "exportError": "Erreur lors de l'export."
+  },
+  "archive": {
+    "title": "Archives",
+    "empty": "Aucun ticket archivé.",
+    "archiveButton": "Archiver",
+    "unarchiveButton": "Désarchiver",
+    "showArchived": "Voir les groupes archivés",
+    "hideArchived": "Masquer les groupes archivés",
+    "statusFinal": "Statut final",
+    "groupArchiveDisabled": "Tous les tickets doivent être en statut final pour archiver le groupe.",
+    "groupNonFinalTasks": "Il reste {count} ticket(s) sans statut final dans ce groupe."
+  },
+  "myTasks": {
+    "title": "Mes tâches",
+    "viewKanban": "Vue Kanban",
+    "viewList": "Vue Liste",
+    "allProjects": "Tous les projets",
+    "allGroups": "Tous les groupes",
+    "allTypes": "Tous les types",
+    "allPriorities": "Toutes les priorités",
+    "allEfforts": "Tous les efforts",
+    "allAssignees": "Tous",
+    "noTasks": "Aucune tâche",
+    "backlog": "Backlog",
+    "createTask": "Créer une tâche",
+    "sortBy": "Trier par",
+    "sortDefault": "Par défaut",
+    "sortDeadline": "Échéance",
+    "sortScheduledStart": "Date planifiée",
+    "dropRefused": "Aucun statut de cette colonne dans le workflow de ce projet"
+  },
+  "dashboard": {
+    "title": "Tableau de bord",
+    "noData": "Aucune donnée",
+    "noPriority": "Sans priorité",
+    "noProject": "Sans projet",
+    "hoursWorked": "Heures travaillées",
+    "inProgress": "En cours",
+    "done": "Terminé",
+    "filters": {
+      "period": "Période",
+      "project": "Projet",
+      "user": "Utilisateur",
+      "allProjects": "Tous les projets",
+      "allUsers": "Tous les utilisateurs"
+    },
+    "periods": {
+      "thisWeek": "Cette semaine",
+      "lastWeek": "Semaine dernière",
+      "thisMonth": "Ce mois",
+      "lastMonth": "Mois dernier"
+    },
+    "stats": {
+      "hoursPeriod": "Heures sur la période",
+      "myActiveTasks": "Mes tâches actives",
+      "completed": "terminée(s)",
+      "totalTasks": "Tâches totales",
+      "unassigned": "non assignée(s)",
+      "projects": "Projets",
+      "users": "utilisateur(s)"
+    },
+    "charts": {
+      "hoursByDay": "Heures par jour",
+      "hoursByProject": "Temps par projet",
+      "tasksByStatus": "Tâches par statut",
+      "tasksByPriority": "Tâches par priorité",
+      "tasksByProject": "Tâches par projet"
+    },
+    "days": {
+      "mon": "Lun",
+      "tue": "Mar",
+      "wed": "Mer",
+      "thu": "Jeu",
+      "fri": "Ven",
+      "sat": "Sam",
+      "sun": "Dim"
+    }
+  },
+  "sidebar": {
+    "myTasks": "Mes tâches",
+    "general": {
+      "section": "Gestion de projet",
+      "dashboard": "Tableau de bord",
+      "myTasks": "Mes tâches",
+      "projects": "Projets",
+      "timeTracking": "Suivi de temps",
+      "mail": "Messagerie"
+    },
+    "admin": {
+      "section": "Administration",
+      "teamAbsences": "Absences équipe",
+      "administration": "Administration",
+      "directory": "Répertoire",
+      "reporting": "Rapports"
+    }
+  },
+  "reporting": {
+    "title": "Rapports",
+    "export": "Exporter (CSV)",
+    "empty": "Aucune donnée pour cette période.",
+    "filters": {
+      "period": "Période",
+      "from": "Du",
+      "to": "Au",
+      "project": "Projet",
+      "allProjects": "Tous les projets",
+      "user": "Utilisateur",
+      "allUsers": "Tous les utilisateurs"
+    },
+    "periods": {
+      "thisMonth": "Mois courant",
+      "lastMonth": "Mois dernier",
+      "custom": "Personnalisé"
+    },
+    "sections": {
+      "timePerProject": "Temps par projet",
+      "timePerUser": "Temps par utilisateur",
+      "tasksByStatus": "Tâches par statut",
+      "absencesByType": "Absences par type"
+    },
+    "columns": {
+      "project": "Projet",
+      "code": "Code",
+      "user": "Utilisateur",
+      "status": "Statut",
+      "type": "Type",
+      "hours": "Heures",
+      "entries": "Nb saisies",
+      "count": "Nombre",
+      "days": "Jours"
+    },
+    "absenceTypes": {
+      "cp": "Congés payés",
+      "mariage_pacs": "Mariage / PACS",
+      "naissance": "Naissance",
+      "conge_parental": "Congé parental",
+      "deces": "Décès proche",
+      "maladie": "Arrêt maladie"
+    }
+  },
+  "common": {
+    "cancel": "Annuler",
+    "save": "Enregistrer",
+    "edit": "Modifier",
+    "delete": "Supprimer",
+    "add": "Ajouter",
+    "loading": "Chargement...",
+    "archived": "Archivé",
+    "noClient": "Aucun client",
+    "untitled": "Sans titre",
+    "dateFilter": "Date",
+    "today": "Aujourd'hui",
+    "thisWeek": "Cette semaine",
+    "clear": "Effacer",
+    "day": "Jour",
+    "weekShort": "Sem.",
+    "submit": "Soumettre",
+    "close": "Fermer",
+    "back": "Retour"
+  },
+  "gitea": {
+    "settings": {
+      "title": "Configuration Gitea",
+      "url": "URL du serveur",
+      "urlPlaceholder": "https://git.example.com",
+      "token": "Token API",
+      "tokenPlaceholder": "Entrez un nouveau token",
+      "tokenConfigured": "Token configuré",
+      "save": "Enregistrer",
+      "saved": "Configuration Gitea sauvegardée.",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie.",
+      "testFailed": "Connexion échouée."
+    },
+    "branch": {
+      "title": "Git",
+      "create": "Créer une branche",
+      "created": "Branche créée avec succès.",
+      "copy": "Copier le nom",
+      "copied": "Nom de branche copié.",
+      "type": "Type",
+      "baseBranch": "Branche de base",
+      "preview": "Aperçu",
+      "types": {
+        "feature": "feature",
+        "fix": "fix",
+        "refactor": "refactor",
+        "hotfix": "hotfix",
+        "chore": "chore"
+      },
+      "noBranches": "Aucune branche liée.",
+      "commits": "Commits",
+      "noCommits": "Aucun commit."
+    },
+    "pr": {
+      "title": "Pull Requests",
+      "noPrs": "Aucune pull request.",
+      "open": "Ouverte",
+      "merged": "Mergée",
+      "closed": "Fermée",
+      "ci": "CI/CD"
+    },
+    "error": "Erreur de connexion à Gitea.",
+    "notConfigured": "Gitea non configuré pour ce projet."
+  },
+  "notification": {
+    "title": "Notifications",
+    "markAllRead": "Tout marquer comme lu",
+    "empty": "Aucune notification",
+    "ticketCreated": "Nouveau ticket client {number}",
+    "ticketStatusChanged": "Ticket {number} mis à jour",
+    "timeAgo": {
+      "now": "À l'instant",
+      "minutes": "Il y a {n} min",
+      "hours": "Il y a {n}h",
+      "days": "Il y a {n}j"
+    }
+  },
+  "profile": {
+    "title": "Mon profil",
+    "changeAvatar": "Changer l'avatar",
+    "removeAvatar": "Supprimer l'avatar",
+    "cropAvatar": "Recadrer l'avatar",
+    "apiToken": {
+      "title": "Token API MCP",
+      "help": "Utilisé pour authentifier le serveur MCP HTTP (à coller dans le header Authorization: Bearer …). Ne pas partager.",
+      "label": "Token",
+      "empty": "Aucun token généré pour le moment.",
+      "generate": "Générer un token",
+      "regenerate": "Régénérer",
+      "copy": "Copier",
+      "copied": "Token copié dans le presse-papiers.",
+      "copyFailed": "Impossible de copier le token.",
+      "regenerated": "Nouveau token généré. L'ancien token est désormais invalide.",
+      "confirmTitle": "Régénérer le token MCP ?",
+      "confirmMessage": "L'ancien token sera immédiatement invalidé. Tous les clients MCP utilisant ce token devront être reconfigurés."
+    }
+  },
+  "bookstack": {
+    "settings": {
+      "title": "Configuration BookStack",
+      "url": "URL du serveur",
+      "urlPlaceholder": "https://wiki.example.com",
+      "tokenId": "Token ID",
+      "tokenIdPlaceholder": "Entrez le Token ID",
+      "tokenSecret": "Token Secret",
+      "tokenSecretPlaceholder": "Entrez le Token Secret",
+      "tokenConfigured": "Token configuré",
+      "save": "Enregistrer",
+      "saved": "Configuration BookStack sauvegardée.",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie.",
+      "testFailed": "Connexion échouée."
+    },
+    "links": {
+      "title": "Documentation",
+      "searchPlaceholder": "Rechercher une page ou un livre...",
+      "noResults": "Aucun résultat",
+      "empty": "Aucun document lié"
+    }
+  },
+  "zimbra": {
+    "settings": {
+      "title": "Calendrier Zimbra",
+      "serverUrl": "URL du serveur CalDAV",
+      "serverUrlPlaceholder": "https://mail.ovh.com",
+      "username": "Nom d'utilisateur",
+      "usernamePlaceholder": "user{'@'}domain.com",
+      "calendarPath": "Chemin du calendrier",
+      "calendarPathPlaceholder": "/dav/user{'@'}domain.com/Calendar/",
+      "password": "Mot de passe",
+      "passwordConfigured": "Mot de passe configuré",
+      "enabled": "Activer la synchronisation CalDAV",
+      "save": "Enregistrer",
+      "saved": "Configuration Zimbra enregistrée",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie",
+      "testFailed": "Connexion échouée"
+    }
+  },
+  "sharedFiles": {
+    "title": "Documents",
+    "root": "Racine",
+    "empty": "Ce dossier est vide.",
+    "noResults": "Aucun document ne correspond à votre recherche.",
+    "searchPlaceholder": "Rechercher dans tout le partage…",
+    "download": "Télécharger",
+    "reload": "Recharger",
+    "previewError": "Aperçu impossible. Téléchargez le fichier pour l'ouvrir.",
+    "colName": "Nom",
+    "colSize": "Taille",
+    "colModified": "Modifié le",
+    "sidebar": {
+      "title": "Documents"
+    }
+  },
+  "adminShare": {
+    "title": "Partage réseau (SMB)",
+    "host": "Serveur",
+    "hostPlaceholder": "ex. WIN-SRV ou 192.168.1.10",
+    "shareName": "Nom du partage",
+    "shareNamePlaceholder": "ex. Documents",
+    "basePath": "Sous-dossier racine (optionnel)",
+    "basePathPlaceholder": "ex. /Projets",
+    "domain": "Domaine / groupe de travail",
+    "domainPlaceholder": "WORKGROUP",
+    "username": "Identifiant",
+    "usernamePlaceholder": "ex. lesstime",
+    "password": "Mot de passe",
+    "passwordConfigured": "Un mot de passe est déjà enregistré.",
+    "enabled": "Activer l'accès au partage",
+    "save": "Enregistrer",
+    "saved": "Configuration enregistrée.",
+    "testConnection": "Tester la connexion",
+    "testSuccess": "Connexion réussie.",
+    "testFailed": "Échec de la connexion."
+  },
+  "taskRecurrence": {
+    "created": "Récurrence créée",
+    "updated": "Récurrence mise à jour",
+    "deleted": "Récurrence supprimée"
+  },
+  "recurrence": {
+    "daily": "Quotidien",
+    "weekly": "Hebdomadaire",
+    "monthly": "Mensuel",
+    "yearly": "Annuel"
+  },
+  "mail": {
+    "title": "Messagerie",
+    "sidebar": {
+      "title": "Messagerie",
+      "ariaLabel": "Accès à la messagerie, {count} messages non lus"
+    },
+    "admin": {
+      "title": "Configuration messagerie",
+      "protocol": "Protocole",
+      "imapSection": "Réception (IMAP)",
+      "smtpSection": "Envoi (SMTP)",
+      "host": "Serveur",
+      "port": "Port",
+      "encryption": "Chiffrement",
+      "username": "Adresse e-mail",
+      "password": "Mot de passe",
+      "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
+      "sentFolderPath": "Dossier des envois",
+      "enabled": "Activer la synchronisation mail",
+      "test": "Tester la connexion",
+      "testSuccess": "Connexion IMAP réussie",
+      "testFailed": "Échec de connexion",
+      "save": "Enregistrer",
+      "saveSuccess": "Configuration enregistrée",
+      "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
+    },
+    "folders": "Dossiers",
+    "messages": "Messages",
+    "viewer": "Lecture",
+    "empty": {
+      "folder": "Aucun dossier disponible.",
+      "list": "Aucun message dans ce dossier.",
+      "viewer": "Sélectionnez un message pour le lire."
+    },
+    "preview": {
+      "open": "Prévisualiser",
+      "close": "Fermer l'aperçu",
+      "loading": "Chargement de l'aperçu…",
+      "unavailable": "Aperçu indisponible pour ce type de fichier."
+    },
+    "folderTree": {
+      "expand": "Déplier le dossier",
+      "collapse": "Replier le dossier"
+    },
+    "systemFolder": {
+      "inbox": "Boîte de réception",
+      "sent": "Éléments envoyés",
+      "drafts": "Brouillons",
+      "archive": "Archives",
+      "trash": "Corbeille",
+      "junk": "Indésirables"
+    },
+    "actions": {
+      "refresh": "Actualiser",
+      "createTask": "Créer une tâche",
+      "linkTask": "Lier à une tâche",
+      "markRead": "Marquer comme lu",
+      "markUnread": "Marquer comme non lu",
+      "flag": "Marquer important",
+      "unflag": "Retirer l'importance",
+      "download": "Télécharger",
+      "showImages": "Afficher les images"
+    },
+    "errors": {
+      "syncFailed": "Erreur lors de la synchronisation.",
+      "fetchFailed": "Impossible de charger les messages.",
+      "notAuthorized": "Vous n'avez pas accès à la messagerie."
+    },
+    "configuration": {
+      "saved": "Configuration mail enregistrée."
+    },
+    "task": {
+      "created": "Tâche créée depuis le mail.",
+      "linked": "Mail lié à la tâche.",
+      "unlinked": "Lien supprimé."
+    },
+    "createTaskModal": {
+      "title": "Créer une tâche depuis ce mail",
+      "submit": "Créer la tâche",
+      "projectLabel": "Projet *",
+      "projectPlaceholder": "Sélectionner un projet",
+      "groupLabel": "Groupe (optionnel)",
+      "groupPlaceholder": "Aucun groupe",
+      "statusLabel": "Statut",
+      "assigneeLabel": "Assigné à",
+      "assigneePlaceholder": "Aucun",
+      "titleHint": "Le titre sera rempli depuis le sujet du mail.",
+      "descriptionHint": "La description sera remplie depuis le corps du mail."
+    },
+    "linkTaskModal": {
+      "title": "Lier à une tâche existante",
+      "submit": "Lier la tâche",
+      "searchPlaceholder": "Rechercher une tâche par titre…",
+      "projectFilter": "Filtrer par projet",
+      "projectAll": "Tous les projets",
+      "empty": "Aucune tâche correspondante.",
+      "loading": "Recherche en cours…"
+    },
+    "taskTab": {
+      "title": "Mails",
+      "empty": "Aucun mail lié à cette tâche.",
+      "openInMailer": "Ouvrir dans la messagerie",
+      "unlinkConfirm": "Délier ce mail ?"
+    },
+    "sync": {
+      "dispatched": "Synchronisation lancée en arrière-plan."
+    },
+    "attachments": "Pièces jointes",
+    "noAttachments": "Aucune pièce jointe.",
+    "from": "De",
+    "to": "À",
+    "cc": "Cc",
+    "date": "Date",
+    "subject": "Sujet",
+    "noSubject": "(Sans objet)",
+    "loadMore": "Charger plus",
+    "loading": "Chargement…",
+    "hasAttachments": "Pièces jointes",
+    "unread": "non lu | non lus",
+    "remoteImagesBlocked": "Les images distantes sont masquées pour votre sécurité."
+  },
+  "absences": {
+    "title": "Mes absences",
+    "teamTitle": "Absences de l'équipe",
+    "newRequest": "Nouvelle demande",
+    "daySingular": "jour",
+    "daysPlural": "jours",
+    "noBalance": "Aucun solde à afficher.",
+    "noRequests": "Aucune demande.",
+    "remaining": "restants",
+    "acquired": "acquis",
+    "acquiredN1": "Acquis (N-1)",
+    "acquiringN": "En cours d'acquisition (N)",
+    "acquiringHint": "posables par anticipation",
+    "taken": "pris",
+    "pending": "en attente",
+    "available": "disponible",
+    "types": {
+      "cp": "Congés payés",
+      "mariage_pacs": "Mariage / PACS",
+      "naissance": "Naissance",
+      "conge_parental": "Congé parental",
+      "deces": "Décès proche",
+      "maladie": "Arrêt maladie"
+    },
+    "status": {
+      "pending": "En attente",
+      "approved": "Approuvée",
+      "rejected": "Refusée",
+      "cancelled": "Annulée"
+    },
+    "halfDay": {
+      "matin": "Matin",
+      "apres_midi": "Après-midi"
+    },
+    "table": {
+      "type": "Type",
+      "period": "Période",
+      "days": "Jours",
+      "status": "Statut",
+      "employee": "Salarié",
+      "year": "Année",
+      "requestedAt": "Demandé le",
+      "actions": "Actions"
+    },
+    "filters": {
+      "allStatuses": "Tous les statuts",
+      "allTypes": "Tous les types",
+      "allYears": "Toutes les années",
+      "allEmployees": "Tous les salariés"
+    },
+    "form": {
+      "type": "Type d'absence",
+      "startDate": "Date de début",
+      "endDate": "Date de fin",
+      "startHalfDay": "Demi-journée (début)",
+      "endHalfDay": "Demi-journée (fin)",
+      "halfDayCheckbox": "Demi-journée",
+      "reason": "Motif",
+      "reasonPlaceholder": "Précisez le motif si nécessaire…",
+      "justification": "Justificatif",
+      "computed": "{days} décompté(s)",
+      "balanceAfter": "Solde restant après cette demande : {value}",
+      "negativeWarning": "Cette demande dépasse votre solde disponible.",
+      "noticeWarning": "Le délai de prévenance ({days} jours) n'est pas respecté.",
+      "submit": "Soumettre la demande",
+      "justificationRequired": "Un justificatif est requis pour ce type d'absence.",
+      "fullDay": "Journée entière",
+      "balanceAt": "Solde au {date}",
+      "balanceAfterValidation": "Solde après validation",
+      "duration": "Durée de la demande",
+      "commentPlaceholder": "Écrire un commentaire…",
+      "serverError": "La demande n'a pas pu être enregistrée.",
+      "errors": {
+        "typeRequired": "Veuillez choisir un type d'absence.",
+        "startRequired": "Veuillez indiquer une date de début.",
+        "endRequired": "Veuillez indiquer une date de fin.",
+        "endBeforeStart": "La date de fin doit être après la date de début.",
+        "zeroDays": "La période sélectionnée ne décompte aucun jour.",
+        "justificationRequired": "Un justificatif est obligatoire pour ce type d'absence."
+      }
+    },
+    "detail": {
+      "title": "Détail de la demande",
+      "timeline": "Historique",
+      "created": "Demande créée",
+      "reviewed": "Traitée par {name}",
+      "rejectionReason": "Motif du refus",
+      "downloadJustification": "Télécharger le justificatif",
+      "cancel": "Annuler ma demande",
+      "cancelConfirm": "Annuler cette demande ?"
+    },
+    "review": {
+      "approve": "Valider",
+      "reject": "Refuser",
+      "rejectTitle": "Refuser la demande",
+      "rejectReasonLabel": "Motif du refus",
+      "rejectReasonPlaceholder": "Expliquez la raison du refus…",
+      "confirm": "Confirmer"
+    },
+    "admin": {
+      "tabs": {
+        "requests": "Demandes",
+        "calendar": "Calendrier",
+        "balances": "Soldes",
+        "employees": "Employés"
+      },
+      "kpis": {
+        "pending": "En attente",
+        "todayAbsent": "Absents aujourd'hui",
+        "weekAbsent": "Absents cette semaine"
+      },
+      "balancesTable": {
+        "employee": "Salarié",
+        "type": "Type",
+        "period": "Période",
+        "acquired": "Acquis (N-1)",
+        "acquiring": "En cours (N)",
+        "taken": "Pris",
+        "pending": "En attente",
+        "available": "Disponible",
+        "adjust": "Ajuster"
+      },
+      "adjust": {
+        "title": "Ajuster le solde",
+        "acquired": "Acquis (N-1)",
+        "acquiring": "En cours d'acquisition (N)",
+        "taken": "Pris",
+        "save": "Enregistrer"
+      },
+      "employees": {
+        "columns": {
+          "name": "Nom",
+          "contract": "Contrat",
+          "cpTaken": "CP pris",
+          "cpRemaining": "CP restants"
+        },
+        "empty": "Aucun employé. Cochez « Employé » sur un utilisateur dans l'administration.",
+        "noContract": "—",
+        "drawer": {
+          "title": "Informations employé",
+          "save": "Enregistrer"
+        },
+        "fields": {
+          "hireDate": "Date d'embauche",
+          "endDate": "Date de sortie",
+          "contractType": "Type de contrat",
+          "workTimeRatio": "Temps de travail (ex : 1.0)",
+          "annualLeaveDays": "CP annuels (jours)",
+          "referencePeriodStart": "Début période réf. (MM-DD)",
+          "initialLeaveBalance": "Solde CP initial"
+        },
+        "contract": {
+          "cdi": "CDI",
+          "cdd": "CDD",
+          "stage": "Stage",
+          "alternance": "Alternance",
+          "autre": "Autre"
         }
+      }
+    },
+    "policies": {
+      "title": "Politiques d'absence",
+      "subtitle": "Réglez les défauts par type d'absence — convention de référence : Syntec (IDCC 1486), à confirmer selon le code APE.",
+      "type": "Type",
+      "daysPerYear": "Jours / an",
+      "daysPerEvent": "Jours / événement",
+      "justificationRequired": "Justificatif requis",
+      "noticeDays": "Délai prévenance (j)",
+      "countWorkingDaysOnly": "Jours ouvrés",
+      "active": "Actif",
+      "save": "Enregistrer"
+    },
+    "toast": {
+      "created": "Demande d'absence créée.",
+      "approved": "Demande validée.",
+      "rejected": "Demande refusée.",
+      "cancelled": "Demande annulée.",
+      "justificationUploaded": "Justificatif ajouté.",
+      "balanceAdjusted": "Solde ajusté.",
+      "policyUpdated": "Politique mise à jour."
+    }
+  },
+  "prospects": {
+    "created": "Prospect créé avec succès.",
+    "updated": "Prospect mis à jour avec succès.",
+    "deleted": "Prospect supprimé avec succès.",
+    "converted": "Prospect converti en client avec succès.",
+    "addProspect": "Ajouter un prospect",
+    "editProspect": "Modifier un prospect",
+    "convert": "Convertir en client",
+    "alreadyConverted": "Déjà converti en client",
+    "fields": {
+      "name": "Nom",
+      "company": "Société",
+      "email": "Email",
+      "phone": "Téléphone",
+      "street": "Rue",
+      "city": "Ville",
+      "postalCode": "Code postal",
+      "status": "Statut",
+      "source": "Source",
+      "notes": "Notes"
+    },
+    "status": {
+      "new": "Nouveau",
+      "contacted": "Contacté",
+      "qualified": "Qualifié",
+      "won": "Gagné",
+      "lost": "Perdu"
+    },
+    "validation": {
+      "nameRequired": "Le nom est requis"
+    }
+  },
+  "directory": {
+    "title": "Répertoire",
+    "tabs": {
+      "clients": "Clients",
+      "prospects": "Prospects",
+      "contact": "Contact",
+      "address": "Adresse",
+      "report": "Rapport"
     },
     "clients": {
-        "created": "Client créé avec succès.",
-        "updated": "Client mis à jour avec succès.",
-        "deleted": "Client supprimé avec succès.",
-        "addClient": "Ajouter un client",
-        "editClient": "Modifier un client"
+      "add": "Ajouter un client",
+      "empty": "Aucun client trouvé."
     },
-    "projects": {
-        "title": "Projets",
-        "created": "Projet créé avec succès.",
-        "updated": "Projet mis à jour avec succès.",
-        "deleted": "Projet supprimé avec succès.",
-        "archived": "Projet archivé avec succès.",
-        "unarchived": "Projet désarchivé avec succès.",
-        "showArchived": "Voir les projets archivés",
-        "hideArchived": "Masquer les projets archivés",
-        "noProjects": "Aucun projet trouvé.",
-        "noArchivedProjects": "Aucun projet archivé.",
-        "addProject": "Ajouter un projet",
-        "addProjectShort": "Projet",
-        "editProject": "Modifier un projet",
-        "deleteConfirmTitle": "Supprimer le projet",
-        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce projet ? Cette action est irréversible.",
-        "cannotDelete": "Impossible de supprimer un projet contenant des tickets."
+    "prospects": {
+      "add": "Ajouter un prospect",
+      "empty": "Aucun prospect trouvé.",
+      "allStatuses": "Tous les statuts"
     },
-    "taskStatuses": {
-        "created": "Statut créé avec succès.",
-        "updated": "Statut mis à jour avec succès.",
-        "deleted": "Statut supprimé avec succès.",
-        "addStatus": "Ajouter un statut",
-        "editStatus": "Modifier un statut",
-        "deleteStatus": "Supprimer le statut « {label} »",
-        "linkedTasks": "{count} tâche est liée à ce statut. Choisissez où les déplacer :",
-        "linkedTasksPlural": "{count} tâches sont liées à ce statut. Choisissez où les déplacer :",
-        "moveTo": "Déplacer vers",
-        "backlog": "Backlog (sans statut)"
+    "contacts": {
+      "add": "Ajouter un contact",
+      "item": "Contact {n}",
+      "saved": "Contact enregistré.",
+      "deleted": "Contact supprimé.",
+      "fields": {
+        "lastName": "Nom",
+        "firstName": "Prénom",
+        "jobTitle": "Fonction",
+        "email": "Email",
+        "phonePrimary": "Téléphone",
+        "phoneSecondary": "Téléphone secondaire"
+      }
     },
-    "workflows": {
-        "title": "Workflows",
-        "addWorkflow": "Ajouter un workflow",
-        "editWorkflow": "Modifier le workflow",
-        "name": "Nom",
-        "isDefault": "Workflow par défaut",
-        "statuses": "Statuts",
-        "addStatus": "Ajouter un statut",
-        "category": "Catégorie",
-        "created": "Workflow créé",
-        "updated": "Workflow mis à jour",
-        "deleted": "Workflow supprimé",
-        "switched": "Workflow du projet changé",
-        "switchTitle": "Changer de workflow",
-        "switchTargetLabel": "Nouveau workflow",
-        "switchMappingTitle": "Mapping des statuts",
-        "switchSourceCol": "Statut actuel",
-        "switchTargetCol": "Statut cible",
-        "switchTaskCountCol": "Tâches",
-        "switchToBacklog": "Mapper vers le backlog",
-        "switchConfirm": "Confirmer la migration",
-        "switchSummary": "{count} tâche(s) migrée(s), projet sur workflow « {name} »",
-        "deleteUsedBy": "Workflow utilisé par {count} projet(s) — impossible de supprimer.",
-        "categories": {
-            "todo": "À faire",
-            "in_progress": "En cours",
-            "blocked": "Bloqué",
-            "review": "En validation",
-            "done": "Terminé"
-        }
+    "addresses": {
+      "add": "Ajouter une adresse",
+      "item": "Adresse {n}",
+      "saved": "Adresse enregistrée.",
+      "deleted": "Adresse supprimée.",
+      "fields": {
+        "label": "Libellé",
+        "street": "Rue",
+        "streetComplement": "Complément",
+        "postalCode": "Code postal",
+        "city": "Ville"
+      }
     },
-    "taskEfforts": {
-        "created": "Effort créé avec succès.",
-        "updated": "Effort mis à jour avec succès.",
-        "deleted": "Effort supprimé avec succès.",
-        "addEffort": "Ajouter un effort",
-        "editEffort": "Modifier un effort"
+    "reports": {
+      "add": "Ajouter un compte-rendu",
+      "empty": "Aucun compte-rendu.",
+      "saved": "Compte-rendu enregistré.",
+      "deleted": "Compte-rendu supprimé.",
+      "fields": {
+        "subject": "Objet",
+        "type": "Type d'échange",
+        "occurredAt": "Date",
+        "body": "Compte-rendu"
+      },
+      "types": {
+        "call": "Appel",
+        "meeting": "Rendez-vous",
+        "email": "Email",
+        "note": "Note"
+      }
     },
-    "taskPriorities": {
-        "created": "Priorité créée avec succès.",
-        "updated": "Priorité mise à jour avec succès.",
-        "deleted": "Priorité supprimée avec succès.",
-        "addPriority": "Ajouter une priorité",
-        "editPriority": "Modifier une priorité"
-    },
-    "taskTags": {
-        "created": "Tag créé avec succès.",
-        "updated": "Tag mis à jour avec succès.",
-        "deleted": "Tag supprimé avec succès.",
-        "addTag": "Ajouter un tag",
-        "editTag": "Modifier un tag"
-    },
-    "taskGroups": {
-        "created": "Groupe créé avec succès.",
-        "updated": "Groupe mis à jour avec succès.",
-        "deleted": "Groupe supprimé avec succès.",
-        "archived": "Groupe archivé avec succès.",
-        "unarchived": "Groupe désarchivé avec succès.",
-        "addGroup": "Ajouter un groupe",
-        "editGroup": "Modifier un groupe"
-    },
-    "taskDocuments": {
-        "title": "Documents",
-        "dropzone": "Glisser des fichiers ici ou cliquer pour sélectionner",
-        "uploaded": "Document ajouté avec succès.",
-        "deleted": "Document supprimé avec succès.",
-        "uploadError": "Erreur lors de l'upload du document.",
-        "confirmDeleteTitle": "Supprimer le document",
-        "confirmDeleteMessage": "Êtes-vous sûr de vouloir supprimer ce document ?",
-        "download": "Télécharger",
-        "copy": "Copier",
-        "copied": "Contenu copié !",
-        "maxSizeError": "Le fichier dépasse la taille maximale de 50 Mo.",
-        "linkShareButton": "Lier depuis le partage",
-        "linkShareTitle": "Lier un fichier du partage",
-        "linkShareHint": "Cliquez sur un dossier pour naviguer, sur un fichier pour le lier au ticket.",
-        "linkShareSuccess": "Fichier du partage lié au ticket.",
-        "linkShareError": "Impossible de lier ce fichier (type non autorisé ou introuvable).",
-        "shareLinkBadge": "Lien vers le partage",
-        "shareLinkLabel": "Partage"
-    },
-    "tasks": {
-        "created": "Ticket créé avec succès.",
-        "updated": "Ticket mis à jour avec succès.",
-        "deleted": "Ticket supprimé avec succès.",
-        "archived": "Ticket archivé avec succès.",
-        "unarchived": "Ticket désarchivé avec succès.",
-        "deleteConfirmTitle": "Supprimer le ticket",
-        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible.",
-        "addTask": "Ajouter un ticket",
-        "editTask": "Modifier un ticket",
-        "detailsTab": "Détails",
-        "planningTab": "Planification",
-        "planning": {
-            "dates": "Dates",
-            "scheduledStart": "Début planifié",
-            "scheduledEnd": "Fin planifiée",
-            "deadline": "Deadline",
-            "calendar": "Calendrier",
-            "syncToCalendar": "Envoyer au calendrier Zimbra",
-            "syncOk": "Synchronisé",
-            "recurrence": "Récurrence",
-            "isRecurring": "Tâche récurrente",
-            "type": "Type",
-            "daily": "Quotidien",
-            "weekly": "Hebdomadaire",
-            "monthly": "Mensuel",
-            "yearly": "Annuel",
-            "interval": "Intervalle",
-            "daysOfWeek": "Jours de la semaine",
-            "days": {
-                "mon": "Lu",
-                "tue": "Ma",
-                "wed": "Me",
-                "thu": "Je",
-                "fri": "Ve",
-                "sat": "Sa",
-                "sun": "Di"
-            },
-            "dayOfMonth": "Jour du mois",
-            "dayOfMonthLabel": "Jour (1-31)",
-            "weekOfMonth": "Semaine du mois",
-            "weekOfMonthLabel": "Semaine",
-            "dayLabel": "Jour",
-            "endRecurrence": "Fin de la récurrence",
-            "neverEnds": "Jamais",
-            "afterOccurrences": "Après X occurrences",
-            "occurrences": "Occurrences",
-            "onDate": "À une date",
-            "endDate": "Date de fin"
-        }
-    },
-    "users": {
-        "created": "Utilisateur créé avec succès.",
-        "updated": "Utilisateur mis à jour avec succès.",
-        "deleted": "Utilisateur supprimé avec succès.",
-        "addUser": "Ajouter un utilisateur",
-        "editUser": "Modifier un utilisateur"
-    },
-    "timeEntries": {
-        "created": "Temps enregistré",
-        "updated": "Temps modifié",
-        "deleted": "Temps supprimé",
-        "noEntries": "Aucune activité pour cette période",
-        "addEntry": "Ajouter une Activité",
-        "editEntry": "Modifier un temps",
-        "export": "Exporter",
-        "exportTitle": "Exporter les temps",
-        "exportCurrentMonth": "Mois en cours",
-        "exportLastMonth": "Mois dernier",
-        "exportCustomPeriod": "Période personnalisée",
-        "exportFrom": "Du",
-        "exportTo": "Au",
-        "exportUsers": "Utilisateurs",
-        "exportClient": "Client",
-        "exportProjects": "Projets",
-        "exportTags": "Tags",
-        "exportAllClients": "Tous les clients",
-        "exportLoading": "Export en cours...",
-        "exportSuccess": "Export terminé !",
-        "exportError": "Erreur lors de l'export."
-    },
-    "archive": {
-        "title": "Archives",
-        "empty": "Aucun ticket archivé.",
-        "archiveButton": "Archiver",
-        "unarchiveButton": "Désarchiver",
-        "showArchived": "Voir les groupes archivés",
-        "hideArchived": "Masquer les groupes archivés",
-        "statusFinal": "Statut final",
-        "groupArchiveDisabled": "Tous les tickets doivent être en statut final pour archiver le groupe.",
-        "groupNonFinalTasks": "Il reste {count} ticket(s) sans statut final dans ce groupe."
-    },
-    "myTasks": {
-        "title": "Mes tâches",
-        "viewKanban": "Vue Kanban",
-        "viewList": "Vue Liste",
-        "allProjects": "Tous les projets",
-        "allGroups": "Tous les groupes",
-        "allTypes": "Tous les types",
-        "allPriorities": "Toutes les priorités",
-        "allEfforts": "Tous les efforts",
-        "allAssignees": "Tous",
-        "noTasks": "Aucune tâche",
-        "backlog": "Backlog",
-        "createTask": "Créer une tâche",
-        "sortBy": "Trier par",
-        "sortDefault": "Par défaut",
-        "sortDeadline": "Échéance",
-        "sortScheduledStart": "Date planifiée",
-        "dropRefused": "Aucun statut de cette colonne dans le workflow de ce projet"
-    },
-    "dashboard": {
-        "title": "Tableau de bord",
-        "noData": "Aucune donnée",
-        "noPriority": "Sans priorité",
-        "noProject": "Sans projet",
-        "hoursWorked": "Heures travaillées",
-        "inProgress": "En cours",
-        "done": "Terminé",
-        "filters": {
-            "period": "Période",
-            "project": "Projet",
-            "user": "Utilisateur",
-            "allProjects": "Tous les projets",
-            "allUsers": "Tous les utilisateurs"
-        },
-        "periods": {
-            "thisWeek": "Cette semaine",
-            "lastWeek": "Semaine dernière",
-            "thisMonth": "Ce mois",
-            "lastMonth": "Mois dernier"
-        },
-        "stats": {
-            "hoursPeriod": "Heures sur la période",
-            "myActiveTasks": "Mes tâches actives",
-            "completed": "terminée(s)",
-            "totalTasks": "Tâches totales",
-            "unassigned": "non assignée(s)",
-            "projects": "Projets",
-            "users": "utilisateur(s)"
-        },
-        "charts": {
-            "hoursByDay": "Heures par jour",
-            "hoursByProject": "Temps par projet",
-            "tasksByStatus": "Tâches par statut",
-            "tasksByPriority": "Tâches par priorité",
-            "tasksByProject": "Tâches par projet"
-        },
-        "days": {
-            "mon": "Lun",
-            "tue": "Mar",
-            "wed": "Mer",
-            "thu": "Jeu",
-            "fri": "Ven",
-            "sat": "Sam",
-            "sun": "Dim"
-        }
-    },
-    "sidebar": {
-        "myTasks": "Mes tâches"
-    },
-    "common": {
-        "cancel": "Annuler",
-        "save": "Enregistrer",
-        "edit": "Modifier",
-        "delete": "Supprimer",
-        "add": "Ajouter",
-        "loading": "Chargement...",
-        "archived": "Archivé",
-        "noClient": "Aucun client",
-        "untitled": "Sans titre",
-        "dateFilter": "Date",
-        "today": "Aujourd'hui",
-        "thisWeek": "Cette semaine",
-        "clear": "Effacer",
-        "day": "Jour",
-        "weekShort": "Sem."
-    },
-    "gitea": {
-        "settings": {
-            "title": "Configuration Gitea",
-            "url": "URL du serveur",
-            "urlPlaceholder": "https://git.example.com",
-            "token": "Token API",
-            "tokenPlaceholder": "Entrez un nouveau token",
-            "tokenConfigured": "Token configuré",
-            "save": "Enregistrer",
-            "saved": "Configuration Gitea sauvegardée.",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie.",
-            "testFailed": "Connexion échouée."
-        },
-        "branch": {
-            "title": "Git",
-            "create": "Créer une branche",
-            "created": "Branche créée avec succès.",
-            "copy": "Copier le nom",
-            "copied": "Nom de branche copié.",
-            "type": "Type",
-            "baseBranch": "Branche de base",
-            "preview": "Aperçu",
-            "types": {
-                "feature": "feature",
-                "fix": "fix",
-                "refactor": "refactor",
-                "hotfix": "hotfix",
-                "chore": "chore"
-            },
-            "noBranches": "Aucune branche liée.",
-            "commits": "Commits",
-            "noCommits": "Aucun commit."
-        },
-        "pr": {
-            "title": "Pull Requests",
-            "noPrs": "Aucune pull request.",
-            "open": "Ouverte",
-            "merged": "Mergée",
-            "closed": "Fermée",
-            "ci": "CI/CD"
-        },
-        "error": "Erreur de connexion à Gitea.",
-        "notConfigured": "Gitea non configuré pour ce projet."
-    },
-    "notification": {
-        "title": "Notifications",
-        "markAllRead": "Tout marquer comme lu",
-        "empty": "Aucune notification",
-        "ticketCreated": "Nouveau ticket client {number}",
-        "ticketStatusChanged": "Ticket {number} mis à jour",
-        "timeAgo": {
-            "now": "À l'instant",
-            "minutes": "Il y a {n} min",
-            "hours": "Il y a {n}h",
-            "days": "Il y a {n}j"
-        }
-    },
-    "profile": {
-        "title": "Mon profil",
-        "changeAvatar": "Changer l'avatar",
-        "removeAvatar": "Supprimer l'avatar",
-        "cropAvatar": "Recadrer l'avatar",
-        "apiToken": {
-            "title": "Token API MCP",
-            "help": "Utilisé pour authentifier le serveur MCP HTTP (à coller dans le header Authorization: Bearer …). Ne pas partager.",
-            "label": "Token",
-            "empty": "Aucun token généré pour le moment.",
-            "generate": "Générer un token",
-            "regenerate": "Régénérer",
-            "copy": "Copier",
-            "copied": "Token copié dans le presse-papiers.",
-            "copyFailed": "Impossible de copier le token.",
-            "regenerated": "Nouveau token généré. L'ancien token est désormais invalide.",
-            "confirmTitle": "Régénérer le token MCP ?",
-            "confirmMessage": "L'ancien token sera immédiatement invalidé. Tous les clients MCP utilisant ce token devront être reconfigurés."
-        }
-    },
-    "bookstack": {
-        "settings": {
-            "title": "Configuration BookStack",
-            "url": "URL du serveur",
-            "urlPlaceholder": "https://wiki.example.com",
-            "tokenId": "Token ID",
-            "tokenIdPlaceholder": "Entrez le Token ID",
-            "tokenSecret": "Token Secret",
-            "tokenSecretPlaceholder": "Entrez le Token Secret",
-            "tokenConfigured": "Token configuré",
-            "save": "Enregistrer",
-            "saved": "Configuration BookStack sauvegardée.",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie.",
-            "testFailed": "Connexion échouée."
-        },
-        "links": {
-            "title": "Documentation",
-            "searchPlaceholder": "Rechercher une page ou un livre...",
-            "noResults": "Aucun résultat",
-            "empty": "Aucun document lié"
-        }
-    },
-    "zimbra": {
-        "settings": {
-            "title": "Calendrier Zimbra",
-            "serverUrl": "URL du serveur CalDAV",
-            "serverUrlPlaceholder": "https://mail.ovh.com",
-            "username": "Nom d'utilisateur",
-            "usernamePlaceholder": "user{'@'}domain.com",
-            "calendarPath": "Chemin du calendrier",
-            "calendarPathPlaceholder": "/dav/user{'@'}domain.com/Calendar/",
-            "password": "Mot de passe",
-            "passwordConfigured": "Mot de passe configuré",
-            "enabled": "Activer la synchronisation CalDAV",
-            "save": "Enregistrer",
-            "saved": "Configuration Zimbra enregistrée",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie",
-            "testFailed": "Connexion échouée"
-        }
-    },
-    "sharedFiles": {
-        "title": "Documents",
-        "root": "Racine",
-        "empty": "Ce dossier est vide.",
-        "noResults": "Aucun document ne correspond à votre recherche.",
-        "searchPlaceholder": "Rechercher dans tout le partage…",
-        "download": "Télécharger",
-        "reload": "Recharger",
-        "previewError": "Aperçu impossible. Téléchargez le fichier pour l'ouvrir.",
-        "colName": "Nom",
-        "colSize": "Taille",
-        "colModified": "Modifié le",
-        "sidebar": {
-            "title": "Documents"
-        }
-    },
-    "adminShare": {
-        "title": "Partage réseau (SMB)",
-        "host": "Serveur",
-        "hostPlaceholder": "ex. WIN-SRV ou 192.168.1.10",
-        "shareName": "Nom du partage",
-        "shareNamePlaceholder": "ex. Documents",
-        "basePath": "Sous-dossier racine (optionnel)",
-        "basePathPlaceholder": "ex. /Projets",
-        "domain": "Domaine / groupe de travail",
-        "domainPlaceholder": "WORKGROUP",
-        "username": "Identifiant",
-        "usernamePlaceholder": "ex. lesstime",
-        "password": "Mot de passe",
-        "passwordConfigured": "Un mot de passe est déjà enregistré.",
-        "enabled": "Activer l'accès au partage",
-        "save": "Enregistrer",
-        "saved": "Configuration enregistrée.",
-        "testConnection": "Tester la connexion",
-        "testSuccess": "Connexion réussie.",
-        "testFailed": "Échec de la connexion."
-    },
-    "taskRecurrence": {
-        "created": "Récurrence créée",
-        "updated": "Récurrence mise à jour",
-        "deleted": "Récurrence supprimée"
-    },
-    "recurrence": {
-        "daily": "Quotidien",
-        "weekly": "Hebdomadaire",
-        "monthly": "Mensuel",
-        "yearly": "Annuel"
-    },
-    "mail": {
-        "title": "Messagerie",
-        "sidebar": {
-            "title": "Messagerie",
-            "ariaLabel": "Accès à la messagerie, {count} messages non lus"
-        },
-        "admin": {
-            "title": "Configuration messagerie",
-            "protocol": "Protocole",
-            "imapSection": "Réception (IMAP)",
-            "smtpSection": "Envoi (SMTP)",
-            "host": "Serveur",
-            "port": "Port",
-            "encryption": "Chiffrement",
-            "username": "Adresse e-mail",
-            "password": "Mot de passe",
-            "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
-            "sentFolderPath": "Dossier des envois",
-            "enabled": "Activer la synchronisation mail",
-            "test": "Tester la connexion",
-            "testSuccess": "Connexion IMAP réussie",
-            "testFailed": "Échec de connexion",
-            "save": "Enregistrer",
-            "saveSuccess": "Configuration enregistrée",
-            "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
-        },
-        "folders": "Dossiers",
-        "messages": "Messages",
-        "viewer": "Lecture",
-        "empty": {
-            "folder": "Aucun dossier disponible.",
-            "list": "Aucun message dans ce dossier.",
-            "viewer": "Sélectionnez un message pour le lire."
-        },
-        "preview": {
-            "open": "Prévisualiser",
-            "close": "Fermer l'aperçu",
-            "loading": "Chargement de l'aperçu…",
-            "unavailable": "Aperçu indisponible pour ce type de fichier."
-        },
-        "folderTree": {
-            "expand": "Déplier le dossier",
-            "collapse": "Replier le dossier"
-        },
-        "systemFolder": {
-            "inbox": "Boîte de réception",
-            "sent": "Éléments envoyés",
-            "drafts": "Brouillons",
-            "archive": "Archives",
-            "trash": "Corbeille",
-            "junk": "Indésirables"
-        },
-        "actions": {
-            "refresh": "Actualiser",
-            "createTask": "Créer une tâche",
-            "linkTask": "Lier à une tâche",
-            "markRead": "Marquer comme lu",
-            "markUnread": "Marquer comme non lu",
-            "flag": "Marquer important",
-            "unflag": "Retirer l'importance",
-            "download": "Télécharger",
-            "showImages": "Afficher les images"
-        },
-        "errors": {
-            "syncFailed": "Erreur lors de la synchronisation.",
-            "fetchFailed": "Impossible de charger les messages.",
-            "notAuthorized": "Vous n'avez pas accès à la messagerie."
-        },
-        "configuration": {
-            "saved": "Configuration mail enregistrée."
-        },
-        "task": {
-            "created": "Tâche créée depuis le mail.",
-            "linked": "Mail lié à la tâche.",
-            "unlinked": "Lien supprimé."
-        },
-        "createTaskModal": {
-            "title": "Créer une tâche depuis ce mail",
-            "submit": "Créer la tâche",
-            "projectLabel": "Projet *",
-            "projectPlaceholder": "Sélectionner un projet",
-            "groupLabel": "Groupe (optionnel)",
-            "groupPlaceholder": "Aucun groupe",
-            "statusLabel": "Statut",
-            "assigneeLabel": "Assigné à",
-            "assigneePlaceholder": "Aucun",
-            "titleHint": "Le titre sera rempli depuis le sujet du mail.",
-            "descriptionHint": "La description sera remplie depuis le corps du mail."
-        },
-        "linkTaskModal": {
-            "title": "Lier à une tâche existante",
-            "submit": "Lier la tâche",
-            "searchPlaceholder": "Rechercher une tâche par titre…",
-            "projectFilter": "Filtrer par projet",
-            "projectAll": "Tous les projets",
-            "empty": "Aucune tâche correspondante.",
-            "loading": "Recherche en cours…"
-        },
-        "taskTab": {
-            "title": "Mails",
-            "empty": "Aucun mail lié à cette tâche.",
-            "openInMailer": "Ouvrir dans la messagerie",
-            "unlinkConfirm": "Délier ce mail ?"
-        },
-        "sync": {
-            "dispatched": "Synchronisation lancée en arrière-plan."
-        },
-        "attachments": "Pièces jointes",
-        "noAttachments": "Aucune pièce jointe.",
-        "from": "De",
-        "to": "À",
-        "cc": "Cc",
-        "date": "Date",
-        "subject": "Sujet",
-        "noSubject": "(Sans objet)",
-        "loadMore": "Charger plus",
-        "loading": "Chargement…",
-        "hasAttachments": "Pièces jointes",
-        "unread": "non lu | non lus",
-        "remoteImagesBlocked": "Les images distantes sont masquées pour votre sécurité."
-    },
-    "absences": {
-        "title": "Mes absences",
-        "teamTitle": "Absences de l'équipe",
-        "newRequest": "Nouvelle demande",
-        "daySingular": "jour",
-        "daysPlural": "jours",
-        "noBalance": "Aucun solde à afficher.",
-        "noRequests": "Aucune demande.",
-        "remaining": "restants",
-        "acquired": "acquis",
-        "acquiredN1": "Acquis (N-1)",
-        "acquiringN": "En cours d'acquisition (N)",
-        "acquiringHint": "posables par anticipation",
-        "taken": "pris",
-        "pending": "en attente",
-        "available": "disponible",
-        "types": {
-            "cp": "Congés payés",
-            "mariage_pacs": "Mariage / PACS",
-            "naissance": "Naissance",
-            "conge_parental": "Congé parental",
-            "deces": "Décès proche",
-            "maladie": "Arrêt maladie"
-        },
-        "status": {
-            "pending": "En attente",
-            "approved": "Approuvée",
-            "rejected": "Refusée",
-            "cancelled": "Annulée"
-        },
-        "halfDay": {
-            "matin": "Matin",
-            "apres_midi": "Après-midi"
-        },
-        "table": {
-            "type": "Type",
-            "period": "Période",
-            "days": "Jours",
-            "status": "Statut",
-            "employee": "Salarié",
-            "year": "Année",
-            "requestedAt": "Demandé le",
-            "actions": "Actions"
-        },
-        "filters": {
-            "allStatuses": "Tous les statuts",
-            "allTypes": "Tous les types",
-            "allYears": "Toutes les années",
-            "allEmployees": "Tous les salariés"
-        },
-        "form": {
-            "type": "Type d'absence",
-            "startDate": "Date de début",
-            "endDate": "Date de fin",
-            "startHalfDay": "Demi-journée (début)",
-            "endHalfDay": "Demi-journée (fin)",
-            "halfDayCheckbox": "Demi-journée",
-            "reason": "Motif",
-            "reasonPlaceholder": "Précisez le motif si nécessaire…",
-            "justification": "Justificatif",
-            "computed": "{days} décompté(s)",
-            "balanceAfter": "Solde restant après cette demande : {value}",
-            "negativeWarning": "Cette demande dépasse votre solde disponible.",
-            "noticeWarning": "Le délai de prévenance ({days} jours) n'est pas respecté.",
-            "submit": "Soumettre la demande",
-            "justificationRequired": "Un justificatif est requis pour ce type d'absence.",
-            "fullDay": "Journée entière",
-            "balanceAt": "Solde au {date}",
-            "balanceAfterValidation": "Solde après validation",
-            "duration": "Durée de la demande",
-            "commentPlaceholder": "Écrire un commentaire…",
-            "serverError": "La demande n'a pas pu être enregistrée.",
-            "errors": {
-                "typeRequired": "Veuillez choisir un type d'absence.",
-                "startRequired": "Veuillez indiquer une date de début.",
-                "endRequired": "Veuillez indiquer une date de fin.",
-                "endBeforeStart": "La date de fin doit être après la date de début.",
-                "zeroDays": "La période sélectionnée ne décompte aucun jour.",
-                "justificationRequired": "Un justificatif est obligatoire pour ce type d'absence."
-            }
-        },
-        "detail": {
-            "title": "Détail de la demande",
-            "timeline": "Historique",
-            "created": "Demande créée",
-            "reviewed": "Traitée par {name}",
-            "rejectionReason": "Motif du refus",
-            "downloadJustification": "Télécharger le justificatif",
-            "cancel": "Annuler ma demande",
-            "cancelConfirm": "Annuler cette demande ?"
-        },
-        "review": {
-            "approve": "Valider",
-            "reject": "Refuser",
-            "rejectTitle": "Refuser la demande",
-            "rejectReasonLabel": "Motif du refus",
-            "rejectReasonPlaceholder": "Expliquez la raison du refus…",
-            "confirm": "Confirmer"
-        },
-        "admin": {
-            "tabs": {
-                "requests": "Demandes",
-                "calendar": "Calendrier",
-                "balances": "Soldes",
-                "employees": "Employés"
-            },
-            "kpis": {
-                "pending": "En attente",
-                "todayAbsent": "Absents aujourd'hui",
-                "weekAbsent": "Absents cette semaine"
-            },
-            "balancesTable": {
-                "employee": "Salarié",
-                "type": "Type",
-                "period": "Période",
-                "acquired": "Acquis (N-1)",
-                "acquiring": "En cours (N)",
-                "taken": "Pris",
-                "pending": "En attente",
-                "available": "Disponible",
-                "adjust": "Ajuster"
-            },
-            "adjust": {
-                "title": "Ajuster le solde",
-                "acquired": "Acquis (N-1)",
-                "acquiring": "En cours d'acquisition (N)",
-                "taken": "Pris",
-                "save": "Enregistrer"
-            },
-            "employees": {
-                "columns": {
-                    "name": "Nom",
-                    "contract": "Contrat",
-                    "cpTaken": "CP pris",
-                    "cpRemaining": "CP restants"
-                },
-                "empty": "Aucun employé. Cochez « Employé » sur un utilisateur dans l'administration.",
-                "noContract": "—",
-                "drawer": {
-                    "title": "Informations employé",
-                    "save": "Enregistrer"
-                },
-                "fields": {
-                    "hireDate": "Date d'embauche",
-                    "endDate": "Date de sortie",
-                    "contractType": "Type de contrat",
-                    "workTimeRatio": "Temps de travail (ex : 1.0)",
-                    "annualLeaveDays": "CP annuels (jours)",
-                    "referencePeriodStart": "Début période réf. (MM-DD)",
-                    "initialLeaveBalance": "Solde CP initial"
-                },
-                "contract": {
-                    "cdi": "CDI",
-                    "cdd": "CDD",
-                    "stage": "Stage",
-                    "alternance": "Alternance",
-                    "autre": "Autre"
-                }
-            }
-        },
-        "policies": {
-            "title": "Politiques d'absence",
-            "subtitle": "Réglez les défauts par type d'absence — convention de référence : Syntec (IDCC 1486), à confirmer selon le code APE.",
-            "type": "Type",
-            "daysPerYear": "Jours / an",
-            "daysPerEvent": "Jours / événement",
-            "justificationRequired": "Justificatif requis",
-            "noticeDays": "Délai prévenance (j)",
-            "countWorkingDaysOnly": "Jours ouvrés",
-            "active": "Actif",
-            "save": "Enregistrer"
-        },
-        "toast": {
-            "created": "Demande d'absence créée.",
-            "approved": "Demande validée.",
-            "rejected": "Demande refusée.",
-            "cancelled": "Demande annulée.",
-            "justificationUploaded": "Justificatif ajouté.",
-            "balanceAdjusted": "Solde ajusté.",
-            "policyUpdated": "Politique mise à jour."
-        }
+    "documents": {
+      "add": "Joindre un document",
+      "uploading": "Envoi…",
+      "empty": "Aucun document.",
+      "deleted": "Document supprimé."
     }
+  }
 }
diff --git a/frontend/middleware/auth.global.ts b/frontend/middleware/auth.global.ts
deleted file mode 100644
index 18799ca..0000000
--- a/frontend/middleware/auth.global.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-export default defineNuxtRouteMiddleware(async (to) => {
-    const auth = useAuthStore()
-    const isLogin = to.path === '/login'
-
-    if (!auth.checked) {
-        await auth.ensureSession()
-    }
-
-    if (!isLogin && !auth.isAuthenticated) {
-        return navigateTo('/login')
-    }
-
-    if (isLogin && auth.isAuthenticated) {
-        return navigateTo('/')
-    }
-})
diff --git a/frontend/modules/.gitkeep b/frontend/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/frontend/components/absence/AbsenceBalanceAdjustDrawer.vue b/frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
similarity index 93%
rename from frontend/components/absence/AbsenceBalanceAdjustDrawer.vue
rename to frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
index d85d9a0..cda4b04 100644
--- a/frontend/components/absence/AbsenceBalanceAdjustDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
@@ -19,8 +19,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
+import type { AbsenceBalance } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceBalanceCards.vue b/frontend/modules/absence/components/AbsenceBalanceCards.vue
similarity index 97%
rename from frontend/components/absence/AbsenceBalanceCards.vue
rename to frontend/modules/absence/components/AbsenceBalanceCards.vue
index b811b5e..02beddf 100644
--- a/frontend/components/absence/AbsenceBalanceCards.vue
+++ b/frontend/modules/absence/components/AbsenceBalanceCards.vue
@@ -73,8 +73,7 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance } from '~/services/dto/absence'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceBalance } from '~/modules/absence/services/dto/absence'
 
 const props = defineProps<{
     balances: AbsenceBalance[]
diff --git a/frontend/components/absence/AbsenceCalendar.vue b/frontend/modules/absence/components/AbsenceCalendar.vue
similarity index 96%
rename from frontend/components/absence/AbsenceCalendar.vue
rename to frontend/modules/absence/components/AbsenceCalendar.vue
index 604bf76..f9bf4e6 100644
--- a/frontend/components/absence/AbsenceCalendar.vue
+++ b/frontend/modules/absence/components/AbsenceCalendar.vue
@@ -52,9 +52,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     absences: AbsenceRequest[]
diff --git a/frontend/components/absence/AbsenceDateField.vue b/frontend/modules/absence/components/AbsenceDateField.vue
similarity index 96%
rename from frontend/components/absence/AbsenceDateField.vue
rename to frontend/modules/absence/components/AbsenceDateField.vue
index fbf31e9..2e96309 100644
--- a/frontend/components/absence/AbsenceDateField.vue
+++ b/frontend/modules/absence/components/AbsenceDateField.vue
@@ -29,7 +29,7 @@
 </template>
 
 <script setup lang="ts">
-import type { HalfDay } from '~/services/dto/absence'
+import type { HalfDay } from '~/modules/absence/services/dto/absence'
 
 const props = withDefaults(defineProps<{
     /** ISO date string "YYYY-MM-DD" or null. */
diff --git a/frontend/components/absence/AbsenceDetailDrawer.vue b/frontend/modules/absence/components/AbsenceDetailDrawer.vue
similarity index 97%
rename from frontend/components/absence/AbsenceDetailDrawer.vue
rename to frontend/modules/absence/components/AbsenceDetailDrawer.vue
index 1ba3820..7870c3f 100644
--- a/frontend/components/absence/AbsenceDetailDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceDetailDrawer.vue
@@ -135,9 +135,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceRejectDrawer.vue b/frontend/modules/absence/components/AbsenceRejectDrawer.vue
similarity index 91%
rename from frontend/components/absence/AbsenceRejectDrawer.vue
rename to frontend/modules/absence/components/AbsenceRejectDrawer.vue
index 1828743..074efbd 100644
--- a/frontend/components/absence/AbsenceRejectDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceRejectDrawer.vue
@@ -26,9 +26,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceRequestDrawer.vue b/frontend/modules/absence/components/AbsenceRequestDrawer.vue
similarity index 98%
rename from frontend/components/absence/AbsenceRequestDrawer.vue
rename to frontend/modules/absence/components/AbsenceRequestDrawer.vue
index 35b4ce0..34ba73f 100644
--- a/frontend/components/absence/AbsenceRequestDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceRequestDrawer.vue
@@ -105,9 +105,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsencePolicy, AbsencePreviewResult, AbsenceType, HalfDay } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsencePolicy, AbsencePreviewResult, AbsenceType, HalfDay } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/EmployeeDrawer.vue b/frontend/modules/absence/components/EmployeeDrawer.vue
similarity index 100%
rename from frontend/components/absence/EmployeeDrawer.vue
rename to frontend/modules/absence/components/EmployeeDrawer.vue
diff --git a/frontend/composables/useAbsenceHelpers.ts b/frontend/modules/absence/composables/useAbsenceHelpers.ts
similarity index 98%
rename from frontend/composables/useAbsenceHelpers.ts
rename to frontend/modules/absence/composables/useAbsenceHelpers.ts
index 3921706..07b03c3 100644
--- a/frontend/composables/useAbsenceHelpers.ts
+++ b/frontend/modules/absence/composables/useAbsenceHelpers.ts
@@ -1,4 +1,4 @@
-import type { AbsenceRequest, AbsenceStatus, AbsenceType, HalfDay } from '~/services/dto/absence'
+import type { AbsenceRequest, AbsenceStatus, AbsenceType, HalfDay } from '~/modules/absence/services/dto/absence'
 
 export type BadgeVariant = 'neutral' | 'info' | 'success' | 'warning' | 'danger'
 
diff --git a/frontend/modules/absence/nuxt.config.ts b/frontend/modules/absence/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/absence/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/absences.vue b/frontend/modules/absence/pages/absences.vue
similarity index 97%
rename from frontend/pages/absences.vue
rename to frontend/modules/absence/pages/absences.vue
index 7b68792..9f569c0 100644
--- a/frontend/pages/absences.vue
+++ b/frontend/modules/absence/pages/absences.vue
@@ -69,9 +69,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance, AbsencePolicy, AbsenceRequest, AbsenceStatus, AbsenceType } from '~/services/dto/absence'
-import { useAbsenceService, type AbsenceRequestFilters } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceBalance, AbsencePolicy, AbsenceRequest, AbsenceStatus, AbsenceType } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService, type AbsenceRequestFilters } from '~/modules/absence/services/absences'
 
 type Row = AbsenceRequest & { typeLabelText: string; periodText: string; daysText: string; createdAtText: string }
 
diff --git a/frontend/pages/team-absences.vue b/frontend/modules/absence/pages/team-absences.vue
similarity index 99%
rename from frontend/pages/team-absences.vue
rename to frontend/modules/absence/pages/team-absences.vue
index 389e55e..385bdba 100644
--- a/frontend/pages/team-absences.vue
+++ b/frontend/modules/absence/pages/team-absences.vue
@@ -198,12 +198,11 @@ import type {
     AbsenceRequest,
     AbsenceStatus,
     AbsenceType,
-} from "~/services/dto/absence";
+} from "~/modules/absence/services/dto/absence";
 import {
     useAbsenceService,
     type AbsenceRequestFilters,
-} from "~/services/absences";
-import { useAbsenceHelpers } from "~/composables/useAbsenceHelpers";
+} from "~/modules/absence/services/absences";
 import { useUserService } from "~/services/users";
 import type { UserData } from "~/services/dto/user-data";
 
diff --git a/frontend/services/absences.ts b/frontend/modules/absence/services/absences.ts
similarity index 100%
rename from frontend/services/absences.ts
rename to frontend/modules/absence/services/absences.ts
diff --git a/frontend/services/dto/absence.ts b/frontend/modules/absence/services/dto/absence.ts
similarity index 100%
rename from frontend/services/dto/absence.ts
rename to frontend/modules/absence/services/dto/absence.ts
diff --git a/frontend/modules/core/composables/usePermissions.ts b/frontend/modules/core/composables/usePermissions.ts
new file mode 100644
index 0000000..0a9425a
--- /dev/null
+++ b/frontend/modules/core/composables/usePermissions.ts
@@ -0,0 +1,27 @@
+export function usePermissions() {
+    const auth = useAuthStore()
+
+    function isAdmin(): boolean {
+        return auth.user?.roles?.includes('ROLE_ADMIN') ?? false
+    }
+
+    function can(code: string): boolean {
+        if (!auth.user) {
+            return false
+        }
+        if (isAdmin()) {
+            return true
+        }
+        return auth.user.effectivePermissions?.includes(code) ?? false
+    }
+
+    function canAny(codes: string[]): boolean {
+        return codes.some((c) => can(c))
+    }
+
+    function canAll(codes: string[]): boolean {
+        return codes.every((c) => can(c))
+    }
+
+    return { can, canAny, canAll, isAdmin }
+}
diff --git a/frontend/modules/core/nuxt.config.ts b/frontend/modules/core/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/core/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/login.vue b/frontend/modules/core/pages/login.vue
similarity index 100%
rename from frontend/pages/login.vue
rename to frontend/modules/core/pages/login.vue
diff --git a/frontend/pages/profile.vue b/frontend/modules/core/pages/profile.vue
similarity index 100%
rename from frontend/pages/profile.vue
rename to frontend/modules/core/pages/profile.vue
diff --git a/frontend/modules/core/services/audit-logs.ts b/frontend/modules/core/services/audit-logs.ts
new file mode 100644
index 0000000..3af46d7
--- /dev/null
+++ b/frontend/modules/core/services/audit-logs.ts
@@ -0,0 +1,65 @@
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type AuditLogAction = 'create' | 'update' | 'delete'
+
+export type AuditLogItem = {
+    id: string
+    '@id'?: string
+    entityType: string
+    entityId: string
+    action: AuditLogAction
+    changes: Record<string, unknown>
+    performedBy: string
+    performedAt: string
+    ipAddress: string | null
+    requestId: string | null
+}
+
+export type AuditLogQuery = {
+    page?: number
+    entityType?: string
+    action?: AuditLogAction
+}
+
+export type AuditLogPage = {
+    items: AuditLogItem[]
+    totalItems: number
+}
+
+export type AuditLogEntityTypes = {
+    '@id'?: string
+    entityTypes: string[]
+}
+
+export function useAuditLogService() {
+    const api = useApi()
+
+    async function list(params: AuditLogQuery = {}): Promise<AuditLogPage> {
+        const query: Record<string, unknown> = {}
+        if (params.page !== undefined) {
+            query.page = params.page
+        }
+        if (params.entityType) {
+            query.entity_type = params.entityType
+        }
+        if (params.action) {
+            query.action = params.action
+        }
+
+        const data = await api.get<HydraCollection<AuditLogItem>>('/audit-logs', query)
+        return {
+            items: extractHydraMembers(data),
+            totalItems: data['hydra:totalItems'] ?? data['totalItems'] ?? 0,
+        }
+    }
+
+    async function entityTypes(): Promise<string[]> {
+        // `/audit-log-entity-types` is a single API Platform item resource
+        // (not a hydra collection): it returns `{ entityTypes: string[] }`.
+        const data = await api.get<AuditLogEntityTypes>('/audit-log-entity-types')
+        return data.entityTypes ?? []
+    }
+
+    return { list, entityTypes }
+}
diff --git a/frontend/modules/core/services/permissions.ts b/frontend/modules/core/services/permissions.ts
new file mode 100644
index 0000000..bcad3ea
--- /dev/null
+++ b/frontend/modules/core/services/permissions.ts
@@ -0,0 +1,22 @@
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type Permission = {
+    id: number
+    '@id'?: string
+    code: string
+    label: string
+    module: string
+    orphan?: boolean
+}
+
+export function usePermissionService() {
+    const api = useApi()
+
+    async function list(): Promise<Permission[]> {
+        const data = await api.get<HydraCollection<Permission>>('/permissions')
+        return extractHydraMembers(data)
+    }
+
+    return { list }
+}
diff --git a/frontend/modules/core/services/roles.ts b/frontend/modules/core/services/roles.ts
new file mode 100644
index 0000000..24bcdea
--- /dev/null
+++ b/frontend/modules/core/services/roles.ts
@@ -0,0 +1,50 @@
+import type { Permission } from './permissions'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type Role = {
+    id: number
+    '@id'?: string
+    code: string
+    label: string
+    description?: string | null
+    isSystem: boolean
+    permissions: Permission[]
+}
+
+export type RoleWrite = {
+    code?: string
+    label: string
+    description?: string | null
+    /** IRIs of the granted permissions (e.g. /api/permissions/3). */
+    permissions: string[]
+}
+
+export function useRoleService() {
+    const api = useApi()
+
+    async function list(): Promise<Role[]> {
+        const data = await api.get<HydraCollection<Role>>('/roles')
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: RoleWrite): Promise<Role> {
+        return api.post<Role>('/roles', payload as Record<string, unknown>, {
+            toastSuccessKey: 'admin.roles.created',
+        })
+    }
+
+    async function update(id: number, payload: Partial<RoleWrite>): Promise<Role> {
+        return api.patch<Role>(`/roles/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'admin.roles.updated',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/roles/${id}`, {}, {
+            toastSuccessKey: 'admin.roles.deleted',
+        })
+    }
+
+    return { list, create, update, remove }
+}
diff --git a/frontend/components/client/ClientDrawer.vue b/frontend/modules/directory/components/ClientDrawer.vue
similarity index 73%
rename from frontend/components/client/ClientDrawer.vue
rename to frontend/modules/directory/components/ClientDrawer.vue
index 918b188..8534d6c 100644
--- a/frontend/components/client/ClientDrawer.vue
+++ b/frontend/modules/directory/components/ClientDrawer.vue
@@ -21,21 +21,6 @@
                 label="Téléphone"
                 input-class="w-full"
             />
-            <MalioInputText
-                v-model="form.street"
-                label="Rue"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.city"
-                label="Ville"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.postalCode"
-                label="Code Postal"
-                input-class="w-full"
-            />
 
             <div class="mt-6 flex justify-end">
                 <MalioButton
@@ -50,8 +35,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Client, ClientWrite } from '~/services/dto/client'
-import { useClientService } from '~/services/clients'
+import type { Client, ClientWrite } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
 
 const props = defineProps<{
     modelValue: boolean
@@ -75,9 +60,6 @@ const form = reactive({
     name: '',
     email: '',
     phone: '',
-    street: '',
-    city: '',
-    postalCode: '',
 })
 
 const touched = reactive({
@@ -91,16 +73,10 @@ watch(() => props.modelValue, (open) => {
             form.name = props.client.name ?? ''
             form.email = props.client.email ?? ''
             form.phone = props.client.phone ?? ''
-            form.street = props.client.street ?? ''
-            form.city = props.client.city ?? ''
-            form.postalCode = props.client.postalCode ?? ''
         } else {
             form.name = ''
             form.email = ''
             form.phone = ''
-            form.street = ''
-            form.city = ''
-            form.postalCode = ''
         }
         touched.name = false
         touched.email = false
@@ -119,9 +95,6 @@ async function handleSubmit() {
             name: form.name.trim(),
             email: form.email.trim() || null,
             phone: form.phone.trim() || null,
-            street: form.street.trim() || null,
-            city: form.city.trim() || null,
-            postalCode: form.postalCode.trim() || null,
         }
 
         if (isEditing.value && props.client) {
diff --git a/frontend/modules/directory/components/CommercialReportTab.vue b/frontend/modules/directory/components/CommercialReportTab.vue
new file mode 100644
index 0000000..e29c78c
--- /dev/null
+++ b/frontend/modules/directory/components/CommercialReportTab.vue
@@ -0,0 +1,160 @@
+<template>
+    <div class="flex flex-col gap-6 pt-6">
+        <!-- Formulaire d'ajout / édition -->
+        <div v-if="isAdmin" class="grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+            <MalioInputText
+                class="col-span-2"
+                :label="$t('directory.reports.fields.subject')"
+                v-model="draft.subject"
+            />
+            <MalioSelect
+                :label="$t('directory.reports.fields.type')"
+                v-model="draft.type"
+                :options="typeOptions"
+                group-class="w-full"
+            />
+            <MalioDate
+                :label="$t('directory.reports.fields.occurredAt')"
+                v-model="draft.occurredAt"
+            />
+            <MalioInputTextArea
+                class="col-span-2"
+                :label="$t('directory.reports.fields.body')"
+                v-model="draft.body"
+            />
+            <div class="col-span-2 flex justify-end gap-3">
+                <MalioButton
+                    v-if="editingId"
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('common.cancel')"
+                    @click="resetDraft"
+                />
+                <MalioButton
+                    button-class="w-auto px-4"
+                    :label="editingId ? $t('common.save') : $t('directory.reports.add')"
+                    :disabled="!draft.subject"
+                    @click="save"
+                />
+            </div>
+        </div>
+
+        <!-- Liste des comptes-rendus -->
+        <div v-for="report in reports" :key="report.id" class="rounded border border-neutral-200 p-4">
+            <div class="flex items-start justify-between">
+                <div>
+                    <p class="font-semibold text-neutral-800">{{ report.subject }}</p>
+                    <p class="text-xs text-neutral-500">
+                        {{ formatDate(report.occurredAt) }} · {{ $t(`directory.reports.types.${report.type}`) }}
+                        <span v-if="report.author"> · {{ report.author.username }}</span>
+                    </p>
+                </div>
+                <div v-if="isAdmin" class="flex gap-2">
+                    <MalioButtonIcon icon="mdi:pencil-outline" :aria-label="$t('common.edit')" @click="edit(report)" />
+                    <MalioButtonIcon icon="mdi:trash-can-outline" button-class="!text-red-600" :aria-label="$t('common.delete')" @click="remove(report.id)" />
+                </div>
+            </div>
+            <p v-if="report.body" class="mt-2 whitespace-pre-wrap text-sm text-neutral-700">{{ report.body }}</p>
+
+            <div class="mt-3 flex flex-col gap-2">
+                <ReportDocumentList
+                    :documents="report.documents ?? []"
+                    :is-admin="isAdmin"
+                    @delete="(id) => removeDocument(report, id)"
+                />
+                <ReportDocumentUpload
+                    v-if="isAdmin"
+                    :report-id="report.id"
+                    @uploaded="reload"
+                />
+            </div>
+        </div>
+
+        <p v-if="!reports.length" class="text-sm text-neutral-400">
+            {{ $t('directory.reports.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { CommercialReport, CommercialReportWrite, ReportType } from '~/modules/directory/services/dto/commercial-report'
+import { useCommercialReportService } from '~/modules/directory/services/commercial-reports'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{
+    owner: { client?: string, prospect?: string }
+    isAdmin: boolean
+}>()
+
+const { t } = useI18n()
+const reportService = useCommercialReportService()
+const documentService = useReportDocumentService()
+
+const reports = ref<CommercialReport[]>([])
+const editingId = ref<number | null>(null)
+
+function emptyDraft(): CommercialReportWrite {
+    return {
+        subject: '',
+        body: null,
+        occurredAt: new Date().toISOString().slice(0, 10),
+        type: 'note',
+        ...props.owner,
+    }
+}
+const draft = ref<CommercialReportWrite>(emptyDraft())
+
+const typeOptions: { label: string, value: ReportType }[] = [
+    { label: t('directory.reports.types.call'), value: 'call' },
+    { label: t('directory.reports.types.meeting'), value: 'meeting' },
+    { label: t('directory.reports.types.email'), value: 'email' },
+    { label: t('directory.reports.types.note'), value: 'note' },
+]
+
+function formatDate(iso: string): string {
+    return new Date(iso).toLocaleDateString('fr-FR')
+}
+
+async function reload(): Promise<void> {
+    reports.value = await reportService.getByOwner(props.owner)
+}
+
+function resetDraft(): void {
+    editingId.value = null
+    draft.value = emptyDraft()
+}
+
+function edit(report: CommercialReport): void {
+    editingId.value = report.id
+    draft.value = {
+        subject: report.subject,
+        body: report.body,
+        occurredAt: report.occurredAt.slice(0, 10),
+        type: report.type,
+        ...props.owner,
+    }
+}
+
+async function save(): Promise<void> {
+    if (editingId.value) {
+        await reportService.update(editingId.value, draft.value)
+    } else {
+        await reportService.create(draft.value)
+    }
+    resetDraft()
+    await reload()
+}
+
+async function remove(id: number): Promise<void> {
+    await reportService.remove(id)
+    await reload()
+}
+
+async function removeDocument(report: CommercialReport, id: number): Promise<void> {
+    await documentService.remove(id)
+    await reload()
+}
+
+onMounted(reload)
+watch(() => props.owner, reload, { deep: true })
+</script>
diff --git a/frontend/modules/directory/components/DirectoryAddressBlock.vue b/frontend/modules/directory/components/DirectoryAddressBlock.vue
new file mode 100644
index 0000000..67c1327
--- /dev/null
+++ b/frontend/modules/directory/components/DirectoryAddressBlock.vue
@@ -0,0 +1,69 @@
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.label')"
+            :model-value="modelValue.label ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('label', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.street')"
+            :model-value="modelValue.street ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('street', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.streetComplement')"
+            :model-value="modelValue.streetComplement ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('streetComplement', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.postalCode')"
+            :model-value="modelValue.postalCode ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('postalCode', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.city')"
+            :model-value="modelValue.city ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('city', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Address } from '~/modules/directory/services/dto/address'
+
+const props = defineProps<{
+    modelValue: Address
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Address]
+    'remove': []
+}>()
+
+function update(field: keyof Address, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
diff --git a/frontend/modules/directory/components/DirectoryContactBlock.vue b/frontend/modules/directory/components/DirectoryContactBlock.vue
new file mode 100644
index 0000000..57a5ca6
--- /dev/null
+++ b/frontend/modules/directory/components/DirectoryContactBlock.vue
@@ -0,0 +1,73 @@
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            :label="$t('directory.contacts.fields.lastName')"
+            :model-value="modelValue.lastName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('lastName', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.firstName')"
+            :model-value="modelValue.firstName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('firstName', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.contacts.fields.jobTitle')"
+            :model-value="modelValue.jobTitle ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('jobTitle', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.email')"
+            :model-value="modelValue.email ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('email', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phonePrimary')"
+            :model-value="modelValue.phonePrimary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phonePrimary', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phoneSecondary')"
+            :model-value="modelValue.phoneSecondary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phoneSecondary', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Contact } from '~/modules/directory/services/dto/contact'
+
+const props = defineProps<{
+    modelValue: Contact
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Contact]
+    'remove': []
+}>()
+
+function update(field: keyof Contact, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
diff --git a/frontend/modules/directory/components/ProspectDrawer.vue b/frontend/modules/directory/components/ProspectDrawer.vue
new file mode 100644
index 0000000..350939d
--- /dev/null
+++ b/frontend/modules/directory/components/ProspectDrawer.vue
@@ -0,0 +1,191 @@
+<template>
+    <MalioDrawer v-model="isOpen">
+        <template #header>
+            <h2 class="text-xl font-bold">{{ isEditing ? $t('prospects.editProspect') : $t('prospects.addProspect') }}</h2>
+        </template>
+        <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
+            <MalioInputText
+                v-model="form.name"
+                :label="$t('prospects.fields.name')"
+                input-class="w-full"
+                :error="touched.name && !form.name.trim() ? $t('prospects.validation.nameRequired') : ''"
+                @blur="touched.name = true"
+            />
+            <MalioInputText
+                v-model="form.company"
+                :label="$t('prospects.fields.company')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.email"
+                :label="$t('prospects.fields.email')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.phone"
+                :label="$t('prospects.fields.phone')"
+                input-class="w-full"
+            />
+            <MalioSelect
+                v-model="form.status"
+                :label="$t('prospects.fields.status')"
+                :options="statusOptions"
+                group-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.source"
+                :label="$t('prospects.fields.source')"
+                input-class="w-full"
+            />
+            <MalioInputTextArea
+                v-model="form.notes"
+                :label="$t('prospects.fields.notes')"
+            />
+
+            <div class="mt-6 flex items-center justify-between gap-2">
+                <MalioButton
+                    v-if="isEditing && !isConverted"
+                    :label="$t('prospects.convert')"
+                    variant="secondary"
+                    icon-name="mdi:account-convert"
+                    icon-position="left"
+                    button-class="w-auto px-4"
+                    :disabled="isSubmitting"
+                    @click="handleConvert"
+                />
+                <span v-else-if="isConverted" class="text-sm text-green-700">
+                    {{ $t('prospects.alreadyConverted') }}
+                </span>
+                <span v-else />
+                <MalioButton
+                    :label="$t('common.save')"
+                    button-class="w-auto px-6"
+                    :disabled="isSubmitting"
+                    @click="handleSubmit"
+                />
+            </div>
+        </form>
+    </MalioDrawer>
+</template>
+
+<script setup lang="ts">
+import type { Prospect, ProspectStatus, ProspectWrite } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+const props = defineProps<{
+    modelValue: boolean
+    prospect: Prospect | null
+}>()
+
+const emit = defineEmits<{
+    (e: 'update:modelValue', value: boolean): void
+    (e: 'saved'): void
+}>()
+
+const { t } = useI18n()
+
+const isOpen = computed({
+    get: () => props.modelValue,
+    set: (v) => emit('update:modelValue', v),
+})
+
+const isEditing = computed(() => !!props.prospect)
+const isConverted = computed(() => !!props.prospect?.convertedClient)
+const isSubmitting = ref(false)
+
+const statusOptions = [
+    { label: t('prospects.status.new'), value: 'new' },
+    { label: t('prospects.status.contacted'), value: 'contacted' },
+    { label: t('prospects.status.qualified'), value: 'qualified' },
+    { label: t('prospects.status.won'), value: 'won' },
+    { label: t('prospects.status.lost'), value: 'lost' },
+]
+
+const form = reactive<{
+    name: string
+    company: string
+    email: string
+    phone: string
+    status: ProspectStatus
+    source: string
+    notes: string
+}>({
+    name: '',
+    company: '',
+    email: '',
+    phone: '',
+    status: 'new',
+    source: '',
+    notes: '',
+})
+
+const touched = reactive({
+    name: false,
+})
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        if (props.prospect) {
+            form.name = props.prospect.name ?? ''
+            form.company = props.prospect.company ?? ''
+            form.email = props.prospect.email ?? ''
+            form.phone = props.prospect.phone ?? ''
+            form.status = props.prospect.status ?? 'new'
+            form.source = props.prospect.source ?? ''
+            form.notes = props.prospect.notes ?? ''
+        } else {
+            form.name = ''
+            form.company = ''
+            form.email = ''
+            form.phone = ''
+            form.status = 'new'
+            form.source = ''
+            form.notes = ''
+        }
+        touched.name = false
+    }
+})
+
+const { create, update, convert } = useProspectService()
+
+async function handleSubmit() {
+    touched.name = true
+    if (!form.name.trim()) return
+
+    isSubmitting.value = true
+    try {
+        const payload: ProspectWrite = {
+            name: form.name.trim(),
+            company: form.company.trim() || null,
+            email: form.email.trim() || null,
+            phone: form.phone.trim() || null,
+            status: form.status,
+            source: form.source.trim() || null,
+            notes: form.notes.trim() || null,
+        }
+
+        if (isEditing.value && props.prospect) {
+            await update(props.prospect.id, payload)
+        } else {
+            await create(payload)
+        }
+
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+
+async function handleConvert() {
+    if (!props.prospect) return
+    isSubmitting.value = true
+    try {
+        await convert(props.prospect.id)
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
diff --git a/frontend/modules/directory/components/ReportDocumentList.vue b/frontend/modules/directory/components/ReportDocumentList.vue
new file mode 100644
index 0000000..705f9dd
--- /dev/null
+++ b/frontend/modules/directory/components/ReportDocumentList.vue
@@ -0,0 +1,42 @@
+<template>
+    <ul v-if="documents.length" class="flex flex-col gap-2">
+        <li
+            v-for="doc in documents"
+            :key="doc.id"
+            class="flex items-center justify-between rounded border border-neutral-200 px-3 py-2"
+        >
+            <a
+                :href="downloadUrl(doc.id)"
+                target="_blank"
+                rel="noopener"
+                class="flex items-center gap-2 text-sm text-blue-700 hover:underline"
+            >
+                <Icon name="mdi:file-document-outline" />
+                {{ doc.originalName }}
+            </a>
+            <MalioButtonIcon
+                v-if="isAdmin"
+                icon="mdi:trash-can-outline"
+                button-class="!text-red-600"
+                :aria-label="$t('common.delete')"
+                @click="$emit('delete', doc.id)"
+            />
+        </li>
+    </ul>
+    <p v-else class="text-sm text-neutral-400">
+        {{ $t('directory.documents.empty') }}
+    </p>
+</template>
+
+<script setup lang="ts">
+import type { ReportDocument } from '~/modules/directory/services/dto/report-document'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+defineProps<{ documents: ReportDocument[], isAdmin: boolean }>()
+defineEmits<{ delete: [id: number] }>()
+
+const { getDownloadUrl } = useReportDocumentService()
+function downloadUrl(id: number): string {
+    return getDownloadUrl(id)
+}
+</script>
diff --git a/frontend/modules/directory/components/ReportDocumentUpload.vue b/frontend/modules/directory/components/ReportDocumentUpload.vue
new file mode 100644
index 0000000..14625bc
--- /dev/null
+++ b/frontend/modules/directory/components/ReportDocumentUpload.vue
@@ -0,0 +1,45 @@
+<template>
+    <div class="flex items-center gap-3">
+        <input
+            ref="fileInput"
+            type="file"
+            class="hidden"
+            @change="onFileSelected"
+        >
+        <MalioButton
+            icon-name="mdi:paperclip"
+            icon-position="left"
+            button-class="w-auto px-4"
+            :label="$t('directory.documents.add')"
+            :disabled="uploading"
+            @click="fileInput?.click()"
+        />
+        <span v-if="uploading" class="text-sm text-neutral-500">{{ $t('directory.documents.uploading') }}</span>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{ reportId: number }>()
+const emit = defineEmits<{ uploaded: [] }>()
+
+const service = useReportDocumentService()
+const fileInput = ref<HTMLInputElement | null>(null)
+const uploading = ref(false)
+
+async function onFileSelected(event: Event): Promise<void> {
+    const input = event.target as HTMLInputElement
+    const file = input.files?.[0]
+    if (!file) return
+
+    uploading.value = true
+    try {
+        await service.upload(props.reportId, file)
+        emit('uploaded')
+    } finally {
+        uploading.value = false
+        input.value = ''
+    }
+}
+</script>
diff --git a/frontend/modules/directory/composables/useDirectoryDetail.ts b/frontend/modules/directory/composables/useDirectoryDetail.ts
new file mode 100644
index 0000000..122c4cf
--- /dev/null
+++ b/frontend/modules/directory/composables/useDirectoryDetail.ts
@@ -0,0 +1,92 @@
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+type Owner = { client?: string, prospect?: string }
+
+/**
+ * Logique partagée des fiches détail Client/Prospect : gestion des blocs
+ * répétables Contact et Adresse (chargement, ajout, édition par bloc avec
+ * persistance immédiate, suppression). Paramétré par l'IRI du propriétaire
+ * (`{ client }` ou `{ prospect }`), réutilisé tel quel par les deux pages.
+ */
+export function useDirectoryDetail(owner: Owner) {
+    const contactService = useContactService()
+    const addressService = useAddressService()
+
+    const contacts = ref<Contact[]>([])
+    const addresses = ref<Address[]>([])
+
+    function emptyContact(): Contact {
+        return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, ...owner }
+    }
+    function emptyAddress(): Address {
+        return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', ...owner }
+    }
+
+    async function onContactInput(index: number, value: Contact): Promise<void> {
+        contacts.value[index] = value
+        await persistContact(index)
+    }
+    async function persistContact(index: number): Promise<void> {
+        const c = contacts.value[index]
+        if (!c) return
+        const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, ...owner }
+        if (c.id && c.id > 0) {
+            await contactService.update(c.id, payload)
+        } else if (c.lastName || c.firstName) {
+            const created = await contactService.create(payload)
+            contacts.value[index] = created
+        }
+    }
+    function addContact(): void {
+        contacts.value.push(emptyContact())
+    }
+    async function removeContact(index: number): Promise<void> {
+        const c = contacts.value[index]
+        if (c?.id && c.id > 0) await contactService.remove(c.id)
+        contacts.value.splice(index, 1)
+    }
+
+    async function onAddressInput(index: number, value: Address): Promise<void> {
+        addresses.value[index] = value
+        await persistAddress(index)
+    }
+    async function persistAddress(index: number): Promise<void> {
+        const a = addresses.value[index]
+        if (!a) return
+        const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, ...owner }
+        if (a.id && a.id > 0) {
+            await addressService.update(a.id, payload)
+        } else if (a.street || a.city || a.postalCode) {
+            const created = await addressService.create(payload)
+            addresses.value[index] = created
+        }
+    }
+    function addAddress(): void {
+        addresses.value.push(emptyAddress())
+    }
+    async function removeAddress(index: number): Promise<void> {
+        const a = addresses.value[index]
+        if (a?.id && a.id > 0) await addressService.remove(a.id)
+        addresses.value.splice(index, 1)
+    }
+
+    async function load(): Promise<void> {
+        contacts.value = await contactService.getByOwner(owner)
+        addresses.value = await addressService.getByOwner(owner)
+    }
+
+    return {
+        contacts,
+        addresses,
+        onContactInput,
+        addContact,
+        removeContact,
+        onAddressInput,
+        addAddress,
+        removeAddress,
+        load,
+    }
+}
diff --git a/frontend/modules/directory/nuxt.config.ts b/frontend/modules/directory/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/directory/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/modules/directory/pages/directory/clients/[id].vue b/frontend/modules/directory/pages/directory/clients/[id].vue
new file mode 100644
index 0000000..28c723a
--- /dev/null
+++ b/frontend/modules/directory/pages/directory/clients/[id].vue
@@ -0,0 +1,107 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ client?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="client">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/clients/${id}`
+const owner = { client: ownerIri }
+
+const clientService = useClientService()
+const {
+    contacts,
+    addresses,
+    onContactInput,
+    addContact,
+    removeContact,
+    onAddressInput,
+    addAddress,
+    removeAddress,
+    load,
+} = useDirectoryDetail(owner)
+
+const client = ref<Client | null>(null)
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    client.value = await clientService.getById(id)
+    await load()
+    loading.value = false
+})
+</script>
diff --git a/frontend/modules/directory/pages/directory/index.vue b/frontend/modules/directory/pages/directory/index.vue
new file mode 100644
index 0000000..3803d64
--- /dev/null
+++ b/frontend/modules/directory/pages/directory/index.vue
@@ -0,0 +1,241 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <h1 class="text-2xl font-bold text-neutral-900">
+            {{ $t('directory.title') }}
+        </h1>
+
+        <MalioTabList v-model="activeTab" :tabs="tabs">
+            <!-- Clients -->
+            <template #clients>
+                <div class="flex min-h-[30rem] flex-col gap-4 pt-10">
+                    <div class="flex items-center justify-end">
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.clients.add')"
+                            @click="openCreateClient"
+                        />
+                    </div>
+
+                    <MalioDataTable
+                        :columns="clientColumns"
+                        :items="clients"
+                        :total-items="clients.length"
+                        :empty-message="$t('directory.clients.empty')"
+                        @row-click="openEditClient"
+                    >
+                        <template #cell-email="{ item }">
+                            {{ (item as Client).email ?? '—' }}
+                        </template>
+                        <template #cell-phone="{ item }">
+                            {{ (item as Client).phone ?? '—' }}
+                        </template>
+                    </MalioDataTable>
+                </div>
+            </template>
+
+            <!-- Prospects -->
+            <template #prospects>
+                <div class="flex min-h-[30rem] flex-col gap-4 pt-10">
+                    <div class="flex flex-wrap items-end justify-between gap-3">
+                        <MalioSelect
+                            v-model="statusFilter"
+                            :label="$t('prospects.fields.status')"
+                            :options="statusOptions"
+                            :empty-option-label="$t('directory.prospects.allStatuses')"
+                            group-class="w-48"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.prospects.add')"
+                            @click="openCreateProspect"
+                        />
+                    </div>
+
+                    <MalioDataTable
+                        :columns="prospectColumns"
+                        :items="prospectRows"
+                        :total-items="prospectRows.length"
+                        :empty-message="$t('directory.prospects.empty')"
+                        @row-click="openEditProspect"
+                    >
+                        <template #cell-status="{ item }">
+                            <StatusBadge
+                                :label="statusLabel((item as ProspectRow).status)"
+                                :variant="statusVariant((item as ProspectRow).status)"
+                            />
+                        </template>
+                        <template #cell-email="{ item }">
+                            {{ (item as ProspectRow).email ?? '—' }}
+                        </template>
+                        <template #cell-phone="{ item }">
+                            {{ (item as ProspectRow).phone ?? '—' }}
+                        </template>
+                        <template #cell-actions="{ item }">
+                            <div
+                                v-if="!(item as ProspectRow).convertedClient"
+                                class="flex justify-end"
+                                @click.stop
+                            >
+                                <MalioButtonIcon
+                                    icon="mdi:account-convert"
+                                    :aria-label="$t('prospects.convert')"
+                                    button-class="!bg-green-100 !text-green-700"
+                                    :icon-size="18"
+                                    @click="convertProspect(item as ProspectRow)"
+                                />
+                            </div>
+                            <span v-else class="text-neutral-300">—</span>
+                        </template>
+                    </MalioDataTable>
+                </div>
+            </template>
+        </MalioTabList>
+
+        <ClientDrawer
+            v-model="clientDrawerOpen"
+            :client="selectedClient"
+            @saved="loadClients"
+        />
+        <ProspectDrawer
+            v-model="prospectDrawerOpen"
+            :prospect="selectedProspect"
+            @saved="onProspectSaved"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
+import type { Prospect, ProspectStatus } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+definePageMeta({ middleware: ['admin'] })
+
+type ProspectRow = Prospect
+
+const { t } = useI18n()
+useHead({ title: t('directory.title') })
+
+const clientService = useClientService()
+const prospectService = useProspectService()
+
+const activeTab = ref('clients')
+const tabs = [
+    { key: 'clients', label: t('directory.tabs.clients'), icon: 'mdi:account-tie-outline' },
+    { key: 'prospects', label: t('directory.tabs.prospects'), icon: 'mdi:account-search-outline' },
+]
+
+// --- Clients ---
+const clients = ref<Client[]>([])
+const clientDrawerOpen = ref(false)
+const selectedClient = ref<Client | null>(null)
+
+const clientColumns = [
+    { key: 'name', label: t('prospects.fields.name') },
+    { key: 'email', label: t('prospects.fields.email') },
+    { key: 'phone', label: t('prospects.fields.phone') },
+]
+
+async function loadClients() {
+    clients.value = await clientService.getAll()
+}
+
+function openCreateClient() {
+    selectedClient.value = null
+    clientDrawerOpen.value = true
+}
+
+function openEditClient(item: Record<string, unknown>) {
+    navigateTo(`/directory/clients/${(item as Client).id}`)
+}
+
+// --- Prospects ---
+const prospects = ref<Prospect[]>([])
+const prospectDrawerOpen = ref(false)
+const selectedProspect = ref<Prospect | null>(null)
+const statusFilter = ref<ProspectStatus | null>(null)
+
+const statusOptions = [
+    { label: t('prospects.status.new'), value: 'new' },
+    { label: t('prospects.status.contacted'), value: 'contacted' },
+    { label: t('prospects.status.qualified'), value: 'qualified' },
+    { label: t('prospects.status.won'), value: 'won' },
+    { label: t('prospects.status.lost'), value: 'lost' },
+]
+
+const prospectColumns = [
+    { key: 'name', label: t('prospects.fields.name') },
+    { key: 'company', label: t('prospects.fields.company') },
+    { key: 'status', label: t('prospects.fields.status') },
+    { key: 'email', label: t('prospects.fields.email') },
+    { key: 'phone', label: t('prospects.fields.phone') },
+    { key: 'actions', label: '' },
+]
+
+const prospectRows = computed<ProspectRow[]>(() => prospects.value)
+
+function statusLabel(status: ProspectStatus): string {
+    return t(`prospects.status.${status}`)
+}
+
+function statusVariant(status: ProspectStatus): 'neutral' | 'info' | 'success' | 'warning' | 'danger' {
+    switch (status) {
+        case 'new':
+            return 'info'
+        case 'contacted':
+            return 'warning'
+        case 'qualified':
+            return 'neutral'
+        case 'won':
+            return 'success'
+        case 'lost':
+            return 'danger'
+        default:
+            return 'neutral'
+    }
+}
+
+async function loadProspects() {
+    prospects.value = await prospectService.getAll(statusFilter.value ?? undefined)
+}
+
+function openCreateProspect() {
+    selectedProspect.value = null
+    prospectDrawerOpen.value = true
+}
+
+function openEditProspect(item: Record<string, unknown>) {
+    navigateTo(`/directory/prospects/${(item as Prospect).id}`)
+}
+
+async function convertProspect(row: ProspectRow) {
+    await prospectService.convert(row.id)
+    // La conversion crée un client et retire le prospect : rafraîchir les deux listes.
+    await Promise.all([loadProspects(), loadClients()])
+}
+
+// Le ProspectDrawer porte aussi le bouton « Convertir » : son event 'saved' peut
+// donc être une conversion → toujours rafraîchir les deux listes par sécurité.
+async function onProspectSaved() {
+    await Promise.all([loadProspects(), loadClients()])
+}
+
+watch(statusFilter, loadProspects)
+
+onMounted(async () => {
+    await Promise.all([loadClients(), loadProspects()])
+})
+</script>
+
+<style scoped>
+/* MalioTabList (lib) : aère les onglets verticalement (espace haut/bas du texte) */
+:deep([role="tab"]) {
+    padding-top: 0.9rem;
+    padding-bottom: 0.25rem;
+}
+</style>
diff --git a/frontend/modules/directory/pages/directory/prospects/[id].vue b/frontend/modules/directory/pages/directory/prospects/[id].vue
new file mode 100644
index 0000000..d621f5d
--- /dev/null
+++ b/frontend/modules/directory/pages/directory/prospects/[id].vue
@@ -0,0 +1,107 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ prospect?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="prospect">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Prospect } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/prospects/${id}`
+const owner = { prospect: ownerIri }
+
+const prospectService = useProspectService()
+const {
+    contacts,
+    addresses,
+    onContactInput,
+    addContact,
+    removeContact,
+    onAddressInput,
+    addAddress,
+    removeAddress,
+    load,
+} = useDirectoryDetail(owner)
+
+const prospect = ref<Prospect | null>(null)
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    prospect.value = await prospectService.getById(id)
+    await load()
+    loading.value = false
+})
+</script>
diff --git a/frontend/modules/directory/services/addresses.ts b/frontend/modules/directory/services/addresses.ts
new file mode 100644
index 0000000..3676e8f
--- /dev/null
+++ b/frontend/modules/directory/services/addresses.ts
@@ -0,0 +1,32 @@
+import type { Address, AddressWrite } from './dto/address'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useAddressService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Address[]> {
+        const data = await api.get<HydraCollection<Address>>('/addresses', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: AddressWrite): Promise<Address> {
+        return api.post<Address>('/addresses', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<AddressWrite>): Promise<Address> {
+        return api.patch<Address>(`/addresses/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/addresses/${id}`, {}, { toastSuccessKey: 'directory.addresses.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/services/clients.ts b/frontend/modules/directory/services/clients.ts
similarity index 85%
rename from frontend/services/clients.ts
rename to frontend/modules/directory/services/clients.ts
index 6a100be..05d73a4 100644
--- a/frontend/services/clients.ts
+++ b/frontend/modules/directory/services/clients.ts
@@ -10,6 +10,10 @@ export function useClientService() {
         return extractHydraMembers(data)
     }
 
+    async function getById(id: number): Promise<Client> {
+        return api.get<Client>(`/clients/${id}`)
+    }
+
     async function create(payload: ClientWrite): Promise<Client> {
         return api.post<Client>('/clients', payload as Record<string, unknown>, {
             toastSuccessKey: 'clients.created',
@@ -28,5 +32,5 @@ export function useClientService() {
         })
     }
 
-    return { getAll, create, update, remove }
+    return { getAll, getById, create, update, remove }
 }
diff --git a/frontend/modules/directory/services/commercial-reports.ts b/frontend/modules/directory/services/commercial-reports.ts
new file mode 100644
index 0000000..4f27deb
--- /dev/null
+++ b/frontend/modules/directory/services/commercial-reports.ts
@@ -0,0 +1,32 @@
+import type { CommercialReport, CommercialReportWrite } from './dto/commercial-report'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useCommercialReportService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<CommercialReport[]> {
+        const data = await api.get<HydraCollection<CommercialReport>>('/commercial_reports', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: CommercialReportWrite): Promise<CommercialReport> {
+        return api.post<CommercialReport>('/commercial_reports', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<CommercialReportWrite>): Promise<CommercialReport> {
+        return api.patch<CommercialReport>(`/commercial_reports/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/commercial_reports/${id}`, {}, { toastSuccessKey: 'directory.reports.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/modules/directory/services/contacts.ts b/frontend/modules/directory/services/contacts.ts
new file mode 100644
index 0000000..551b3d2
--- /dev/null
+++ b/frontend/modules/directory/services/contacts.ts
@@ -0,0 +1,32 @@
+import type { Contact, ContactWrite } from './dto/contact'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useContactService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Contact[]> {
+        const data = await api.get<HydraCollection<Contact>>('/contacts', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: ContactWrite): Promise<Contact> {
+        return api.post<Contact>('/contacts', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ContactWrite>): Promise<Contact> {
+        return api.patch<Contact>(`/contacts/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/contacts/${id}`, {}, { toastSuccessKey: 'directory.contacts.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/modules/directory/services/dto/address.ts b/frontend/modules/directory/services/dto/address.ts
new file mode 100644
index 0000000..f66d3a9
--- /dev/null
+++ b/frontend/modules/directory/services/dto/address.ts
@@ -0,0 +1,23 @@
+export type Address = {
+    id: number
+    '@id'?: string
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+
+export type AddressWrite = {
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/services/dto/client.ts b/frontend/modules/directory/services/dto/client.ts
similarity index 58%
rename from frontend/services/dto/client.ts
rename to frontend/modules/directory/services/dto/client.ts
index 191931a..cb65b73 100644
--- a/frontend/services/dto/client.ts
+++ b/frontend/modules/directory/services/dto/client.ts
@@ -4,16 +4,10 @@ export type Client = {
     name: string
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
 }
 
 export type ClientWrite = {
     name: string
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
 }
diff --git a/frontend/modules/directory/services/dto/commercial-report.ts b/frontend/modules/directory/services/dto/commercial-report.ts
new file mode 100644
index 0000000..bdfaccc
--- /dev/null
+++ b/frontend/modules/directory/services/dto/commercial-report.ts
@@ -0,0 +1,27 @@
+import type { ReportDocument } from './report-document'
+
+export type ReportType = 'call' | 'meeting' | 'email' | 'note'
+
+export type CommercialReport = {
+    id: number
+    '@id'?: string
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    author?: { id: number, username: string } | null
+    client?: string | null
+    prospect?: string | null
+    documents?: ReportDocument[]
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type CommercialReportWrite = {
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/modules/directory/services/dto/contact.ts b/frontend/modules/directory/services/dto/contact.ts
new file mode 100644
index 0000000..eead371
--- /dev/null
+++ b/frontend/modules/directory/services/dto/contact.ts
@@ -0,0 +1,23 @@
+export type Contact = {
+    id: number
+    '@id'?: string
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+
+export type ContactWrite = {
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/modules/directory/services/dto/prospect.ts b/frontend/modules/directory/services/dto/prospect.ts
new file mode 100644
index 0000000..6d16590
--- /dev/null
+++ b/frontend/modules/directory/services/dto/prospect.ts
@@ -0,0 +1,28 @@
+import type { Client } from './client'
+
+export type ProspectStatus = 'new' | 'contacted' | 'qualified' | 'won' | 'lost'
+
+export type Prospect = {
+    id: number
+    '@id'?: string
+    name: string
+    company: string | null
+    email: string | null
+    phone: string | null
+    status: ProspectStatus
+    source: string | null
+    notes: string | null
+    convertedClient: Client | string | null
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type ProspectWrite = {
+    name: string
+    company: string | null
+    email: string | null
+    phone: string | null
+    status: ProspectStatus
+    source: string | null
+    notes: string | null
+}
diff --git a/frontend/modules/directory/services/dto/report-document.ts b/frontend/modules/directory/services/dto/report-document.ts
new file mode 100644
index 0000000..c97100c
--- /dev/null
+++ b/frontend/modules/directory/services/dto/report-document.ts
@@ -0,0 +1,13 @@
+import type { UserData } from '~/services/dto/user-data'
+
+export type ReportDocument = {
+    '@id'?: string
+    id: number
+    commercialReport: string
+    originalName: string
+    fileName?: string | null
+    mimeType: string
+    size: number
+    createdAt: string
+    uploadedBy?: UserData | null
+}
diff --git a/frontend/modules/directory/services/prospects.ts b/frontend/modules/directory/services/prospects.ts
new file mode 100644
index 0000000..a07e9b0
--- /dev/null
+++ b/frontend/modules/directory/services/prospects.ts
@@ -0,0 +1,44 @@
+import type { Prospect, ProspectStatus, ProspectWrite } from './dto/prospect'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export function useProspectService() {
+    const api = useApi()
+
+    async function getAll(status?: ProspectStatus): Promise<Prospect[]> {
+        const query: Record<string, unknown> = {}
+        if (status) query.status = status
+        const data = await api.get<HydraCollection<Prospect>>('/prospects', query)
+        return extractHydraMembers(data)
+    }
+
+    async function getById(id: number): Promise<Prospect> {
+        return api.get<Prospect>(`/prospects/${id}`)
+    }
+
+    async function create(payload: ProspectWrite): Promise<Prospect> {
+        return api.post<Prospect>('/prospects', payload as Record<string, unknown>, {
+            toastSuccessKey: 'prospects.created',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ProspectWrite>): Promise<Prospect> {
+        return api.patch<Prospect>(`/prospects/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'prospects.updated',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/prospects/${id}`, {}, {
+            toastSuccessKey: 'prospects.deleted',
+        })
+    }
+
+    async function convert(id: number): Promise<Prospect> {
+        return api.post<Prospect>(`/prospects/${id}/convert`, {}, {
+            toastSuccessKey: 'prospects.converted',
+        })
+    }
+
+    return { getAll, getById, create, update, remove, convert }
+}
diff --git a/frontend/modules/directory/services/report-documents.ts b/frontend/modules/directory/services/report-documents.ts
new file mode 100644
index 0000000..3306496
--- /dev/null
+++ b/frontend/modules/directory/services/report-documents.ts
@@ -0,0 +1,39 @@
+import type { ReportDocument } from './dto/report-document'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+import { $fetch } from 'ofetch'
+
+export function useReportDocumentService() {
+    const api = useApi()
+    const config = useRuntimeConfig()
+    const baseURL = config.public.apiBase || '/api'
+
+    async function getByReport(reportId: number): Promise<ReportDocument[]> {
+        const data = await api.get<HydraCollection<ReportDocument>>('/report_documents', {
+            commercialReport: `/api/commercial_reports/${reportId}`,
+        })
+        return extractHydraMembers(data)
+    }
+
+    async function upload(reportId: number, file: File): Promise<ReportDocument> {
+        const formData = new FormData()
+        formData.append('file', file)
+        formData.append('commercialReport', `/api/commercial_reports/${reportId}`)
+
+        return $fetch<ReportDocument>(`${baseURL}/report_documents`, {
+            method: 'POST',
+            body: formData,
+            credentials: 'include',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/report_documents/${id}`, {}, { toastSuccessKey: 'directory.documents.deleted' })
+    }
+
+    function getDownloadUrl(id: number): string {
+        return `${baseURL}/report_documents/${id}/download`
+    }
+
+    return { getByReport, upload, remove, getDownloadUrl }
+}
diff --git a/frontend/composables/useShareStatus.ts b/frontend/modules/integration/composables/useShareStatus.ts
similarity index 88%
rename from frontend/composables/useShareStatus.ts
rename to frontend/modules/integration/composables/useShareStatus.ts
index 92c734a..92bdc5d 100644
--- a/frontend/composables/useShareStatus.ts
+++ b/frontend/modules/integration/composables/useShareStatus.ts
@@ -1,4 +1,4 @@
-import { useShareService } from '~/services/share'
+import { useShareService } from '~/modules/integration/services/share'
 
 export function useShareStatus() {
     const enabled = useState<boolean | null>('share-enabled', () => null)
diff --git a/frontend/modules/integration/nuxt.config.ts b/frontend/modules/integration/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/integration/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/services/bookstack.ts b/frontend/modules/integration/services/bookstack.ts
similarity index 100%
rename from frontend/services/bookstack.ts
rename to frontend/modules/integration/services/bookstack.ts
diff --git a/frontend/services/dto/bookstack.ts b/frontend/modules/integration/services/dto/bookstack.ts
similarity index 100%
rename from frontend/services/dto/bookstack.ts
rename to frontend/modules/integration/services/dto/bookstack.ts
diff --git a/frontend/services/dto/gitea.ts b/frontend/modules/integration/services/dto/gitea.ts
similarity index 100%
rename from frontend/services/dto/gitea.ts
rename to frontend/modules/integration/services/dto/gitea.ts
diff --git a/frontend/services/dto/share.ts b/frontend/modules/integration/services/dto/share.ts
similarity index 100%
rename from frontend/services/dto/share.ts
rename to frontend/modules/integration/services/dto/share.ts
diff --git a/frontend/services/dto/zimbra.ts b/frontend/modules/integration/services/dto/zimbra.ts
similarity index 100%
rename from frontend/services/dto/zimbra.ts
rename to frontend/modules/integration/services/dto/zimbra.ts
diff --git a/frontend/services/gitea.ts b/frontend/modules/integration/services/gitea.ts
similarity index 100%
rename from frontend/services/gitea.ts
rename to frontend/modules/integration/services/gitea.ts
diff --git a/frontend/services/share-settings.ts b/frontend/modules/integration/services/share-settings.ts
similarity index 100%
rename from frontend/services/share-settings.ts
rename to frontend/modules/integration/services/share-settings.ts
diff --git a/frontend/services/share.ts b/frontend/modules/integration/services/share.ts
similarity index 100%
rename from frontend/services/share.ts
rename to frontend/modules/integration/services/share.ts
diff --git a/frontend/services/zimbra.ts b/frontend/modules/integration/services/zimbra.ts
similarity index 100%
rename from frontend/services/zimbra.ts
rename to frontend/modules/integration/services/zimbra.ts
diff --git a/frontend/components/mail/MailAttachmentPreview.vue b/frontend/modules/mail/components/MailAttachmentPreview.vue
similarity index 100%
rename from frontend/components/mail/MailAttachmentPreview.vue
rename to frontend/modules/mail/components/MailAttachmentPreview.vue
diff --git a/frontend/components/mail/MailCreateTaskModal.vue b/frontend/modules/mail/components/MailCreateTaskModal.vue
similarity index 89%
rename from frontend/components/mail/MailCreateTaskModal.vue
rename to frontend/modules/mail/components/MailCreateTaskModal.vue
index 64e3fa4..ad839f8 100644
--- a/frontend/components/mail/MailCreateTaskModal.vue
+++ b/frontend/modules/mail/components/MailCreateTaskModal.vue
@@ -1,14 +1,14 @@
 <script setup lang="ts">
-import type { MailMessageDetailDto } from '~/services/dto/mail'
-import type { Task } from '~/services/dto/task'
-import type { Project } from '~/services/dto/project'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { MailMessageDetailDto } from '~/modules/mail/services/dto/mail'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useMailService } from '~/services/mail'
-import { useProjectService } from '~/services/projects'
-import { useTaskGroupService } from '~/services/task-groups'
+import { useMailService } from '~/modules/mail/services/mail'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
-import { useAuthStore } from '~/stores/auth'
+import { useAuthStore } from '~/shared/stores/auth'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/mail/MailFolderTree.vue b/frontend/modules/mail/components/MailFolderTree.vue
similarity index 98%
rename from frontend/components/mail/MailFolderTree.vue
rename to frontend/modules/mail/components/MailFolderTree.vue
index 604aaba..ac267ff 100644
--- a/frontend/components/mail/MailFolderTree.vue
+++ b/frontend/modules/mail/components/MailFolderTree.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { MailFolderDto } from '~/services/dto/mail'
+import type { MailFolderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     /** Arbre de dossiers (getter folderTree du store) */
diff --git a/frontend/components/mail/MailLinkTaskModal.vue b/frontend/modules/mail/components/MailLinkTaskModal.vue
similarity index 96%
rename from frontend/components/mail/MailLinkTaskModal.vue
rename to frontend/modules/mail/components/MailLinkTaskModal.vue
index 9749099..2cbbfca 100644
--- a/frontend/components/mail/MailLinkTaskModal.vue
+++ b/frontend/modules/mail/components/MailLinkTaskModal.vue
@@ -1,9 +1,9 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { Project } from '~/services/dto/project'
-import { useMailService } from '~/services/mail'
-import { useTaskService } from '~/services/tasks'
-import { useProjectService } from '~/services/projects'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import { useMailService } from '~/modules/mail/services/mail'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/mail/MailMessageList.vue b/frontend/modules/mail/components/MailMessageList.vue
similarity index 98%
rename from frontend/components/mail/MailMessageList.vue
rename to frontend/modules/mail/components/MailMessageList.vue
index 1367ff1..f4099d2 100644
--- a/frontend/components/mail/MailMessageList.vue
+++ b/frontend/modules/mail/components/MailMessageList.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { MailMessageHeaderDto } from '~/services/dto/mail'
+import type { MailMessageHeaderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     messages: readonly MailMessageHeaderDto[]
diff --git a/frontend/components/mail/MailMessageViewer.vue b/frontend/modules/mail/components/MailMessageViewer.vue
similarity index 98%
rename from frontend/components/mail/MailMessageViewer.vue
rename to frontend/modules/mail/components/MailMessageViewer.vue
index 34467e1..51e0ef3 100644
--- a/frontend/components/mail/MailMessageViewer.vue
+++ b/frontend/modules/mail/components/MailMessageViewer.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
-import type { MailMessageDetailDto, MailAddressDto, MailAttachmentDto } from '~/services/dto/mail'
+import type { MailMessageDetailDto, MailAddressDto, MailAttachmentDto } from '~/modules/mail/services/dto/mail'
 import { sanitizeMailHtml } from '~/utils/sanitizeMailHtml'
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const props = defineProps<{
     /** Détail complet du message. null = aucun message sélectionné. */
diff --git a/frontend/components/mail/MailRefreshButton.vue b/frontend/modules/mail/components/MailRefreshButton.vue
similarity index 89%
rename from frontend/components/mail/MailRefreshButton.vue
rename to frontend/modules/mail/components/MailRefreshButton.vue
index 2d29e26..c3aaf01 100644
--- a/frontend/components/mail/MailRefreshButton.vue
+++ b/frontend/modules/mail/components/MailRefreshButton.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { useMailStore } from '~/stores/mail'
+import { useMailStore } from '~/modules/mail/stores/mail'
 
 const store = useMailStore()
 const { syncing } = storeToRefs(store)
diff --git a/frontend/modules/mail/nuxt.config.ts b/frontend/modules/mail/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/mail/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/mail.vue b/frontend/modules/mail/pages/mail.vue
similarity index 97%
rename from frontend/pages/mail.vue
rename to frontend/modules/mail/pages/mail.vue
index 6f79de7..2690254 100644
--- a/frontend/pages/mail.vue
+++ b/frontend/modules/mail/pages/mail.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import { useMailStore } from '~/stores/mail'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useMailStore } from '~/modules/mail/stores/mail'
 
 const { t } = useI18n()
 const router = useRouter()
diff --git a/frontend/services/dto/mail.ts b/frontend/modules/mail/services/dto/mail.ts
similarity index 100%
rename from frontend/services/dto/mail.ts
rename to frontend/modules/mail/services/dto/mail.ts
diff --git a/frontend/services/mail.ts b/frontend/modules/mail/services/mail.ts
similarity index 98%
rename from frontend/services/mail.ts
rename to frontend/modules/mail/services/mail.ts
index 2f44422..944d6d9 100644
--- a/frontend/services/mail.ts
+++ b/frontend/modules/mail/services/mail.ts
@@ -11,8 +11,8 @@ import type {
     MailCreateTaskInput,
     MailLinkTaskInput,
     MailSyncResultDto,
-} from './dto/mail'
-import type { Task } from './dto/task'
+} from '~/modules/mail/services/dto/mail'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 type BackendMailMessage = {
     id: number
diff --git a/frontend/stores/mail.ts b/frontend/modules/mail/stores/mail.ts
similarity index 99%
rename from frontend/stores/mail.ts
rename to frontend/modules/mail/stores/mail.ts
index 05d89e0..c779c09 100644
--- a/frontend/stores/mail.ts
+++ b/frontend/modules/mail/stores/mail.ts
@@ -3,8 +3,8 @@ import type {
     MailFolderDto,
     MailMessageHeaderDto,
     MailMessageDetailDto,
-} from '~/services/dto/mail'
-import { useMailService } from '~/services/mail'
+} from '~/modules/mail/services/dto/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const POLL_INTERVAL_MS = 30 * 1000 // 30 secondes
 
diff --git a/frontend/components/project/ProjectDrawer.vue b/frontend/modules/project-management/components/ProjectDrawer.vue
similarity index 94%
rename from frontend/components/project/ProjectDrawer.vue
rename to frontend/modules/project-management/components/ProjectDrawer.vue
index 27d639b..eff00db 100644
--- a/frontend/components/project/ProjectDrawer.vue
+++ b/frontend/modules/project-management/components/ProjectDrawer.vue
@@ -123,13 +123,13 @@
 </template>
 
 <script setup lang="ts">
-import type { Project, ProjectWrite } from '~/services/dto/project'
-import type { Client } from '~/services/dto/client'
-import type { GiteaRepository } from '~/services/dto/gitea'
-import type { BookStackShelf } from '~/services/dto/bookstack'
-import { useProjectService } from '~/services/projects'
-import { useGiteaService } from '~/services/gitea'
-import { useBookStackService } from '~/services/bookstack'
+import type { Project, ProjectWrite } from '~/modules/project-management/services/dto/project'
+import type { Client } from '~/modules/directory/services/dto/client'
+import type { GiteaRepository } from '~/modules/integration/services/dto/gitea'
+import type { BookStackShelf } from '~/modules/integration/services/dto/bookstack'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useGiteaService } from '~/modules/integration/services/gitea'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/project/ProjectGroupTab.vue b/frontend/modules/project-management/components/ProjectGroupTab.vue
similarity index 94%
rename from frontend/components/project/ProjectGroupTab.vue
rename to frontend/modules/project-management/components/ProjectGroupTab.vue
index 45047d1..e5e8627 100644
--- a/frontend/components/project/ProjectGroupTab.vue
+++ b/frontend/modules/project-management/components/ProjectGroupTab.vue
@@ -67,10 +67,10 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskGroup } from '~/services/dto/task-group'
-import type { Task } from '~/services/dto/task'
-import { useTaskGroupService } from '~/services/task-groups'
-import { useTaskService } from '~/services/tasks'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 import { stripRichText } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/project/ProjectWorkflowSwitchModal.vue b/frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
similarity index 94%
rename from frontend/components/project/ProjectWorkflowSwitchModal.vue
rename to frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
index 3b5a3a6..c485f95 100644
--- a/frontend/components/project/ProjectWorkflowSwitchModal.vue
+++ b/frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
@@ -82,12 +82,12 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { Workflow } from '~/services/dto/workflow'
-import type { TaskStatus } from '~/services/dto/task-status'
-import { useWorkflowService } from '~/services/workflows'
-import { useTaskService } from '~/services/tasks'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Workflow } from '~/modules/project-management/services/dto/workflow'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/StatusPickerPopover.vue b/frontend/modules/project-management/components/StatusPickerPopover.vue
similarity index 91%
rename from frontend/components/task/StatusPickerPopover.vue
rename to frontend/modules/project-management/components/StatusPickerPopover.vue
index a37e074..0927082 100644
--- a/frontend/components/task/StatusPickerPopover.vue
+++ b/frontend/modules/project-management/components/StatusPickerPopover.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { TaskStatus } from '~/services/dto/task-status'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
 
 defineProps<{
     statuses: TaskStatus[]
diff --git a/frontend/components/task/TaskBookStackLinks.vue b/frontend/modules/project-management/components/TaskBookStackLinks.vue
similarity index 96%
rename from frontend/components/task/TaskBookStackLinks.vue
rename to frontend/modules/project-management/components/TaskBookStackLinks.vue
index 2986197..945a7d6 100644
--- a/frontend/components/task/TaskBookStackLinks.vue
+++ b/frontend/modules/project-management/components/TaskBookStackLinks.vue
@@ -75,8 +75,8 @@
 </template>
 
 <script setup lang="ts">
-import type { BookStackLink, BookStackSearchResult } from '~/services/dto/bookstack'
-import { useBookStackService } from '~/services/bookstack'
+import type { BookStackLink, BookStackSearchResult } from '~/modules/integration/services/dto/bookstack'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const props = defineProps<{
     taskId: number
diff --git a/frontend/components/task/TaskBulkActions.vue b/frontend/modules/project-management/components/TaskBulkActions.vue
similarity index 92%
rename from frontend/components/task/TaskBulkActions.vue
rename to frontend/modules/project-management/components/TaskBulkActions.vue
index 77cecd4..0d16060 100644
--- a/frontend/components/task/TaskBulkActions.vue
+++ b/frontend/modules/project-management/components/TaskBulkActions.vue
@@ -104,13 +104,13 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
+import type { Project } from '~/modules/project-management/services/dto/project'
 
 const props = withDefaults(defineProps<{
     selectedCount: number
diff --git a/frontend/components/task/TaskCard.vue b/frontend/modules/project-management/components/TaskCard.vue
similarity index 98%
rename from frontend/components/task/TaskCard.vue
rename to frontend/modules/project-management/components/TaskCard.vue
index 595b319..777087c 100644
--- a/frontend/components/task/TaskCard.vue
+++ b/frontend/modules/project-management/components/TaskCard.vue
@@ -102,7 +102,7 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/components/task/TaskDocumentList.vue b/frontend/modules/project-management/components/TaskDocumentList.vue
similarity index 95%
rename from frontend/components/task/TaskDocumentList.vue
rename to frontend/modules/project-management/components/TaskDocumentList.vue
index b4aed6b..acb94ab 100644
--- a/frontend/components/task/TaskDocumentList.vue
+++ b/frontend/modules/project-management/components/TaskDocumentList.vue
@@ -60,8 +60,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskDocument } from '~/services/dto/task-document'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 
 defineProps<{
diff --git a/frontend/components/task/TaskDocumentPreview.vue b/frontend/modules/project-management/components/TaskDocumentPreview.vue
similarity index 97%
rename from frontend/components/task/TaskDocumentPreview.vue
rename to frontend/modules/project-management/components/TaskDocumentPreview.vue
index e6e4327..d40ed8b 100644
--- a/frontend/components/task/TaskDocumentPreview.vue
+++ b/frontend/modules/project-management/components/TaskDocumentPreview.vue
@@ -121,8 +121,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskDocument } from '~/services/dto/task-document'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 import { copyToClipboard } from '~/utils/clipboard'
 
diff --git a/frontend/components/task/TaskDocumentShareLinker.vue b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
similarity index 95%
rename from frontend/components/task/TaskDocumentShareLinker.vue
rename to frontend/modules/project-management/components/TaskDocumentShareLinker.vue
index 695db5c..11c2a9f 100644
--- a/frontend/components/task/TaskDocumentShareLinker.vue
+++ b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
@@ -56,9 +56,9 @@
 </template>
 
 <script setup lang="ts">
-import type { Breadcrumb, FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { Breadcrumb, FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/task/TaskDocumentUpload.vue b/frontend/modules/project-management/components/TaskDocumentUpload.vue
similarity index 97%
rename from frontend/components/task/TaskDocumentUpload.vue
rename to frontend/modules/project-management/components/TaskDocumentUpload.vue
index 853850a..d818665 100644
--- a/frontend/components/task/TaskDocumentUpload.vue
+++ b/frontend/modules/project-management/components/TaskDocumentUpload.vue
@@ -46,7 +46,7 @@
 </template>
 
 <script setup lang="ts">
-import { useTaskDocumentService } from '~/services/task-documents'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 
 const props = defineProps<{
     taskId?: number
diff --git a/frontend/components/task/TaskEffortDrawer.vue b/frontend/modules/project-management/components/TaskEffortDrawer.vue
similarity index 91%
rename from frontend/components/task/TaskEffortDrawer.vue
rename to frontend/modules/project-management/components/TaskEffortDrawer.vue
index ac186be..a0794cd 100644
--- a/frontend/components/task/TaskEffortDrawer.vue
+++ b/frontend/modules/project-management/components/TaskEffortDrawer.vue
@@ -25,8 +25,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskEffort, TaskEffortWrite } from '~/services/dto/task-effort'
-import { useTaskEffortService } from '~/services/task-efforts'
+import type { TaskEffort, TaskEffortWrite } from '~/modules/project-management/services/dto/task-effort'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskGitSection.vue b/frontend/modules/project-management/components/TaskGitSection.vue
similarity index 98%
rename from frontend/components/task/TaskGitSection.vue
rename to frontend/modules/project-management/components/TaskGitSection.vue
index 0e6dffc..1b67859 100644
--- a/frontend/components/task/TaskGitSection.vue
+++ b/frontend/modules/project-management/components/TaskGitSection.vue
@@ -226,9 +226,9 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { GiteaBranch, GiteaPullRequest } from '~/services/dto/gitea'
-import { useGiteaService } from '~/services/gitea'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { GiteaBranch, GiteaPullRequest } from '~/modules/integration/services/dto/gitea'
+import { useGiteaService } from '~/modules/integration/services/gitea'
 import { copyToClipboard } from '~/utils/clipboard'
 
 const { t } = useI18n()
diff --git a/frontend/components/task/TaskGroupDrawer.vue b/frontend/modules/project-management/components/TaskGroupDrawer.vue
similarity index 93%
rename from frontend/components/task/TaskGroupDrawer.vue
rename to frontend/modules/project-management/components/TaskGroupDrawer.vue
index 2d64266..4f52523 100644
--- a/frontend/components/task/TaskGroupDrawer.vue
+++ b/frontend/modules/project-management/components/TaskGroupDrawer.vue
@@ -56,10 +56,10 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskGroup, TaskGroupWrite } from '~/services/dto/task-group'
-import type { Task } from '~/services/dto/task'
-import { useTaskGroupService } from '~/services/task-groups'
-import { useTaskService } from '~/services/tasks'
+import type { TaskGroup, TaskGroupWrite } from '~/modules/project-management/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskListItem.vue b/frontend/modules/project-management/components/TaskListItem.vue
similarity index 98%
rename from frontend/components/task/TaskListItem.vue
rename to frontend/modules/project-management/components/TaskListItem.vue
index e2f5d5f..e978073 100644
--- a/frontend/components/task/TaskListItem.vue
+++ b/frontend/modules/project-management/components/TaskListItem.vue
@@ -110,7 +110,7 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/components/task/TaskModal.vue b/frontend/modules/project-management/components/TaskModal.vue
similarity index 97%
rename from frontend/components/task/TaskModal.vue
rename to frontend/modules/project-management/components/TaskModal.vue
index 5930be3..bb90876 100644
--- a/frontend/components/task/TaskModal.vue
+++ b/frontend/modules/project-management/components/TaskModal.vue
@@ -536,23 +536,23 @@
 </template>
 
 <script setup lang="ts">
-import type { Task, TaskWrite } from '~/services/dto/task'
-import type { TaskDocument } from '~/services/dto/task-document'
-import { useGiteaService } from '~/services/gitea'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { Task, TaskWrite } from '~/modules/project-management/services/dto/task'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useGiteaService } from '~/modules/integration/services/gitea'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import ConfirmDeleteDocumentModal from '~/components/ui/ConfirmDeleteDocumentModal.vue'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useTaskService } from '~/services/tasks'
-import { useTaskRecurrenceService } from '~/services/task-recurrences'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskRecurrenceService } from '~/modules/project-management/services/task-recurrences'
 
-import type { Project } from '~/services/dto/project'
-import { useMailService } from '~/services/mail'
-import type { MailMessageHeaderDto } from '~/services/dto/mail'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import { useMailService } from '~/modules/mail/services/mail'
+import type { MailMessageHeaderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     modelValue: boolean
@@ -569,7 +569,7 @@ const props = defineProps<{
 
 const emit = defineEmits<{
     (e: 'update:modelValue', value: boolean): void
-    (e: 'saved'): void
+    (e: 'saved', task?: Task): void
 }>()
 
 const isOpen = computed({
@@ -1042,7 +1042,7 @@ async function handleSubmit() {
             await removeRecurrence(props.task.recurrence.id)
         }
 
-        emit('saved')
+        emit('saved', savedTask)
         isOpen.value = false
     } finally {
         isSubmitting.value = false
diff --git a/frontend/components/task/TaskPriorityDrawer.vue b/frontend/modules/project-management/components/TaskPriorityDrawer.vue
similarity index 92%
rename from frontend/components/task/TaskPriorityDrawer.vue
rename to frontend/modules/project-management/components/TaskPriorityDrawer.vue
index 627abe4..dd9e9b8 100644
--- a/frontend/components/task/TaskPriorityDrawer.vue
+++ b/frontend/modules/project-management/components/TaskPriorityDrawer.vue
@@ -28,8 +28,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskPriority, TaskPriorityWrite } from '~/services/dto/task-priority'
-import { useTaskPriorityService } from '~/services/task-priorities'
+import type { TaskPriority, TaskPriorityWrite } from '~/modules/project-management/services/dto/task-priority'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskTagDrawer.vue b/frontend/modules/project-management/components/TaskTagDrawer.vue
similarity index 93%
rename from frontend/components/task/TaskTagDrawer.vue
rename to frontend/modules/project-management/components/TaskTagDrawer.vue
index 01ec2e1..16dc44e 100644
--- a/frontend/components/task/TaskTagDrawer.vue
+++ b/frontend/modules/project-management/components/TaskTagDrawer.vue
@@ -28,8 +28,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskTag, TaskTagWrite } from '~/services/dto/task-tag'
-import { useTaskTagService } from '~/services/task-tags'
+import type { TaskTag, TaskTagWrite } from '~/modules/project-management/services/dto/task-tag'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/modules/project-management/nuxt.config.ts b/frontend/modules/project-management/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/project-management/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/my-tasks.vue b/frontend/modules/project-management/pages/my-tasks.vue
similarity index 90%
rename from frontend/pages/my-tasks.vue
rename to frontend/modules/project-management/pages/my-tasks.vue
index 4172272..52e019d 100644
--- a/frontend/pages/my-tasks.vue
+++ b/frontend/modules/project-management/pages/my-tasks.vue
@@ -1,22 +1,22 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { StatusCategory } from '~/services/dto/workflow'
-import { STATUS_CATEGORY_LABEL, STATUS_CATEGORY_COLOR, contrastText } from '~/services/dto/workflow'
-import { useTaskService } from '~/services/tasks'
-import { useTaskStatusService } from '~/services/task-statuses'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { StatusCategory } from '~/modules/project-management/services/dto/workflow'
+import { STATUS_CATEGORY_LABEL, STATUS_CATEGORY_COLOR, contrastText } from '~/modules/project-management/services/dto/workflow'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const { t } = useI18n()
 const route = useRoute()
@@ -87,8 +87,16 @@ function statusesForTaskCategory(task: Task, category: StatusCategory): TaskStat
 }
 
 async function applyStatus(task: Task, status: TaskStatus): Promise<void> {
-    await taskService.update(task.id, { status: `/api/task_statuses/${status.id}` })
-    await loadTasks()
+    if (task.status?.id === status.id) return
+    // Mise à jour optimiste : re-bucket le kanban instantanément avant la réponse réseau (cf. index.vue).
+    const previousStatus = task.status
+    task.status = status
+    try {
+        await taskService.update(task.id, { status: `/api/task_statuses/${status.id}` })
+    } catch (e) {
+        task.status = previousStatus
+        throw e
+    }
 }
 
 function onDrop(category: StatusCategory, event: DragEvent): void {
@@ -269,7 +277,13 @@ watch(taskModalOpen, (open) => {
     }
 })
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste avant le re-fetch (cf. index.vue) pour éviter le snapshot stale.
+    if (savedTask) {
+        const idx = tasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) tasks.value[idx] = savedTask
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadTasks()
 }
 
diff --git a/frontend/pages/projects/[id]/archives.vue b/frontend/modules/project-management/pages/projects/[id]/archives.vue
similarity index 76%
rename from frontend/pages/projects/[id]/archives.vue
rename to frontend/modules/project-management/pages/projects/[id]/archives.vue
index f8994d6..de3ea86 100644
--- a/frontend/pages/projects/[id]/archives.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/archives.vue
@@ -72,20 +72,20 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useProjectService } from '~/services/projects'
-import { useTaskService } from '~/services/tasks'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
 
 const route = useRoute()
@@ -150,7 +150,13 @@ function openTaskEdit(task: Task) {
     taskDrawerOpen.value = true
 }
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste avant le re-fetch (cf. index.vue) pour éviter le snapshot stale.
+    if (savedTask) {
+        const idx = archivedTasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) archivedTasks.value[idx] = savedTask
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadData()
 }
 
diff --git a/frontend/pages/projects/[id]/groups.vue b/frontend/modules/project-management/pages/projects/[id]/groups.vue
similarity index 82%
rename from frontend/pages/projects/[id]/groups.vue
rename to frontend/modules/project-management/pages/projects/[id]/groups.vue
index ce87026..3a4f802 100644
--- a/frontend/pages/projects/[id]/groups.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/groups.vue
@@ -13,8 +13,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import { useProjectService } from '~/services/projects'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const route = useRoute()
 const projectId = computed(() => Number(route.params.id))
diff --git a/frontend/pages/projects/[id]/index.vue b/frontend/modules/project-management/pages/projects/[id]/index.vue
similarity index 90%
rename from frontend/pages/projects/[id]/index.vue
rename to frontend/modules/project-management/pages/projects/[id]/index.vue
index 861aee3..13bd443 100644
--- a/frontend/pages/projects/[id]/index.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/index.vue
@@ -207,22 +207,22 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Client } from '~/services/dto/client'
-import { useProjectService } from '~/services/projects'
-import { useClientService } from '~/services/clients'
-import { useTaskService } from '~/services/tasks'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useClientService } from '~/modules/directory/services/clients'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
 
 const route = useRoute()
@@ -473,7 +473,16 @@ async function onBulkDelete() {
     await loadData()
 }
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste : la modale se ferme avant la fin du re-fetch, on
+    // réinjecte immédiatement la tâche fraîche renvoyée par l'API pour éviter
+    // que la liste (et un éventuel ré-ouverture de la modale) reste sur l'ancien snapshot.
+    if (savedTask) {
+        const idx = tasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) tasks.value[idx] = savedTask
+        else tasks.value.push(savedTask)
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadData()
 }
 
diff --git a/frontend/pages/projects/index.vue b/frontend/modules/project-management/pages/projects/index.vue
similarity index 94%
rename from frontend/pages/projects/index.vue
rename to frontend/modules/project-management/pages/projects/index.vue
index 821b9aa..d4b1b99 100644
--- a/frontend/pages/projects/index.vue
+++ b/frontend/modules/project-management/pages/projects/index.vue
@@ -76,10 +76,10 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Client } from '~/services/dto/client'
-import { useProjectService } from '~/services/projects'
-import { useClientService } from '~/services/clients'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useClientService } from '~/modules/directory/services/clients'
 
 useHead({ title: 'Projets' })
 
diff --git a/frontend/services/dto/project.ts b/frontend/modules/project-management/services/dto/project.ts
similarity index 92%
rename from frontend/services/dto/project.ts
rename to frontend/modules/project-management/services/dto/project.ts
index 8e36770..5d13625 100644
--- a/frontend/services/dto/project.ts
+++ b/frontend/modules/project-management/services/dto/project.ts
@@ -1,4 +1,4 @@
-import type { Client } from './client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import type { Workflow } from './workflow'
 
 export type Project = {
diff --git a/frontend/services/dto/task-document.ts b/frontend/modules/project-management/services/dto/task-document.ts
similarity index 81%
rename from frontend/services/dto/task-document.ts
rename to frontend/modules/project-management/services/dto/task-document.ts
index e9a8886..45688a5 100644
--- a/frontend/services/dto/task-document.ts
+++ b/frontend/modules/project-management/services/dto/task-document.ts
@@ -1,4 +1,4 @@
-import type { UserData } from './user-data'
+import type { UserData } from '~/services/dto/user-data'
 
 export type TaskDocument = {
     '@id'?: string
diff --git a/frontend/services/dto/task-effort.ts b/frontend/modules/project-management/services/dto/task-effort.ts
similarity index 100%
rename from frontend/services/dto/task-effort.ts
rename to frontend/modules/project-management/services/dto/task-effort.ts
diff --git a/frontend/services/dto/task-group.ts b/frontend/modules/project-management/services/dto/task-group.ts
similarity index 100%
rename from frontend/services/dto/task-group.ts
rename to frontend/modules/project-management/services/dto/task-group.ts
diff --git a/frontend/services/dto/task-priority.ts b/frontend/modules/project-management/services/dto/task-priority.ts
similarity index 100%
rename from frontend/services/dto/task-priority.ts
rename to frontend/modules/project-management/services/dto/task-priority.ts
diff --git a/frontend/services/dto/task-recurrence.ts b/frontend/modules/project-management/services/dto/task-recurrence.ts
similarity index 100%
rename from frontend/services/dto/task-recurrence.ts
rename to frontend/modules/project-management/services/dto/task-recurrence.ts
diff --git a/frontend/services/dto/task-status.ts b/frontend/modules/project-management/services/dto/task-status.ts
similarity index 100%
rename from frontend/services/dto/task-status.ts
rename to frontend/modules/project-management/services/dto/task-status.ts
diff --git a/frontend/services/dto/task-tag.ts b/frontend/modules/project-management/services/dto/task-tag.ts
similarity index 100%
rename from frontend/services/dto/task-tag.ts
rename to frontend/modules/project-management/services/dto/task-tag.ts
diff --git a/frontend/services/dto/task.ts b/frontend/modules/project-management/services/dto/task.ts
similarity index 96%
rename from frontend/services/dto/task.ts
rename to frontend/modules/project-management/services/dto/task.ts
index d2a8114..3a20502 100644
--- a/frontend/services/dto/task.ts
+++ b/frontend/modules/project-management/services/dto/task.ts
@@ -3,7 +3,7 @@ import type { TaskEffort } from './task-effort'
 import type { TaskPriority } from './task-priority'
 import type { TaskTag } from './task-tag'
 import type { TaskGroup } from './task-group'
-import type { UserData } from './user-data'
+import type { UserData } from '~/services/dto/user-data'
 import type { Project } from './project'
 import type { TaskDocument } from './task-document'
 
diff --git a/frontend/services/dto/workflow.ts b/frontend/modules/project-management/services/dto/workflow.ts
similarity index 100%
rename from frontend/services/dto/workflow.ts
rename to frontend/modules/project-management/services/dto/workflow.ts
diff --git a/frontend/services/projects.ts b/frontend/modules/project-management/services/projects.ts
similarity index 100%
rename from frontend/services/projects.ts
rename to frontend/modules/project-management/services/projects.ts
diff --git a/frontend/services/task-documents.ts b/frontend/modules/project-management/services/task-documents.ts
similarity index 94%
rename from frontend/services/task-documents.ts
rename to frontend/modules/project-management/services/task-documents.ts
index 0daf539..285cc81 100644
--- a/frontend/services/task-documents.ts
+++ b/frontend/modules/project-management/services/task-documents.ts
@@ -51,10 +51,11 @@ export function useTaskDocumentService() {
     }
 
     async function getContent(id: number): Promise<string> {
-        return $fetch<string>(`${baseURL}/task_documents/${id}/download`, {
+        const response = await fetch(`${baseURL}/task_documents/${id}/download`, {
             credentials: 'include',
-            responseType: 'text',
         })
+
+        return response.text()
     }
 
     return { getByTask, upload, linkShare, remove, getDownloadUrl, getContent }
diff --git a/frontend/services/task-efforts.ts b/frontend/modules/project-management/services/task-efforts.ts
similarity index 100%
rename from frontend/services/task-efforts.ts
rename to frontend/modules/project-management/services/task-efforts.ts
diff --git a/frontend/services/task-groups.ts b/frontend/modules/project-management/services/task-groups.ts
similarity index 100%
rename from frontend/services/task-groups.ts
rename to frontend/modules/project-management/services/task-groups.ts
diff --git a/frontend/services/task-priorities.ts b/frontend/modules/project-management/services/task-priorities.ts
similarity index 100%
rename from frontend/services/task-priorities.ts
rename to frontend/modules/project-management/services/task-priorities.ts
diff --git a/frontend/services/task-recurrences.ts b/frontend/modules/project-management/services/task-recurrences.ts
similarity index 100%
rename from frontend/services/task-recurrences.ts
rename to frontend/modules/project-management/services/task-recurrences.ts
diff --git a/frontend/services/task-statuses.ts b/frontend/modules/project-management/services/task-statuses.ts
similarity index 100%
rename from frontend/services/task-statuses.ts
rename to frontend/modules/project-management/services/task-statuses.ts
diff --git a/frontend/services/task-tags.ts b/frontend/modules/project-management/services/task-tags.ts
similarity index 100%
rename from frontend/services/task-tags.ts
rename to frontend/modules/project-management/services/task-tags.ts
diff --git a/frontend/services/tasks.ts b/frontend/modules/project-management/services/tasks.ts
similarity index 100%
rename from frontend/services/tasks.ts
rename to frontend/modules/project-management/services/tasks.ts
diff --git a/frontend/services/workflows.ts b/frontend/modules/project-management/services/workflows.ts
similarity index 100%
rename from frontend/services/workflows.ts
rename to frontend/modules/project-management/services/workflows.ts
diff --git a/frontend/modules/reporting/components/ReportingBarChart.vue b/frontend/modules/reporting/components/ReportingBarChart.vue
new file mode 100644
index 0000000..0eb18e3
--- /dev/null
+++ b/frontend/modules/reporting/components/ReportingBarChart.vue
@@ -0,0 +1,52 @@
+<template>
+    <div class="h-64">
+        <Bar
+            v-if="hasData"
+            :data="chartData"
+            :options="options"
+        />
+        <p v-else class="flex h-full items-center justify-center text-sm text-neutral-400">
+            {{ emptyMessage ?? $t('reporting.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { Bar } from 'vue-chartjs'
+
+const props = defineProps<{
+    labels: string[]
+    values: number[]
+    color?: string
+    emptyMessage?: string
+}>()
+
+const hasData = computed(() => props.values.some(v => v > 0))
+
+const chartData = computed(() => ({
+    labels: props.labels,
+    datasets: [{
+        data: props.values,
+        backgroundColor: props.color ?? '#6366f1',
+        borderWidth: 0,
+        borderRadius: 6,
+    }],
+}))
+
+const options = {
+    responsive: true,
+    maintainAspectRatio: false,
+    plugins: {
+        legend: { display: false },
+    },
+    scales: {
+        y: {
+            beginAtZero: true,
+            grid: { color: '#f3f4f6' },
+        },
+        x: {
+            grid: { display: false },
+        },
+    },
+}
+</script>
diff --git a/frontend/modules/reporting/components/ReportingDoughnut.vue b/frontend/modules/reporting/components/ReportingDoughnut.vue
new file mode 100644
index 0000000..691faca
--- /dev/null
+++ b/frontend/modules/reporting/components/ReportingDoughnut.vue
@@ -0,0 +1,56 @@
+<template>
+    <div class="h-64">
+        <Doughnut
+            v-if="hasData"
+            :data="chartData"
+            :options="options"
+        />
+        <p v-else class="flex h-full items-center justify-center text-sm text-neutral-400">
+            {{ emptyMessage ?? $t('reporting.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { Doughnut } from 'vue-chartjs'
+
+const props = defineProps<{
+    labels: string[]
+    values: number[]
+    colors?: string[]
+    emptyMessage?: string
+}>()
+
+const palette = [
+    '#6366f1', '#10b981', '#f59e0b', '#ef4444', '#3b82f6',
+    '#8b5cf6', '#ec4899', '#14b8a6', '#f97316', '#84cc16',
+]
+
+const hasData = computed(() => props.values.some(v => v > 0))
+
+const chartData = computed(() => ({
+    labels: props.labels,
+    datasets: [{
+        data: props.values,
+        backgroundColor: props.colors ?? props.labels.map((_, i) => palette[i % palette.length]),
+        borderWidth: 0,
+    }],
+}))
+
+const options = {
+    responsive: true,
+    maintainAspectRatio: false,
+    cutout: '65%',
+    plugins: {
+        legend: {
+            position: 'bottom' as const,
+            labels: {
+                padding: 16,
+                usePointStyle: true,
+                pointStyle: 'circle',
+                font: { size: 12 },
+            },
+        },
+    },
+}
+</script>
diff --git a/frontend/modules/reporting/composables/useCsvExport.ts b/frontend/modules/reporting/composables/useCsvExport.ts
new file mode 100644
index 0000000..25c7a98
--- /dev/null
+++ b/frontend/modules/reporting/composables/useCsvExport.ts
@@ -0,0 +1,44 @@
+export type CsvColumn<T> = {
+    header: string
+    value: (row: T) => string | number
+}
+
+/** Escapes a single CSV cell (quotes wrapping + doubled inner quotes). */
+function escapeCell(value: string | number): string {
+    const str = String(value ?? '')
+    if (/[",\n;]/.test(str)) {
+        return `"${str.replace(/"/g, '""')}"`
+    }
+    return str
+}
+
+export function useCsvExport() {
+    /** Builds a CSV string from rows + column definitions (semicolon separator, FR-friendly). */
+    function toCsv<T>(rows: T[], columns: CsvColumn<T>[]): string {
+        const header = columns.map(c => escapeCell(c.header)).join(';')
+        const lines = rows.map(row =>
+            columns.map(c => escapeCell(c.value(row))).join(';'),
+        )
+        return [header, ...lines].join('\n')
+    }
+
+    /** Triggers a browser download of the given CSV content. */
+    function downloadCsv<T>(filename: string, rows: T[], columns: CsvColumn<T>[]): void {
+        if (typeof window === 'undefined') {
+            return
+        }
+        const csv = toCsv(rows, columns)
+        // Prepend BOM so Excel detects UTF-8.
+        const blob = new Blob([`${csv}`], { type: 'text/csv;charset=utf-8;' })
+        const url = URL.createObjectURL(blob)
+        const link = document.createElement('a')
+        link.href = url
+        link.download = filename.endsWith('.csv') ? filename : `${filename}.csv`
+        document.body.appendChild(link)
+        link.click()
+        document.body.removeChild(link)
+        URL.revokeObjectURL(url)
+    }
+
+    return { toCsv, downloadCsv }
+}
diff --git a/frontend/modules/reporting/composables/useReportingFilters.ts b/frontend/modules/reporting/composables/useReportingFilters.ts
new file mode 100644
index 0000000..bdc60de
--- /dev/null
+++ b/frontend/modules/reporting/composables/useReportingFilters.ts
@@ -0,0 +1,41 @@
+export type ReportPeriodKey = 'thisMonth' | 'lastMonth' | 'custom'
+
+export type ReportPeriodRange = {
+    from: string
+    to: string
+}
+
+/** Formats a Date as an ISO "YYYY-MM-DD" string (local time, no timezone shift). */
+function toIsoDate(date: Date): string {
+    const year = date.getFullYear()
+    const month = String(date.getMonth() + 1).padStart(2, '0')
+    const day = String(date.getDate()).padStart(2, '0')
+    return `${year}-${month}-${day}`
+}
+
+/** Returns the {from, to} range (inclusive) for a given month offset relative to now. */
+function getMonthRange(offset: number): ReportPeriodRange {
+    const now = new Date()
+    const start = new Date(now.getFullYear(), now.getMonth() + offset, 1)
+    const end = new Date(now.getFullYear(), now.getMonth() + offset + 1, 0)
+    return { from: toIsoDate(start), to: toIsoDate(end) }
+}
+
+export function useReportingFilters() {
+    const thisMonth = (): ReportPeriodRange => getMonthRange(0)
+    const lastMonth = (): ReportPeriodRange => getMonthRange(-1)
+
+    /** Resolves a preset key to a concrete range. `custom` keeps the provided range. */
+    function rangeForPreset(key: ReportPeriodKey, current: ReportPeriodRange): ReportPeriodRange {
+        switch (key) {
+            case 'thisMonth':
+                return thisMonth()
+            case 'lastMonth':
+                return lastMonth()
+            case 'custom':
+                return current
+        }
+    }
+
+    return { thisMonth, lastMonth, rangeForPreset, toIsoDate }
+}
diff --git a/frontend/modules/reporting/nuxt.config.ts b/frontend/modules/reporting/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/reporting/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/modules/reporting/pages/reporting.vue b/frontend/modules/reporting/pages/reporting.vue
new file mode 100644
index 0000000..8fc220b
--- /dev/null
+++ b/frontend/modules/reporting/pages/reporting.vue
@@ -0,0 +1,388 @@
+<template>
+    <div>
+        <div class="sticky top-8 z-20 bg-white pb-4 sm:top-12">
+            <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">
+                {{ $t('reporting.title') }}
+            </h1>
+
+            <!-- Filters -->
+            <div class="mt-4 flex flex-wrap items-end gap-3">
+                <MalioSelect
+                    v-model="selectedPeriod"
+                    :options="periodOptions"
+                    :label="$t('reporting.filters.period')"
+                    group-class="!w-48"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+                <div class="w-40">
+                    <label class="mb-1 block text-sm font-medium text-neutral-700">
+                        {{ $t('reporting.filters.from') }}
+                    </label>
+                    <MalioDate
+                        v-model="customFrom"
+                        :disabled="selectedPeriod !== 'custom'"
+                        group-class="w-full"
+                    />
+                </div>
+                <div class="w-40">
+                    <label class="mb-1 block text-sm font-medium text-neutral-700">
+                        {{ $t('reporting.filters.to') }}
+                    </label>
+                    <MalioDate
+                        v-model="customTo"
+                        :disabled="selectedPeriod !== 'custom'"
+                        group-class="w-full"
+                    />
+                </div>
+                <MalioSelect
+                    v-model="selectedProjectId"
+                    :options="projectOptions"
+                    :label="$t('reporting.filters.project')"
+                    :empty-option-label="$t('reporting.filters.allProjects')"
+                    group-class="!w-44"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+                <MalioSelect
+                    v-model="selectedUserId"
+                    :options="userOptions"
+                    :label="$t('reporting.filters.user')"
+                    :empty-option-label="$t('reporting.filters.allUsers')"
+                    group-class="!w-44"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+            </div>
+        </div>
+
+        <!-- Loading -->
+        <div v-if="isLoading" class="mt-12 flex items-center justify-center">
+            <p class="text-neutral-400">{{ $t('common.loading') }}</p>
+        </div>
+
+        <template v-else>
+            <!-- Section 1 : Time per project -->
+            <section class="mt-8 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.timePerProject') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="timePerProject.length === 0"
+                        @click="exportTimePerProject"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="projectColumns"
+                        :items="timePerProject"
+                        :empty-message="$t('reporting.empty')"
+                    >
+                        <template #cell-hours="{ item }">
+                            {{ formatHours((item as TimePerProject).hours) }}
+                        </template>
+                    </DataTable>
+                    <ReportingDoughnut
+                        :labels="timePerProject.map(r => r.projectName)"
+                        :values="timePerProject.map(r => round(r.hours))"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 2 : Time per user -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.timePerUser') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="timePerUser.length === 0"
+                        @click="exportTimePerUser"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="userColumns"
+                        :items="timePerUser"
+                        :empty-message="$t('reporting.empty')"
+                    >
+                        <template #cell-hours="{ item }">
+                            {{ formatHours((item as TimePerUser).hours) }}
+                        </template>
+                    </DataTable>
+                    <ReportingBarChart
+                        :labels="timePerUser.map(r => r.fullName || r.username)"
+                        :values="timePerUser.map(r => round(r.hours))"
+                        color="#10b981"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 3 : Tasks by status -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.tasksByStatus') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="tasksByStatus.length === 0"
+                        @click="exportTasksByStatus"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="statusColumns"
+                        :items="tasksByStatus"
+                        :empty-message="$t('reporting.empty')"
+                    />
+                    <ReportingDoughnut
+                        :labels="tasksByStatus.map(r => r.statusLabel)"
+                        :values="tasksByStatus.map(r => r.count)"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 4 : Absences by type -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.absencesByType') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="absencesByType.length === 0"
+                        @click="exportAbsencesByType"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="absenceColumns"
+                        :items="absenceRows"
+                        :empty-message="$t('reporting.empty')"
+                    />
+                    <ReportingBarChart
+                        :labels="absencesByType.map(r => absenceTypeLabel(r.type))"
+                        :values="absencesByType.map(r => r.totalDays)"
+                        color="#f59e0b"
+                    />
+                </div>
+            </section>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+import type {
+    AbsencesByType,
+    ReportFilters,
+    TasksByStatus,
+    TimePerProject,
+    TimePerUser,
+} from '~/modules/reporting/services/dto/reporting'
+import { useReportingService } from '~/modules/reporting/services/reporting'
+import {
+    useReportingFilters,
+    type ReportPeriodKey,
+} from '~/modules/reporting/composables/useReportingFilters'
+import { useCsvExport } from '~/modules/reporting/composables/useCsvExport'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { UserData } from '~/services/dto/user-data'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useUserService } from '~/services/users'
+
+definePageMeta({ middleware: ['admin'] })
+
+const { t } = useI18n()
+useHead({ title: t('reporting.title') })
+
+const reportingService = useReportingService()
+const projectService = useProjectService()
+const userService = useUserService()
+const { rangeForPreset, thisMonth } = useReportingFilters()
+const { downloadCsv } = useCsvExport()
+
+// --- Filters state ---
+const selectedPeriod = ref<ReportPeriodKey>('thisMonth')
+const initialRange = thisMonth()
+const customFrom = ref<string | null>(initialRange.from)
+const customTo = ref<string | null>(initialRange.to)
+const selectedProjectId = ref<number | null>(null)
+const selectedUserId = ref<number | null>(null)
+
+const periodOptions = computed(() => [
+    { label: t('reporting.periods.thisMonth'), value: 'thisMonth' },
+    { label: t('reporting.periods.lastMonth'), value: 'lastMonth' },
+    { label: t('reporting.periods.custom'), value: 'custom' },
+])
+
+const projects = ref<Project[]>([])
+const users = ref<UserData[]>([])
+
+const projectOptions = computed(() =>
+    projects.value.map(p => ({ label: p.name, value: p.id })),
+)
+const userOptions = computed(() =>
+    users.value.map(u => ({
+        label: [u.firstName, u.lastName].filter(Boolean).join(' ') || u.username,
+        value: u.id,
+    })),
+)
+
+// --- Effective range (preset → concrete dates) ---
+const activeFilters = computed<ReportFilters>(() => ({
+    from: customFrom.value ?? initialRange.from,
+    to: customTo.value ?? initialRange.to,
+    projectId: selectedProjectId.value,
+    userId: selectedUserId.value,
+}))
+
+// When a non-custom preset is picked, sync the date pickers.
+watch(selectedPeriod, (key) => {
+    if (key !== 'custom') {
+        const range = rangeForPreset(key, {
+            from: customFrom.value ?? initialRange.from,
+            to: customTo.value ?? initialRange.to,
+        })
+        customFrom.value = range.from
+        customTo.value = range.to
+    }
+})
+
+// --- Report data ---
+const timePerProject = ref<TimePerProject[]>([])
+const timePerUser = ref<TimePerUser[]>([])
+const tasksByStatus = ref<TasksByStatus[]>([])
+const absencesByType = ref<AbsencesByType[]>([])
+const isLoading = ref(true)
+
+const absenceRows = computed(() =>
+    absencesByType.value.map(r => ({ ...r, typeLabel: absenceTypeLabel(r.type) })),
+)
+
+// --- Columns ---
+const projectColumns: DataTableColumn[] = [
+    { key: 'projectName', label: t('reporting.columns.project'), primary: true },
+    { key: 'hours', label: t('reporting.columns.hours') },
+    { key: 'entryCount', label: t('reporting.columns.entries') },
+]
+const userColumns: DataTableColumn[] = [
+    { key: 'fullName', label: t('reporting.columns.user'), primary: true },
+    { key: 'hours', label: t('reporting.columns.hours') },
+    { key: 'entryCount', label: t('reporting.columns.entries') },
+]
+const statusColumns: DataTableColumn[] = [
+    { key: 'statusLabel', label: t('reporting.columns.status'), primary: true },
+    { key: 'count', label: t('reporting.columns.count') },
+]
+const absenceColumns: DataTableColumn[] = [
+    { key: 'typeLabel', label: t('reporting.columns.type'), primary: true },
+    { key: 'count', label: t('reporting.columns.count') },
+    { key: 'totalDays', label: t('reporting.columns.days') },
+]
+
+// --- Helpers ---
+function round(value: number): number {
+    return Math.round(value * 100) / 100
+}
+
+function formatHours(h: number): string {
+    const hours = Math.floor(h)
+    const mins = Math.round((h - hours) * 60)
+    return mins > 0 ? `${hours}h${String(mins).padStart(2, '0')}` : `${hours}h`
+}
+
+function absenceTypeLabel(type: string): string {
+    const key = `reporting.absenceTypes.${type}`
+    const label = t(key)
+    return label === key ? type : label
+}
+
+// --- Loading ---
+async function loadReferenceData() {
+    const [proj, usr] = await Promise.all([
+        projectService.getAll(),
+        userService.getAll(),
+    ])
+    projects.value = proj
+    users.value = usr
+}
+
+async function loadReports() {
+    isLoading.value = true
+    try {
+        const filters = activeFilters.value
+        const [tpp, tpu, tbs, abt] = await Promise.all([
+            reportingService.timePerProject(filters),
+            reportingService.timePerUser(filters),
+            reportingService.tasksByStatus(filters),
+            reportingService.absencesByType(filters),
+        ])
+        timePerProject.value = tpp
+        timePerUser.value = tpu
+        tasksByStatus.value = tbs
+        absencesByType.value = abt
+    } finally {
+        isLoading.value = false
+    }
+}
+
+// Reload reports whenever the effective filters change.
+watch(activeFilters, () => {
+    loadReports()
+}, { deep: true })
+
+onMounted(async () => {
+    await loadReferenceData()
+    await loadReports()
+})
+
+// --- CSV export ---
+function exportTimePerProject() {
+    downloadCsv('rapport-temps-par-projet', timePerProject.value, [
+        { header: t('reporting.columns.project'), value: r => r.projectName },
+        { header: t('reporting.columns.code'), value: r => r.projectCode },
+        { header: t('reporting.columns.hours'), value: r => round(r.hours) },
+        { header: t('reporting.columns.entries'), value: r => r.entryCount },
+    ])
+}
+
+function exportTimePerUser() {
+    downloadCsv('rapport-temps-par-utilisateur', timePerUser.value, [
+        { header: t('reporting.columns.user'), value: r => r.fullName || r.username },
+        { header: t('reporting.columns.hours'), value: r => round(r.hours) },
+        { header: t('reporting.columns.entries'), value: r => r.entryCount },
+    ])
+}
+
+function exportTasksByStatus() {
+    downloadCsv('rapport-taches-par-statut', tasksByStatus.value, [
+        { header: t('reporting.columns.status'), value: r => r.statusLabel },
+        { header: t('reporting.columns.count'), value: r => r.count },
+    ])
+}
+
+function exportAbsencesByType() {
+    downloadCsv('rapport-absences-par-type', absencesByType.value, [
+        { header: t('reporting.columns.type'), value: r => absenceTypeLabel(r.type) },
+        { header: t('reporting.columns.count'), value: r => r.count },
+        { header: t('reporting.columns.days'), value: r => r.totalDays },
+    ])
+}
+</script>
diff --git a/frontend/modules/reporting/services/dto/reporting.ts b/frontend/modules/reporting/services/dto/reporting.ts
new file mode 100644
index 0000000..4494fd7
--- /dev/null
+++ b/frontend/modules/reporting/services/dto/reporting.ts
@@ -0,0 +1,34 @@
+export type TimePerProject = {
+    projectId: number
+    projectCode: string
+    projectName: string
+    hours: number
+    entryCount: number
+}
+
+export type TimePerUser = {
+    userId: number
+    username: string
+    fullName: string
+    hours: number
+    entryCount: number
+}
+
+export type TasksByStatus = {
+    statusId: number
+    statusLabel: string
+    count: number
+}
+
+export type AbsencesByType = {
+    type: string
+    count: number
+    totalDays: number
+}
+
+export type ReportFilters = {
+    from: string
+    to: string
+    userId?: number | null
+    projectId?: number | null
+}
diff --git a/frontend/modules/reporting/services/reporting.ts b/frontend/modules/reporting/services/reporting.ts
new file mode 100644
index 0000000..95aff37
--- /dev/null
+++ b/frontend/modules/reporting/services/reporting.ts
@@ -0,0 +1,51 @@
+import type {
+    AbsencesByType,
+    ReportFilters,
+    TasksByStatus,
+    TimePerProject,
+    TimePerUser,
+} from './dto/reporting'
+import type { AnyObject } from '~/shared/composables/useApi'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+function buildQuery(filters: Partial<ReportFilters>, keys: (keyof ReportFilters)[]): AnyObject {
+    const query: AnyObject = {}
+    for (const key of keys) {
+        const value = filters[key]
+        if (value !== undefined && value !== null && value !== '') {
+            query[key] = value
+        }
+    }
+    return query
+}
+
+export function useReportingService() {
+    const api = useApi()
+
+    async function timePerProject(filters: ReportFilters): Promise<TimePerProject[]> {
+        const query = buildQuery(filters, ['from', 'to', 'userId', 'projectId'])
+        const data = await api.get<HydraCollection<TimePerProject>>('/reports/time-per-project', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function timePerUser(filters: ReportFilters): Promise<TimePerUser[]> {
+        const query = buildQuery(filters, ['from', 'to', 'projectId'])
+        const data = await api.get<HydraCollection<TimePerUser>>('/reports/time-per-user', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function tasksByStatus(filters: ReportFilters): Promise<TasksByStatus[]> {
+        const query = buildQuery(filters, ['projectId'])
+        const data = await api.get<HydraCollection<TasksByStatus>>('/reports/tasks-by-status', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function absencesByType(filters: ReportFilters): Promise<AbsencesByType[]> {
+        const query = buildQuery(filters, ['from', 'to', 'userId'])
+        const data = await api.get<HydraCollection<AbsencesByType>>('/reports/absences-by-type', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    return { timePerProject, timePerUser, tasksByStatus, absencesByType }
+}
diff --git a/frontend/components/time-tracking/TimeEntryBlock.vue b/frontend/modules/time-tracking/components/TimeEntryBlock.vue
similarity index 99%
rename from frontend/components/time-tracking/TimeEntryBlock.vue
rename to frontend/modules/time-tracking/components/TimeEntryBlock.vue
index ffdb7d7..560ccd3 100644
--- a/frontend/components/time-tracking/TimeEntryBlock.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryBlock.vue
@@ -64,7 +64,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 
 const props = defineProps<{
     entry: TimeEntry
diff --git a/frontend/components/time-tracking/TimeEntryContextMenu.vue b/frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
similarity index 96%
rename from frontend/components/time-tracking/TimeEntryContextMenu.vue
rename to frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
index 6088ed3..ada7403 100644
--- a/frontend/components/time-tracking/TimeEntryContextMenu.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
@@ -35,7 +35,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 
 const props = defineProps<{
     visible: boolean
diff --git a/frontend/components/time-tracking/TimeEntryDrawer.vue b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
similarity index 96%
rename from frontend/components/time-tracking/TimeEntryDrawer.vue
rename to frontend/modules/time-tracking/components/TimeEntryDrawer.vue
index f9660b5..0f002a1 100644
--- a/frontend/components/time-tracking/TimeEntryDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
@@ -124,11 +124,11 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry, TimeEntryWrite } from '~/services/dto/time-entry'
+import type { TimeEntry, TimeEntryWrite } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
-import { useTimeEntryService } from '~/services/time-entries'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/time-tracking/TimeEntryList.vue b/frontend/modules/time-tracking/components/TimeEntryList.vue
similarity index 98%
rename from frontend/components/time-tracking/TimeEntryList.vue
rename to frontend/modules/time-tracking/components/TimeEntryList.vue
index a727593..9913e0d 100644
--- a/frontend/components/time-tracking/TimeEntryList.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryList.vue
@@ -67,7 +67,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import { stripRichText } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/time-tracking/TimeTrackingCalendar.vue b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
similarity index 99%
rename from frontend/components/time-tracking/TimeTrackingCalendar.vue
rename to frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
index 4b32e29..455c7dd 100644
--- a/frontend/components/time-tracking/TimeTrackingCalendar.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
@@ -150,8 +150,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
-import { useAbsenceService } from '~/services/absences'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const { t } = useI18n()
 const absenceService = useAbsenceService()
diff --git a/frontend/components/time-tracking/TimeTrackingExportDrawer.vue b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
similarity index 96%
rename from frontend/components/time-tracking/TimeTrackingExportDrawer.vue
rename to frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
index abeeb8e..958b3af 100644
--- a/frontend/components/time-tracking/TimeTrackingExportDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
@@ -108,9 +108,9 @@
 
 <script setup lang="ts">
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { Client } from '~/services/dto/client'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { Client } from '~/modules/directory/services/dto/client'
 
 const props = defineProps<{
     users: UserData[]
diff --git a/frontend/modules/time-tracking/nuxt.config.ts b/frontend/modules/time-tracking/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/time-tracking/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/time-tracking.vue b/frontend/modules/time-tracking/pages/time-tracking.vue
similarity index 97%
rename from frontend/pages/time-tracking.vue
rename to frontend/modules/time-tracking/pages/time-tracking.vue
index d740b12..070c55b 100644
--- a/frontend/pages/time-tracking.vue
+++ b/frontend/modules/time-tracking/pages/time-tracking.vue
@@ -150,12 +150,12 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { Client } from '~/services/dto/client'
-import { useTimeEntryService } from '~/services/time-entries'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
 
diff --git a/frontend/services/dto/time-entry.ts b/frontend/modules/time-tracking/services/dto/time-entry.ts
similarity index 62%
rename from frontend/services/dto/time-entry.ts
rename to frontend/modules/time-tracking/services/dto/time-entry.ts
index 991d0fc..3f4275e 100644
--- a/frontend/services/dto/time-entry.ts
+++ b/frontend/modules/time-tracking/services/dto/time-entry.ts
@@ -1,7 +1,7 @@
-import type { UserData } from './user-data'
-import type { Project } from './project'
-import type { Task } from './task'
-import type { TaskTag } from './task-tag'
+import type { UserData } from '~/services/dto/user-data'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 
 export type TimeEntry = {
     id: number
diff --git a/frontend/services/time-entries.ts b/frontend/modules/time-tracking/services/time-entries.ts
similarity index 100%
rename from frontend/services/time-entries.ts
rename to frontend/modules/time-tracking/services/time-entries.ts
diff --git a/frontend/stores/timer.ts b/frontend/modules/time-tracking/stores/timer.ts
similarity index 93%
rename from frontend/stores/timer.ts
rename to frontend/modules/time-tracking/stores/timer.ts
index 28d5688..6462747 100644
--- a/frontend/stores/timer.ts
+++ b/frontend/modules/time-tracking/stores/timer.ts
@@ -1,7 +1,7 @@
 import { defineStore } from 'pinia'
-import type { TimeEntry } from '~/services/dto/time-entry'
-import type { Task } from '~/services/dto/task'
-import { useTimeEntryService } from '~/services/time-entries'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 export const useTimerStore = defineStore('timer', () => {
     const activeEntry = ref<TimeEntry | null>(null)
diff --git a/frontend/nuxt.config.ts b/frontend/nuxt.config.ts
index 1f8c5b9..2819db7 100644
--- a/frontend/nuxt.config.ts
+++ b/frontend/nuxt.config.ts
@@ -1,14 +1,32 @@
+import { existsSync, readdirSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const modulesDir = resolve(__dirname, 'modules')
+const moduleDirs = existsSync(modulesDir)
+    ? readdirSync(modulesDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name)
+    : []
+const moduleLayers = moduleDirs.map((name) => `./modules/${name}`)
+const moduleComposableDirs = moduleDirs
+    .map((name) => `modules/${name}/composables`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+const moduleStoreDirs = moduleDirs
+    .map((name) => `modules/${name}/stores`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+
 export default defineNuxtConfig({
     compatibilityDate: '2025-07-15',
-    devtools: {enabled: false},
+    devtools: { enabled: false },
     ssr: false,
+    srcDir: '.',
     css: ['~/assets/css/app.css', '~/assets/css/dark.css'],
     app: {
         baseURL: process.env.NODE_ENV === 'production'
             ? (process.env.NUXT_PUBLIC_APP_BASE || '/')
-            : '/'
+            : '/',
     },
-    extends: ['@malio/layer-ui'],
+    extends: ['@malio/layer-ui', ...moduleLayers],
     modules: [
         '@nuxtjs/tailwindcss',
         '@pinia/nuxt',
@@ -16,16 +34,35 @@ export default defineNuxtConfig({
         '@nuxtjs/i18n',
         '@nuxt/icon',
     ],
+    dir: {
+        layouts: 'app/layouts',
+        middleware: 'app/middleware',
+    },
+    imports: {
+        dirs: [
+            'shared/composables',
+            'shared/stores',
+            'shared/utils',
+            'composables',
+            'stores',
+            'utils',
+            ...moduleComposableDirs,
+            ...moduleStoreDirs,
+        ],
+    },
+    pinia: {
+        storesDirs: ['shared/stores/**', 'stores/**', 'modules/*/stores/**'],
+    },
     runtimeConfig: {
         public: {
-            apiBase: process.env.NUXT_PUBLIC_API_BASE
-        }
+            apiBase: process.env.NUXT_PUBLIC_API_BASE,
+        },
     },
     devServer: {
         port: 3002,
     },
     components: [
-        {path: '~/components', pathPrefix: false},
+        { path: '~/components', pathPrefix: false },
     ],
     vite: {
         server: {
@@ -56,10 +93,6 @@ export default defineNuxtConfig({
             {code: 'fr', file: 'fr.json', name: 'Français'}
         ],
     },
-    typescript: {
-        strict: true
-    },
-    build: {
-        transpile: ['@vuepic/vue-datepicker']
-    }
+    typescript: { strict: true },
+    build: { transpile: ['@vuepic/vue-datepicker'] },
 })
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index 998deac..668db4e 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -6,7 +6,7 @@
             <div class="mt-6 border-b border-neutral-200 overflow-x-auto">
                 <nav class="flex gap-4 sm:gap-6">
                     <button
-                        v-for="tab in tabs"
+                        v-for="tab in visibleTabs"
                         :key="tab.key"
                         class="whitespace-nowrap px-1 pb-3 text-sm font-semibold transition"
                         :class="activeTab === tab.key
@@ -27,6 +27,8 @@
             <AdminPriorityTab v-if="activeTab === 'priorities'" />
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
+            <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
+            <AdminAuditTab v-if="activeTab === 'audit' && canViewAudit" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
@@ -41,6 +43,12 @@
 definePageMeta({ middleware: ['admin'] })
 useHead({ title: 'Administration' })
 
+const { can } = usePermissions()
+const { t } = useI18n()
+
+const canViewRoles = computed(() => can('core.roles.view'))
+const canViewAudit = computed(() => can('core.audit_log.view'))
+
 const tabs = [
     { key: 'clients', label: 'Clients' },
     { key: 'workflows', label: 'Workflows' },
@@ -48,6 +56,8 @@ const tabs = [
     { key: 'priorities', label: 'Priorités' },
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
+    { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
+    { key: 'audit', label: t('admin.audit.title'), permission: 'core.audit_log.view' },
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },
@@ -58,5 +68,9 @@ const tabs = [
 
 type TabKey = typeof tabs[number]['key']
 
+const visibleTabs = computed(() =>
+    tabs.filter((tab) => !('permission' in tab) || can(tab.permission)),
+)
+
 const activeTab = ref<TabKey>('clients')
 </script>
diff --git a/frontend/pages/documents.vue b/frontend/pages/documents.vue
index 05fec23..1a68bfe 100644
--- a/frontend/pages/documents.vue
+++ b/frontend/pages/documents.vue
@@ -81,8 +81,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Breadcrumb, FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
+import type { Breadcrumb, FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
 import { formatFileSize } from '~/utils/format'
 
 useHead({ title: 'Documents' })
diff --git a/frontend/pages/index.vue b/frontend/pages/index.vue
index 684631b..96b1d67 100644
--- a/frontend/pages/index.vue
+++ b/frontend/pages/index.vue
@@ -1,16 +1,16 @@
 <script setup lang="ts">
 import { Doughnut, Bar, Line } from 'vue-chartjs'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TimeEntry } from '~/services/dto/time-entry'
-import type { Project } from '~/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
+import type { Project } from '~/modules/project-management/services/dto/project'
 import type { UserData } from '~/services/dto/user-data'
-import { useTaskService } from '~/services/tasks'
-import { useTaskStatusService } from '~/services/task-statuses'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTimeEntryService } from '~/services/time-entries'
-import { useProjectService } from '~/services/projects'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
+import { useProjectService } from '~/modules/project-management/services/projects'
 import { useUserService } from '~/services/users'
 
 const { t } = useI18n()
diff --git a/frontend/services/dto/notification.ts b/frontend/services/dto/notification.ts
index 9b8fe43..37d3d45 100644
--- a/frontend/services/dto/notification.ts
+++ b/frontend/services/dto/notification.ts
@@ -1,4 +1,4 @@
-export type NotificationType = 'ticket_created' | 'ticket_status_changed'
+export type NotificationType = 'task_assigned' | 'task_collaborator_added'
 
 export type Notification = {
     '@id'?: string
diff --git a/frontend/services/dto/user-data.ts b/frontend/services/dto/user-data.ts
index 3f5f5df..148bac0 100644
--- a/frontend/services/dto/user-data.ts
+++ b/frontend/services/dto/user-data.ts
@@ -7,6 +7,7 @@ export type UserData = {
     firstName?: string | null
     lastName?: string | null
     roles: string[]
+    effectivePermissions?: string[]
     avatarUrl?: string | null
     apiToken?: string | null
     // HR / absence management
diff --git a/frontend/services/users.ts b/frontend/services/users.ts
index 69e02f0..ce64cd3 100644
--- a/frontend/services/users.ts
+++ b/frontend/services/users.ts
@@ -10,6 +10,10 @@ export function useUserService() {
         return extractHydraMembers(data)
     }
 
+    async function getById(id: number): Promise<UserData> {
+        return api.get<UserData>(`/users/${id}`)
+    }
+
     async function create(payload: UserWrite): Promise<UserData> {
         return api.post<UserData>('/users', payload as Record<string, unknown>, {
             toastSuccessKey: 'users.created',
@@ -28,5 +32,5 @@ export function useUserService() {
         })
     }
 
-    return { getAll, create, update, remove }
+    return { getAll, getById, create, update, remove }
 }
diff --git a/frontend/composables/useApi.ts b/frontend/shared/composables/useApi.ts
similarity index 99%
rename from frontend/composables/useApi.ts
rename to frontend/shared/composables/useApi.ts
index bac2544..8ebb4f1 100644
--- a/frontend/composables/useApi.ts
+++ b/frontend/shared/composables/useApi.ts
@@ -1,6 +1,6 @@
 import type { FetchOptions } from 'ofetch'
 import { $fetch, FetchError } from 'ofetch'
-import { useAuthStore } from '~/stores/auth'
+import { useAuthStore } from '~/shared/stores/auth'
 
 export type AnyObject = Record<string, unknown>
 
diff --git a/frontend/shared/composables/useModules.ts b/frontend/shared/composables/useModules.ts
new file mode 100644
index 0000000..873c9cb
--- /dev/null
+++ b/frontend/shared/composables/useModules.ts
@@ -0,0 +1,22 @@
+const activeModuleIds = ref<string[]>([])
+const loaded = ref(false)
+
+export function useModules() {
+    async function loadModules(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ modules: string[] }>('/modules', {}, { toast: false })
+        activeModuleIds.value = data.modules ?? []
+        loaded.value = true
+    }
+
+    function isModuleActive(id: string): boolean {
+        return activeModuleIds.value.includes(id)
+    }
+
+    function resetModules(): void {
+        activeModuleIds.value = []
+        loaded.value = false
+    }
+
+    return { activeModuleIds, loaded, loadModules, isModuleActive, resetModules }
+}
diff --git a/frontend/shared/composables/useSidebar.ts b/frontend/shared/composables/useSidebar.ts
new file mode 100644
index 0000000..5004182
--- /dev/null
+++ b/frontend/shared/composables/useSidebar.ts
@@ -0,0 +1,31 @@
+import type { SidebarSection } from '~/shared/types/sidebar'
+
+const sections = ref<SidebarSection[]>([])
+const disabledRoutes = ref<string[]>([])
+const loaded = ref(false)
+
+export function useSidebar() {
+    async function loadSidebar(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ sections: SidebarSection[]; disabledRoutes: string[] }>(
+            '/sidebar', {}, { toast: false },
+        )
+        sections.value = data.sections ?? []
+        disabledRoutes.value = data.disabledRoutes ?? []
+        loaded.value = true
+    }
+
+    function isRouteDisabled(path: string): boolean {
+        return disabledRoutes.value.some(
+            (disabled) => path === disabled || path.startsWith(disabled + '/'),
+        )
+    }
+
+    function resetSidebar(): void {
+        sections.value = []
+        disabledRoutes.value = []
+        loaded.value = false
+    }
+
+    return { sections, disabledRoutes, loaded, loadSidebar, isRouteDisabled, resetSidebar }
+}
diff --git a/frontend/stores/auth.ts b/frontend/shared/stores/auth.ts
similarity index 100%
rename from frontend/stores/auth.ts
rename to frontend/shared/stores/auth.ts
diff --git a/frontend/stores/ui.ts b/frontend/shared/stores/ui.ts
similarity index 100%
rename from frontend/stores/ui.ts
rename to frontend/shared/stores/ui.ts
diff --git a/frontend/shared/types/sidebar.ts b/frontend/shared/types/sidebar.ts
new file mode 100644
index 0000000..0f4057f
--- /dev/null
+++ b/frontend/shared/types/sidebar.ts
@@ -0,0 +1,11 @@
+export type SidebarItem = {
+    label: string
+    to: string
+    icon: string
+}
+
+export type SidebarSection = {
+    label: string
+    icon: string
+    items: SidebarItem[]
+}
diff --git a/infra/prod/deploy.sh b/infra/prod/deploy.sh
index e8f189c..1027034 100755
--- a/infra/prod/deploy.sh
+++ b/infra/prod/deploy.sh
@@ -27,6 +27,9 @@ sudo docker compose cp app:/var/www/html/public/maintenance.html public/maintena
 echo "==> Running migrations..."
 sudo docker compose exec -T -u www-data app php bin/console doctrine:migrations:migrate --no-interaction
 
+echo "==> Syncing RBAC permissions catalog..."
+sudo docker compose exec -T -u www-data app php bin/console app:sync-permissions
+
 echo "==> Clearing cache..."
 sudo docker compose exec -T -u www-data app php bin/console cache:clear --env=prod
 sudo docker compose exec -T -u www-data app php bin/console cache:warmup --env=prod
diff --git a/makefile b/makefile
index 9cc9803..440a548 100644
--- a/makefile
+++ b/makefile
@@ -38,7 +38,7 @@ restart: env-init
 	$(DOCKER_COMPOSE) down
 	CURRENT_UID=$(shell id -u) CURRENT_GID=$(shell id -g) $(DOCKER_COMPOSE) up -d
 
-install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate
+install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate sync-permissions
 
 # Supprime tout est réinstalle tout (Attention ça supprime la bdd aussi)
 reset: delete_built_dir remove_orphans build-without-cache start wait install
@@ -77,6 +77,10 @@ build-without-cache:
 migration-migrate:
 	$(SYMFONY_CONSOLE) doctrine:migrations:migrate --no-interaction
 
+# Synchronise le catalogue des permissions RBAC depuis les modules actifs
+sync-permissions:
+	$(SYMFONY_CONSOLE) app:sync-permissions
+
 fixtures:
 	$(SYMFONY_CONSOLE) --no-interaction doctrine:fixtures:load
 
@@ -87,6 +91,7 @@ db-reset:
 	$(MAKE) wait
 	$(SYMFONY_CONSOLE) doctrine:database:create --if-not-exists
 	$(MAKE) migration-migrate
+	$(MAKE) sync-permissions
 	$(MAKE) fixtures
 
 # Restart la bdd
diff --git a/migrations/Version20260619145109.php b/migrations/Version20260619145109.php
new file mode 100644
index 0000000..5de9930
--- /dev/null
+++ b/migrations/Version20260619145109.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * RBAC fin (LST-57) : permission, role and their many-to-many relations with user.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619145109 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add RBAC permission and role entities with user relations (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('CREATE TABLE permission (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, code VARCHAR(255) NOT NULL, label VARCHAR(255) NOT NULL, module VARCHAR(100) NOT NULL, orphan BOOLEAN NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_E04992AA77153098 ON permission (code)');
+        $this->addSql('CREATE INDEX idx_permission_module ON permission (module)');
+        $this->addSql('CREATE INDEX idx_permission_orphan ON permission (orphan)');
+        $this->addSql('COMMENT ON COLUMN permission.code IS \'Permission code (module.resource[.sub].action)\'');
+        $this->addSql('COMMENT ON COLUMN permission.label IS \'Human-readable permission label\'');
+        $this->addSql('COMMENT ON COLUMN permission.module IS \'Owning module id (e.g. core)\'');
+        $this->addSql('COMMENT ON COLUMN permission.orphan IS \'True when the permission is no longer declared by any active module\'');
+
+        $this->addSql('CREATE TABLE "role" (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, code VARCHAR(100) NOT NULL, label VARCHAR(255) NOT NULL, description TEXT DEFAULT NULL, is_system BOOLEAN NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_57698A6A77153098 ON "role" (code)');
+        $this->addSql('CREATE INDEX idx_role_is_system ON "role" (is_system)');
+        $this->addSql('COMMENT ON COLUMN "role".code IS \'Immutable role code (snake_case)\'');
+        $this->addSql('COMMENT ON COLUMN "role".label IS \'Human-readable role label\'');
+        $this->addSql('COMMENT ON COLUMN "role".description IS \'Optional role description\'');
+        $this->addSql('COMMENT ON COLUMN "role".is_system IS \'True for built-in roles that cannot be deleted\'');
+
+        $this->addSql('CREATE TABLE role_permission (role_id INT NOT NULL, permission_id INT NOT NULL, PRIMARY KEY (role_id, permission_id))');
+        $this->addSql('CREATE INDEX IDX_6F7DF886D60322AC ON role_permission (role_id)');
+        $this->addSql('CREATE INDEX IDX_6F7DF886FED90CCA ON role_permission (permission_id)');
+
+        $this->addSql('CREATE TABLE user_role (user_id INT NOT NULL, role_id INT NOT NULL, PRIMARY KEY (user_id, role_id))');
+        $this->addSql('CREATE INDEX IDX_2DE8C6A3A76ED395 ON user_role (user_id)');
+        $this->addSql('CREATE INDEX IDX_2DE8C6A3D60322AC ON user_role (role_id)');
+
+        $this->addSql('CREATE TABLE user_permission (user_id INT NOT NULL, permission_id INT NOT NULL, PRIMARY KEY (user_id, permission_id))');
+        $this->addSql('CREATE INDEX IDX_472E5446A76ED395 ON user_permission (user_id)');
+        $this->addSql('CREATE INDEX IDX_472E5446FED90CCA ON user_permission (permission_id)');
+
+        $this->addSql('ALTER TABLE role_permission ADD CONSTRAINT FK_6F7DF886D60322AC FOREIGN KEY (role_id) REFERENCES "role" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE role_permission ADD CONSTRAINT FK_6F7DF886FED90CCA FOREIGN KEY (permission_id) REFERENCES permission (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_role ADD CONSTRAINT FK_2DE8C6A3A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_role ADD CONSTRAINT FK_2DE8C6A3D60322AC FOREIGN KEY (role_id) REFERENCES "role" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_permission ADD CONSTRAINT FK_472E5446A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_permission ADD CONSTRAINT FK_472E5446FED90CCA FOREIGN KEY (permission_id) REFERENCES permission (id) ON DELETE CASCADE');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE role_permission DROP CONSTRAINT FK_6F7DF886D60322AC');
+        $this->addSql('ALTER TABLE role_permission DROP CONSTRAINT FK_6F7DF886FED90CCA');
+        $this->addSql('ALTER TABLE user_role DROP CONSTRAINT FK_2DE8C6A3A76ED395');
+        $this->addSql('ALTER TABLE user_role DROP CONSTRAINT FK_2DE8C6A3D60322AC');
+        $this->addSql('ALTER TABLE user_permission DROP CONSTRAINT FK_472E5446A76ED395');
+        $this->addSql('ALTER TABLE user_permission DROP CONSTRAINT FK_472E5446FED90CCA');
+        $this->addSql('DROP TABLE role_permission');
+        $this->addSql('DROP TABLE user_role');
+        $this->addSql('DROP TABLE user_permission');
+        $this->addSql('DROP TABLE permission');
+        $this->addSql('DROP TABLE "role"');
+    }
+}
diff --git a/migrations/Version20260619185448.php b/migrations/Version20260619185448.php
new file mode 100644
index 0000000..a9c2335
--- /dev/null
+++ b/migrations/Version20260619185448.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619185448 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}
diff --git a/migrations/Version20260620161036.php b/migrations/Version20260620161036.php
new file mode 100644
index 0000000..b494795
--- /dev/null
+++ b/migrations/Version20260620161036.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * TimeTracking module (2.1): add Timestampable/Blamable columns to time_entry.
+ *
+ * TimeEntry is the first adopter of TimestampableBlamableTrait. This migration
+ * is purely additive — nullable columns + nullable FK to "user" with
+ * ON DELETE SET NULL. No DROP/ALTER on existing data. Columns are lowercase
+ * snake_case. Hand-written to guarantee zero destructive instruction.
+ */
+final class Version20260620161036 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'TimeTracking: add timestampable/blamable columns to time_entry (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE time_entry ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD CONSTRAINT FK_6E537C0CDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE time_entry ADD CONSTRAINT FK_6E537C0C16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_6E537C0CDE12AB56 ON time_entry (created_by)');
+        $this->addSql('CREATE INDEX IDX_6E537C0C16FE72E1 ON time_entry (updated_by)');
+        $this->addSql("COMMENT ON COLUMN time_entry.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE time_entry DROP CONSTRAINT FK_6E537C0CDE12AB56');
+        $this->addSql('ALTER TABLE time_entry DROP CONSTRAINT FK_6E537C0C16FE72E1');
+        $this->addSql('DROP INDEX IDX_6E537C0CDE12AB56');
+        $this->addSql('DROP INDEX IDX_6E537C0C16FE72E1');
+        $this->addSql('ALTER TABLE time_entry DROP created_at');
+        $this->addSql('ALTER TABLE time_entry DROP updated_at');
+        $this->addSql('ALTER TABLE time_entry DROP created_by');
+        $this->addSql('ALTER TABLE time_entry DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260620161500.php b/migrations/Version20260620161500.php
new file mode 100644
index 0000000..1e9b5a4
--- /dev/null
+++ b/migrations/Version20260620161500.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * ProjectManagement module (LST-65 slice 3): add Timestampable/Blamable columns
+ * to task and project.
+ *
+ * Task and Project adopt TimestampableBlamableTrait (after TimeEntry). This
+ * migration is purely additive — nullable columns + nullable FK to "user" with
+ * ON DELETE SET NULL. No DROP/ALTER on existing data. Columns are lowercase
+ * snake_case. Hand-written to guarantee zero destructive instruction.
+ */
+final class Version20260620161500 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'ProjectManagement: add timestampable/blamable columns to task and project (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // task
+        $this->addSql('ALTER TABLE task ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB25DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB2516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB25DE12AB56 ON task (created_by)');
+        $this->addSql('CREATE INDEX IDX_527EDB2516FE72E1 ON task (updated_by)');
+        $this->addSql("COMMENT ON COLUMN task.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN task.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN task.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN task.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // project
+        $this->addSql('ALTER TABLE project ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD CONSTRAINT FK_2FB3D0EEDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE project ADD CONSTRAINT FK_2FB3D0EE16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_2FB3D0EEDE12AB56 ON project (created_by)');
+        $this->addSql('CREATE INDEX IDX_2FB3D0EE16FE72E1 ON project (updated_by)');
+        $this->addSql("COMMENT ON COLUMN project.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN project.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN project.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN project.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // task
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB25DE12AB56');
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB2516FE72E1');
+        $this->addSql('DROP INDEX IDX_527EDB25DE12AB56');
+        $this->addSql('DROP INDEX IDX_527EDB2516FE72E1');
+        $this->addSql('ALTER TABLE task DROP created_at');
+        $this->addSql('ALTER TABLE task DROP updated_at');
+        $this->addSql('ALTER TABLE task DROP created_by');
+        $this->addSql('ALTER TABLE task DROP updated_by');
+
+        // project
+        $this->addSql('ALTER TABLE project DROP CONSTRAINT FK_2FB3D0EEDE12AB56');
+        $this->addSql('ALTER TABLE project DROP CONSTRAINT FK_2FB3D0EE16FE72E1');
+        $this->addSql('DROP INDEX IDX_2FB3D0EEDE12AB56');
+        $this->addSql('DROP INDEX IDX_2FB3D0EE16FE72E1');
+        $this->addSql('ALTER TABLE project DROP created_at');
+        $this->addSql('ALTER TABLE project DROP updated_at');
+        $this->addSql('ALTER TABLE project DROP created_by');
+        $this->addSql('ALTER TABLE project DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260620170000.php b/migrations/Version20260620170000.php
new file mode 100644
index 0000000..71896e8
--- /dev/null
+++ b/migrations/Version20260620170000.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Absence module: add Timestampable/Blamable columns to absence_balance and
+ * absence_policy.
+ *
+ * AbsenceBalance and AbsencePolicy adopt TimestampableBlamableTrait.
+ * AbsenceRequest is intentionally untouched (it already carries createdAt /
+ * reviewedAt). This migration is purely additive — nullable columns + nullable
+ * FK to "user" with ON DELETE SET NULL. No DROP/ALTER on existing data. Columns
+ * are lowercase snake_case. Hand-written to guarantee zero destructive
+ * instruction.
+ */
+final class Version20260620170000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Absence: add timestampable/blamable columns to absence_balance and absence_policy (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // absence_balance
+        $this->addSql('ALTER TABLE absence_balance ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD CONSTRAINT FK_65723A76DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE absence_balance ADD CONSTRAINT FK_65723A7616FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_65723A76DE12AB56 ON absence_balance (created_by)');
+        $this->addSql('CREATE INDEX IDX_65723A7616FE72E1 ON absence_balance (updated_by)');
+        $this->addSql("COMMENT ON COLUMN absence_balance.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // absence_policy
+        $this->addSql('ALTER TABLE absence_policy ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD CONSTRAINT FK_7A780B65DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE absence_policy ADD CONSTRAINT FK_7A780B6516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_7A780B65DE12AB56 ON absence_policy (created_by)');
+        $this->addSql('CREATE INDEX IDX_7A780B6516FE72E1 ON absence_policy (updated_by)');
+        $this->addSql("COMMENT ON COLUMN absence_policy.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // absence_balance
+        $this->addSql('ALTER TABLE absence_balance DROP CONSTRAINT FK_65723A76DE12AB56');
+        $this->addSql('ALTER TABLE absence_balance DROP CONSTRAINT FK_65723A7616FE72E1');
+        $this->addSql('DROP INDEX IDX_65723A76DE12AB56');
+        $this->addSql('DROP INDEX IDX_65723A7616FE72E1');
+        $this->addSql('ALTER TABLE absence_balance DROP created_at');
+        $this->addSql('ALTER TABLE absence_balance DROP updated_at');
+        $this->addSql('ALTER TABLE absence_balance DROP created_by');
+        $this->addSql('ALTER TABLE absence_balance DROP updated_by');
+
+        // absence_policy
+        $this->addSql('ALTER TABLE absence_policy DROP CONSTRAINT FK_7A780B65DE12AB56');
+        $this->addSql('ALTER TABLE absence_policy DROP CONSTRAINT FK_7A780B6516FE72E1');
+        $this->addSql('DROP INDEX IDX_7A780B65DE12AB56');
+        $this->addSql('DROP INDEX IDX_7A780B6516FE72E1');
+        $this->addSql('ALTER TABLE absence_policy DROP created_at');
+        $this->addSql('ALTER TABLE absence_policy DROP updated_at');
+        $this->addSql('ALTER TABLE absence_policy DROP created_by');
+        $this->addSql('ALTER TABLE absence_policy DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260620180000.php b/migrations/Version20260620180000.php
new file mode 100644
index 0000000..1304283
--- /dev/null
+++ b/migrations/Version20260620180000.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Directory module: add Timestampable/Blamable columns to client.
+ *
+ * Client (moved to App\Module\Directory\Domain\Entity) adopts
+ * TimestampableBlamableTrait. This migration is purely additive — nullable
+ * columns + nullable FK to "user" with ON DELETE SET NULL. No DROP/ALTER on
+ * existing data. Columns are lowercase snake_case. Hand-written to guarantee
+ * zero destructive instruction.
+ */
+final class Version20260620180000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Directory: add timestampable/blamable columns to client (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE client ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD CONSTRAINT FK_C7440455DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client ADD CONSTRAINT FK_C744045516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_C7440455DE12AB56 ON client (created_by)');
+        $this->addSql('CREATE INDEX IDX_C744045516FE72E1 ON client (updated_by)');
+        $this->addSql("COMMENT ON COLUMN client.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN client.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN client.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN client.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE client DROP CONSTRAINT FK_C7440455DE12AB56');
+        $this->addSql('ALTER TABLE client DROP CONSTRAINT FK_C744045516FE72E1');
+        $this->addSql('DROP INDEX IDX_C7440455DE12AB56');
+        $this->addSql('DROP INDEX IDX_C744045516FE72E1');
+        $this->addSql('ALTER TABLE client DROP created_at');
+        $this->addSql('ALTER TABLE client DROP updated_at');
+        $this->addSql('ALTER TABLE client DROP created_by');
+        $this->addSql('ALTER TABLE client DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260620190000.php b/migrations/Version20260620190000.php
new file mode 100644
index 0000000..26f5306
--- /dev/null
+++ b/migrations/Version20260620190000.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Directory module: create the prospect table.
+ *
+ * Purely additive — creates a brand-new table with nullable FKs:
+ *   converted_client_id -> client(id)  ON DELETE SET NULL
+ *   created_by/updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case.
+ * Hand-written to mirror the schema dump and guarantee zero destructive
+ * instruction. down() drops the new table.
+ */
+final class Version20260620190000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Directory: create prospect table (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('CREATE TABLE prospect (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, name VARCHAR(255) NOT NULL, company VARCHAR(255) DEFAULT NULL, email VARCHAR(255) DEFAULT NULL, phone VARCHAR(50) DEFAULT NULL, street VARCHAR(255) DEFAULT NULL, city VARCHAR(255) DEFAULT NULL, postal_code VARCHAR(20) DEFAULT NULL, status VARCHAR(32) NOT NULL, source VARCHAR(255) DEFAULT NULL, notes TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, converted_client_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7D5AA408DD ON prospect (converted_client_id)');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7DDE12AB56 ON prospect (created_by)');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7D16FE72E1 ON prospect (updated_by)');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7D5AA408DD FOREIGN KEY (converted_client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7DDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7D16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql("COMMENT ON COLUMN prospect.status IS 'Prospect pipeline status (ProspectStatus enum: new, contacted, qualified, won, lost)'");
+        $this->addSql("COMMENT ON COLUMN prospect.converted_client_id IS 'Client created when the prospect is converted (FK client.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN prospect.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN prospect.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN prospect.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN prospect.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE prospect');
+    }
+}
diff --git a/migrations/Version20260620200000.php b/migrations/Version20260620200000.php
new file mode 100644
index 0000000..f750e91
--- /dev/null
+++ b/migrations/Version20260620200000.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Mail module: add Timestampable + Blamable tracking on mail_configuration.
+ *
+ * Purely additive — adds nullable audit columns to an existing table:
+ *   created_at / updated_at (Timestampable)
+ *   created_by / updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case.
+ * Hand-written to mirror the schema dump and guarantee zero destructive
+ * instruction. down() drops the new columns and their FKs/indexes.
+ */
+final class Version20260620200000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Mail: add Timestampable/Blamable columns on mail_configuration (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE mail_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD CONSTRAINT FK_BFC0A7DBDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE mail_configuration ADD CONSTRAINT FK_BFC0A7DB16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_BFC0A7DBDE12AB56 ON mail_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_BFC0A7DB16FE72E1 ON mail_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN mail_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE mail_configuration DROP CONSTRAINT FK_BFC0A7DBDE12AB56');
+        $this->addSql('ALTER TABLE mail_configuration DROP CONSTRAINT FK_BFC0A7DB16FE72E1');
+        $this->addSql('DROP INDEX IDX_BFC0A7DBDE12AB56');
+        $this->addSql('DROP INDEX IDX_BFC0A7DB16FE72E1');
+        $this->addSql('ALTER TABLE mail_configuration DROP created_at');
+        $this->addSql('ALTER TABLE mail_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE mail_configuration DROP created_by');
+        $this->addSql('ALTER TABLE mail_configuration DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260620201000.php b/migrations/Version20260620201000.php
new file mode 100644
index 0000000..5328ac5
--- /dev/null
+++ b/migrations/Version20260620201000.php
@@ -0,0 +1,125 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Integration module: add Timestampable + Blamable tracking on the four
+ * external-integration configuration tables (Gitea, BookStack, Zimbra, Share).
+ *
+ * Purely additive — adds nullable audit columns to existing tables:
+ *   created_at / updated_at (Timestampable)
+ *   created_by / updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case. FK/index
+ * names mirror Doctrine's generated identifiers so schema:validate stays clean.
+ * down() drops the new columns and their FKs/indexes.
+ */
+final class Version20260620201000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Integration: add Timestampable/Blamable columns on gitea/bookstack/zimbra/share configuration (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // gitea_configuration
+        $this->addSql('ALTER TABLE gitea_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD CONSTRAINT FK_901AB3BDDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE gitea_configuration ADD CONSTRAINT FK_901AB3BD16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_901AB3BDDE12AB56 ON gitea_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_901AB3BD16FE72E1 ON gitea_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // book_stack_configuration
+        $this->addSql('ALTER TABLE book_stack_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD CONSTRAINT FK_63A143E0DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD CONSTRAINT FK_63A143E016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_63A143E0DE12AB56 ON book_stack_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_63A143E016FE72E1 ON book_stack_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // zimbra_configuration
+        $this->addSql('ALTER TABLE zimbra_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD CONSTRAINT FK_E97E3357DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD CONSTRAINT FK_E97E335716FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_E97E3357DE12AB56 ON zimbra_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_E97E335716FE72E1 ON zimbra_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // share_configuration
+        $this->addSql('ALTER TABLE share_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD CONSTRAINT FK_F73FE5CDDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE share_configuration ADD CONSTRAINT FK_F73FE5CD16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_F73FE5CDDE12AB56 ON share_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_F73FE5CD16FE72E1 ON share_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN share_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE gitea_configuration DROP CONSTRAINT FK_901AB3BDDE12AB56');
+        $this->addSql('ALTER TABLE gitea_configuration DROP CONSTRAINT FK_901AB3BD16FE72E1');
+        $this->addSql('DROP INDEX IDX_901AB3BDDE12AB56');
+        $this->addSql('DROP INDEX IDX_901AB3BD16FE72E1');
+        $this->addSql('ALTER TABLE gitea_configuration DROP created_at');
+        $this->addSql('ALTER TABLE gitea_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE gitea_configuration DROP created_by');
+        $this->addSql('ALTER TABLE gitea_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE book_stack_configuration DROP CONSTRAINT FK_63A143E0DE12AB56');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP CONSTRAINT FK_63A143E016FE72E1');
+        $this->addSql('DROP INDEX IDX_63A143E0DE12AB56');
+        $this->addSql('DROP INDEX IDX_63A143E016FE72E1');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP created_at');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP created_by');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE zimbra_configuration DROP CONSTRAINT FK_E97E3357DE12AB56');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP CONSTRAINT FK_E97E335716FE72E1');
+        $this->addSql('DROP INDEX IDX_E97E3357DE12AB56');
+        $this->addSql('DROP INDEX IDX_E97E335716FE72E1');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP created_at');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP created_by');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE share_configuration DROP CONSTRAINT FK_F73FE5CDDE12AB56');
+        $this->addSql('ALTER TABLE share_configuration DROP CONSTRAINT FK_F73FE5CD16FE72E1');
+        $this->addSql('DROP INDEX IDX_F73FE5CDDE12AB56');
+        $this->addSql('DROP INDEX IDX_F73FE5CD16FE72E1');
+        $this->addSql('ALTER TABLE share_configuration DROP created_at');
+        $this->addSql('ALTER TABLE share_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE share_configuration DROP created_by');
+        $this->addSql('ALTER TABLE share_configuration DROP updated_by');
+    }
+}
diff --git a/migrations/Version20260621120000.php b/migrations/Version20260621120000.php
new file mode 100644
index 0000000..e203b84
--- /dev/null
+++ b/migrations/Version20260621120000.php
@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Client portal — phase 1 foundations (additive).
+ *
+ * - Creates the client_ticket table (per-project numbering, FK project/submittedBy,
+ *   Timestampable/Blamable columns, unique (project_id, number), filter indexes).
+ * - Adds user.client_id (FK client, SET NULL) and the user_allowed_projects join table.
+ * - Adds task.client_ticket_id (FK client_ticket, SET NULL).
+ * - Generalises task_document: task_id becomes nullable, adds client_ticket_id
+ *   (FK client_ticket, CASCADE) and a CHECK enforcing that a document is bound
+ *   to either a task or a client ticket.
+ *
+ * Lowercase SQL columns; "user" table is quoted. FK/index names mirror Doctrine's
+ * generated identifiers so doctrine:schema:validate stays clean. down() reverses.
+ */
+final class Version20260621120000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Client portal phase 1: client_ticket table, user.client_id, user_allowed_projects, task/task_document client ticket links (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // --- client_ticket ---
+        $this->addSql('CREATE TABLE client_ticket (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, number INT NOT NULL, type VARCHAR(16) NOT NULL, title VARCHAR(255) NOT NULL, description TEXT NOT NULL, url VARCHAR(1024) DEFAULT NULL, status VARCHAR(16) NOT NULL, status_comment TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, project_id INT NOT NULL, submitted_by_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX uniq_client_ticket_project_number ON client_ticket (project_id, number)');
+        $this->addSql('CREATE INDEX idx_client_ticket_project ON client_ticket (project_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_submitted_by ON client_ticket (submitted_by_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_status_project ON client_ticket (status, project_id)');
+        $this->addSql('CREATE INDEX IDX_C206E610DE12AB56 ON client_ticket (created_by)');
+        $this->addSql('CREATE INDEX IDX_C206E61016FE72E1 ON client_ticket (updated_by)');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61079F7D87D FOREIGN KEY (submitted_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql("COMMENT ON COLUMN client_ticket.number IS 'Numero incremental unique par projet (affiche CT-XXX).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.type IS 'Type de ticket : bug, improvement, other.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.status IS 'Statut : new, in_progress, done, rejected.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.status_comment IS 'Commentaire du manager lors d''un changement de statut (obligatoire si rejected).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.url IS 'URL de la page concernee, affichee uniquement pour les bugs.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.submitted_by_id IS 'Utilisateur-client ayant soumis le ticket (FK user, SET NULL pour conserver l''historique).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" ADD client_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE "user" ADD CONSTRAINT FK_8D93D64919EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_8D93D64919EB6921 ON "user" (client_id)');
+        $this->addSql('COMMENT ON COLUMN "user".client_id IS \'Client auquel appartient l\'\'utilisateur (FK client, SET NULL). null = utilisateur interne.\'');
+
+        // --- user_allowed_projects (ManyToMany) ---
+        $this->addSql('CREATE TABLE user_allowed_projects (user_id INT NOT NULL, project_id INT NOT NULL, PRIMARY KEY (user_id, project_id))');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97A76ED395 ON user_allowed_projects (user_id)');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97166D1F9C ON user_allowed_projects (project_id)');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB259B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB259B2097DD ON task (client_ticket_id)');
+        $this->addSql("COMMENT ON COLUMN task.client_ticket_id IS 'Lien manuel optionnel vers un ticket client (FK client_ticket, SET NULL).'");
+
+        // --- task_document generalisation ---
+        $this->addSql('ALTER TABLE task_document ALTER task_id DROP NOT NULL');
+        $this->addSql('ALTER TABLE task_document ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT FK_98A9603A9B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_98A9603A9B2097DD ON task_document (client_ticket_id)');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT chk_task_document_target CHECK (task_id IS NOT NULL OR client_ticket_id IS NOT NULL)');
+        $this->addSql("COMMENT ON COLUMN task_document.client_ticket_id IS 'Ticket client auquel le document est rattache (FK client_ticket, CASCADE). Alternative a task_id.'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // task_document
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT chk_task_document_target');
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT FK_98A9603A9B2097DD');
+        $this->addSql('DROP INDEX IDX_98A9603A9B2097DD');
+        $this->addSql('ALTER TABLE task_document DROP client_ticket_id');
+        $this->addSql('ALTER TABLE task_document ALTER task_id SET NOT NULL');
+
+        // task
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB259B2097DD');
+        $this->addSql('DROP INDEX IDX_527EDB259B2097DD');
+        $this->addSql('ALTER TABLE task DROP client_ticket_id');
+
+        // user_allowed_projects
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97A76ED395');
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97166D1F9C');
+        $this->addSql('DROP TABLE user_allowed_projects');
+
+        // user.client_id
+        $this->addSql('ALTER TABLE "user" DROP CONSTRAINT FK_8D93D64919EB6921');
+        $this->addSql('DROP INDEX IDX_8D93D64919EB6921');
+        $this->addSql('ALTER TABLE "user" DROP client_id');
+
+        // client_ticket
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610166D1F9C');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61079F7D87D');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610DE12AB56');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61016FE72E1');
+        $this->addSql('DROP TABLE client_ticket');
+    }
+}
diff --git a/migrations/Version20260621130000.php b/migrations/Version20260621130000.php
new file mode 100644
index 0000000..cb565c4
--- /dev/null
+++ b/migrations/Version20260621130000.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Client portal — phase 3: link notifications to client tickets (additive).
+ *
+ * - Adds notification.related_ticket_id (FK client_ticket, SET NULL) plus its index,
+ *   so a notification can deep-link to the ticket it concerns without breaking the
+ *   existing task-based notifications (column is nullable).
+ *
+ * Lowercase SQL columns; FK/index names mirror Doctrine's generated identifiers.
+ * down() reverses.
+ */
+final class Version20260621130000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Client portal phase 3: notification.related_ticket_id link to client_ticket (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE notification ADD related_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE notification ADD CONSTRAINT FK_BF5476CA98F144DB FOREIGN KEY (related_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX idx_notification_related_ticket ON notification (related_ticket_id)');
+        $this->addSql("COMMENT ON COLUMN notification.related_ticket_id IS 'Ticket client lie a la notification (FK client_ticket, SET NULL). null = notification non liee a un ticket.'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE notification DROP CONSTRAINT FK_BF5476CA98F144DB');
+        $this->addSql('DROP INDEX idx_notification_related_ticket');
+        $this->addSql('ALTER TABLE notification DROP related_ticket_id');
+    }
+}
diff --git a/migrations/Version20260622090000.php b/migrations/Version20260622090000.php
new file mode 100644
index 0000000..37e8c00
--- /dev/null
+++ b/migrations/Version20260622090000.php
@@ -0,0 +1,120 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Remove the client portal entirely (reverses phases 1 & 3).
+ *
+ * - Drops notification.related_ticket_id (FK/index/column).
+ * - Restores task_document to a task-only model: drops the CHECK constraint and
+ *   client_ticket_id, removes orphan client-ticket-only documents, makes task_id
+ *   NOT NULL again.
+ * - Drops task.client_ticket_id.
+ * - Drops the user_allowed_projects join table and user.client_id.
+ * - Drops the client_ticket table.
+ * - Deletes leftover client accounts (roles contains ROLE_CLIENT): with the portal
+ *   gone every user now resolves to ROLE_USER, so external client accounts MUST be
+ *   removed to avoid silently granting them internal access.
+ *
+ * Lowercase SQL columns; "user" table is quoted. down() recreates the schema
+ * (structure only — deleted client accounts/tickets are not restored).
+ */
+final class Version20260622090000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Remove client portal: drop client_ticket, related portal columns/links and external client accounts';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // --- notification.related_ticket_id (phase 3) ---
+        $this->addSql('ALTER TABLE notification DROP CONSTRAINT FK_BF5476CA98F144DB');
+        $this->addSql('DROP INDEX idx_notification_related_ticket');
+        $this->addSql('ALTER TABLE notification DROP related_ticket_id');
+
+        // --- task_document: back to task-only ---
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT chk_task_document_target');
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT FK_98A9603A9B2097DD');
+        $this->addSql('DROP INDEX IDX_98A9603A9B2097DD');
+        // Remove documents attached only to a client ticket before re-enforcing NOT NULL.
+        $this->addSql('DELETE FROM task_document WHERE task_id IS NULL');
+        $this->addSql('ALTER TABLE task_document DROP client_ticket_id');
+        $this->addSql('ALTER TABLE task_document ALTER task_id SET NOT NULL');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB259B2097DD');
+        $this->addSql('DROP INDEX IDX_527EDB259B2097DD');
+        $this->addSql('ALTER TABLE task DROP client_ticket_id');
+
+        // --- user_allowed_projects ---
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97A76ED395');
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97166D1F9C');
+        $this->addSql('DROP TABLE user_allowed_projects');
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" DROP CONSTRAINT FK_8D93D64919EB6921');
+        $this->addSql('DROP INDEX IDX_8D93D64919EB6921');
+        $this->addSql('ALTER TABLE "user" DROP client_id');
+
+        // --- client_ticket table ---
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610166D1F9C');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61079F7D87D');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610DE12AB56');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61016FE72E1');
+        $this->addSql('DROP TABLE client_ticket');
+
+        // --- external client accounts ---
+        $this->addSql('DELETE FROM "user" WHERE roles::text LIKE \'%ROLE_CLIENT%\'');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // --- client_ticket table ---
+        $this->addSql('CREATE TABLE client_ticket (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, number INT NOT NULL, type VARCHAR(16) NOT NULL, title VARCHAR(255) NOT NULL, description TEXT NOT NULL, url VARCHAR(1024) DEFAULT NULL, status VARCHAR(16) NOT NULL, status_comment TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, project_id INT NOT NULL, submitted_by_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX uniq_client_ticket_project_number ON client_ticket (project_id, number)');
+        $this->addSql('CREATE INDEX idx_client_ticket_project ON client_ticket (project_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_submitted_by ON client_ticket (submitted_by_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_status_project ON client_ticket (status, project_id)');
+        $this->addSql('CREATE INDEX IDX_C206E610DE12AB56 ON client_ticket (created_by)');
+        $this->addSql('CREATE INDEX IDX_C206E61016FE72E1 ON client_ticket (updated_by)');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61079F7D87D FOREIGN KEY (submitted_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" ADD client_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE "user" ADD CONSTRAINT FK_8D93D64919EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_8D93D64919EB6921 ON "user" (client_id)');
+
+        // --- user_allowed_projects ---
+        $this->addSql('CREATE TABLE user_allowed_projects (user_id INT NOT NULL, project_id INT NOT NULL, PRIMARY KEY (user_id, project_id))');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97A76ED395 ON user_allowed_projects (user_id)');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97166D1F9C ON user_allowed_projects (project_id)');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB259B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB259B2097DD ON task (client_ticket_id)');
+
+        // --- task_document generalisation ---
+        $this->addSql('ALTER TABLE task_document ALTER task_id DROP NOT NULL');
+        $this->addSql('ALTER TABLE task_document ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT FK_98A9603A9B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_98A9603A9B2097DD ON task_document (client_ticket_id)');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT chk_task_document_target CHECK (task_id IS NOT NULL OR client_ticket_id IS NOT NULL)');
+
+        // --- notification.related_ticket_id ---
+        $this->addSql('ALTER TABLE notification ADD related_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE notification ADD CONSTRAINT FK_BF5476CA98F144DB FOREIGN KEY (related_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX idx_notification_related_ticket ON notification (related_ticket_id)');
+    }
+}
diff --git a/migrations/Version20260622100916.php b/migrations/Version20260622100916.php
new file mode 100644
index 0000000..337586b
--- /dev/null
+++ b/migrations/Version20260622100916.php
@@ -0,0 +1,222 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20260622100916 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('CREATE TABLE commercial_report (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, subject VARCHAR(255) NOT NULL, body TEXT DEFAULT NULL, occurred_at DATE NOT NULL, type VARCHAR(32) NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, author_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_886919D819EB6921 ON commercial_report (client_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8D182060A ON commercial_report (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8F675F31B ON commercial_report (author_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8DE12AB56 ON commercial_report (created_by)');
+        $this->addSql('CREATE INDEX IDX_886919D816FE72E1 ON commercial_report (updated_by)');
+        $this->addSql('CREATE TABLE directory_address (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, label VARCHAR(255) DEFAULT NULL, street VARCHAR(255) DEFAULT NULL, street_complement VARCHAR(255) DEFAULT NULL, postal_code VARCHAR(20) DEFAULT NULL, city VARCHAR(255) DEFAULT NULL, country VARCHAR(2) NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_6E5D970719EB6921 ON directory_address (client_id)');
+        $this->addSql('CREATE INDEX IDX_6E5D9707D182060A ON directory_address (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_6E5D9707DE12AB56 ON directory_address (created_by)');
+        $this->addSql('CREATE INDEX IDX_6E5D970716FE72E1 ON directory_address (updated_by)');
+        $this->addSql('CREATE TABLE directory_contact (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, first_name VARCHAR(255) DEFAULT NULL, last_name VARCHAR(255) DEFAULT NULL, job_title VARCHAR(255) DEFAULT NULL, email VARCHAR(255) DEFAULT NULL, phone_primary VARCHAR(50) DEFAULT NULL, phone_secondary VARCHAR(50) DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_2F711EBE19EB6921 ON directory_contact (client_id)');
+        $this->addSql('CREATE INDEX IDX_2F711EBED182060A ON directory_contact (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_2F711EBEDE12AB56 ON directory_contact (created_by)');
+        $this->addSql('CREATE INDEX IDX_2F711EBE16FE72E1 ON directory_contact (updated_by)');
+        $this->addSql('CREATE TABLE report_document (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, original_name VARCHAR(255) NOT NULL, file_name VARCHAR(255) DEFAULT NULL, mime_type VARCHAR(100) NOT NULL, size INT NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, commercial_report_id INT NOT NULL, uploaded_by_id INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_D809130B4AB5D1D4 ON report_document (commercial_report_id)');
+        $this->addSql('CREATE INDEX IDX_D809130BA2B28FE8 ON report_document (uploaded_by_id)');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D819EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8D182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8F675F31B FOREIGN KEY (author_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D816FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D970719EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D9707D182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D9707DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D970716FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBE19EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBED182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBEDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBE16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE report_document ADD CONSTRAINT FK_D809130B4AB5D1D4 FOREIGN KEY (commercial_report_id) REFERENCES commercial_report (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE report_document ADD CONSTRAINT FK_D809130BA2B28FE8 FOREIGN KEY (uploaded_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+
+        // Ownership CHECK constraints: each row must belong to a client or a prospect.
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT chk_contact_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT chk_address_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT chk_report_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+
+        // Data migration: copy existing inline addresses into directory_address before dropping the columns.
+        $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, client_id, created_at, updated_at)
+            SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+            FROM client
+            WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+        $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, prospect_id, created_at, updated_at)
+            SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+            FROM prospect
+            WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_by IS \'\'');
+        $this->addSql('ALTER TABLE client DROP street');
+        $this->addSql('ALTER TABLE client DROP city');
+        $this->addSql('ALTER TABLE client DROP postal_code');
+        $this->addSql('COMMENT ON COLUMN client.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_by IS \'\'');
+        $this->addSql('ALTER TABLE prospect DROP street');
+        $this->addSql('ALTER TABLE prospect DROP city');
+        $this->addSql('ALTER TABLE prospect DROP postal_code');
+        $this->addSql('COMMENT ON COLUMN prospect.status IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.converted_client_id IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_by IS \'\'');
+        $this->addSql('DROP INDEX idx_75ea56e016ba31db');
+        $this->addSql('DROP INDEX idx_75ea56e0fb7336f0');
+        $this->addSql('DROP INDEX idx_75ea56e0e3bd61ce');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id DROP DEFAULT');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id ADD GENERATED BY DEFAULT AS IDENTITY');
+        $this->addSql('CREATE INDEX IDX_75EA56E0FB7336F0E3BD61CE16BA31DBBF396750 ON messenger_messages (queue_name, available_at, delivered_at, id)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D819EB6921');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8D182060A');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8F675F31B');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8DE12AB56');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D816FE72E1');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D970719EB6921');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D9707D182060A');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D9707DE12AB56');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D970716FE72E1');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBE19EB6921');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBED182060A');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBEDE12AB56');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBE16FE72E1');
+        $this->addSql('ALTER TABLE report_document DROP CONSTRAINT FK_D809130B4AB5D1D4');
+        $this->addSql('ALTER TABLE report_document DROP CONSTRAINT FK_D809130BA2B28FE8');
+        $this->addSql('DROP TABLE commercial_report');
+        $this->addSql('DROP TABLE directory_address');
+        $this->addSql('DROP TABLE directory_contact');
+        $this->addSql('DROP TABLE report_document');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('ALTER TABLE client ADD street VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD city VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD postal_code VARCHAR(20) DEFAULT NULL');
+        $this->addSql('COMMENT ON COLUMN client.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN client.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('DROP INDEX IDX_75EA56E0FB7336F0E3BD61CE16BA31DBBF396750');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id SET DEFAULT nextval(\'messenger_messages_id_seq\'::regclass)');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id DROP IDENTITY');
+        $this->addSql('CREATE INDEX idx_75ea56e016ba31db ON messenger_messages (delivered_at)');
+        $this->addSql('CREATE INDEX idx_75ea56e0fb7336f0 ON messenger_messages (queue_name)');
+        $this->addSql('CREATE INDEX idx_75ea56e0e3bd61ce ON messenger_messages (available_at)');
+        $this->addSql('COMMENT ON COLUMN project.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN project.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('ALTER TABLE prospect ADD street VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE prospect ADD city VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE prospect ADD postal_code VARCHAR(20) DEFAULT NULL');
+        $this->addSql('COMMENT ON COLUMN prospect.status IS \'Prospect pipeline status (ProspectStatus enum: new, contacted, qualified, won, lost)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.converted_client_id IS \'Client created when the prospect is converted (FK client.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN task.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN task.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+    }
+}
diff --git a/src/Command/GenerateApiTokenCommand.php b/src/Command/GenerateApiTokenCommand.php
index a23adce..e6687a0 100644
--- a/src/Command/GenerateApiTokenCommand.php
+++ b/src/Command/GenerateApiTokenCommand.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Command;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -22,7 +22,7 @@ use function sprintf;
 class GenerateApiTokenCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
     ) {
         parent::__construct();
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 0b5de94..52a1d7e 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,28 +4,32 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Entity\AbsenceRequest;
-use App\Entity\Client;
-use App\Entity\MailConfiguration;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskEffort;
-use App\Entity\TaskGroup;
-use App\Entity\TaskPriority;
-use App\Entity\TaskRecurrence;
-use App\Entity\TaskStatus;
-use App\Entity\TaskTag;
-use App\Entity\TimeEntry;
-use App\Entity\User;
-use App\Entity\Workflow;
-use App\Entity\ZimbraConfiguration;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Enum\ContractType;
-use App\Enum\RecurrenceType;
-use App\Enum\StatusCategory;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Enum\ContractType;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use DateTimeImmutable;
 use DateTimeZone;
 use Doctrine\Bundle\FixturesBundle\Fixture;
@@ -36,6 +40,7 @@ class AppFixtures extends Fixture
 {
     public function __construct(
         private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly RbacSeeder $rbacSeeder,
     ) {}
 
     public function load(ObjectManager $manager): void
@@ -79,29 +84,102 @@ class AppFixtures extends Fixture
         $clientLiot->setName('LIOT');
         $clientLiot->setEmail('contact@liot.fr');
         $clientLiot->setPhone('05 50 50 50 50');
-        $clientLiot->setStreet('14 allée d\'argenson');
-        $clientLiot->setCity('Poitiers');
-        $clientLiot->setPostalCode('86100');
         $manager->persist($clientLiot);
 
+        $addressLiot = new Address();
+        $addressLiot->setLabel('Principale');
+        $addressLiot->setStreet('14 allée d\'argenson');
+        $addressLiot->setCity('Poitiers');
+        $addressLiot->setPostalCode('86100');
+        $addressLiot->setCountry('FR');
+        $addressLiot->setClient($clientLiot);
+        $manager->persist($addressLiot);
+
         $clientAcme = new Client();
         $clientAcme->setName('ACME Corp');
         $clientAcme->setEmail('contact@acme.com');
         $clientAcme->setPhone('01 23 45 67 89');
-        $clientAcme->setStreet('10 rue de la Paix');
-        $clientAcme->setCity('Paris');
-        $clientAcme->setPostalCode('75002');
         $manager->persist($clientAcme);
 
+        $addressAcme = new Address();
+        $addressAcme->setLabel('Principale');
+        $addressAcme->setStreet('10 rue de la Paix');
+        $addressAcme->setCity('Paris');
+        $addressAcme->setPostalCode('75002');
+        $addressAcme->setCountry('FR');
+        $addressAcme->setClient($clientAcme);
+        $manager->persist($addressAcme);
+
         $clientNova = new Client();
         $clientNova->setName('Nova Tech');
         $clientNova->setEmail('info@novatech.io');
         $clientNova->setPhone('04 56 78 90 12');
-        $clientNova->setStreet('5 avenue Jean Jaurès');
-        $clientNova->setCity('Lyon');
-        $clientNova->setPostalCode('69007');
         $manager->persist($clientNova);
 
+        $addressNova = new Address();
+        $addressNova->setLabel('Principale');
+        $addressNova->setStreet('5 avenue Jean Jaurès');
+        $addressNova->setCity('Lyon');
+        $addressNova->setPostalCode('69007');
+        $addressNova->setCountry('FR');
+        $addressNova->setClient($clientNova);
+        $manager->persist($addressNova);
+
+        // Prospects
+        $prospectLead = new Prospect();
+        $prospectLead->setName('Marie Dupont');
+        $prospectLead->setCompany('Atelier Dupont');
+        $prospectLead->setEmail('marie@atelier-dupont.fr');
+        $prospectLead->setPhone('06 11 22 33 44');
+        $prospectLead->setStatus(ProspectStatus::New);
+        $prospectLead->setSource('Site web');
+        $prospectLead->setNotes('Demande de devis via le formulaire de contact.');
+        $manager->persist($prospectLead);
+
+        $addressLead = new Address();
+        $addressLead->setLabel('Principale');
+        $addressLead->setCity('Nantes');
+        $addressLead->setPostalCode('44000');
+        $addressLead->setCountry('FR');
+        $addressLead->setProspect($prospectLead);
+        $manager->persist($addressLead);
+
+        $prospectQualified = new Prospect();
+        $prospectQualified->setName('Jean Martin');
+        $prospectQualified->setCompany('Martin & Fils');
+        $prospectQualified->setEmail('contact@martin-fils.fr');
+        $prospectQualified->setPhone('07 55 66 77 88');
+        $prospectQualified->setStatus(ProspectStatus::Qualified);
+        $prospectQualified->setSource('Salon professionnel');
+        $manager->persist($prospectQualified);
+
+        $addressQualified = new Address();
+        $addressQualified->setLabel('Principale');
+        $addressQualified->setStreet('22 rue du Commerce');
+        $addressQualified->setCity('Bordeaux');
+        $addressQualified->setPostalCode('33000');
+        $addressQualified->setCountry('FR');
+        $addressQualified->setProspect($prospectQualified);
+        $manager->persist($addressQualified);
+
+        $prospectWon = new Prospect();
+        $prospectWon->setName('Sophie Bernard');
+        $prospectWon->setCompany('ACME Corp');
+        $prospectWon->setEmail('contact@acme.com');
+        $prospectWon->setPhone('01 23 45 67 89');
+        $prospectWon->setStatus(ProspectStatus::Won);
+        $prospectWon->setSource('Recommandation');
+        $prospectWon->setConvertedClient($clientAcme);
+        $manager->persist($prospectWon);
+
+        $addressWon = new Address();
+        $addressWon->setLabel('Principale');
+        $addressWon->setCity('Paris');
+        $addressWon->setPostalCode('75002');
+        $addressWon->setCountry('FR');
+        $addressWon->setProspect($prospectWon);
+        $manager->persist($addressWon);
+
         // Workflow par défaut
         $standardWorkflow = new Workflow();
         $standardWorkflow->setName('Standard');
@@ -751,5 +829,9 @@ class AppFixtures extends Fixture
         $manager->persist($pendingMarriage);
 
         $manager->flush();
+
+        // Seed des rôles système RBAC (admin, user). Idempotent ; aucune matrice
+        // métier attachée (cf. Décision 4 : les modules métier arrivent en 2.x).
+        $this->rbacSeeder->ensureSystemRoles();
     }
 }
diff --git a/src/Module/Absence/AbsenceModule.php b/src/Module/Absence/AbsenceModule.php
new file mode 100644
index 0000000..10eac76
--- /dev/null
+++ b/src/Module/Absence/AbsenceModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class AbsenceModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'absence';
+    }
+
+    public static function label(): string
+    {
+        return 'Absences';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Absence.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'absence.requests.view', 'label' => 'Voir les demandes d\'absence'],
+            ['code' => 'absence.requests.manage', 'label' => 'Gérer les demandes d\'absence'],
+            ['code' => 'absence.policies.manage', 'label' => 'Gérer les règles d\'absence'],
+            ['code' => 'absence.balances.manage', 'label' => 'Gérer les soldes d\'absence'],
+        ];
+    }
+}
diff --git a/src/Service/AbsenceBalanceService.php b/src/Module/Absence/Application/Service/AbsenceBalanceService.php
similarity index 79%
rename from src/Service/AbsenceBalanceService.php
rename to src/Module/Absence/Application/Service/AbsenceBalanceService.php
index 471bd11..0c56363 100644
--- a/src/Service/AbsenceBalanceService.php
+++ b/src/Module/Absence/Application/Service/AbsenceBalanceService.php
@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Application\Service;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsenceRequest;
-use App\Entity\User;
-use App\Enum\AbsenceType;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -21,21 +22,24 @@ final readonly class AbsenceBalanceService
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
-        private AbsenceBalanceRepository $balanceRepository,
+        private AbsenceBalanceRepositoryInterface $balanceRepository,
     ) {}
 
     /**
      * Reference period string for a request: paid leave follows the employee's
      * reference period (e.g. "2025-2026"), other types are tracked yearly.
      */
-    public function periodFor(User $user, AbsenceType $type, DateTimeInterface $date): string
+    public function periodFor(UserInterface $user, AbsenceType $type, DateTimeInterface $date): string
     {
         if (AbsenceType::PaidLeave !== $type) {
             return $date->format('Y');
         }
 
-        $year            = (int) $date->format('Y');
-        $startMonthDay   = $user->getReferencePeriodStart(); // e.g. "06-01"
+        $year = (int) $date->format('Y');
+        // The reference-period start (e.g. "06-01") is an HR profile field,
+        // accessed through the LeaveProfileInterface contract to keep the
+        // Absence module decoupled from the concrete Core User entity.
+        $startMonthDay   = $user instanceof LeaveProfileInterface ? $user->getReferencePeriodStart() : '01-01';
         $currentMonthDay = $date->format('m-d');
 
         $startYear = $currentMonthDay >= $startMonthDay ? $year : $year - 1;
@@ -43,7 +47,7 @@ final readonly class AbsenceBalanceService
         return sprintf('%d-%d', $startYear, $startYear + 1);
     }
 
-    public function getOrCreateBalance(User $user, AbsenceType $type, string $period): AbsenceBalance
+    public function getOrCreateBalance(UserInterface $user, AbsenceType $type, string $period): AbsenceBalance
     {
         $balance = $this->balanceRepository->findOneForPeriod($user, $type, $period);
 
@@ -85,7 +89,7 @@ final readonly class AbsenceBalanceService
             return null;
         }
 
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user    = $request->getUser();
         $period  = $this->periodFor($user, $request->getType(), $request->getStartDate());
         $balance = $this->balanceRepository->findOneForPeriod($user, $request->getType(), $period);
@@ -128,7 +132,7 @@ final readonly class AbsenceBalanceService
 
     private function balanceForRequest(AbsenceRequest $request): AbsenceBalance
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user   = $request->getUser();
         $type   = $request->getType();
         $period = $this->periodFor($user, $type, $request->getStartDate());
diff --git a/src/Entity/AbsenceBalance.php b/src/Module/Absence/Domain/Entity/AbsenceBalance.php
similarity index 85%
rename from src/Entity/AbsenceBalance.php
rename to src/Module/Absence/Domain/Entity/AbsenceBalance.php
index 97efea9..3de6a16 100644
--- a/src/Entity/AbsenceBalance.php
+++ b/src/Module/Absence/Domain/Entity/AbsenceBalance.php
@@ -2,15 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Enum\AbsenceType;
-use App\Repository\AbsenceBalanceRepository;
-use App\State\AbsenceBalanceProvider;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceBalanceProvider;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -34,21 +38,23 @@ use Symfony\Component\Serializer\Attribute\Groups;
     normalizationContext: ['groups' => ['absence_balance:read']],
     denormalizationContext: ['groups' => ['absence_balance:write']],
 )]
-#[ORM\Entity(repositoryClass: AbsenceBalanceRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsenceBalanceRepository::class)]
 #[ORM\Table(name: 'absence_balance')]
 #[ORM\UniqueConstraint(name: 'uniq_absence_balance_user_type_period', columns: ['user_id', 'type', 'period'])]
-class AbsenceBalance
+class AbsenceBalance implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
     #[Groups(['absence_balance:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_balance:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_balance:read'])]
@@ -110,12 +116,12 @@ class AbsenceBalance
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
diff --git a/src/Entity/AbsencePolicy.php b/src/Module/Absence/Domain/Entity/AbsencePolicy.php
similarity index 89%
rename from src/Entity/AbsencePolicy.php
rename to src/Module/Absence/Domain/Entity/AbsencePolicy.php
index 00abb17..16612a3 100644
--- a/src/Entity/AbsencePolicy.php
+++ b/src/Module/Absence/Domain/Entity/AbsencePolicy.php
@@ -2,14 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Enum\AbsenceType;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -31,11 +34,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['absence_policy:write']],
     order: ['type' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: AbsencePolicyRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsencePolicyRepository::class)]
 #[ORM\Table(name: 'absence_policy')]
 #[ORM\UniqueConstraint(name: 'uniq_absence_policy_type', columns: ['type'])]
-class AbsencePolicy
+class AbsencePolicy implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/AbsenceRequest.php b/src/Module/Absence/Domain/Entity/AbsenceRequest.php
similarity index 87%
rename from src/Entity/AbsenceRequest.php
rename to src/Module/Absence/Domain/Entity/AbsenceRequest.php
index 5045bdf..55ce07a 100644
--- a/src/Entity/AbsenceRequest.php
+++ b/src/Module/Absence/Domain/Entity/AbsenceRequest.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,14 +10,15 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
-use App\Repository\AbsenceRequestRepository;
-use App\State\AbsenceCancelProcessor;
-use App\State\AbsenceRequestProcessor;
-use App\State\AbsenceRequestProvider;
-use App\State\AbsenceReviewProcessor;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceCancelProcessor;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceRequestProcessor;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceRequestProvider;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceReviewProcessor;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -63,7 +64,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['absence_request:write']],
     order: ['createdAt' => 'DESC'],
 )]
-#[ORM\Entity(repositoryClass: AbsenceRequestRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsenceRequestRepository::class)]
 #[ORM\Table(name: 'absence_request')]
 class AbsenceRequest
 {
@@ -73,10 +74,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_request:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_request:read', 'absence_request:write'])]
@@ -130,10 +131,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?DateTimeImmutable $reviewedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['absence_request:read'])]
-    private ?User $reviewedBy = null;
+    private ?UserInterface $reviewedBy = null;
 
     #[Groups(['absence_request:read'])]
     public function getLabel(): ?string
@@ -156,12 +157,12 @@ class AbsenceRequest
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
@@ -312,12 +313,12 @@ class AbsenceRequest
         return $this;
     }
 
-    public function getReviewedBy(): ?User
+    public function getReviewedBy(): ?UserInterface
     {
         return $this->reviewedBy;
     }
 
-    public function setReviewedBy(?User $reviewedBy): static
+    public function setReviewedBy(?UserInterface $reviewedBy): static
     {
         $this->reviewedBy = $reviewedBy;
 
diff --git a/src/Enum/AbsenceStatus.php b/src/Module/Absence/Domain/Enum/AbsenceStatus.php
similarity index 91%
rename from src/Enum/AbsenceStatus.php
rename to src/Module/Absence/Domain/Enum/AbsenceStatus.php
index ce45714..2fc35c8 100644
--- a/src/Enum/AbsenceStatus.php
+++ b/src/Module/Absence/Domain/Enum/AbsenceStatus.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum AbsenceStatus: string
 {
diff --git a/src/Enum/AbsenceType.php b/src/Module/Absence/Domain/Enum/AbsenceType.php
similarity index 96%
rename from src/Enum/AbsenceType.php
rename to src/Module/Absence/Domain/Enum/AbsenceType.php
index 0406dcb..1fafb53 100644
--- a/src/Enum/AbsenceType.php
+++ b/src/Module/Absence/Domain/Enum/AbsenceType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum AbsenceType: string
 {
diff --git a/src/Enum/HalfDay.php b/src/Module/Absence/Domain/Enum/HalfDay.php
similarity index 87%
rename from src/Enum/HalfDay.php
rename to src/Module/Absence/Domain/Enum/HalfDay.php
index fa868f3..fed94ca 100644
--- a/src/Enum/HalfDay.php
+++ b/src/Module/Absence/Domain/Enum/HalfDay.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum HalfDay: string
 {
diff --git a/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
new file mode 100644
index 0000000..e2dffd2
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
+
+interface AbsenceBalanceRepositoryInterface
+{
+    public function findById(int $id): ?AbsenceBalance;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return AbsenceBalance[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance;
+}
diff --git a/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
new file mode 100644
index 0000000..21a1330
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+
+interface AbsencePolicyRepositoryInterface
+{
+    public function findById(int $id): ?AbsencePolicy;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return AbsencePolicy[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findOneByType(AbsenceType $type): ?AbsencePolicy;
+}
diff --git a/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
new file mode 100644
index 0000000..5a648a5
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeInterface;
+
+interface AbsenceRequestRepositoryInterface
+{
+    public function findById(int $id): ?AbsenceRequest;
+
+    /**
+     * Whether the user already has a PENDING or APPROVED absence that overlaps
+     * the given date range.
+     */
+    public function hasOverlap(
+        UserInterface $user,
+        DateTimeInterface $startDate,
+        DateTimeInterface $endDate,
+        ?int $excludeId = null,
+    ): bool;
+
+    /**
+     * Absences (approved or pending) overlapping a date range, all employees.
+     *
+     * @return AbsenceRequest[]
+     */
+    public function findInRange(DateTimeInterface $from, DateTimeInterface $to): array;
+
+    /**
+     * @return AbsenceRequest[]
+     */
+    public function findFiltered(
+        ?UserInterface $user = null,
+        ?AbsenceStatus $status = null,
+        ?AbsenceType $type = null,
+        ?DateTimeInterface $from = null,
+        ?DateTimeInterface $to = null,
+    ): array;
+}
diff --git a/src/Service/AbsenceDayCalculator.php b/src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
similarity index 96%
rename from src/Service/AbsenceDayCalculator.php
rename to src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
index d30a598..d8bf055 100644
--- a/src/Service/AbsenceDayCalculator.php
+++ b/src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Domain\Service;
 
-use App\Enum\HalfDay;
+use App\Module\Absence\Domain\Enum\HalfDay;
 use DateInterval;
 use DatePeriod;
 use DateTimeImmutable;
diff --git a/src/Service/PublicHolidayProvider.php b/src/Module/Absence/Domain/Service/PublicHolidayProvider.php
similarity index 98%
rename from src/Service/PublicHolidayProvider.php
rename to src/Module/Absence/Domain/Service/PublicHolidayProvider.php
index 1897757..c7273d7 100644
--- a/src/Service/PublicHolidayProvider.php
+++ b/src/Module/Absence/Domain/Service/PublicHolidayProvider.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Domain\Service;
 
 use DateTimeImmutable;
 use DateTimeInterface;
diff --git a/src/State/AbsenceBalanceProvider.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
similarity index 77%
rename from src/State/AbsenceBalanceProvider.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
index d155efa..c969db3 100644
--- a/src/State/AbsenceBalanceProvider.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\AbsenceBalance;
-use App\Entity\User;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -18,19 +19,19 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
+        private AbsenceBalanceRepositoryInterface $balanceRepository,
         private Security $security,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceBalance|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
-        $repo    = $this->entityManager->getRepository(AbsenceBalance::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
 
         if (isset($uriVariables['id'])) {
-            $balance = $repo->find($uriVariables['id']);
+            $balance = $this->balanceRepository->findById((int) $uriVariables['id']);
             if (null === $balance) {
                 return null;
             }
@@ -41,7 +42,8 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
             return $balance;
         }
 
-        $qb = $repo->createQueryBuilder('b')
+        $qb = $this->entityManager->getRepository(AbsenceBalance::class)
+            ->createQueryBuilder('b')
             ->orderBy('b.type', 'ASC')
         ;
 
diff --git a/src/State/AbsenceCancelProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
similarity index 87%
rename from src/State/AbsenceCancelProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
index 59b9e0f..b52c33a 100644
--- a/src/State/AbsenceCancelProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
@@ -50,6 +50,12 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
         $status  = $data->getStatus();
 
+        // Authorize before mutating the balance: an employee may only cancel
+        // their own request (admins can cancel any).
+        if (!$isAdmin && $data->getUser() !== $user) {
+            throw new AccessDeniedHttpException('You can only cancel your own requests.');
+        }
+
         if (AbsenceStatus::Pending === $status) {
             $this->balanceService->release($data, false);
         } elseif (AbsenceStatus::Approved === $status) {
@@ -61,11 +67,6 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
             throw new ConflictHttpException('This request can no longer be cancelled.');
         }
 
-        // An employee may only cancel their own request (admins can cancel any).
-        if (!$isAdmin && $data->getUser() !== $user) {
-            throw new AccessDeniedHttpException('You can only cancel your own requests.');
-        }
-
         $data->setStatus(AbsenceStatus::Cancelled);
 
         $this->entityManager->flush();
diff --git a/src/State/AbsenceRequestProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
similarity index 81%
rename from src/State/AbsenceRequestProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
index e65ec99..5dabdf8 100644
--- a/src/State/AbsenceRequestProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
@@ -2,18 +2,18 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Entity\User;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -32,8 +32,8 @@ final readonly class AbsenceRequestProcessor implements ProcessorInterface
         private EntityManagerInterface $entityManager,
         private Security $security,
         private AbsenceDayCalculator $calculator,
-        private AbsencePolicyRepository $policyRepository,
-        private AbsenceRequestRepository $requestRepository,
+        private AbsencePolicyRepositoryInterface $policyRepository,
+        private AbsenceRequestRepositoryInterface $requestRepository,
         private AbsenceBalanceService $balanceService,
     ) {}
 
@@ -42,7 +42,7 @@ final readonly class AbsenceRequestProcessor implements ProcessorInterface
         assert($data instanceof AbsenceRequest);
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $type      = $data->getType();
         $startDate = $data->getStartDate();
diff --git a/src/State/AbsenceRequestProvider.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
similarity index 80%
rename from src/State/AbsenceRequestProvider.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
index 0e05508..854cc29 100644
--- a/src/State/AbsenceRequestProvider.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\AbsenceRequest;
-use App\Entity\User;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -18,20 +19,20 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
+        private AbsenceRequestRepositoryInterface $requestRepository,
         private Security $security,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceRequest|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
-        $repo    = $this->entityManager->getRepository(AbsenceRequest::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
 
         // Single item: owner or admin only
         if (isset($uriVariables['id'])) {
-            $request = $repo->find($uriVariables['id']);
+            $request = $this->requestRepository->findById((int) $uriVariables['id']);
             if (null === $request) {
                 return null;
             }
@@ -42,7 +43,8 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
             return $request;
         }
 
-        $qb = $repo->createQueryBuilder('a')
+        $qb = $this->entityManager->getRepository(AbsenceRequest::class)
+            ->createQueryBuilder('a')
             ->orderBy('a.createdAt', 'DESC')
         ;
 
diff --git a/src/State/AbsenceReviewProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
similarity index 91%
rename from src/State/AbsenceReviewProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
index 0eecb1e..01853ae 100644
--- a/src/State/AbsenceReviewProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Entity\User;
-use App\Enum\AbsenceStatus;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -55,7 +55,7 @@ final readonly class AbsenceReviewProcessor implements ProcessorInterface
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ($isApprove) {
             // Never let an approval push the balance below zero (CP only): the
diff --git a/src/Command/AccrueLeaveCommand.php b/src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
similarity index 83%
rename from src/Command/AccrueLeaveCommand.php
rename to src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
index e241e64..7257dc8 100644
--- a/src/Command/AccrueLeaveCommand.php
+++ b/src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Absence\Infrastructure\Command;
 
-use App\Enum\AbsenceType;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Exception;
@@ -37,8 +38,8 @@ use function sprintf;
 class AccrueLeaveCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly UserRepositoryInterface $userRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly EntityManagerInterface $entityManager,
     ) {
@@ -88,7 +89,14 @@ class AccrueLeaveCommand extends Command
         $skipped = 0;
 
         foreach ($employees as $user) {
-            $rate   = ($user->getAnnualLeaveDays() / 12) * $user->getWorkTimeRatio();
+            // RH leave profile fields are read through the contract to keep the
+            // Absence module decoupled from the concrete Core User entity.
+            $profile = $user instanceof LeaveProfileInterface ? $user : null;
+            if (null === $profile) {
+                continue;
+            }
+
+            $rate   = ($profile->getAnnualLeaveDays() / 12) * $profile->getWorkTimeRatio();
             $period = $this->balanceService->periodFor($user, AbsenceType::PaidLeave, $firstDay);
 
             $balance = $this->balanceRepository->findOneForPeriod($user, AbsenceType::PaidLeave, $period);
@@ -104,7 +112,7 @@ class AccrueLeaveCommand extends Command
                     ? $this->balanceRepository->findOneForPeriod($user, AbsenceType::PaidLeave, $previousPeriod)
                     : null;
                 $balance->setAcquired(
-                    null !== $previousBalance ? $previousBalance->getAcquiring() : $user->getInitialLeaveBalance(),
+                    null !== $previousBalance ? $previousBalance->getAcquiring() : $profile->getInitialLeaveBalance(),
                 );
             }
 
@@ -119,7 +127,7 @@ class AccrueLeaveCommand extends Command
             $balance->setLastAccruedMonth($monthKey);
             ++$accrued;
 
-            $seeded = $isNew && (null !== self::previousPeriod($period) || $user->getInitialLeaveBalance() > 0);
+            $seeded = $isNew && (null !== self::previousPeriod($period) || $profile->getInitialLeaveBalance() > 0);
             $rows[] = [
                 $user->getUsername(),
                 $period,
diff --git a/src/Controller/Absence/AbsenceCalendarController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
similarity index 86%
rename from src/Controller/Absence/AbsenceCalendarController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
index aec8f07..766c8f9 100644
--- a/src/Controller/Absence/AbsenceCalendarController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -19,7 +19,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class AbsenceCalendarController extends AbstractController
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
     ) {}
 
     #[Route('/api/admin/absences/calendar', name: 'absence_calendar', methods: ['GET'], priority: 1)]
diff --git a/src/Controller/Absence/AbsenceJustificationDownloadController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
similarity index 89%
rename from src/Controller/Absence/AbsenceJustificationDownloadController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
index 3a48dd8..05bf4af 100644
--- a/src/Controller/Absence/AbsenceJustificationDownloadController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
@@ -2,10 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Entity\AbsenceRequest;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
@@ -21,7 +20,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class AbsenceJustificationDownloadController extends AbstractController
 {
     public function __construct(
-        private readonly EntityManagerInterface $entityManager,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -30,7 +29,7 @@ class AbsenceJustificationDownloadController extends AbstractController
     #[IsGranted('ROLE_USER')]
     public function __invoke(int $id): BinaryFileResponse
     {
-        $absence = $this->entityManager->getRepository(AbsenceRequest::class)->find($id);
+        $absence = $this->requestRepository->findById($id);
         if (null === $absence) {
             throw new NotFoundHttpException('Absence request not found.');
         }
diff --git a/src/Controller/Absence/AbsenceJustificationUploadController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
similarity index 92%
rename from src/Controller/Absence/AbsenceJustificationUploadController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
index 5cfaa20..3f2afcb 100644
--- a/src/Controller/Absence/AbsenceJustificationUploadController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -34,6 +34,7 @@ class AbsenceJustificationUploadController extends AbstractController
 
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -42,7 +43,7 @@ class AbsenceJustificationUploadController extends AbstractController
     #[IsGranted('ROLE_USER')]
     public function __invoke(int $id, Request $request): JsonResponse
     {
-        $absence = $this->entityManager->getRepository(AbsenceRequest::class)->find($id);
+        $absence = $this->requestRepository->findById($id);
         if (null === $absence) {
             throw new NotFoundHttpException('Absence request not found.');
         }
diff --git a/src/Controller/Absence/AbsencePreviewController.php b/src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
similarity index 83%
rename from src/Controller/Absence/AbsencePreviewController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
index c313cc2..887fcec 100644
--- a/src/Controller/Absence/AbsencePreviewController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Entity\User;
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\AbsencePolicyRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -30,8 +30,8 @@ class AbsencePreviewController extends AbstractController
     public function __construct(
         private readonly Security $security,
         private readonly AbsenceDayCalculator $calculator,
-        private readonly AbsencePolicyRepository $policyRepository,
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
     ) {}
 
@@ -71,7 +71,7 @@ class AbsencePreviewController extends AbstractController
         );
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $available          = null;
         $projectedAvailable = null;
diff --git a/src/Controller/Absence/PublicHolidayController.php b/src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
similarity index 92%
rename from src/Controller/Absence/PublicHolidayController.php
rename to src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
index 5c308fa..9e0ae37 100644
--- a/src/Controller/Absence/PublicHolidayController.php
+++ b/src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
diff --git a/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
new file mode 100644
index 0000000..7a3d7fe
--- /dev/null
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Infrastructure\Doctrine;
+
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<AbsenceBalance>
+ */
+class DoctrineAbsenceBalanceRepository extends ServiceEntityRepository implements AbsenceBalanceRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, AbsenceBalance::class);
+    }
+
+    public function findById(int $id): ?AbsenceBalance
+    {
+        return $this->find($id);
+    }
+
+    public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance
+    {
+        return $this->findOneBy([
+            'user'   => $user,
+            'type'   => $type,
+            'period' => $period,
+        ]);
+    }
+}
diff --git a/src/Repository/AbsencePolicyRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
similarity index 51%
rename from src/Repository/AbsencePolicyRepository.php
rename to src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
index b1467a7..4f1d64a 100644
--- a/src/Repository/AbsencePolicyRepository.php
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
@@ -2,23 +2,29 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Absence\Infrastructure\Doctrine;
 
-use App\Entity\AbsencePolicy;
-use App\Enum\AbsenceType;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<AbsencePolicy>
  */
-class AbsencePolicyRepository extends ServiceEntityRepository
+class DoctrineAbsencePolicyRepository extends ServiceEntityRepository implements AbsencePolicyRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AbsencePolicy::class);
     }
 
+    public function findById(int $id): ?AbsencePolicy
+    {
+        return $this->find($id);
+    }
+
     public function findOneByType(AbsenceType $type): ?AbsencePolicy
     {
         return $this->findOneBy(['type' => $type]);
diff --git a/src/Repository/AbsenceRequestRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
similarity index 84%
rename from src/Repository/AbsenceRequestRepository.php
rename to src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
index ffd8d3f..a3bc830 100644
--- a/src/Repository/AbsenceRequestRepository.php
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Absence\Infrastructure\Doctrine;
 
-use App\Entity\AbsenceRequest;
-use App\Entity\User;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -15,20 +16,25 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<AbsenceRequest>
  */
-class AbsenceRequestRepository extends ServiceEntityRepository
+class DoctrineAbsenceRequestRepository extends ServiceEntityRepository implements AbsenceRequestRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AbsenceRequest::class);
     }
 
+    public function findById(int $id): ?AbsenceRequest
+    {
+        return $this->find($id);
+    }
+
     /**
      * Whether the user already has a PENDING or APPROVED absence that overlaps
      * the given date range. Two ranges overlap when start_a <= end_b and
      * end_a >= start_b.
      */
     public function hasOverlap(
-        User $user,
+        UserInterface $user,
         DateTimeInterface $startDate,
         DateTimeInterface $endDate,
         ?int $excludeId = null,
@@ -77,7 +83,7 @@ class AbsenceRequestRepository extends ServiceEntityRepository
      * @return AbsenceRequest[]
      */
     public function findFiltered(
-        ?User $user = null,
+        ?UserInterface $user = null,
         ?AbsenceStatus $status = null,
         ?AbsenceType $type = null,
         ?DateTimeInterface $from = null,
diff --git a/src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
similarity index 81%
rename from src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
index d946bae..2c65812 100644
--- a/src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceStatus;
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -21,7 +21,7 @@ class CancelAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
     ) {}
@@ -32,7 +32,7 @@ class CancelAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
similarity index 81%
rename from src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
index 8a7af97..f645ac5 100644
--- a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
@@ -2,18 +2,18 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -28,9 +28,9 @@ class CreateAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
-        private readonly AbsencePolicyRepository $policyRepository,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly UserRepositoryInterface $userRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceDayCalculator $calculator,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
@@ -49,7 +49,7 @@ class CreateAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $user = $this->userRepository->find($userId)
+        $user = $this->userRepository->findById($userId)
             ?? throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
 
         $typeEnum = AbsenceType::tryFrom($type)
diff --git a/src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
similarity index 81%
rename from src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
index 2048ba3..eb917f9 100644
--- a/src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteAbsenceRequestTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/GetAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
similarity index 73%
rename from src/Mcp/Tool/Absence/GetAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
index eb0d2aa..9aed1c8 100644
--- a/src/Mcp/Tool/Absence/GetAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetAbsenceRequestTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
similarity index 75%
rename from src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
index f0baf6a..8445a36 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceType;
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -19,8 +19,8 @@ use function sprintf;
 class ListAbsenceBalancesTool
 {
     public function __construct(
-        private readonly AbsenceBalanceRepository $balanceRepository,
-        private readonly UserRepository $userRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -32,7 +32,7 @@ class ListAbsenceBalancesTool
 
         $criteria = [];
         if (null !== $userId) {
-            $user = $this->userRepository->find($userId);
+            $user = $this->userRepository->findById($userId);
             if (null === $user) {
                 throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
             }
diff --git a/src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
similarity index 77%
rename from src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
index 491aed0..8ec32b0 100644
--- a/src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListAbsencePoliciesTool
 {
     public function __construct(
-        private readonly AbsencePolicyRepository $policyRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
similarity index 78%
rename from src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
index 485f730..a5b21b4 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -21,8 +21,8 @@ use function sprintf;
 class ListAbsenceRequestsTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
-        private readonly UserRepository $userRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -39,7 +39,7 @@ class ListAbsenceRequestsTool
 
         $user = null;
         if (null !== $userId) {
-            $user = $this->userRepository->find($userId)
+            $user = $this->userRepository->findById($userId)
                 ?? throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
         }
 
diff --git a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
similarity index 85%
rename from src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
index 1556d8a..2b3372e 100644
--- a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Entity\User;
-use App\Enum\AbsenceStatus;
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -24,7 +24,7 @@ class ReviewAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
     ) {}
@@ -39,7 +39,7 @@ class ReviewAbsenceRequestTool
             throw new InvalidArgumentException('decision must be "approve" or "reject".');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
@@ -49,7 +49,7 @@ class ReviewAbsenceRequestTool
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ('approve' === $decision) {
             // Never let an approval push the balance below zero (CP only).
diff --git a/src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
similarity index 82%
rename from src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
index 069d764..c3726fa 100644
--- a/src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateAbsenceBalanceTool
 {
     public function __construct(
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -33,7 +33,7 @@ class UpdateAbsenceBalanceTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $balance = $this->balanceRepository->find($id);
+        $balance = $this->balanceRepository->findById($id);
         if (null === $balance) {
             throw new InvalidArgumentException(sprintf('AbsenceBalance with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
similarity index 86%
rename from src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
index 7ff6274..b0a3ee7 100644
--- a/src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateAbsencePolicyTool
 {
     public function __construct(
-        private readonly AbsencePolicyRepository $policyRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -36,7 +36,7 @@ class UpdateAbsencePolicyTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $policy = $this->policyRepository->find($id);
+        $policy = $this->policyRepository->findById($id);
         if (null === $policy) {
             throw new InvalidArgumentException(sprintf('AbsencePolicy with ID %d not found.', $id));
         }
diff --git a/src/Module/Core/Application/DTO/AuditLogOutput.php b/src/Module/Core/Application/DTO/AuditLogOutput.php
new file mode 100644
index 0000000..d84ad5a
--- /dev/null
+++ b/src/Module/Core/Application/DTO/AuditLogOutput.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\DTO;
+
+use DateTimeImmutable;
+
+/**
+ * DTO de sortie pour une ligne d'audit.
+ *
+ * Readonly : aucune mutation possible apres hydration. La resource API
+ * Platform expose directement ce DTO (pas d'entite sous-jacente car la
+ * table audit_log n'est pas geree par l'ORM).
+ */
+final readonly class AuditLogOutput
+{
+    public function __construct(
+        public string $id,
+        public string $entityType,
+        public string $entityId,
+        public string $action,
+        /** @var array<string, mixed> */
+        public array $changes,
+        public string $performedBy,
+        public DateTimeImmutable $performedAt,
+        public ?string $ipAddress,
+        public ?string $requestId,
+    ) {}
+}
diff --git a/src/Module/Core/Application/Rbac/RbacSeeder.php b/src/Module/Core/Application/Rbac/RbacSeeder.php
new file mode 100644
index 0000000..22a94a1
--- /dev/null
+++ b/src/Module/Core/Application/Rbac/RbacSeeder.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\Rbac;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class RbacSeeder
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private RoleRepositoryInterface $roles,
+    ) {}
+
+    /**
+     * Crée les rôles système s'ils sont absents. Idempotent.
+     */
+    public function ensureSystemRoles(): void
+    {
+        $this->ensureRole(SystemRoles::ADMIN_CODE, 'Administrateur', 'Accès complet (bypass RBAC).');
+        $this->ensureRole(SystemRoles::USER_CODE, 'Utilisateur', 'Rôle de base sans permission spécifique.');
+        $this->em->flush();
+    }
+
+    private function ensureRole(string $code, string $label, string $description): void
+    {
+        if (null !== $this->roles->findByCode($code)) {
+            return;
+        }
+        $this->roles->save(new Role($code, $label, $description, true));
+    }
+}
diff --git a/src/Module/Core/CoreModule.php b/src/Module/Core/CoreModule.php
new file mode 100644
index 0000000..f6db729
--- /dev/null
+++ b/src/Module/Core/CoreModule.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Core (1.2).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.users.view', 'label' => 'Voir les utilisateurs'],
+            ['code' => 'core.users.manage', 'label' => 'Gérer les utilisateurs (créer, éditer, supprimer)'],
+            ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
+            ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
+            ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
+            ['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
+        ];
+    }
+}
diff --git a/src/Entity/Notification.php b/src/Module/Core/Domain/Entity/Notification.php
similarity index 85%
rename from src/Entity/Notification.php
rename to src/Module/Core/Domain/Entity/Notification.php
index 2253335..1eded34 100644
--- a/src/Entity/Notification.php
+++ b/src/Module/Core/Domain/Entity/Notification.php
@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Repository\NotificationRepository;
-use App\State\NotificationProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\NotificationProvider;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -28,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['notification:write']],
     order: ['createdAt' => 'DESC'],
 )]
-#[ORM\Entity(repositoryClass: NotificationRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineNotificationRepository::class)]
 #[ORM\Index(columns: ['user_id'], name: 'idx_notification_user')]
 #[ORM\Index(columns: ['user_id', 'is_read'], name: 'idx_notification_user_read')]
 class Notification
@@ -39,10 +40,10 @@ class Notification
     #[Groups(['notification:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['notification:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(length: 50)]
     #[Groups(['notification:read'])]
@@ -69,12 +70,12 @@ class Notification
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php
new file mode 100644
index 0000000..907b0a0
--- /dev/null
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use Doctrine\ORM\Mapping as ORM;
+use InvalidArgumentException;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
+#[ORM\Table(name: 'permission')]
+#[ORM\Index(name: 'idx_permission_module', columns: ['module'])]
+#[ORM\Index(name: 'idx_permission_orphan', columns: ['orphan'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false),
+        new Get(),
+    ],
+    normalizationContext: ['groups' => ['permission:read']],
+    security: "is_granted('core.permissions.view') or is_granted('core.users.manage') or is_granted('core.roles.manage')",
+)]
+class Permission
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['permission:read', 'role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, unique: true, options: ['comment' => 'Permission code (module.resource[.sub].action)'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $code;
+
+    #[ORM\Column(length: 255, options: ['comment' => 'Human-readable permission label'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $label;
+
+    #[ORM\Column(length: 100, options: ['comment' => 'Owning module id (e.g. core)'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $module;
+
+    #[ORM\Column(options: ['comment' => 'True when the permission is no longer declared by any active module'])]
+    #[Groups(['permission:read'])]
+    private bool $orphan = false;
+
+    public function __construct(string $code, string $label, string $module)
+    {
+        $code   = trim($code);
+        $label  = trim($label);
+        $module = trim($module);
+
+        if ('' === $code || !str_contains($code, '.')) {
+            throw new InvalidArgumentException(sprintf('Code de permission invalide : "%s" (attendu module.resource.action).', $code));
+        }
+        if ('' === $label) {
+            throw new InvalidArgumentException('Le libellé de permission ne peut pas être vide.');
+        }
+        if ('' === $module) {
+            throw new InvalidArgumentException('Le module de permission ne peut pas être vide.');
+        }
+
+        $this->code   = $code;
+        $this->label  = $label;
+        $this->module = $module;
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function getModule(): string
+    {
+        return $this->module;
+    }
+
+    public function isOrphan(): bool
+    {
+        return $this->orphan;
+    }
+
+    public function markOrphan(): void
+    {
+        $this->orphan = true;
+    }
+
+    public function revive(string $label, string $module): void
+    {
+        $this->orphan = false;
+        $this->updateMetadata($label, $module);
+    }
+
+    public function updateMetadata(string $label, string $module): void
+    {
+        $this->label  = $label;
+        $this->module = $module;
+    }
+}
diff --git a/src/Module/Core/Domain/Entity/Role.php b/src/Module/Core/Domain/Entity/Role.php
new file mode 100644
index 0000000..9022147
--- /dev/null
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -0,0 +1,151 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\ORM\Mapping as ORM;
+use InvalidArgumentException;
+use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
+
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
+#[ORM\Table(name: '`role`')]
+#[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(security: "is_granted('core.roles.view')", paginationEnabled: false),
+        new Get(security: "is_granted('core.roles.view')"),
+        new Post(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Patch(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Delete(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+class Role
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 100, unique: true, options: ['comment' => 'Immutable role code (snake_case)'])]
+    #[Groups(['role:read', 'role:write'])]
+    private string $code;
+
+    #[ORM\Column(length: 255, options: ['comment' => 'Human-readable role label'])]
+    #[Groups(['role:read', 'role:write'])]
+    private string $label;
+
+    #[ORM\Column(type: 'text', nullable: true, options: ['comment' => 'Optional role description'])]
+    #[Groups(['role:read', 'role:write'])]
+    private ?string $description;
+
+    #[ORM\Column(name: 'is_system', options: ['comment' => 'True for built-in roles that cannot be deleted'])]
+    private bool $isSystem;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
+    private Collection $permissions;
+
+    public function __construct(string $code, string $label, ?string $description = null, bool $isSystem = false)
+    {
+        if (1 !== preg_match('/^[a-z][a-z0-9_]*$/', $code)) {
+            throw new InvalidArgumentException(sprintf('Code de rôle invalide : "%s" (attendu snake_case).', $code));
+        }
+        if ('' === trim($label)) {
+            throw new InvalidArgumentException('Le libellé de rôle ne peut pas être vide.');
+        }
+
+        $this->code        = $code;
+        $this->label       = $label;
+        $this->description = $description;
+        $this->isSystem    = $isSystem;
+        $this->permissions = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(string $label): void
+    {
+        $this->label = $label;
+    }
+
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): void
+    {
+        $this->description = $description;
+    }
+
+    // PropertyInfo strips the `is` prefix and would expose this field as `system`.
+    // An explicit SerializedName guarantees the `isSystem` key expected by API clients.
+    #[Groups(['role:read'])]
+    #[SerializedName('isSystem')]
+    public function isSystem(): bool
+    {
+        return $this->isSystem;
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getPermissions(): Collection
+    {
+        return $this->permissions;
+    }
+
+    public function addPermission(Permission $permission): void
+    {
+        if (!$this->permissions->contains($permission)) {
+            $this->permissions->add($permission);
+        }
+    }
+
+    public function removePermission(Permission $permission): void
+    {
+        $this->permissions->removeElement($permission);
+    }
+
+    public function ensureDeletable(): void
+    {
+        if ($this->isSystem) {
+            throw new SystemRoleDeletionException($this->code);
+        }
+    }
+}
diff --git a/src/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
similarity index 71%
rename from src/Entity/User.php
rename to src/Module/Core/Domain/Entity/User.php
index 2bc49c9..45b940e 100644
--- a/src/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
@@ -11,11 +11,18 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\ContractType;
-use App\Repository\UserRepository;
-use App\State\MeProvider;
-use App\State\UserPasswordHasherProcessor;
+use App\Module\Core\Domain\Enum\ContractType;
+use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
+use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
@@ -30,30 +37,45 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['me:read']],
         ),
         new Get(
+            security: "is_granted('ROLE_USER')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new GetCollection(
             paginationEnabled: false,
+            security: "is_granted('ROLE_USER')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
         new Patch(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Get(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+        ),
+        new Patch(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+            denormalizationContext: ['groups' => ['user:rbac:write']],
+            processor: UserRbacProcessor::class,
+        ),
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
-#[ORM\Entity(repositoryClass: UserRepository::class)]
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface, LeaveProfileInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
-    #[Groups(['me:read', 'task:read', 'user:list', 'time_entry:read', 'absence_request:read', 'absence_balance:read'])]
+    #[Groups(['me:read', 'task:read', 'user:list', 'time_entry:read', 'absence_request:read', 'absence_balance:read', 'commercial_report:read'])]
     private ?int $id = null;
 
     #[ORM\Column(length: 180, unique: true)]
-    #[Groups(['me:read', 'task:read', 'user:list', 'user:write', 'time_entry:read', 'absence_request:read', 'absence_balance:read'])]
+    #[Groups(['me:read', 'task:read', 'user:list', 'user:write', 'time_entry:read', 'absence_request:read', 'absence_balance:read', 'commercial_report:read'])]
     private ?string $username = null;
 
     #[ORM\Column(length: 100, nullable: true)]
@@ -71,9 +93,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private array $roles = [];
 
     #[ORM\Column]
+    #[AuditIgnore]
     private ?string $password = null;
 
     #[Groups(['user:write'])]
+    #[AuditIgnore]
     private ?string $plainPassword = null;
 
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
@@ -81,6 +105,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
     #[ORM\Column(length: 64, unique: true, nullable: true)]
     #[Groups(['me:read'])]
+    #[AuditIgnore]
     private ?string $apiToken = null;
 
     #[ORM\Column(length: 255, nullable: true)]
@@ -134,9 +159,27 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     #[Groups(['me:read', 'user:list', 'user:write'])]
     private float $initialLeaveBalance = 0.0;
 
+    /**
+     * @var Collection<int, Role>
+     */
+    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_role')]
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $rbacRoles;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_permission')]
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $directPermissions;
+
     public function __construct()
     {
-        $this->createdAt = new DateTimeImmutable();
+        $this->createdAt         = new DateTimeImmutable();
+        $this->rbacRoles         = new ArrayCollection();
+        $this->directPermissions = new ArrayCollection();
     }
 
     public function getId(): ?int
@@ -188,7 +231,9 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     /** @return list<string> */
     public function getRoles(): array
     {
-        $roles   = $this->roles;
+        $roles = $this->roles;
+
+        // Every authenticated user gets ROLE_USER.
         $roles[] = 'ROLE_USER';
 
         return array_values(array_unique($roles));
@@ -372,4 +417,67 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
         return $this;
     }
+
+    /**
+     * @return Collection<int, Role>
+     */
+    public function getRbacRoles(): Collection
+    {
+        return $this->rbacRoles;
+    }
+
+    public function addRbacRole(Role $role): void
+    {
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
+        }
+    }
+
+    public function removeRbacRole(Role $role): void
+    {
+        $this->rbacRoles->removeElement($role);
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getDirectPermissions(): Collection
+    {
+        return $this->directPermissions;
+    }
+
+    public function addDirectPermission(Permission $permission): void
+    {
+        if (!$this->directPermissions->contains($permission)) {
+            $this->directPermissions->add($permission);
+        }
+    }
+
+    public function removeDirectPermission(Permission $permission): void
+    {
+        $this->directPermissions->removeElement($permission);
+    }
+
+    /**
+     * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
+     *
+     * @return list<string>
+     */
+    #[Groups(['me:read', 'user:rbac:read'])]
+    public function getEffectivePermissions(): array
+    {
+        $codes = [];
+        foreach ($this->rbacRoles as $role) {
+            foreach ($role->getPermissions() as $permission) {
+                $codes[$permission->getCode()] = true;
+            }
+        }
+        foreach ($this->directPermissions as $permission) {
+            $codes[$permission->getCode()] = true;
+        }
+        $keys = array_keys($codes);
+        sort($keys);
+
+        return $keys;
+    }
 }
diff --git a/src/Enum/ContractType.php b/src/Module/Core/Domain/Enum/ContractType.php
similarity index 92%
rename from src/Enum/ContractType.php
rename to src/Module/Core/Domain/Enum/ContractType.php
index fe1d7b1..5963572 100644
--- a/src/Enum/ContractType.php
+++ b/src/Module/Core/Domain/Enum/ContractType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Core\Domain\Enum;
 
 enum ContractType: string
 {
diff --git a/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php b/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
new file mode 100644
index 0000000..bf33752
--- /dev/null
+++ b/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Exception;
+
+use DomainException;
+
+final class SystemRoleDeletionException extends DomainException
+{
+    public function __construct(string $code)
+    {
+        parent::__construct(sprintf('Le rôle système "%s" ne peut pas être supprimé.', $code));
+    }
+}
diff --git a/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php b/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
new file mode 100644
index 0000000..4226a38
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Permission;
+
+interface PermissionRepositoryInterface
+{
+    public function findById(int $id): ?Permission;
+
+    public function findByCode(string $code): ?Permission;
+
+    /** @return list<Permission> */
+    public function findAll(): array;
+
+    /** @return list<string> */
+    public function findAllCodes(): array;
+
+    public function save(Permission $permission): void;
+}
diff --git a/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php b/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
new file mode 100644
index 0000000..adf8420
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Role;
+
+interface RoleRepositoryInterface
+{
+    public function findById(int $id): ?Role;
+
+    public function findByCode(string $code): ?Role;
+
+    /** @return list<Role> */
+    public function findAll(): array;
+
+    public function save(Role $role): void;
+}
diff --git a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
new file mode 100644
index 0000000..6308542
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeInterface;
+
+interface UserRepositoryInterface
+{
+    public function findById(int $id): ?UserInterface;
+
+    /**
+     * @param int[] $ids
+     *
+     * @return list<UserInterface>
+     */
+    public function findByIds(array $ids): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}
diff --git a/src/Module/Core/Domain/Security/SystemRoles.php b/src/Module/Core/Domain/Security/SystemRoles.php
new file mode 100644
index 0000000..ab02545
--- /dev/null
+++ b/src/Module/Core/Domain/Security/SystemRoles.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Security;
+
+final class SystemRoles
+{
+    public const string ADMIN_CODE = 'admin';
+    public const string USER_CODE  = 'user';
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php b/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
new file mode 100644
index 0000000..adda23c
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Pagination;
+
+use ApiPlatform\State\Pagination\PaginatorInterface;
+use ArrayIterator;
+use IteratorAggregate;
+use Traversable;
+
+/**
+ * Paginator pour resources alimentees par DBAL (pas par Doctrine ORM).
+ *
+ * Implemente PaginatorInterface : API Platform l'introspecte pour generer
+ * automatiquement la section `hydra:view` (first / next / previous / last)
+ * dans la reponse JSON-LD. Aucun calcul manuel de liens.
+ *
+ * @template T of object
+ *
+ * @implements PaginatorInterface<T>
+ */
+final readonly class DbalPaginator implements PaginatorInterface, IteratorAggregate
+{
+    /**
+     * @param list<T> $items        Items deja decoupes sur la page courante
+     * @param int     $currentPage  Page courante (1-indexee)
+     * @param int     $itemsPerPage Limite appliquee a la requete SQL
+     * @param int     $totalItems   Resultat du COUNT(*) sans limite
+     */
+    public function __construct(
+        private array $items,
+        private int $currentPage,
+        private int $itemsPerPage,
+        private int $totalItems,
+    ) {}
+
+    public function getCurrentPage(): float
+    {
+        return (float) $this->currentPage;
+    }
+
+    public function getLastPage(): float
+    {
+        if ($this->itemsPerPage <= 0) {
+            return 1.0;
+        }
+
+        return (float) max(1, (int) ceil($this->totalItems / $this->itemsPerPage));
+    }
+
+    public function getItemsPerPage(): float
+    {
+        return (float) $this->itemsPerPage;
+    }
+
+    public function getTotalItems(): float
+    {
+        return (float) $this->totalItems;
+    }
+
+    public function count(): int
+    {
+        return count($this->items);
+    }
+
+    /**
+     * @return Traversable<int, T>
+     */
+    public function getIterator(): Traversable
+    {
+        return new ArrayIterator($this->items);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
new file mode 100644
index 0000000..5892f6c
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogEntityTypesProvider;
+
+/**
+ * Retourne la liste des valeurs distinctes de `entity_type` presentes dans
+ * `audit_log`, pour alimenter le filtre multi-selection cote front (journal
+ * d'audit). La liste evolue automatiquement avec les nouvelles entites
+ * `#[Auditable]` au fil des ecritures.
+ */
+#[ApiResource(
+    shortName: 'AuditLogEntityTypes',
+    operations: [
+        new Get(
+            uriTemplate: '/audit-log-entity-types',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogEntityTypesProvider::class,
+        ),
+    ],
+)]
+final class AuditLogEntityTypesResource
+{
+    /** @param list<string> $entityTypes */
+    public function __construct(
+        public readonly string $id = 'entity-types',
+        public readonly array $entityTypes = [],
+    ) {}
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
new file mode 100644
index 0000000..4879894
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogProvider;
+
+/**
+ * Resource API Platform en lecture seule sur le journal d'audit.
+ *
+ * Aucune operation d'ecriture exposee (POST/PUT/PATCH/DELETE -> 405)
+ * conformement au caractere append-only de la table `audit_log`.
+ *
+ * La resource est un simple porteur de metadonnees #[ApiResource] ; le
+ * provider lit via DBAL et retourne directement des instances du DTO
+ * `AuditLogOutput` (declare via `output:`). La table n'est pas geree par
+ * l'ORM : aucune entite Doctrine n'est necessaire ici.
+ *
+ * Filtres query-param supportes par le provider :
+ *   ?entity_type=core.User
+ *   ?entity_id=42
+ *   ?action=update
+ *   ?performed_by=admin
+ *   ?performed_at[after]=2026-04-01T00:00:00Z
+ *   ?performed_at[before]=2026-04-30T23:59:59Z
+ *
+ * La pagination herite du standard global (10 items / page, max 50, cf.
+ * `config/packages/api_platform.yaml`). Elle est materialisee par le
+ * DbalPaginator du provider qui implemente PaginatorInterface — API Platform
+ * genere automatiquement hydra:view sans construction manuelle.
+ */
+#[ApiResource(
+    shortName: 'AuditLog',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/audit-logs',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+        new Get(
+            uriTemplate: '/audit-logs/{id}',
+            requirements: ['id' => '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'],
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+    ],
+    output: AuditLogOutput::class,
+)]
+final class AuditLogResource {}
diff --git a/src/State/MeProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
similarity index 55%
rename from src/State/MeProvider.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
index f2866a7..520e239 100644
--- a/src/State/MeProvider.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 
 /**
  * @implements ProviderInterface<User>
@@ -20,7 +21,11 @@ final readonly class MeProvider implements ProviderInterface
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
     {
-        // @var User $user
-        return $this->security->getUser();
+        $user = $this->security->getUser();
+        if (!$user instanceof User) {
+            throw new UnauthorizedHttpException('Bearer', 'Not authenticated.');
+        }
+
+        return $user;
     }
 }
diff --git a/src/State/NotificationProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
similarity index 84%
rename from src/State/NotificationProvider.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
index ff872c9..371debd 100644
--- a/src/State/NotificationProvider.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\Pagination\Pagination;
 use ApiPlatform\State\Pagination\TraversablePaginator;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\Notification;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Domain\Entity\Notification;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use ArrayIterator;
 use Doctrine\ORM\Tools\Pagination\Paginator as DoctrinePaginator;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -23,7 +23,7 @@ final readonly class NotificationProvider implements ProviderInterface
 {
     public function __construct(
         private Security $security,
-        private NotificationRepository $notificationRepository,
+        private DoctrineNotificationRepository $notificationRepository,
         private Pagination $pagination,
     ) {}
 
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
new file mode 100644
index 0000000..f8b00ed
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use Doctrine\ORM\EntityManagerInterface;
+use DomainException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+use function assert;
+
+/**
+ * @implements ProcessorInterface<Role, null|Role>
+ */
+final readonly class RoleProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?Role
+    {
+        assert($data instanceof Role);
+
+        if ($operation instanceof DeleteOperationInterface) {
+            try {
+                $data->ensureDeletable();
+            } catch (DomainException $e) {
+                throw new AccessDeniedHttpException($e->getMessage(), $e);
+            }
+            $this->em->remove($data);
+            $this->em->flush();
+
+            return null;
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
new file mode 100644
index 0000000..5381e1a
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+use function assert;
+
+/**
+ * @implements ProcessorInterface<User, User>
+ */
+final readonly class UserRbacProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private Security $security,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
+    {
+        assert($data instanceof User);
+
+        // Defense-in-depth: a user may never edit their OWN RBAC assignment
+        // through this endpoint, even with core.users.manage — this prevents
+        // self-escalation if the permission is ever delegated to a non-admin.
+        $current = $this->security->getUser();
+        if ($current instanceof User && $current->getId() === $data->getId()) {
+            throw new AccessDeniedHttpException('You cannot edit your own RBAC assignment.');
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
new file mode 100644
index 0000000..eee33e5
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Infrastructure\ApiPlatform\Resource\AuditLogEntityTypesResource;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL : SELECT DISTINCT entity_type FROM audit_log.
+ *
+ * @implements ProviderInterface<AuditLogEntityTypesResource>
+ */
+final readonly class AuditLogEntityTypesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogEntityTypesResource
+    {
+        /** @var list<string> $types */
+        $types = $this->connection
+            ->executeQuery('SELECT DISTINCT entity_type FROM audit_log ORDER BY entity_type ASC')
+            ->fetchFirstColumn()
+        ;
+
+        return new AuditLogEntityTypesResource(entityTypes: $types);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
new file mode 100644
index 0000000..7cc3126
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
@@ -0,0 +1,247 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\CollectionOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\Pagination\Pagination;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\Pagination\DbalPaginator;
+use DateTimeImmutable;
+use Doctrine\DBAL\ArrayParameterType;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Query\QueryBuilder;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Provider API Platform pour la resource AuditLog.
+ *
+ * Lit la table `audit_log` via DBAL (pas d'entite ORM). Retourne soit :
+ *  - une instance unique d'AuditLogOutput (operation Get) ;
+ *  - un DbalPaginator de AuditLogOutput (operation GetCollection).
+ *
+ * Le paginator implementant PaginatorInterface laisse API Platform generer
+ * automatiquement la section `hydra:view` : aucune manipulation manuelle.
+ *
+ * Connexion DBAL : `default` (lecture — aucun besoin de la connexion `audit`
+ * reservee a l'ecriture hors transaction ORM).
+ */
+final readonly class AuditLogProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+        private Pagination $pagination,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogOutput|DbalPaginator|null
+    {
+        if (!$operation instanceof CollectionOperationInterface) {
+            return $this->provideItem((string) $uriVariables['id']);
+        }
+
+        return $this->provideCollection($operation, $context);
+    }
+
+    private function provideItem(string $id): ?AuditLogOutput
+    {
+        /** @var array<string, mixed>|false $row */
+        $row = $this->connection->fetchAssociative(
+            'SELECT id, entity_type, entity_id, action, changes, performed_by, performed_at, ip_address, request_id
+             FROM audit_log WHERE id = :id',
+            ['id' => $id],
+        );
+
+        if (false === $row) {
+            return null;
+        }
+
+        return $this->hydrate($row);
+    }
+
+    /**
+     * @param array<string, mixed> $context
+     */
+    private function provideCollection(Operation $operation, array $context): DbalPaginator
+    {
+        // Contrairement aux ressources ORM (cf. CategoryProvider), ce provider
+        // ne gere PAS l'echappatoire `?pagination=false` : la pagination y est
+        // toujours forcee. `audit_log` est une table append-only a croissance
+        // infinie — la dumper entierement saturerait memoire/reseau et n'a aucun
+        // usage front (pas de <select> alimente par l'audit). Le flag global
+        // `pagination_client_enabled: true` reste donc volontairement inerte ici.
+        //
+        // `page` brut peut etre <= 0 (parametre client) → OFFSET negatif → 500 PG
+        // (`SQLSTATE[22023] OFFSET must not be negative`). API Platform clampe
+        // `itemsPerPage` au max de la resource mais pas `page` ; on impose un
+        // minimum a 1 cote provider.
+        $page         = max(1, $this->pagination->getPage($context));
+        $itemsPerPage = $this->pagination->getLimit($operation, $context);
+        $offset       = ($page - 1) * $itemsPerPage;
+        $filters      = $this->extractFilters($context['filters'] ?? []);
+
+        $dataQuery = $this->buildBaseQuery()
+            ->select('id', 'entity_type', 'entity_id', 'action', 'changes', 'performed_by', 'performed_at', 'ip_address', 'request_id')
+            ->orderBy('performed_at', 'DESC')
+            // Tie-breaker sur `id` (UUID v7 monotone) : garantit un tri
+            // totalement deterministe quand plusieurs lignes partagent la
+            // meme timestamp (ex: batch fixture, bulk flush < 1µs).
+            ->addOrderBy('id', 'DESC')
+            ->setFirstResult($offset)
+            ->setMaxResults($itemsPerPage)
+        ;
+
+        $countQuery = $this->buildBaseQuery()->select('COUNT(*)');
+
+        $this->applyFilters($dataQuery, $filters);
+        $this->applyFilters($countQuery, $filters);
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows       = $dataQuery->executeQuery()->fetchAllAssociative();
+        $totalItems = (int) $countQuery->executeQuery()->fetchOne();
+
+        $items = array_map(fn (array $row) => $this->hydrate($row), $rows);
+
+        return new DbalPaginator($items, $page, $itemsPerPage, $totalItems);
+    }
+
+    private function buildBaseQuery(): QueryBuilder
+    {
+        return $this->connection->createQueryBuilder()->from('audit_log');
+    }
+
+    /**
+     * @param array<string, mixed> $raw
+     *
+     * @return array{entity_type?: list<string>|string, entity_id?: string, action?: string, performed_by?: string, performed_at_after?: string, performed_at_before?: string}
+     */
+    private function extractFilters(array $raw): array
+    {
+        $filters = [];
+
+        // `entity_type` accepte soit une chaine, soit une liste (query syntax
+        // `entity_type[]=core.User&entity_type[]=core.Role`) pour le filtre
+        // multi-selection cote front. On normalise en list<string> non-vide.
+        if (isset($raw['entity_type'])) {
+            if (is_string($raw['entity_type']) && '' !== $raw['entity_type']) {
+                $filters['entity_type'] = $raw['entity_type'];
+            } elseif (is_array($raw['entity_type'])) {
+                $cleaned = array_values(array_filter(
+                    $raw['entity_type'],
+                    static fn ($v): bool => is_string($v) && '' !== $v,
+                ));
+                if ([] !== $cleaned) {
+                    $filters['entity_type'] = $cleaned;
+                }
+            }
+        }
+
+        foreach (['entity_id', 'performed_by'] as $key) {
+            if (isset($raw[$key]) && is_string($raw[$key]) && '' !== $raw[$key]) {
+                $filters[$key] = $raw[$key];
+            }
+        }
+
+        // `action` : whitelist stricte. Un input hors-liste provoquait avant
+        // un simple match vide (resultat 0 ligne) mais permettait d'incrementer
+        // le log applicatif a chaque variation ; on rejette en 400 explicite.
+        if (isset($raw['action']) && is_string($raw['action']) && '' !== $raw['action']) {
+            if (!in_array($raw['action'], ['create', 'update', 'delete'], true)) {
+                throw new BadRequestHttpException(
+                    'Filtre "action" invalide : valeurs autorisees create|update|delete.',
+                );
+            }
+            $filters['action'] = $raw['action'];
+        }
+
+        // Filtres de plage `performed_at[after]` / `performed_at[before]`.
+        // Sans validation, un input malforme remonte jusqu'a Postgres qui
+        // leve `SQLSTATE[22007]: invalid input syntax for type timestamp` →
+        // 500 Internal Server Error, log Monolog pollue, mauvaise UX API.
+        // On valide en amont et on rejette en 400 explicite.
+        if (isset($raw['performed_at']) && is_array($raw['performed_at'])) {
+            $range = $raw['performed_at'];
+            foreach (['after', 'before'] as $bound) {
+                if (!isset($range[$bound]) || !is_string($range[$bound]) || '' === $range[$bound]) {
+                    continue;
+                }
+                if (false === strtotime($range[$bound])) {
+                    throw new BadRequestHttpException(sprintf(
+                        'Filtre "performed_at[%s]" invalide : date ISO 8601 attendue (ex: 2026-04-22T00:00:00Z).',
+                        $bound,
+                    ));
+                }
+                $filters['performed_at_'.$bound] = $range[$bound];
+            }
+        }
+
+        return $filters;
+    }
+
+    /**
+     * @param array<string, list<string>|string> $filters
+     */
+    private function applyFilters(QueryBuilder $qb, array $filters): void
+    {
+        if (isset($filters['entity_type'])) {
+            if (is_array($filters['entity_type'])) {
+                $qb->andWhere('entity_type IN (:entity_types)')
+                    ->setParameter('entity_types', $filters['entity_type'], ArrayParameterType::STRING)
+                ;
+            } else {
+                $qb->andWhere('entity_type = :entity_type')->setParameter('entity_type', $filters['entity_type']);
+            }
+        }
+        if (isset($filters['entity_id'])) {
+            $qb->andWhere('entity_id = :entity_id')->setParameter('entity_id', $filters['entity_id']);
+        }
+        if (isset($filters['action'])) {
+            $qb->andWhere('action = :action')->setParameter('action', $filters['action']);
+        }
+        if (isset($filters['performed_by'])) {
+            // Recherche contains insensible a la casse pour matcher "adm" → "admin".
+            // On echappe `%`, `_` et `\` saisis par l'utilisateur pour qu'ils soient
+            // interpretes comme caracteres litteraux (sinon `%` matche tout, `_`
+            // matche n'importe quel caractere). Pas de clause ESCAPE : `\` est
+            // deja le caractere d'echappement LIKE par defaut en PostgreSQL.
+            $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $filters['performed_by']);
+            $qb->andWhere('performed_by ILIKE :performed_by')
+                ->setParameter('performed_by', '%'.$escaped.'%')
+            ;
+        }
+        if (isset($filters['performed_at_after'])) {
+            $qb->andWhere('performed_at >= :performed_at_after')->setParameter('performed_at_after', $filters['performed_at_after']);
+        }
+        if (isset($filters['performed_at_before'])) {
+            $qb->andWhere('performed_at <= :performed_at_before')->setParameter('performed_at_before', $filters['performed_at_before']);
+        }
+    }
+
+    /**
+     * @param array<string, mixed> $row
+     */
+    private function hydrate(array $row): AuditLogOutput
+    {
+        /** @var string $rawChanges */
+        $rawChanges = $row['changes'] ?? '{}';
+
+        /** @var array<string, mixed> $changes */
+        $changes = is_array($rawChanges) ? $rawChanges : json_decode((string) $rawChanges, true, 512, JSON_THROW_ON_ERROR);
+
+        return new AuditLogOutput(
+            id: (string) $row['id'],
+            entityType: (string) $row['entity_type'],
+            entityId: (string) $row['entity_id'],
+            action: (string) $row['action'],
+            changes: $changes,
+            performedBy: (string) $row['performed_by'],
+            performedAt: new DateTimeImmutable((string) $row['performed_at']),
+            ipAddress: null !== $row['ip_address'] ? (string) $row['ip_address'] : null,
+            requestId: null !== $row['request_id'] ? (string) $row['request_id'] : null,
+        );
+    }
+}
diff --git a/src/State/UserPasswordHasherProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
similarity index 92%
rename from src/State/UserPasswordHasherProcessor.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
index 88e9d1c..7dccd1f 100644
--- a/src/State/UserPasswordHasherProcessor.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
diff --git a/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php b/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
new file mode 100644
index 0000000..e1f1bfa
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {}
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php b/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php
new file mode 100644
index 0000000..9521405
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php b/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
new file mode 100644
index 0000000..ab795cd
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+#[AsCommand(name: 'app:seed-rbac', description: 'Seed les rôles système RBAC (admin, user).')]
+final class SeedRbacCommand extends Command
+{
+    public function __construct(private readonly RbacSeeder $seeder)
+    {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+        $this->seeder->ensureSystemRoles();
+        $io->success('Rôles système RBAC seedés (admin, user).');
+
+        return Command::SUCCESS;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php b/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
new file mode 100644
index 0000000..6dd35bd
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+use function count;
+
+#[AsCommand(name: 'app:sync-permissions', description: 'Synchronise le catalogue des permissions depuis les modules actifs.')]
+final class SyncPermissionsCommand extends Command
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly PermissionRepositoryInterface $permissions,
+        #[Autowire('%kernel.project_dir%')]
+        private readonly string $projectDir,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        // Phase 1 : permissions désirées (code => {code,label,module}).
+        $desired = [];
+        foreach (ModuleRegistry::permissions($moduleClasses) as $perm) {
+            $desired[$perm['code']] = $perm;
+        }
+
+        // Phase 2 : upsert.
+        $existing = [];
+        foreach ($this->permissions->findAll() as $permission) {
+            $existing[$permission->getCode()] = $permission;
+        }
+
+        $added = $updated = $revived = 0;
+        foreach ($desired as $code => $perm) {
+            $entity = $existing[$code] ?? null;
+            if (null === $entity) {
+                $this->permissions->save(new Permission($perm['code'], $perm['label'], $perm['module']));
+                ++$added;
+
+                continue;
+            }
+            if ($entity->isOrphan()) {
+                $entity->revive($perm['label'], $perm['module']);
+                ++$revived;
+            } elseif ($entity->getLabel() !== $perm['label'] || $entity->getModule() !== $perm['module']) {
+                $entity->updateMetadata($perm['label'], $perm['module']);
+                ++$updated;
+            }
+        }
+
+        // Phase 3 : orphelines (existantes absentes des désirées).
+        $orphaned = 0;
+        foreach ($existing as $code => $entity) {
+            if (!isset($desired[$code]) && !$entity->isOrphan()) {
+                $entity->markOrphan();
+                ++$orphaned;
+            }
+        }
+
+        $this->em->flush();
+
+        $io->success(sprintf('Permissions synchronisées : %d ajoutées, %d mises à jour, %d réactivées, %d orphelines. Total désirées : %d.', $added, $updated, $revived, $orphaned, count($desired)));
+
+        return Command::SUCCESS;
+    }
+}
diff --git a/src/Controller/MarkAllReadController.php b/src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
similarity index 71%
rename from src/Controller/MarkAllReadController.php
rename to src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
index a745051..cd0ea0c 100644
--- a/src/Controller/MarkAllReadController.php
+++ b/src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
@@ -14,14 +14,14 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MarkAllReadController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/mark-all-read', name: 'notification_mark_all_read', methods: ['POST'], priority: 1)]
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): Response
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $this->notificationRepository->markAllReadByUser($user);
diff --git a/src/Controller/NotificationUnreadCountController.php b/src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
similarity index 71%
rename from src/Controller/NotificationUnreadCountController.php
rename to src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
index f4c6d82..db9bde9 100644
--- a/src/Controller/NotificationUnreadCountController.php
+++ b/src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -14,14 +14,14 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class NotificationUnreadCountController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/unread-count', name: 'notification_unread_count', methods: ['GET'], priority: 1)]
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): JsonResponse
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $count = $this->notificationRepository->countUnreadByUser($user);
diff --git a/src/Controller/RegenerateApiTokenController.php b/src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
similarity index 91%
rename from src/Controller/RegenerateApiTokenController.php
rename to src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
index ca209de..00ad222 100644
--- a/src/Controller/RegenerateApiTokenController.php
+++ b/src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
diff --git a/src/Controller/UserAvatarController.php b/src/Module/Core/Infrastructure/Controller/UserAvatarController.php
similarity index 98%
rename from src/Controller/UserAvatarController.php
rename to src/Module/Core/Infrastructure/Controller/UserAvatarController.php
index 450d2cb..ebfde04 100644
--- a/src/Controller/UserAvatarController.php
+++ b/src/Module/Core/Infrastructure/Controller/UserAvatarController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
diff --git a/src/Module/Core/Infrastructure/Doctrine/AuditListener.php b/src/Module/Core/Infrastructure/Doctrine/AuditListener.php
new file mode 100644
index 0000000..c478cda
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/AuditListener.php
@@ -0,0 +1,513 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Infrastructure\Audit\AuditLogWriter;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+use DateTimeInterface;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\Event\OnFlushEventArgs;
+use Doctrine\ORM\Event\PostFlushEventArgs;
+use Doctrine\ORM\Events;
+use Doctrine\ORM\Mapping\ClassMetadata;
+use Doctrine\ORM\PersistentCollection;
+use Doctrine\ORM\UnitOfWork;
+use Psr\Log\LoggerInterface;
+use ReflectionClass;
+use ReflectionProperty;
+use Throwable;
+
+/**
+ * Listener Doctrine qui produit les lignes d'audit pour les entites portant
+ * l'attribut #[Auditable].
+ *
+ * Pipeline en deux temps :
+ *  1. onFlush : on traverse UnitOfWork (insertions / updates / deletions) et
+ *     on capture les changements en memoire. Aucune ecriture SQL cote audit
+ *     a ce stade pour ne pas interferer avec la transaction ORM en cours.
+ *  2. postFlush : on ecrit via AuditLogWriter (connexion DBAL dediee).
+ *
+ * Pattern swap-and-clear dans postFlush :
+ *  - on copie localement la liste des evenements ;
+ *  - on vide la propriete pendingLogs immediatement ;
+ *  - on itere la copie.
+ * Pourquoi : si une ecriture audit declenchait un flush re-entrant (cas rare,
+ * ex: callback listener externe), l'etat de pendingLogs serait deja nettoye —
+ * pas de double insertion, pas de boucle infinie.
+ *
+ * Erreurs silencieuses : un INSERT audit qui echoue est logue en error mais
+ * jamais propage. Acceptable pour un CRM interne ; a reconsiderer si besoin
+ * de garantie forte (dead-letter queue, retry).
+ *
+ * Collections (OneToMany / ManyToMany) :
+ *  - Les modifications de collections sont tracees via
+ *    `getScheduledCollectionUpdates()` et reportees comme un changement
+ *    `{fieldName: {added: [ids], removed: [ids]}}` dans le changeset de
+ *    l'entite proprietaire.
+ *  - Si l'entite proprietaire est deja scheduled pour insertion, la diff
+ *    est merge dans le snapshot create (en tant que liste d'IDs initiaux).
+ *  - Si l'entite proprietaire est scheduled pour deletion, les collections
+ *    associees sont ignorees (deja couvertes par le snapshot delete).
+ *
+ * Limitations connues :
+ *  - Les ManyToOne sont tracees par ID (null-safe via `?->getId()`).
+ *  - Les DELETE / UPDATE bulk DQL et les `Connection::executeStatement()`
+ *    bruts BYPASSENT le listener : onFlush n'est jamais appele. Toute
+ *    operation de purge/nettoyage qui doit etre auditee doit passer par
+ *    `EntityManager::remove()` + `flush()`. Si un futur batch (ex: commande
+ *    "purger users inactifs") utilise du DQL bulk, les suppressions ne
+ *    seront pas dans `audit_log` — choix d'architecture explicite a faire.
+ */
+#[AsDoctrineListener(event: Events::onFlush)]
+#[AsDoctrineListener(event: Events::postFlush)]
+final class AuditListener
+{
+    /**
+     * Cache par FQCN : true si la classe porte #[Auditable], false sinon.
+     * Evite une ReflectionClass par entite a chaque flush.
+     *
+     * @var array<class-string, bool>
+     */
+    private array $auditableCache = [];
+
+    /**
+     * Cache par FQCN : liste des noms de proprietes ignorees (#[AuditIgnore]).
+     *
+     * @var array<class-string, list<string>>
+     */
+    private array $ignoredPropertiesCache = [];
+
+    /**
+     * Logs en attente d'ecriture (remplis en onFlush, consommes en postFlush).
+     *
+     * Pour les inserts, l'ID est assignee DURANT le flush : on capture la
+     * reference de l'entite et on resout l'ID au moment du postFlush.
+     *
+     * @var list<array{entity: object, metadata: ClassMetadata, entityType: string, action: string, changes: array<string, mixed>, capturedId: ?string}>
+     */
+    private array $pendingLogs = [];
+
+    public function __construct(
+        private readonly AuditLogWriter $writer,
+        private readonly LoggerInterface $logger,
+    ) {}
+
+    public function onFlush(OnFlushEventArgs $args): void
+    {
+        /** @var EntityManagerInterface $em */
+        $em  = $args->getObjectManager();
+        $uow = $em->getUnitOfWork();
+
+        // Reset defensif en debut de cycle : si un flush precedent a leve une
+        // exception, Doctrine n'appelle PAS postFlush et pendingLogs reste
+        // rempli avec des changements jamais committes. Sans ce reset, un
+        // flush ulterieur reussi ecrirait les fausses entrees dans audit_log.
+        // Le swap-and-clear dans postFlush couvre deja les flushes re-entrants,
+        // ce reset ne le fragilise donc pas.
+        $this->pendingLogs = [];
+
+        foreach ($uow->getScheduledEntityInsertions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'create');
+        }
+
+        foreach ($uow->getScheduledEntityUpdates() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'update');
+        }
+
+        foreach ($uow->getScheduledEntityDeletions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'delete');
+        }
+
+        // Collections to-many (OneToMany / ManyToMany) : `getEntityChangeSet()`
+        // ne les expose pas, il faut interroger `UnitOfWork` separement. On
+        // merge la diff dans le log de l'entite proprietaire si elle est deja
+        // scheduled, sinon on cree une entree "update" dediee.
+        foreach ($uow->getScheduledCollectionUpdates() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: false);
+        }
+
+        foreach ($uow->getScheduledCollectionDeletions() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: true);
+        }
+    }
+
+    public function postFlush(PostFlushEventArgs $args): void
+    {
+        // Swap-and-clear : protege d'un flush re-entrant (aucune double
+        // insertion meme si un callback utilisateur re-declenche un flush).
+        $logs              = $this->pendingLogs;
+        $this->pendingLogs = [];
+
+        foreach ($logs as $log) {
+            // Pour les inserts, l'ID n'etait pas encore disponible en onFlush :
+            // on la resout maintenant (Doctrine l'a hydratee pendant le flush).
+            $entityId = $log['capturedId'] ?? $this->resolveEntityId($log['entity'], $log['metadata']);
+
+            if (null === $entityId) {
+                $this->logger->warning(
+                    'AuditListener : impossible de resoudre l\'ID de l\'entite apres flush, entree ignoree',
+                    ['entityType' => $log['entityType'], 'action' => $log['action']]
+                );
+
+                continue;
+            }
+
+            try {
+                $this->writer->log(
+                    $log['entityType'],
+                    $entityId,
+                    $log['action'],
+                    $log['changes'],
+                );
+            } catch (Throwable $e) {
+                // Erreur audit : logue mais ne crashe jamais le flux metier.
+                $this->logger->error(
+                    'Echec d\'ecriture audit_log',
+                    [
+                        'exception'  => $e,
+                        'entityType' => $log['entityType'],
+                        'entityId'   => $entityId,
+                        'action'     => $log['action'],
+                    ]
+                );
+            }
+        }
+    }
+
+    private function capturePendingLog(object $entity, EntityManagerInterface $em, UnitOfWork $uow, string $action): void
+    {
+        // Resolution via ClassMetadata : `$entity::class` renvoie le FQCN du
+        // proxy Doctrine pour une entite chargee en lazy (ex:
+        // `Proxies\__CG__\App\Module\Core\Domain\Entity\User`) — `isAuditable()`
+        // le verrait comme non-auditable car `#[Auditable]` n'est declare que
+        // sur la classe parente.
+        $metadata = $em->getClassMetadata($entity::class);
+        $class    = $metadata->getName();
+
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        // Sur `delete`, on inclut aussi les collections to-many dans le
+        // snapshot : c'est la derniere occasion de capturer l'etat complet
+        // (ex: quelles permissions etaient rattachees au role supprime).
+        // Sur `create`, les collections initiales sont rapportees via
+        // captureCollectionChange quand l'entite est scheduled avec un
+        // collection update dans le meme flush.
+        $changes = match ($action) {
+            'update' => $this->buildUpdateChanges($entity, $uow, $class),
+            'create' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: false),
+            'delete' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: true),
+            default  => [],
+        };
+
+        if ('update' === $action && [] === $changes) {
+            // Flush sans changement reel sur une entite auditable : on n'emet pas.
+            return;
+        }
+
+        // Pour delete/update, l'ID est deja set en onFlush — on la capture
+        // maintenant (apres postFlush, l'entite detachee peut perdre sa ref
+        // dans l'identity map). Pour create (IDENTITY), l'ID est generee par
+        // le flush — on differe a postFlush.
+        $capturedId = 'create' === $action ? null : $this->resolveEntityId($entity, $metadata);
+
+        $this->pendingLogs[] = [
+            'entity'     => $entity,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => $action,
+            'changes'    => $changes,
+            'capturedId' => $capturedId,
+        ];
+    }
+
+    /**
+     * Capture la modification d'une collection to-many.
+     *
+     * Strategie de merge :
+     *  - Si l'entite proprietaire est deja scheduled pour `delete` → ignore
+     *    (redondant avec le snapshot delete deja produit).
+     *  - Si l'entite est deja scheduled pour `create` → on ajoute le champ
+     *    collection au snapshot initial, sous forme de liste d'IDs ajoutes.
+     *  - Si l'entite est deja scheduled pour `update` → on merge la diff
+     *    {added, removed} dans le changeset existant.
+     *  - Sinon → on cree une nouvelle entree `update` dediee pour l'entite
+     *    proprietaire (cas d'une collection modifiee sans autre changement
+     *    sur l'entite elle-meme, ex : ajout d'une permission a un role).
+     *
+     * @param bool $cleared true si la collection entiere est supprimee
+     *                      (getScheduledCollectionDeletions) — tous les
+     *                      items du snapshot sont consideres comme retires
+     */
+    private function captureCollectionChange(PersistentCollection $collection, EntityManagerInterface $em, bool $cleared): void
+    {
+        $owner = $collection->getOwner();
+        if (null === $owner) {
+            return;
+        }
+
+        // Voir capturePendingLog : meme contournement proxy Doctrine.
+        $class = $em->getClassMetadata($owner::class)->getName();
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        $fieldName = $collection->getMapping()->fieldName;
+        if (in_array($fieldName, $this->getIgnoredProperties($class), true)) {
+            return;
+        }
+
+        if ($cleared) {
+            $added   = [];
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getSnapshot(),
+            );
+        } else {
+            $added = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getInsertDiff(),
+            );
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getDeleteDiff(),
+            );
+        }
+
+        if ([] === $added && [] === $removed) {
+            return;
+        }
+
+        // Chercher un log deja en attente pour cette entite, pour merger la
+        // diff au lieu de creer une entree d'audit redondante.
+        foreach ($this->pendingLogs as $idx => $log) {
+            if ($log['entity'] !== $owner) {
+                continue;
+            }
+
+            if ('delete' === $log['action']) {
+                // Deletion de l'entite : la collection suit mecaniquement,
+                // pas d'entree dediee (le snapshot delete contient deja
+                // l'etat a supprimer).
+                return;
+            }
+
+            if ('create' === $log['action']) {
+                // Insertion : le snapshot create ne contient pas les
+                // collections (buildSnapshot ignore les to-many). On ajoute
+                // donc la liste des items initiaux comme IDs, pour avoir
+                // une trace complete de l'etat a la creation. array_values
+                // garantit un array JSON (pas un objet) si les cles du diff
+                // ne sont pas sequentielles.
+                $this->pendingLogs[$idx]['changes'][$fieldName] = array_values($added);
+
+                return;
+            }
+
+            // Update : on merge dans le changeset existant.
+            $this->pendingLogs[$idx]['changes'][$fieldName] = [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ];
+
+            return;
+        }
+
+        // Aucun log existant : l'entite n'a eu QUE des changements de
+        // collection. On cree une entree update minimale.
+        $metadata = $em->getClassMetadata($class);
+
+        $this->pendingLogs[] = [
+            'entity'     => $owner,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => 'update',
+            'changes'    => [$fieldName => [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ]],
+            'capturedId' => $this->resolveEntityId($owner, $metadata),
+        ];
+    }
+
+    /**
+     * Build du changeset "update" : {champ: {old, new}} a partir de
+     * `UnitOfWork::getEntityChangeSet()`. ManyToOne : on log l'ID,
+     * null-safe via `?->getId()`.
+     *
+     * @return array<string, array{old: mixed, new: mixed}>
+     */
+    private function buildUpdateChanges(object $entity, UnitOfWork $uow, string $class): array
+    {
+        $changeSet       = $uow->getEntityChangeSet($entity);
+        $ignored         = $this->getIgnoredProperties($class);
+        $filteredChanges = [];
+
+        foreach ($changeSet as $field => [$oldValue, $newValue]) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $filteredChanges[$field] = [
+                'old' => $this->normalizeValue($oldValue),
+                'new' => $this->normalizeValue($newValue),
+            ];
+        }
+
+        return $filteredChanges;
+    }
+
+    /**
+     * Build d'un snapshot complet (create / delete) : lit toutes les
+     * proprietes non-ignorees via Reflection.
+     *
+     * @param bool $includeCollections si true, les associations to-many sont
+     *                                 aussi snapshotees (liste d'IDs). Utilise
+     *                                 uniquement sur `delete` pour preserver
+     *                                 l'etat des relations au moment de la
+     *                                 suppression. En create, on laisse
+     *                                 captureCollectionChange enrichir le
+     *                                 snapshot si une collection est modifiee
+     *                                 dans le meme flush.
+     *
+     * @return array<string, mixed>
+     */
+    private function buildSnapshot(object $entity, ClassMetadata $metadata, string $class, bool $includeCollections): array
+    {
+        $ignored  = $this->getIgnoredProperties($class);
+        $snapshot = [];
+
+        foreach ($metadata->getFieldNames() as $field) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $snapshot[$field] = $this->normalizeValue($metadata->getFieldValue($entity, $field));
+        }
+
+        foreach ($metadata->getAssociationNames() as $assoc) {
+            if (in_array($assoc, $ignored, true)) {
+                continue;
+            }
+
+            if ($metadata->isSingleValuedAssociation($assoc)) {
+                $related          = $metadata->getFieldValue($entity, $assoc);
+                $snapshot[$assoc] = null !== $related && method_exists($related, 'getId')
+                    ? $related->getId()
+                    : null;
+
+                continue;
+            }
+
+            if (!$includeCollections) {
+                continue;
+            }
+
+            // Collection to-many : snapshot = liste d'IDs. On itere la
+            // Collection (PersistentCollection ou ArrayCollection) pour
+            // obtenir les elements. Pour un delete, la collection est deja
+            // chargee (Doctrine en a besoin pour les cascades).
+            $collection = $metadata->getFieldValue($entity, $assoc);
+            if (!is_iterable($collection)) {
+                continue;
+            }
+            $ids = [];
+            foreach ($collection as $item) {
+                $ids[] = $this->normalizeValue($item);
+            }
+            $snapshot[$assoc] = $ids;
+        }
+
+        return $snapshot;
+    }
+
+    private function isAuditable(string $class): bool
+    {
+        if (array_key_exists($class, $this->auditableCache)) {
+            return $this->auditableCache[$class];
+        }
+
+        $reflection                   = new ReflectionClass($class);
+        $isAuditable                  = [] !== $reflection->getAttributes(Auditable::class);
+        $this->auditableCache[$class] = $isAuditable;
+
+        return $isAuditable;
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function getIgnoredProperties(string $class): array
+    {
+        if (array_key_exists($class, $this->ignoredPropertiesCache)) {
+            return $this->ignoredPropertiesCache[$class];
+        }
+
+        $ignored    = [];
+        $reflection = new ReflectionClass($class);
+
+        foreach ($reflection->getProperties(ReflectionProperty::IS_PROTECTED | ReflectionProperty::IS_PRIVATE | ReflectionProperty::IS_PUBLIC) as $property) {
+            if ([] !== $property->getAttributes(AuditIgnore::class)) {
+                $ignored[] = $property->getName();
+            }
+        }
+
+        $this->ignoredPropertiesCache[$class] = $ignored;
+
+        return $ignored;
+    }
+
+    /**
+     * Transforme un FQCN `App\Module\Core\Domain\Entity\User` en `core.User`.
+     *
+     * Format `module.Entity` pour eviter les collisions inter-modules.
+     */
+    private function formatEntityType(string $class): string
+    {
+        if (1 === preg_match('#^App\\\Module\\\(?<module>[^\\\]+)\\\.+\\\(?<entity>[^\\\]+)$#', $class, $matches)) {
+            return strtolower($matches['module']).'.'.$matches['entity'];
+        }
+
+        // Fallback : on retourne le FQCN complet si la regex ne matche pas
+        // (entite hors structure modulaire — ne devrait pas arriver).
+        return $class;
+    }
+
+    private function resolveEntityId(object $entity, ClassMetadata $metadata): ?string
+    {
+        $identifier = $metadata->getIdentifierValues($entity);
+        if ([] === $identifier) {
+            return null;
+        }
+
+        // Cle composee : on concatene les valeurs. Cas rare sur le projet.
+        return implode('-', array_map(static fn ($v) => (string) $v, $identifier));
+    }
+
+    /**
+     * Normalise une valeur pour encodage JSON stable.
+     */
+    private function normalizeValue(mixed $value): mixed
+    {
+        if ($value instanceof DateTimeInterface) {
+            return $value->format(DateTimeInterface::ATOM);
+        }
+
+        if (is_object($value)) {
+            // Relation to-one non parsee par buildSnapshot (cas update sur
+            // un champ qui devient un objet) : on tente getId() si possible.
+            if (method_exists($value, 'getId')) {
+                return $value->getId();
+            }
+
+            return (string) $value;
+        }
+
+        return $value;
+    }
+}
diff --git a/src/Repository/NotificationRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
similarity index 77%
rename from src/Repository/NotificationRepository.php
rename to src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
index 7dba9a8..22618d5 100644
--- a/src/Repository/NotificationRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\Notification;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\ORM\QueryBuilder;
 use Doctrine\Persistence\ManagerRegistry;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\User\UserInterface;
 /**
  * @extends ServiceEntityRepository<Notification>
  */
-class NotificationRepository extends ServiceEntityRepository
+class DoctrineNotificationRepository extends ServiceEntityRepository
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -30,7 +30,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function countUnreadByUser(User $user): int
+    public function countUnreadByUser(SharedUserInterface $user): int
     {
         return (int) $this->createQueryBuilder('n')
             ->select('COUNT(n.id)')
@@ -42,7 +42,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function markAllReadByUser(User $user): int
+    public function markAllReadByUser(SharedUserInterface $user): int
     {
         return $this->createQueryBuilder('n')
             ->update()
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
new file mode 100644
index 0000000..5ce888f
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Permission>
+ */
+final class DoctrinePermissionRepository extends ServiceEntityRepository implements PermissionRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Permission::class);
+    }
+
+    public function findById(int $id): ?Permission
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Permission
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Permission> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    /** @return list<string> */
+    public function findAllCodes(): array
+    {
+        /** @var list<array{code: string}> $rows */
+        $rows = $this->createQueryBuilder('p')->select('p.code')->getQuery()->getArrayResult();
+
+        return array_map(static fn (array $r): string => $r['code'], $rows);
+    }
+
+    public function save(Permission $permission): void
+    {
+        $this->getEntityManager()->persist($permission);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
new file mode 100644
index 0000000..2853629
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Role>
+ */
+final class DoctrineRoleRepository extends ServiceEntityRepository implements RoleRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Role::class);
+    }
+
+    public function findById(int $id): ?Role
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Role
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Role> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    public function save(Role $role): void
+    {
+        $this->getEntityManager()->persist($role);
+    }
+}
diff --git a/src/Repository/UserRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
similarity index 59%
rename from src/Repository/UserRepository.php
rename to src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
index df31a3f..d69e010 100644
--- a/src/Repository/UserRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
@@ -2,9 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -12,15 +14,39 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<User>
  */
-class UserRepository extends ServiceEntityRepository
+class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, User::class);
     }
 
+    public function findById(int $id): ?UserInterface
+    {
+        return $this->find($id);
+    }
+
     /**
-     * @return User[]
+     * @param int[] $ids
+     *
+     * @return list<UserInterface>
+     */
+    public function findByIds(array $ids): array
+    {
+        if ([] === $ids) {
+            return [];
+        }
+
+        return $this->createQueryBuilder('u')
+            ->where('u.id IN (:ids)')
+            ->setParameter('ids', $ids)
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
+    /**
+     * @return list<UserInterface>
      */
     public function findByRole(string $role): array
     {
@@ -43,7 +69,7 @@ class UserRepository extends ServiceEntityRepository
     /**
      * Employees active on the given date (hired on/before it, not yet left).
      *
-     * @return User[]
+     * @return list<UserInterface>
      */
     public function findActiveEmployees(DateTimeInterface $date): array
     {
@@ -59,4 +85,9 @@ class UserRepository extends ServiceEntityRepository
             ->getResult()
         ;
     }
+
+    public function findOneByUsername(string $username): ?UserInterface
+    {
+        return $this->findOneBy(['username' => $username]);
+    }
 }
diff --git a/src/Mcp/Tool/Reference/GetUserTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
similarity index 81%
rename from src/Mcp/Tool/Reference/GetUserTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
index 4ef1791..45de3d2 100644
--- a/src/Mcp/Tool/Reference/GetUserTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Reference/ListUsersTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
similarity index 83%
rename from src/Mcp/Tool/Reference/ListUsersTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
index e602047..d40b9f4 100644
--- a/src/Mcp/Tool/Reference/ListUsersTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListUsersTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Reference/UpdateUserTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
similarity index 90%
rename from src/Mcp/Tool/Reference/UpdateUserTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
index c7a3d94..c532a54 100644
--- a/src/Mcp/Tool/Reference/UpdateUserTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
-use App\Enum\ContractType;
-use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Domain\Enum\ContractType;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -20,7 +20,7 @@ use function sprintf;
 class UpdateUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
diff --git a/src/Module/Core/Infrastructure/Notifier.php b/src/Module/Core/Infrastructure/Notifier.php
new file mode 100644
index 0000000..83e4a31
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Notifier.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(
+        UserInterface $user,
+        string $type,
+        string $title,
+        string $message,
+    ): void {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $notification->setCreatedAt(new DateTimeImmutable());
+
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Security/PermissionVoter.php b/src/Module/Core/Infrastructure/Security/PermissionVoter.php
new file mode 100644
index 0000000..542e220
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Security/PermissionVoter.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<string, mixed>
+ */
+final class PermissionVoter extends Voter
+{
+    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return 1 === preg_match(self::PATTERN, $attribute);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+    {
+        $user = $token->getUser();
+        if (!$user instanceof User) {
+            return false;
+        }
+
+        // ROLE_ADMIN = bypass total (cf. Décision 1).
+        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            return true;
+        }
+
+        return in_array($attribute, $user->getEffectivePermissions(), true);
+    }
+}
diff --git a/src/Module/Directory/DirectoryModule.php b/src/Module/Directory/DirectoryModule.php
new file mode 100644
index 0000000..a3b9ecf
--- /dev/null
+++ b/src/Module/Directory/DirectoryModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class DirectoryModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'directory';
+    }
+
+    public static function label(): string
+    {
+        return 'Répertoire';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Directory.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'directory.clients.view', 'label' => 'Voir les clients'],
+            ['code' => 'directory.clients.manage', 'label' => 'Gérer les clients'],
+            ['code' => 'directory.prospects.view', 'label' => 'Voir les prospects'],
+            ['code' => 'directory.prospects.manage', 'label' => 'Gérer les prospects'],
+        ];
+    }
+}
diff --git a/src/Module/Directory/Domain/Entity/Address.php b/src/Module/Directory/Domain/Entity/Address.php
new file mode 100644
index 0000000..00c2e45
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Address.php
@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineAddressRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['address:read']],
+    denormalizationContext: ['groups' => ['address:write']],
+    order: ['id' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineAddressRepository::class)]
+#[ORM\Table(name: 'directory_address')]
+class Address implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['address:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $label = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $street = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $streetComplement = null;
+
+    #[ORM\Column(length: 20, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $postalCode = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $city = null;
+
+    #[ORM\Column(length: 2)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private string $country = 'FR';
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getLabel(): ?string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(?string $label): static
+    {
+        $this->label = $label;
+
+        return $this;
+    }
+
+    public function getStreet(): ?string
+    {
+        return $this->street;
+    }
+
+    public function setStreet(?string $street): static
+    {
+        $this->street = $street;
+
+        return $this;
+    }
+
+    public function getStreetComplement(): ?string
+    {
+        return $this->streetComplement;
+    }
+
+    public function setStreetComplement(?string $streetComplement): static
+    {
+        $this->streetComplement = $streetComplement;
+
+        return $this;
+    }
+
+    public function getPostalCode(): ?string
+    {
+        return $this->postalCode;
+    }
+
+    public function setPostalCode(?string $postalCode): static
+    {
+        $this->postalCode = $postalCode;
+
+        return $this;
+    }
+
+    public function getCity(): ?string
+    {
+        return $this->city;
+    }
+
+    public function setCity(?string $city): static
+    {
+        $this->city = $city;
+
+        return $this;
+    }
+
+    public function getCountry(): string
+    {
+        return $this->country;
+    }
+
+    public function setCountry(string $country): static
+    {
+        $this->country = $country;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
diff --git a/src/Entity/Client.php b/src/Module/Directory/Domain/Entity/Client.php
similarity index 64%
rename from src/Entity/Client.php
rename to src/Module/Directory/Domain/Entity/Client.php
index dd782b2..9d420be 100644
--- a/src/Entity/Client.php
+++ b/src/Module/Directory/Domain/Entity/Client.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Directory\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,12 +10,19 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
+#[Auditable]
 #[ApiResource(
     operations: [
         new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
@@ -28,9 +35,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['client:write']],
     order: ['name' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: ClientRepository::class)]
-class Client
+#[ORM\Entity(repositoryClass: DoctrineClientRepository::class)]
+class Client implements ClientInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -49,20 +58,8 @@ class Client
     #[Groups(['client:read', 'client:write'])]
     private ?string $phone = null;
 
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $street = null;
-
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $city = null;
-
-    #[ORM\Column(length: 20, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $postalCode = null;
-
-    /** @var Collection<int, Project> */
-    #[ORM\OneToMany(targetEntity: Project::class, mappedBy: 'client')]
+    /** @var Collection<int, ProjectInterface> */
+    #[ORM\OneToMany(targetEntity: ProjectInterface::class, mappedBy: 'client')]
     private Collection $projects;
 
     public function __construct()
@@ -111,43 +108,7 @@ class Client
         return $this;
     }
 
-    public function getStreet(): ?string
-    {
-        return $this->street;
-    }
-
-    public function setStreet(?string $street): static
-    {
-        $this->street = $street;
-
-        return $this;
-    }
-
-    public function getCity(): ?string
-    {
-        return $this->city;
-    }
-
-    public function setCity(?string $city): static
-    {
-        $this->city = $city;
-
-        return $this;
-    }
-
-    public function getPostalCode(): ?string
-    {
-        return $this->postalCode;
-    }
-
-    public function setPostalCode(?string $postalCode): static
-    {
-        $this->postalCode = $postalCode;
-
-        return $this;
-    }
-
-    /** @return Collection<int, Project> */
+    /** @return Collection<int, ProjectInterface> */
     public function getProjects(): Collection
     {
         return $this->projects;
diff --git a/src/Module/Directory/Domain/Entity/CommercialReport.php b/src/Module/Directory/Domain/Entity/CommercialReport.php
new file mode 100644
index 0000000..ce55791
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/CommercialReport.php
@@ -0,0 +1,187 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineCommercialReportRepository;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['commercial_report:read']],
+    denormalizationContext: ['groups' => ['commercial_report:write']],
+    order: ['occurredAt' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineCommercialReportRepository::class)]
+#[ORM\Table(name: 'commercial_report')]
+class CommercialReport implements TimestampableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $subject = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $body = null;
+
+    #[ORM\Column(type: Types::DATE_IMMUTABLE)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?DateTimeImmutable $occurredAt = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ReportType::class)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ReportType $type = ReportType::Note;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'author_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['commercial_report:read'])]
+    private ?UserInterface $author = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Prospect $prospect = null;
+
+    /** @var Collection<int, ReportDocument> */
+    #[ORM\OneToMany(targetEntity: ReportDocument::class, mappedBy: 'commercialReport', cascade: ['remove'])]
+    #[Groups(['commercial_report:read'])]
+    private Collection $documents;
+
+    public function __construct()
+    {
+        $this->documents = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getSubject(): ?string
+    {
+        return $this->subject;
+    }
+
+    public function setSubject(string $subject): static
+    {
+        $this->subject = $subject;
+
+        return $this;
+    }
+
+    public function getBody(): ?string
+    {
+        return $this->body;
+    }
+
+    public function setBody(?string $body): static
+    {
+        $this->body = $body;
+
+        return $this;
+    }
+
+    public function getOccurredAt(): ?DateTimeImmutable
+    {
+        return $this->occurredAt;
+    }
+
+    public function setOccurredAt(DateTimeImmutable $occurredAt): static
+    {
+        $this->occurredAt = $occurredAt;
+
+        return $this;
+    }
+
+    public function getType(): ReportType
+    {
+        return $this->type;
+    }
+
+    public function setType(ReportType $type): static
+    {
+        $this->type = $type;
+
+        return $this;
+    }
+
+    public function getAuthor(): ?UserInterface
+    {
+        return $this->author;
+    }
+
+    public function setAuthor(?UserInterface $author): static
+    {
+        $this->author = $author;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+
+    /** @return Collection<int, ReportDocument> */
+    public function getDocuments(): Collection
+    {
+        return $this->documents;
+    }
+}
diff --git a/src/Module/Directory/Domain/Entity/Contact.php b/src/Module/Directory/Domain/Entity/Contact.php
new file mode 100644
index 0000000..0f9e1d5
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Contact.php
@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineContactRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['contact:read']],
+    denormalizationContext: ['groups' => ['contact:write']],
+    order: ['lastName' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineContactRepository::class)]
+#[ORM\Table(name: 'directory_contact')]
+class Contact implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['contact:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $firstName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $lastName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $jobTitle = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phonePrimary = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phoneSecondary = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getFirstName(): ?string
+    {
+        return $this->firstName;
+    }
+
+    public function setFirstName(?string $firstName): static
+    {
+        $this->firstName = $firstName;
+
+        return $this;
+    }
+
+    public function getLastName(): ?string
+    {
+        return $this->lastName;
+    }
+
+    public function setLastName(?string $lastName): static
+    {
+        $this->lastName = $lastName;
+
+        return $this;
+    }
+
+    public function getJobTitle(): ?string
+    {
+        return $this->jobTitle;
+    }
+
+    public function setJobTitle(?string $jobTitle): static
+    {
+        $this->jobTitle = $jobTitle;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhonePrimary(): ?string
+    {
+        return $this->phonePrimary;
+    }
+
+    public function setPhonePrimary(?string $phonePrimary): static
+    {
+        $this->phonePrimary = $phonePrimary;
+
+        return $this;
+    }
+
+    public function getPhoneSecondary(): ?string
+    {
+        return $this->phoneSecondary;
+    }
+
+    public function setPhoneSecondary(?string $phoneSecondary): static
+    {
+        $this->phoneSecondary = $phoneSecondary;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Entity/Prospect.php b/src/Module/Directory/Domain/Entity/Prospect.php
new file mode 100644
index 0000000..cd0f213
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Prospect.php
@@ -0,0 +1,191 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Post(
+            uriTemplate: '/prospects/{id}/convert',
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ConvertProspectProcessor::class,
+        ),
+    ],
+    normalizationContext: ['groups' => ['prospect:read']],
+    denormalizationContext: ['groups' => ['prospect:write']],
+    order: ['name' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['status' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineProspectRepository::class)]
+#[ORM\Table(name: 'prospect')]
+class Prospect implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['prospect:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $name = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $company = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $phone = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ProspectStatus::class)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ProspectStatus $status = ProspectStatus::New;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $source = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $notes = null;
+
+    #[ORM\ManyToOne(targetEntity: ClientInterface::class)]
+    #[ORM\JoinColumn(name: 'converted_client_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['prospect:read'])]
+    private ?ClientInterface $convertedClient = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getName(): ?string
+    {
+        return $this->name;
+    }
+
+    public function setName(string $name): static
+    {
+        $this->name = $name;
+
+        return $this;
+    }
+
+    public function getCompany(): ?string
+    {
+        return $this->company;
+    }
+
+    public function setCompany(?string $company): static
+    {
+        $this->company = $company;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhone(): ?string
+    {
+        return $this->phone;
+    }
+
+    public function setPhone(?string $phone): static
+    {
+        $this->phone = $phone;
+
+        return $this;
+    }
+
+    public function getStatus(): ProspectStatus
+    {
+        return $this->status;
+    }
+
+    public function setStatus(ProspectStatus $status): static
+    {
+        $this->status = $status;
+
+        return $this;
+    }
+
+    public function getSource(): ?string
+    {
+        return $this->source;
+    }
+
+    public function setSource(?string $source): static
+    {
+        $this->source = $source;
+
+        return $this;
+    }
+
+    public function getNotes(): ?string
+    {
+        return $this->notes;
+    }
+
+    public function setNotes(?string $notes): static
+    {
+        $this->notes = $notes;
+
+        return $this;
+    }
+
+    public function getConvertedClient(): ?ClientInterface
+    {
+        return $this->convertedClient;
+    }
+
+    public function setConvertedClient(?ClientInterface $convertedClient): static
+    {
+        $this->convertedClient = $convertedClient;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Entity/ReportDocument.php b/src/Module/Directory/Domain/Entity/ReportDocument.php
new file mode 100644
index 0000000..4c4a8b5
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/ReportDocument.php
@@ -0,0 +1,166 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor;
+use App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ReportDocumentProcessor::class,
+            deserialize: false,
+        ),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['report_document:read']],
+    denormalizationContext: ['groups' => ['report_document:write']],
+    order: ['id' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['commercialReport' => 'exact'])]
+#[ORM\Entity]
+#[ORM\Table(name: 'report_document')]
+#[ORM\EntityListeners([ReportDocumentListener::class])]
+class ReportDocument
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\ManyToOne(targetEntity: CommercialReport::class, inversedBy: 'documents')]
+    #[ORM\JoinColumn(name: 'commercial_report_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    #[Groups(['report_document:read', 'report_document:write'])]
+    private ?CommercialReport $commercialReport = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $originalName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $fileName = null;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $mimeType = null;
+
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $size = null;
+
+    #[ORM\Column(type: 'datetime_immutable')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'uploaded_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?UserInterface $uploadedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCommercialReport(): ?CommercialReport
+    {
+        return $this->commercialReport;
+    }
+
+    public function setCommercialReport(?CommercialReport $commercialReport): static
+    {
+        $this->commercialReport = $commercialReport;
+
+        return $this;
+    }
+
+    public function getOriginalName(): ?string
+    {
+        return $this->originalName;
+    }
+
+    public function setOriginalName(string $originalName): static
+    {
+        $this->originalName = $originalName;
+
+        return $this;
+    }
+
+    public function getFileName(): ?string
+    {
+        return $this->fileName;
+    }
+
+    public function setFileName(?string $fileName): static
+    {
+        $this->fileName = $fileName;
+
+        return $this;
+    }
+
+    public function getMimeType(): ?string
+    {
+        return $this->mimeType;
+    }
+
+    public function setMimeType(string $mimeType): static
+    {
+        $this->mimeType = $mimeType;
+
+        return $this;
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function setSize(int $size): static
+    {
+        $this->size = $size;
+
+        return $this;
+    }
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): static
+    {
+        $this->createdAt = $createdAt;
+
+        return $this;
+    }
+
+    public function getUploadedBy(): ?UserInterface
+    {
+        return $this->uploadedBy;
+    }
+
+    public function setUploadedBy(?UserInterface $uploadedBy): static
+    {
+        $this->uploadedBy = $uploadedBy;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Enum/ProspectStatus.php b/src/Module/Directory/Domain/Enum/ProspectStatus.php
new file mode 100644
index 0000000..b23c169
--- /dev/null
+++ b/src/Module/Directory/Domain/Enum/ProspectStatus.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ProspectStatus: string
+{
+    case New       = 'new';
+    case Contacted = 'contacted';
+    case Qualified = 'qualified';
+    case Won       = 'won';
+    case Lost      = 'lost';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::New       => 'Nouveau',
+            self::Contacted => 'Contacté',
+            self::Qualified => 'Qualifié',
+            self::Won       => 'Gagné',
+            self::Lost      => 'Perdu',
+        };
+    }
+}
diff --git a/src/Module/Directory/Domain/Enum/ReportType.php b/src/Module/Directory/Domain/Enum/ReportType.php
new file mode 100644
index 0000000..f762ae1
--- /dev/null
+++ b/src/Module/Directory/Domain/Enum/ReportType.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ReportType: string
+{
+    case Call    = 'call';
+    case Meeting = 'meeting';
+    case Email   = 'email';
+    case Note    = 'note';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::Call    => 'Appel',
+            self::Meeting => 'Rendez-vous',
+            self::Email   => 'Email',
+            self::Note    => 'Note',
+        };
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php b/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
new file mode 100644
index 0000000..44b05f0
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Address;
+
+interface AddressRepositoryInterface
+{
+    public function findById(int $id): ?Address;
+}
diff --git a/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
new file mode 100644
index 0000000..4562b76
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Client;
+
+interface ClientRepositoryInterface
+{
+    public function findById(int $id): ?Client;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Client[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php b/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
new file mode 100644
index 0000000..94fa3d0
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+
+interface CommercialReportRepositoryInterface
+{
+    public function findById(int $id): ?CommercialReport;
+}
diff --git a/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
new file mode 100644
index 0000000..0f28c4d
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Contact;
+
+interface ContactRepositoryInterface
+{
+    public function findById(int $id): ?Contact;
+}
diff --git a/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
new file mode 100644
index 0000000..c4fba0c
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Prospect;
+
+interface ProspectRepositoryInterface
+{
+    public function findById(int $id): ?Prospect;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Prospect[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
new file mode 100644
index 0000000..841936f
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+
+interface ReportDocumentRepositoryInterface
+{
+    public function findById(int $id): ?ReportDocument;
+}
diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
new file mode 100644
index 0000000..94e5067
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
@@ -0,0 +1,90 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Converts a Prospect into a Client and reassigns its contacts, addresses and
+ * commercial reports to the new client (preserving the commercial history).
+ *
+ * Idempotent: if already converted, returns it unchanged.
+ *
+ * @implements ProcessorInterface<Prospect, Prospect>
+ */
+final readonly class ConvertProspectProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private ProspectRepositoryInterface $prospectRepository,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): Prospect
+    {
+        $id       = $uriVariables['id'] ?? null;
+        $prospect = is_numeric($id) ? $this->prospectRepository->findById((int) $id) : null;
+
+        if (!$prospect instanceof Prospect) {
+            throw new NotFoundHttpException('Prospect not found.');
+        }
+
+        // Idempotent: already converted, return as-is.
+        if (null !== $prospect->getConvertedClient()) {
+            return $prospect;
+        }
+
+        $client = new Client();
+        $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+        $client->setEmail($prospect->getEmail());
+        $client->setPhone($prospect->getPhone());
+
+        $this->entityManager->persist($client);
+
+        $this->reassignContacts($prospect, $client);
+        $this->reassignAddresses($prospect, $client);
+        $this->reassignReports($prospect, $client);
+
+        $prospect->setConvertedClient($client);
+        $prospect->setStatus(ProspectStatus::Won);
+
+        $this->entityManager->flush();
+
+        return $prospect;
+    }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
new file mode 100644
index 0000000..fdbee11
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
@@ -0,0 +1,165 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\Uid\Uuid;
+use Throwable;
+
+use function in_array;
+
+/**
+ * @implements ProcessorInterface<ReportDocument, ReportDocument>
+ */
+final readonly class ReportDocumentProcessor implements ProcessorInterface
+{
+    private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
+
+    private const ALLOWED_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'text/plain', 'text/csv',
+        'application/zip', 'application/x-rar-compressed', 'application/gzip',
+        'application/json', 'application/xml', 'text/xml',
+    ];
+
+    private const MIME_TO_EXTENSION = [
+        'image/jpeg'                                                                => 'jpg',
+        'image/png'                                                                 => 'png',
+        'image/gif'                                                                 => 'gif',
+        'image/webp'                                                                => 'webp',
+        'application/pdf'                                                           => 'pdf',
+        'application/msword'                                                        => 'doc',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
+        'application/vnd.ms-excel'                                                  => 'xls',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'         => 'xlsx',
+        'application/vnd.ms-powerpoint'                                             => 'ppt',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation' => 'pptx',
+        'text/plain'                                                                => 'txt',
+        'text/csv'                                                                  => 'csv',
+        'application/zip'                                                           => 'zip',
+        'application/x-rar-compressed'                                              => 'rar',
+        'application/gzip'                                                          => 'gz',
+        'application/json'                                                          => 'json',
+        'application/xml'                                                           => 'xml',
+        'text/xml'                                                                  => 'xml',
+    ];
+
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+        private RequestStack $requestStack,
+        private string $uploadDir,
+    ) {}
+
+    /**
+     * @param ReportDocument $data
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ReportDocument
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating report documents requires admin privileges.');
+        }
+
+        $request = $this->requestStack->getCurrentRequest();
+
+        if (null === $request) {
+            throw new BadRequestHttpException('No request available.');
+        }
+
+        $document = $this->createUpload($request);
+        $document->setCreatedAt(new DateTimeImmutable());
+        $document->setUploadedBy($this->security->getUser());
+
+        try {
+            $this->entityManager->persist($document);
+            $this->entityManager->flush();
+        } catch (Throwable $e) {
+            $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+            if (file_exists($filePath)) {
+                @unlink($filePath);
+            }
+
+            throw $e;
+        }
+
+        return $document;
+    }
+
+    private function createUpload(Request $request): ReportDocument
+    {
+        $file = $request->files->get('file');
+
+        if (null === $file || !$file->isValid()) {
+            throw new BadRequestHttpException('No valid file uploaded.');
+        }
+
+        if ($file->getSize() > self::MAX_FILE_SIZE) {
+            throw new BadRequestHttpException('File size exceeds 50 MB limit.');
+        }
+
+        $report = $this->resolveReport((string) $request->request->get('commercialReport', ''));
+
+        $originalName = $file->getClientOriginalName();
+        $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
+        $fileSize     = $file->getSize();
+
+        if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+            throw new BadRequestHttpException(sprintf('File type "%s" is not allowed.', $mimeType));
+        }
+
+        $extension = self::MIME_TO_EXTENSION[$mimeType] ?? 'bin';
+        $fileName  = Uuid::v4()->toRfc4122().'.'.$extension;
+
+        if (!is_dir($this->uploadDir)) {
+            mkdir($this->uploadDir, 0o775, true);
+        }
+
+        $file->move($this->uploadDir, $fileName);
+
+        $document = new ReportDocument();
+        $document->setCommercialReport($report);
+        $document->setOriginalName($originalName);
+        $document->setFileName($fileName);
+        $document->setMimeType($mimeType);
+        $document->setSize($fileSize);
+
+        return $document;
+    }
+
+    private function resolveReport(string $iri): CommercialReport
+    {
+        $idString = basename($iri);
+
+        if ('' === $iri || !ctype_digit($idString)) {
+            throw new BadRequestHttpException('A valid commercialReport IRI is required.');
+        }
+
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) $idString);
+
+        if (null === $report) {
+            throw new BadRequestHttpException('Commercial report not found.');
+        }
+
+        return $report;
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php b/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
new file mode 100644
index 0000000..f31e792
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Controller;
+
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+final class ReportDocumentDownloadController
+{
+    private const INLINE_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+    ];
+
+    public function __construct(
+        private readonly ReportDocumentRepositoryInterface $repository,
+        private readonly string $uploadDir,
+    ) {}
+
+    #[Route('/api/report_documents/{id}/download', name: 'report_document_download', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(int $id): Response
+    {
+        $document = $this->repository->findById($id);
+
+        if (null === $document || null === $document->getFileName()) {
+            throw new NotFoundHttpException('Document not found.');
+        }
+
+        $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+        if (!is_file($filePath)) {
+            throw new NotFoundHttpException('File missing on disk.');
+        }
+
+        $response = new BinaryFileResponse($filePath);
+        $mimeType = (string) $document->getMimeType();
+
+        $disposition = in_array($mimeType, self::INLINE_MIME_TYPES, true)
+            ? ResponseHeaderBag::DISPOSITION_INLINE
+            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+
+        $response->setContentDisposition($disposition, (string) $document->getOriginalName());
+        $response->headers->set('Content-Type', $mimeType);
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
new file mode 100644
index 0000000..f32d731
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Repository\AddressRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Address>
+ */
+final class DoctrineAddressRepository extends ServiceEntityRepository implements AddressRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Address::class);
+    }
+
+    public function findById(int $id): ?Address
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
new file mode 100644
index 0000000..a5cdf9d
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Client>
+ */
+final class DoctrineClientRepository extends ServiceEntityRepository implements ClientRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Client::class);
+    }
+
+    public function findById(int $id): ?Client
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
new file mode 100644
index 0000000..17e855a
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Repository\CommercialReportRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<CommercialReport>
+ */
+final class DoctrineCommercialReportRepository extends ServiceEntityRepository implements CommercialReportRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, CommercialReport::class);
+    }
+
+    public function findById(int $id): ?CommercialReport
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
new file mode 100644
index 0000000..bca52e9
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Repository\ContactRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Contact>
+ */
+final class DoctrineContactRepository extends ServiceEntityRepository implements ContactRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Contact::class);
+    }
+
+    public function findById(int $id): ?Contact
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
new file mode 100644
index 0000000..7bcf2da
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Prospect>
+ */
+final class DoctrineProspectRepository extends ServiceEntityRepository implements ProspectRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Prospect::class);
+    }
+
+    public function findById(int $id): ?Prospect
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
new file mode 100644
index 0000000..20cd0c5
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<ReportDocument>
+ */
+final class DoctrineReportDocumentRepository extends ServiceEntityRepository implements ReportDocumentRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ReportDocument::class);
+    }
+
+    public function findById(int $id): ?ReportDocument
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php b/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php
new file mode 100644
index 0000000..5cf23cc
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class CommercialReportAuthorListener
+{
+    public function __construct(private Security $security) {}
+
+    public function prePersist(CommercialReport $report, PrePersistEventArgs $args): void
+    {
+        if (null !== $report->getAuthor()) {
+            return;
+        }
+
+        $user = $this->security->getUser();
+
+        if ($user instanceof UserInterface) {
+            $report->setAuthor($user);
+        }
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php b/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php
new file mode 100644
index 0000000..583db11
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use Doctrine\ORM\Event\PreRemoveEventArgs;
+use Psr\Log\LoggerInterface;
+
+final readonly class ReportDocumentListener
+{
+    public function __construct(
+        private string $uploadDir,
+        private LoggerInterface $logger,
+    ) {}
+
+    public function preRemove(ReportDocument $document, PreRemoveEventArgs $args): void
+    {
+        $fileName = $document->getFileName();
+
+        if (null === $fileName) {
+            return;
+        }
+
+        $path = $this->uploadDir.'/'.$fileName;
+
+        if (is_file($path) && !@unlink($path)) {
+            $this->logger->warning('Failed to delete report document file', ['path' => $path]);
+        }
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
new file mode 100644
index 0000000..a049837
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'convert-prospect', description: 'Convert a prospect into a client (admin). Idempotent: returns the prospect unchanged if already converted.')]
+class ConvertProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        if (null === $prospect->getConvertedClient()) {
+            $client = new Client();
+            $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+            $client->setEmail($prospect->getEmail());
+            $client->setPhone($prospect->getPhone());
+
+            $this->entityManager->persist($client);
+
+            $this->reassignContacts($prospect, $client);
+            $this->reassignAddresses($prospect, $client);
+            $this->reassignReports($prospect, $client);
+
+            $prospect->setConvertedClient($client);
+            $prospect->setStatus(ProspectStatus::Won);
+
+            $this->entityManager->flush();
+        }
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
+}
diff --git a/src/Mcp/Tool/Reference/CreateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
similarity index 78%
rename from src/Mcp/Tool/Reference/CreateClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
index 3218610..cef763d 100644
--- a/src/Mcp/Tool/Reference/CreateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Entity\Client;
-use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -23,9 +23,6 @@ class CreateClientTool
         string $name,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
     ): string {
         if (!$this->security->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
@@ -35,9 +32,6 @@ class CreateClientTool
         $client->setName($name);
         $client->setEmail($email);
         $client->setPhone($phone);
-        $client->setStreet($street);
-        $client->setCity($city);
-        $client->setPostalCode($postalCode);
 
         $this->entityManager->persist($client);
         $this->entityManager->flush();
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
new file mode 100644
index 0000000..7230599
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Shared\Infrastructure\Mcp\Serializer;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'create-prospect', description: 'Create a prospect (admin). Only name is required. Status defaults to "new".')]
+class CreateProspectTool
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(
+        string $name,
+        ?string $company = null,
+        ?string $email = null,
+        ?string $phone = null,
+        ?string $status = null,
+        ?string $source = null,
+        ?string $notes = null,
+    ): string {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = new Prospect();
+        $prospect->setName($name);
+        $prospect->setCompany($company);
+        $prospect->setEmail($email);
+        $prospect->setPhone($phone);
+        $prospect->setSource($source);
+        $prospect->setNotes($notes);
+
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $prospect->setStatus($statusEnum);
+        }
+
+        $this->entityManager->persist($prospect);
+        $this->entityManager->flush();
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Mcp/Tool/Reference/DeleteClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
similarity index 81%
rename from src/Mcp/Tool/Reference/DeleteClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
index b3af640..168af47 100644
--- a/src/Mcp/Tool/Reference/DeleteClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteClientTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
new file mode 100644
index 0000000..ab20019
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'delete-prospect', description: 'Delete a prospect (admin).')]
+class DeleteProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        $name = $prospect->getName();
+        $this->entityManager->remove($prospect);
+        $this->entityManager->flush();
+
+        return json_encode(['success' => true, 'message' => sprintf('Prospect "%s" deleted.', $name)]);
+    }
+}
diff --git a/src/Mcp/Tool/Reference/GetClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
similarity index 73%
rename from src/Mcp/Tool/Reference/GetClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
index 163070f..676c1b0 100644
--- a/src/Mcp/Tool/Reference/GetClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetClientTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
new file mode 100644
index 0000000..06db797
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'get-prospect', description: 'Get a prospect by ID with full details.')]
+class GetProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Mcp/Tool/Reference/ListClientsTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
similarity index 82%
rename from src/Mcp/Tool/Reference/ListClientsTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
index 29ef197..9eb8218 100644
--- a/src/Mcp/Tool/Reference/ListClientsTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListClientsTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
new file mode 100644
index 0000000..d7473de
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'list-prospects', description: 'List prospects, optionally filtered by status (new, contacted, qualified, won, lost).')]
+class ListProspectsTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(?string $status = null): string
+    {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $criteria = [];
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $criteria['status'] = $statusEnum;
+        }
+
+        $prospects = $this->prospectRepository->findBy($criteria, ['name' => 'ASC']);
+
+        return json_encode(array_map(static fn ($prospect) => Serializer::prospect($prospect), $prospects));
+    }
+}
diff --git a/src/Mcp/Tool/Reference/UpdateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
similarity index 70%
rename from src/Mcp/Tool/Reference/UpdateClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
index fc03cb8..f780006 100644
--- a/src/Mcp/Tool/Reference/UpdateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,15 +28,12 @@ class UpdateClientTool
         ?string $name = null,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
     ): string {
         if (!$this->security->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
@@ -50,15 +47,6 @@ class UpdateClientTool
         if (null !== $phone) {
             $client->setPhone($phone);
         }
-        if (null !== $street) {
-            $client->setStreet($street);
-        }
-        if (null !== $city) {
-            $client->setCity($city);
-        }
-        if (null !== $postalCode) {
-            $client->setPostalCode($postalCode);
-        }
 
         $this->entityManager->flush();
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
new file mode 100644
index 0000000..d4dfb72
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'update-prospect', description: 'Update a prospect (admin). Only provided fields change.')]
+class UpdateProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(
+        int $id,
+        ?string $name = null,
+        ?string $company = null,
+        ?string $email = null,
+        ?string $phone = null,
+        ?string $status = null,
+        ?string $source = null,
+        ?string $notes = null,
+    ): string {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        if (null !== $name) {
+            $prospect->setName($name);
+        }
+        if (null !== $company) {
+            $prospect->setCompany($company);
+        }
+        if (null !== $email) {
+            $prospect->setEmail($email);
+        }
+        if (null !== $phone) {
+            $prospect->setPhone($phone);
+        }
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $prospect->setStatus($statusEnum);
+        }
+        if (null !== $source) {
+            $prospect->setSource($source);
+        }
+        if (null !== $notes) {
+            $prospect->setNotes($notes);
+        }
+
+        $this->entityManager->flush();
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Entity/BookStackConfiguration.php b/src/Module/Integration/Domain/Entity/BookStackConfiguration.php
similarity index 72%
rename from src/Entity/BookStackConfiguration.php
rename to src/Module/Integration/Domain/Entity/BookStackConfiguration.php
index 5bc546e..66ed20f 100644
--- a/src/Entity/BookStackConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/BookStackConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineBookStackConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: BookStackConfigurationRepository::class)]
-class BookStackConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineBookStackConfigurationRepository::class)]
+class BookStackConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/GiteaConfiguration.php b/src/Module/Integration/Domain/Entity/GiteaConfiguration.php
similarity index 65%
rename from src/Entity/GiteaConfiguration.php
rename to src/Module/Integration/Domain/Entity/GiteaConfiguration.php
index 45345ad..00e1f00 100644
--- a/src/Entity/GiteaConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/GiteaConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineGiteaConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: GiteaConfigurationRepository::class)]
-class GiteaConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineGiteaConfigurationRepository::class)]
+class GiteaConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/ShareConfiguration.php b/src/Module/Integration/Domain/Entity/ShareConfiguration.php
similarity index 83%
rename from src/Entity/ShareConfiguration.php
rename to src/Module/Integration/Domain/Entity/ShareConfiguration.php
index 3ff8ea5..f32bc26 100644
--- a/src/Entity/ShareConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/ShareConfiguration.php
@@ -2,14 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineShareConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: ShareConfigurationRepository::class)]
-class ShareConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineShareConfigurationRepository::class)]
+class ShareConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/TaskBookStackLink.php b/src/Module/Integration/Domain/Entity/TaskBookStackLink.php
similarity index 81%
rename from src/Entity/TaskBookStackLink.php
rename to src/Module/Integration/Domain/Entity/TaskBookStackLink.php
index 34b3f01..56fffa5 100644
--- a/src/Entity/TaskBookStackLink.php
+++ b/src/Module/Integration/Domain/Entity/TaskBookStackLink.php
@@ -2,14 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineTaskBookStackLinkRepository;
+use App\Shared\Domain\Contract\TaskInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: TaskBookStackLinkRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskBookStackLinkRepository::class)]
 #[ORM\UniqueConstraint(name: 'UNIQ_task_bookstack_link', columns: ['task_id', 'bookstack_id', 'bookstack_type'])]
 class TaskBookStackLink
 {
@@ -18,9 +19,9 @@ class TaskBookStackLink
     #[ORM\Column]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
-    private Task $task;
+    private TaskInterface $task;
 
     #[ORM\Column]
     private int $bookstackId;
@@ -48,12 +49,12 @@ class TaskBookStackLink
         return $this->id;
     }
 
-    public function getTask(): Task
+    public function getTask(): TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(Task $task): static
+    public function setTask(TaskInterface $task): static
     {
         $this->task = $task;
 
diff --git a/src/Entity/ZimbraConfiguration.php b/src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
similarity index 78%
rename from src/Entity/ZimbraConfiguration.php
rename to src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
index d867920..c5c4925 100644
--- a/src/Entity/ZimbraConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineZimbraConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: ZimbraConfigurationRepository::class)]
-class ZimbraConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineZimbraConfigurationRepository::class)]
+class ZimbraConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Exception/BookStackApiException.php b/src/Module/Integration/Domain/Exception/BookStackApiException.php
similarity index 70%
rename from src/Exception/BookStackApiException.php
rename to src/Module/Integration/Domain/Exception/BookStackApiException.php
index 5b9691a..d288730 100644
--- a/src/Exception/BookStackApiException.php
+++ b/src/Module/Integration/Domain/Exception/BookStackApiException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Exception/GiteaApiException.php b/src/Module/Integration/Domain/Exception/GiteaApiException.php
similarity index 69%
rename from src/Exception/GiteaApiException.php
rename to src/Module/Integration/Domain/Exception/GiteaApiException.php
index d5174f0..39e4c05 100644
--- a/src/Exception/GiteaApiException.php
+++ b/src/Module/Integration/Domain/Exception/GiteaApiException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/InvalidPathException.php b/src/Module/Integration/Domain/Exception/InvalidPathException.php
similarity index 69%
rename from src/Service/Share/Exception/InvalidPathException.php
rename to src/Module/Integration/Domain/Exception/InvalidPathException.php
index 49d1280..23e20fe 100644
--- a/src/Service/Share/Exception/InvalidPathException.php
+++ b/src/Module/Integration/Domain/Exception/InvalidPathException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/ShareConnectionException.php b/src/Module/Integration/Domain/Exception/ShareConnectionException.php
similarity index 70%
rename from src/Service/Share/Exception/ShareConnectionException.php
rename to src/Module/Integration/Domain/Exception/ShareConnectionException.php
index c3bb11d..d5c9a3f 100644
--- a/src/Service/Share/Exception/ShareConnectionException.php
+++ b/src/Module/Integration/Domain/Exception/ShareConnectionException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/ShareNotConfiguredException.php b/src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
similarity index 71%
rename from src/Service/Share/Exception/ShareNotConfiguredException.php
rename to src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
index b9a1406..67a1ff7 100644
--- a/src/Service/Share/Exception/ShareNotConfiguredException.php
+++ b/src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..30ba42f
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+
+interface BookStackConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?BookStackConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..d0ddbe0
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+
+interface GiteaConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?GiteaConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..c316d9d
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+
+interface ShareConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?ShareConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php b/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
new file mode 100644
index 0000000..4184617
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+
+interface TaskBookStackLinkRepositoryInterface
+{
+    public function findById(int $id): ?TaskBookStackLink;
+
+    /**
+     * @return TaskBookStackLink[]
+     */
+    public function findByTaskId(int $taskId): array;
+}
diff --git a/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..d967133
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+
+interface ZimbraConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?ZimbraConfiguration;
+}
diff --git a/src/Service/Share/FileEntry.php b/src/Module/Integration/Domain/Service/FileEntry.php
similarity index 85%
rename from src/Service/Share/FileEntry.php
rename to src/Module/Integration/Domain/Service/FileEntry.php
index 8fba713..ff04797 100644
--- a/src/Service/Share/FileEntry.php
+++ b/src/Module/Integration/Domain/Service/FileEntry.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 final readonly class FileEntry
 {
diff --git a/src/Service/Share/FileSource.php b/src/Module/Integration/Domain/Service/FileSource.php
similarity index 92%
rename from src/Service/Share/FileSource.php
rename to src/Module/Integration/Domain/Service/FileSource.php
index 4143f6a..f1e7022 100644
--- a/src/Service/Share/FileSource.php
+++ b/src/Module/Integration/Domain/Service/FileSource.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 interface FileSource
 {
diff --git a/src/Service/Share/SharePathResolver.php b/src/Module/Integration/Domain/Service/SharePathResolver.php
similarity index 90%
rename from src/Service/Share/SharePathResolver.php
rename to src/Module/Integration/Domain/Service/SharePathResolver.php
index 830d1a5..c569651 100644
--- a/src/Service/Share/SharePathResolver.php
+++ b/src/Module/Integration/Domain/Service/SharePathResolver.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
-use App\Service\Share\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
 
 final class SharePathResolver
 {
diff --git a/src/Service/Share/ShareTestResult.php b/src/Module/Integration/Domain/Service/ShareTestResult.php
similarity index 79%
rename from src/Service/Share/ShareTestResult.php
rename to src/Module/Integration/Domain/Service/ShareTestResult.php
index 9e63ef9..1f96133 100644
--- a/src/Service/Share/ShareTestResult.php
+++ b/src/Module/Integration/Domain/Service/ShareTestResult.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 final readonly class ShareTestResult
 {
diff --git a/src/ApiResource/BookStackLink.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
similarity index 80%
rename from src/ApiResource/BookStackLink.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
index f324d6e..6dac12a 100644
--- a/src/ApiResource/BookStackLink.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Post;
-use App\Entity\Task;
-use App\Entity\TaskBookStackLink;
-use App\State\BookStackLinkProcessor;
-use App\State\BookStackLinkProvider;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackLinkProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackLinkProvider;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
@@ -24,7 +24,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             normalizationContext: ['groups' => ['bookstack_link:read']],
             provider: BookStackLinkProvider::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
         new Post(
             uriTemplate: '/tasks/{taskId}/bookstack/links',
@@ -35,7 +35,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['bookstack_link:read']],
             provider: BookStackLinkProvider::class,
             processor: BookStackLinkProcessor::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
         new Delete(
             uriTemplate: '/tasks/{taskId}/bookstack/links/{id}',
@@ -45,7 +45,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             provider: BookStackLinkProvider::class,
             processor: BookStackLinkProcessor::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]
diff --git a/src/ApiResource/BookStackSearchResult.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
similarity index 77%
rename from src/ApiResource/BookStackSearchResult.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
index 83ca6f9..e4c99ca 100644
--- a/src/ApiResource/BookStackSearchResult.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
-use App\Entity\Task;
-use App\State\BookStackSearchResultProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSearchResultProvider;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
@@ -20,7 +20,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             normalizationContext: ['groups' => ['bookstack_search:read']],
             provider: BookStackSearchResultProvider::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]
diff --git a/src/ApiResource/BookStackSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
similarity index 83%
rename from src/ApiResource/BookStackSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
index 1ea3f20..a2bb3bc 100644
--- a/src/ApiResource/BookStackSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\BookStackSettingsProcessor;
-use App\State\BookStackSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackShelf.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
similarity index 80%
rename from src/ApiResource/BookStackShelf.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
index 6c434a9..b7a2c0c 100644
--- a/src/ApiResource/BookStackShelf.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\BookStackShelfProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackShelfProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
similarity index 80%
rename from src/ApiResource/BookStackTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
index cbe472a..b2b68d8 100644
--- a/src/ApiResource/BookStackTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\BookStackTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaBranch.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
similarity index 84%
rename from src/ApiResource/GiteaBranch.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
index 03de7df..1095b3b 100644
--- a/src/ApiResource/GiteaBranch.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
-use App\State\GiteaBranchProcessor;
-use App\State\GiteaBranchProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaBranchName.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
similarity index 78%
rename from src/ApiResource/GiteaBranchName.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
index 1310b69..1e4cb77 100644
--- a/src/ApiResource/GiteaBranchName.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use App\State\GiteaBranchNameProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchNameProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaPullRequest.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
similarity index 87%
rename from src/ApiResource/GiteaPullRequest.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
index 9992883..4d0b503 100644
--- a/src/ApiResource/GiteaPullRequest.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\GiteaPullRequestProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaPullRequestProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaRepository.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
similarity index 81%
rename from src/ApiResource/GiteaRepository.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
index 8022b74..2ea8636 100644
--- a/src/ApiResource/GiteaRepository.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\GiteaRepositoryProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaRepositoryProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
similarity index 82%
rename from src/ApiResource/GiteaSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
index 7e1ae89..5b4cd20 100644
--- a/src/ApiResource/GiteaSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\GiteaSettingsProcessor;
-use App\State\GiteaSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
similarity index 80%
rename from src/ApiResource/GiteaTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
index b7eea04..eb6ca44 100644
--- a/src/ApiResource/GiteaTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\GiteaTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ShareSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
similarity index 87%
rename from src/ApiResource/ShareSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
index 160511e..46ed120 100644
--- a/src/ApiResource/ShareSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\ShareSettingsProcessor;
-use App\State\ShareSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ShareTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
similarity index 81%
rename from src/ApiResource/ShareTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
index 74f947e..d2df88c 100644
--- a/src/ApiResource/ShareTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\ShareTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ZimbraSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
similarity index 85%
rename from src/ApiResource/ZimbraSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
index 5790a06..141770d 100644
--- a/src/ApiResource/ZimbraSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\ZimbraSettingsProcessor;
-use App\State\ZimbraSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ZimbraTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
similarity index 80%
rename from src/ApiResource/ZimbraTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
index 42e9012..d6d4b7e 100644
--- a/src/ApiResource/ZimbraTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\ZimbraTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/State/BookStackLinkProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
similarity index 76%
rename from src/State/BookStackLinkProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
index 81809e0..60337f2 100644
--- a/src/State/BookStackLinkProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\BookStackLink;
-use App\Entity\Task;
-use App\Entity\TaskBookStackLink;
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackLink;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -18,7 +18,8 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private TaskBookStackLinkRepository $linkRepository,
+        private TaskBookStackLinkRepositoryInterface $linkRepository,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?BookStackLink
@@ -35,7 +36,7 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
         assert($data instanceof BookStackLink);
 
         $taskId = $uriVariables['taskId'] ?? 0;
-        $task   = $this->em->getRepository(Task::class)->find($taskId);
+        $task   = $this->taskRepository->findById((int) $taskId);
 
         if (null === $task) {
             throw new NotFoundHttpException('Task not found.');
@@ -65,7 +66,7 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
     private function handleDelete(array $uriVariables): null
     {
         $linkId = $uriVariables['id'] ?? 0;
-        $link   = $this->linkRepository->find($linkId);
+        $link   = $this->linkRepository->findById((int) $linkId);
 
         if (null === $link) {
             throw new NotFoundHttpException('Link not found.');
diff --git a/src/State/BookStackLinkProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
similarity index 81%
rename from src/State/BookStackLinkProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
index e7a0cdf..33492b0 100644
--- a/src/State/BookStackLinkProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackLink;
-use App\Entity\TaskBookStackLink;
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackLink;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 final readonly class BookStackLinkProvider implements ProviderInterface
 {
     public function __construct(
-        private TaskBookStackLinkRepository $linkRepository,
+        private TaskBookStackLinkRepositoryInterface $linkRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|BookStackLink
diff --git a/src/State/BookStackSearchResultProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
similarity index 76%
rename from src/State/BookStackSearchResultProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
index d7bb95b..377b101 100644
--- a/src/State/BookStackSearchResultProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
@@ -2,15 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackSearchResult;
-use App\Entity\Task;
-use App\Exception\BookStackApiException;
-use App\Service\BookStackApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSearchResult;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
@@ -18,14 +17,14 @@ final readonly class BookStackSearchResultProvider implements ProviderInterface
 {
     public function __construct(
         private BookStackApiService $bookStackApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
         private RequestStack $requestStack,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
     {
         $taskId = $uriVariables['taskId'] ?? 0;
-        $task   = $this->em->getRepository(Task::class)->find($taskId);
+        $task   = $this->taskRepository->findById((int) $taskId);
 
         if (null === $task || null === $task->getProject()) {
             return [];
diff --git a/src/State/BookStackSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
similarity index 75%
rename from src/State/BookStackSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
index d7d2217..5fd2fc9 100644
--- a/src/State/BookStackSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\BookStackSettings;
-use App\Entity\BookStackConfiguration;
-use App\Repository\BookStackConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSettings;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class BookStackSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private BookStackConfigurationRepository $configRepository,
+        private BookStackConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/BookStackSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
similarity index 66%
rename from src/State/BookStackSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
index 5d0db34..82a4012 100644
--- a/src/State/BookStackSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackSettings;
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSettings;
 
 final readonly class BookStackSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private BookStackConfigurationRepository $configRepository,
+        private BookStackConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): BookStackSettings
diff --git a/src/State/BookStackShelfProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
similarity index 76%
rename from src/State/BookStackShelfProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
index 71252e2..6733740 100644
--- a/src/State/BookStackShelfProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackShelf;
-use App\Exception\BookStackApiException;
-use App\Service\BookStackApiService;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackShelf;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class BookStackShelfProvider implements ProviderInterface
diff --git a/src/State/BookStackTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
similarity index 78%
rename from src/State/BookStackTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
index 1eb88ee..8dcafc5 100644
--- a/src/State/BookStackTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackTestConnection;
-use App\Service\BookStackApiService;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackTestConnection;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
 
 final readonly class BookStackTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/GiteaBranchNameProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
similarity index 72%
rename from src/State/GiteaBranchNameProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
index d226b62..21c9772 100644
--- a/src/State/GiteaBranchNameProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
@@ -2,14 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaBranchName;
-use App\Entity\Task;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranchName;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -20,12 +19,12 @@ final readonly class GiteaBranchNameProvider implements ProviderInterface
 
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): GiteaBranchName
     {
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task) {
             throw new NotFoundHttpException('Task not found.');
         }
diff --git a/src/State/GiteaBranchProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
similarity index 75%
rename from src/State/GiteaBranchProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
index 6814630..b4771f1 100644
--- a/src/State/GiteaBranchProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
@@ -2,15 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\GiteaBranch;
-use App\Entity\Task;
-use App\Exception\GiteaApiException;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranch;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -20,14 +19,14 @@ final readonly class GiteaBranchProcessor implements ProcessorInterface
 
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): GiteaBranch
     {
         assert($data instanceof GiteaBranch);
 
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             throw new NotFoundHttpException('Task not found.');
         }
diff --git a/src/State/GiteaBranchProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
similarity index 80%
rename from src/State/GiteaBranchProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
index 8152110..80d8abd 100644
--- a/src/State/GiteaBranchProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
@@ -2,23 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaBranch;
-use App\Entity\Task;
-use App\Exception\GiteaApiException;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranch;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaBranchProvider implements ProviderInterface
 {
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|GiteaBranch
@@ -27,7 +26,7 @@ final readonly class GiteaBranchProvider implements ProviderInterface
             return new GiteaBranch();
         }
 
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             return [];
         }
diff --git a/src/State/GiteaPullRequestProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
similarity index 78%
rename from src/State/GiteaPullRequestProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
index 69f2128..a4933ac 100644
--- a/src/State/GiteaPullRequestProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
@@ -2,27 +2,26 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaPullRequest;
-use App\Entity\Task;
-use App\Exception\GiteaApiException;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaPullRequest;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaPullRequestProvider implements ProviderInterface
 {
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
     {
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             return [];
         }
diff --git a/src/State/GiteaRepositoryProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
similarity index 78%
rename from src/State/GiteaRepositoryProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
index e483897..5ecb119 100644
--- a/src/State/GiteaRepositoryProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaRepository;
-use App\Exception\GiteaApiException;
-use App\Service\GiteaApiService;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaRepository;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaRepositoryProvider implements ProviderInterface
diff --git a/src/State/GiteaSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
similarity index 73%
rename from src/State/GiteaSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
index 48e59e8..31ee8b2 100644
--- a/src/State/GiteaSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\GiteaSettings;
-use App\Entity\GiteaConfiguration;
-use App\Repository\GiteaConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaSettings;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class GiteaSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/GiteaSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
similarity index 67%
rename from src/State/GiteaSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
index 7b3c76a..3e90274 100644
--- a/src/State/GiteaSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaSettings;
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaSettings;
 
 final readonly class GiteaSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): GiteaSettings
diff --git a/src/State/GiteaTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
similarity index 78%
rename from src/State/GiteaTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
index 608c60f..d7d90bf 100644
--- a/src/State/GiteaTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaTestConnection;
-use App\Service\GiteaApiService;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaTestConnection;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
 
 final readonly class GiteaTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/ShareSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
similarity index 79%
rename from src/State/ShareSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
index ce43f86..9044ba1 100644
--- a/src/State/ShareSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\ShareSettings;
-use App\Entity\ShareConfiguration;
-use App\Repository\ShareConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareSettings;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class ShareSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private ShareConfigurationRepository $configRepository,
+        private ShareConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/ShareSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
similarity index 74%
rename from src/State/ShareSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
index 0b43e3c..3b8a316 100644
--- a/src/State/ShareSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ShareSettings;
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareSettings;
 
 final readonly class ShareSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private ShareConfigurationRepository $configRepository,
+        private ShareConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): ShareSettings
diff --git a/src/State/ShareTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
similarity index 80%
rename from src/State/ShareTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
index 4e1d393..1a600d8 100644
--- a/src/State/ShareTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ShareTestConnection;
-use App\Service\Share\FileSource;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareTestConnection;
 
 final readonly class ShareTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/ZimbraSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
similarity index 78%
rename from src/State/ZimbraSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
index 7825a6b..14f96c8 100644
--- a/src/State/ZimbraSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\ZimbraSettings;
-use App\Entity\ZimbraConfiguration;
-use App\Repository\ZimbraConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraSettings;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class ZimbraSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private ZimbraConfigurationRepository $configRepository,
+        private ZimbraConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/ZimbraSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
similarity index 72%
rename from src/State/ZimbraSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
index fe95719..a33f45d 100644
--- a/src/State/ZimbraSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ZimbraSettings;
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraSettings;
 
 final readonly class ZimbraSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private ZimbraConfigurationRepository $configRepository,
+        private ZimbraConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): ZimbraSettings
diff --git a/src/State/ZimbraTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
similarity index 80%
rename from src/State/ZimbraTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
index 828c64f..f10f72a 100644
--- a/src/State/ZimbraTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ZimbraTestConnection;
-use App\Service\CalDavService;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraTestConnection;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Throwable;
 
 final readonly class ZimbraTestConnectionProvider implements ProviderInterface, ProcessorInterface
diff --git a/src/Controller/Share/ShareBrowseController.php b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
similarity index 82%
rename from src/Controller/Share/ShareBrowseController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
index ce44962..a464765 100644
--- a/src/Controller/Share/ShareBrowseController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -24,7 +24,7 @@ class ShareBrowseController extends AbstractController
     ) {}
 
     #[Route('/api/share/browse', name: 'share_browse', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): JsonResponse
     {
         $rawPath = (string) $request->query->get('path', '');
diff --git a/src/Controller/Share/ShareDownloadController.php b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
similarity index 87%
rename from src/Controller/Share/ShareDownloadController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
index b3eb5bd..27292a3 100644
--- a/src/Controller/Share/ShareDownloadController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\HeaderUtils;
 use Symfony\Component\HttpFoundation\Request;
@@ -29,7 +29,7 @@ class ShareDownloadController extends AbstractController
     ) {}
 
     #[Route('/api/share/download', name: 'share_download', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): Response
     {
         $rawPath = (string) $request->query->get('path', '');
diff --git a/src/Controller/Share/ShareSearchController.php b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
similarity index 83%
rename from src/Controller/Share/ShareSearchController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
index aa5512b..eae046e 100644
--- a/src/Controller/Share/ShareSearchController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -24,7 +24,7 @@ class ShareSearchController extends AbstractController
     ) {}
 
     #[Route('/api/share/search', name: 'share_search', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): JsonResponse
     {
         $query = trim((string) $request->query->get('q', ''));
diff --git a/src/Controller/Share/ShareStatusController.php b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
similarity index 71%
rename from src/Controller/Share/ShareStatusController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
index 4c226cb..0743f6c 100644
--- a/src/Controller/Share/ShareStatusController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -13,11 +13,11 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class ShareStatusController extends AbstractController
 {
     public function __construct(
-        private readonly ShareConfigurationRepository $configRepository,
+        private readonly ShareConfigurationRepositoryInterface $configRepository,
     ) {}
 
     #[Route('/api/share/status', name: 'share_status', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(): JsonResponse
     {
         $config = $this->configRepository->findSingleton();
diff --git a/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
new file mode 100644
index 0000000..32a5eb4
--- /dev/null
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Infrastructure\Doctrine;
+
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<BookStackConfiguration>
+ */
+class DoctrineBookStackConfigurationRepository extends ServiceEntityRepository implements BookStackConfigurationRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, BookStackConfiguration::class);
+    }
+
+    public function findSingleton(): ?BookStackConfiguration
+    {
+        return $this->findOneBy([]);
+    }
+}
diff --git a/src/Repository/GiteaConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
similarity index 50%
rename from src/Repository/GiteaConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
index 4f1096e..2b81fda 100644
--- a/src/Repository/GiteaConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class GiteaConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<GiteaConfiguration>
+ */
+class DoctrineGiteaConfigurationRepository extends ServiceEntityRepository implements GiteaConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/ShareConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
similarity index 56%
rename from src/Repository/ShareConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
index 066236b..13038bf 100644
--- a/src/Repository/ShareConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class ShareConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<ShareConfiguration>
+ */
+class DoctrineShareConfigurationRepository extends ServiceEntityRepository implements ShareConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
new file mode 100644
index 0000000..00eef16
--- /dev/null
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Infrastructure\Doctrine;
+
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskBookStackLink>
+ */
+class DoctrineTaskBookStackLinkRepository extends ServiceEntityRepository implements TaskBookStackLinkRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskBookStackLink::class);
+    }
+
+    public function findById(int $id): ?TaskBookStackLink
+    {
+        return $this->find($id);
+    }
+
+    /**
+     * @return TaskBookStackLink[]
+     */
+    public function findByTaskId(int $taskId): array
+    {
+        return $this->findBy(['task' => $taskId], ['createdAt' => 'DESC']);
+    }
+}
diff --git a/src/Repository/ZimbraConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
similarity index 56%
rename from src/Repository/ZimbraConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
index 24a9b6c..fd5529a 100644
--- a/src/Repository/ZimbraConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class ZimbraConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<ZimbraConfiguration>
+ */
+class DoctrineZimbraConfigurationRepository extends ServiceEntityRepository implements ZimbraConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Service/BookStackApiService.php b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
similarity index 87%
rename from src/Service/BookStackApiService.php
rename to src/Module/Integration/Infrastructure/Service/BookStackApiService.php
index cf4b66c..ec918da 100644
--- a/src/Service/BookStackApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\BookStackConfiguration;
-use App\Exception\BookStackApiException;
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
 use Symfony\Contracts\HttpClient\Exception\HttpExceptionInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
@@ -14,12 +15,9 @@ use Throwable;
 
 final class BookStackApiService
 {
-    /** @var array<int, int[]> */
-    private array $shelfBookCache = [];
-
     public function __construct(
         private readonly HttpClientInterface $httpClient,
-        private readonly BookStackConfigurationRepository $configRepository,
+        private readonly BookStackConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
     ) {}
 
@@ -80,9 +78,6 @@ final class BookStackApiService
             $bookSlugs[$book['id']] = $book['slug'] ?? '';
         }
 
-        // Update cache for getShelfBookIds
-        $this->shelfBookCache[$shelfId] = $bookIds;
-
         $config  = $this->getConfiguration();
         $baseUrl = rtrim($config->getUrl() ?? '', '/');
         $trimmed = trim($query);
@@ -140,24 +135,6 @@ final class BookStackApiService
         return $this->request('GET', sprintf('/api/books/%d', $id));
     }
 
-    /**
-     * @return int[]
-     */
-    private function getShelfBookIds(int $shelfId): array
-    {
-        if (isset($this->shelfBookCache[$shelfId])) {
-            return $this->shelfBookCache[$shelfId];
-        }
-
-        $data  = $this->request('GET', sprintf('/api/shelves/%d', $shelfId));
-        $books = $data['books'] ?? [];
-
-        $ids                            = array_map(static fn (array $book): int => $book['id'], $books);
-        $this->shelfBookCache[$shelfId] = $ids;
-
-        return $ids;
-    }
-
     private function getConfiguration(): BookStackConfiguration
     {
         $config = $this->configRepository->findSingleton();
diff --git a/src/Service/GiteaApiService.php b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
similarity index 94%
rename from src/Service/GiteaApiService.php
rename to src/Module/Integration/Infrastructure/Service/GiteaApiService.php
index a61df03..78e0949 100644
--- a/src/Service/GiteaApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\GiteaConfiguration;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Exception\GiteaApiException;
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Symfony\Component\String\Slugger\AsciiSlugger;
 use Symfony\Component\String\Slugger\SluggerInterface;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
@@ -22,7 +23,7 @@ final readonly class GiteaApiService
 
     public function __construct(
         private HttpClientInterface $httpClient,
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {
         $this->slugger = new AsciiSlugger('fr');
diff --git a/src/Service/Share/SmbFileSource.php b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
similarity index 89%
rename from src/Service/Share/SmbFileSource.php
rename to src/Module/Integration/Infrastructure/Service/SmbFileSource.php
index d4f29fd..2bb25be 100644
--- a/src/Service/Share/SmbFileSource.php
+++ b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\ShareConfiguration;
-use App\Repository\ShareConfigurationRepository;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\TokenEncryptor;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
+use App\Module\Integration\Domain\Service\ShareTestResult;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Icewind\SMB\BasicAuth;
 use Icewind\SMB\IFileInfo;
 use Icewind\SMB\IShare;
@@ -24,7 +28,7 @@ final class SmbFileSource implements FileSource
     private const int SEARCH_MAX_DIRS = 2000;
 
     public function __construct(
-        private readonly ShareConfigurationRepository $configRepository,
+        private readonly ShareConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly SharePathResolver $pathResolver,
     ) {}
diff --git a/src/Module/Integration/IntegrationModule.php b/src/Module/Integration/IntegrationModule.php
new file mode 100644
index 0000000..1aacd90
--- /dev/null
+++ b/src/Module/Integration/IntegrationModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class IntegrationModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'integration';
+    }
+
+    public static function label(): string
+    {
+        return 'Intégrations';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Integration (Gitea, BookStack, Zimbra, Share).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'integration.settings.manage', 'label' => 'Gérer les intégrations externes'],
+            ['code' => 'integration.share.access', 'label' => 'Accéder au partage de fichiers'],
+        ];
+    }
+}
diff --git a/src/Mail/Dto/MailAttachmentDto.php b/src/Module/Mail/Application/Dto/MailAttachmentDto.php
similarity index 85%
rename from src/Mail/Dto/MailAttachmentDto.php
rename to src/Module/Mail/Application/Dto/MailAttachmentDto.php
index cb6362a..ce7146c 100644
--- a/src/Mail/Dto/MailAttachmentDto.php
+++ b/src/Module/Mail/Application/Dto/MailAttachmentDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailAttachmentDto
 {
diff --git a/src/Mail/Dto/MailFolderDto.php b/src/Module/Mail/Application/Dto/MailFolderDto.php
similarity index 86%
rename from src/Mail/Dto/MailFolderDto.php
rename to src/Module/Mail/Application/Dto/MailFolderDto.php
index d6ff8ff..5069774 100644
--- a/src/Mail/Dto/MailFolderDto.php
+++ b/src/Module/Mail/Application/Dto/MailFolderDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailFolderDto
 {
diff --git a/src/Mail/Dto/MailMessageDetailDto.php b/src/Module/Mail/Application/Dto/MailMessageDetailDto.php
similarity index 88%
rename from src/Mail/Dto/MailMessageDetailDto.php
rename to src/Module/Mail/Application/Dto/MailMessageDetailDto.php
index 76462e7..68587ba 100644
--- a/src/Mail/Dto/MailMessageDetailDto.php
+++ b/src/Module/Mail/Application/Dto/MailMessageDetailDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailMessageDetailDto
 {
diff --git a/src/Mail/Dto/MailMessageHeaderDto.php b/src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
similarity index 92%
rename from src/Mail/Dto/MailMessageHeaderDto.php
rename to src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
index fe9d022..1418298 100644
--- a/src/Mail/Dto/MailMessageHeaderDto.php
+++ b/src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 use DateTimeImmutable;
 
diff --git a/src/Mail/Dto/MailSyncReport.php b/src/Module/Mail/Application/Dto/MailSyncReport.php
similarity index 91%
rename from src/Mail/Dto/MailSyncReport.php
rename to src/Module/Mail/Application/Dto/MailSyncReport.php
index cee124b..c1c5f1a 100644
--- a/src/Mail/Dto/MailSyncReport.php
+++ b/src/Module/Mail/Application/Dto/MailSyncReport.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 use DateTimeImmutable;
 
diff --git a/src/Message/MailSyncRequested.php b/src/Module/Mail/Application/Message/MailSyncRequested.php
similarity index 77%
rename from src/Message/MailSyncRequested.php
rename to src/Module/Mail/Application/Message/MailSyncRequested.php
index 01ecb52..5c80a56 100644
--- a/src/Message/MailSyncRequested.php
+++ b/src/Module/Mail/Application/Message/MailSyncRequested.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Message;
+namespace App\Module\Mail\Application\Message;
 
 final readonly class MailSyncRequested
 {
diff --git a/src/MessageHandler/MailSyncRequestedHandler.php b/src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
similarity index 85%
rename from src/MessageHandler/MailSyncRequestedHandler.php
rename to src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
index d76e32b..89168eb 100644
--- a/src/MessageHandler/MailSyncRequestedHandler.php
+++ b/src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\MessageHandler;
+namespace App\Module\Mail\Application\MessageHandler;
 
-use App\Message\MailSyncRequested;
-use App\Repository\MailFolderRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Message\MailSyncRequested;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Messenger\Attribute\AsMessageHandler;
 use Throwable;
@@ -16,7 +16,7 @@ final readonly class MailSyncRequestedHandler
 {
     public function __construct(
         private MailSyncService $mailSyncService,
-        private MailFolderRepository $folderRepository,
+        private MailFolderRepositoryInterface $folderRepository,
         private LoggerInterface $logger,
     ) {}
 
diff --git a/src/Service/MailSyncService.php b/src/Module/Mail/Application/Service/MailSyncService.php
similarity index 94%
rename from src/Service/MailSyncService.php
rename to src/Module/Mail/Application/Service/MailSyncService.php
index 2d0e329..ba90b9d 100644
--- a/src/Service/MailSyncService.php
+++ b/src/Module/Mail/Application/Service/MailSyncService.php
@@ -2,16 +2,16 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Mail\Application\Service;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
-use App\Mail\Dto\MailSyncReport;
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Application\Dto\MailSyncReport;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\Persistence\ManagerRegistry;
@@ -27,9 +27,9 @@ final class MailSyncService
 
     public function __construct(
         private readonly MailProviderInterface $provider,
-        private readonly MailConfigurationRepository $configRepository,
-        private readonly MailFolderRepository $folderRepository,
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly LockFactory $lockFactory,
         private readonly LoggerInterface $logger,
diff --git a/src/Entity/MailConfiguration.php b/src/Module/Mail/Domain/Entity/MailConfiguration.php
similarity index 87%
rename from src/Entity/MailConfiguration.php
rename to src/Module/Mail/Domain/Entity/MailConfiguration.php
index b1af5b1..c63b120 100644
--- a/src/Entity/MailConfiguration.php
+++ b/src/Module/Mail/Domain/Entity/MailConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailConfigurationRepository::class)]
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineMailConfigurationRepository::class)]
 #[ORM\Table(name: 'mail_configuration')]
-class MailConfiguration
+class MailConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/MailFolder.php b/src/Module/Mail/Domain/Entity/MailFolder.php
similarity index 92%
rename from src/Entity/MailFolder.php
rename to src/Module/Mail/Domain/Entity/MailFolder.php
index 0b2462d..8131c48 100644
--- a/src/Entity/MailFolder.php
+++ b/src/Module/Mail/Domain/Entity/MailFolder.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailFolderRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailFolderRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailFolderRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineMailFolderRepository::class)]
 #[ORM\Table(name: 'mail_folder')]
 #[ORM\Index(columns: ['parent_path'], name: 'idx_mail_folder_parent_path')]
 class MailFolder
diff --git a/src/Entity/MailMessage.php b/src/Module/Mail/Domain/Entity/MailMessage.php
similarity index 96%
rename from src/Entity/MailMessage.php
rename to src/Module/Mail/Domain/Entity/MailMessage.php
index 8efee5f..711306d 100644
--- a/src/Entity/MailMessage.php
+++ b/src/Module/Mail/Domain/Entity/MailMessage.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailMessageRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailMessageRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineMailMessageRepository::class)]
 #[ORM\Table(name: 'mail_message')]
 #[ORM\UniqueConstraint(name: 'uq_mail_message_folder_uid', columns: ['folder_id', 'uid'])]
 #[ORM\Index(columns: ['sent_at'], name: 'idx_mail_message_sent_at')]
diff --git a/src/Entity/TaskMailLink.php b/src/Module/Mail/Domain/Entity/TaskMailLink.php
similarity index 70%
rename from src/Entity/TaskMailLink.php
rename to src/Module/Mail/Domain/Entity/TaskMailLink.php
index 652fc22..a55ed8e 100644
--- a/src/Entity/TaskMailLink.php
+++ b/src/Module/Mail/Domain/Entity/TaskMailLink.php
@@ -2,13 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\TaskMailLinkRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineTaskMailLinkRepository;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: TaskMailLinkRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskMailLinkRepository::class)]
 #[ORM\Table(name: 'task_mail_link')]
 #[ORM\UniqueConstraint(name: 'uq_task_mail_link', columns: ['task_id', 'mail_message_id'])]
 class TaskMailLink
@@ -18,9 +20,9 @@ class TaskMailLink
     #[ORM\Column]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
-    private Task $task;
+    private TaskInterface $task;
 
     #[ORM\ManyToOne(targetEntity: MailMessage::class)]
     #[ORM\JoinColumn(name: 'mail_message_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
@@ -29,21 +31,21 @@ class TaskMailLink
     #[ORM\Column(type: 'datetimetz_immutable')]
     private DateTimeImmutable $linkedAt;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(name: 'linked_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
-    private ?User $linkedBy = null;
+    private ?UserInterface $linkedBy = null;
 
     public function getId(): ?int
     {
         return $this->id;
     }
 
-    public function getTask(): Task
+    public function getTask(): TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(Task $task): static
+    public function setTask(TaskInterface $task): static
     {
         $this->task = $task;
 
@@ -74,12 +76,12 @@ class TaskMailLink
         return $this;
     }
 
-    public function getLinkedBy(): ?User
+    public function getLinkedBy(): ?UserInterface
     {
         return $this->linkedBy;
     }
 
-    public function setLinkedBy(?User $linkedBy): static
+    public function setLinkedBy(?UserInterface $linkedBy): static
     {
         $this->linkedBy = $linkedBy;
 
diff --git a/src/Mail/Exception/MailProviderException.php b/src/Module/Mail/Domain/Exception/MailProviderException.php
similarity index 91%
rename from src/Mail/Exception/MailProviderException.php
rename to src/Module/Mail/Domain/Exception/MailProviderException.php
index af4e6da..656d8a3 100644
--- a/src/Mail/Exception/MailProviderException.php
+++ b/src/Module/Mail/Domain/Exception/MailProviderException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Exception;
+namespace App\Module\Mail\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Mail/MailProviderInterface.php b/src/Module/Mail/Domain/Provider/MailProviderInterface.php
similarity index 88%
rename from src/Mail/MailProviderInterface.php
rename to src/Module/Mail/Domain/Provider/MailProviderInterface.php
index c233846..d5b698d 100644
--- a/src/Mail/MailProviderInterface.php
+++ b/src/Module/Mail/Domain/Provider/MailProviderInterface.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Domain\Provider;
 
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\Dto\MailMessageDetailDto;
-use App\Mail\Dto\MailMessageHeaderDto;
-use App\Mail\Exception\MailProviderException;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Dto\MailMessageDetailDto;
+use App\Module\Mail\Application\Dto\MailMessageHeaderDto;
+use App\Module\Mail\Domain\Exception\MailProviderException;
 
 interface MailProviderInterface
 {
diff --git a/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..479a5e1
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+
+interface MailConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?MailConfiguration;
+}
diff --git a/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
new file mode 100644
index 0000000..6b940a0
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailFolder;
+
+interface MailFolderRepositoryInterface
+{
+    /**
+     * @return list<MailFolder>
+     */
+    public function findAllOrderedByPath(): array;
+
+    public function findByPath(string $path): ?MailFolder;
+}
diff --git a/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
new file mode 100644
index 0000000..b55a1b2
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+
+interface MailMessageRepositoryInterface
+{
+    public function findById(int $id): ?MailMessage;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findAll(): array;
+
+    public function findByMessageId(string $messageId): ?MailMessage;
+
+    public function findByFolderAndUid(MailFolder $folder, int $uid): ?MailMessage;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findByFolderPaginated(MailFolder $folder, int $limit, int $offset): array;
+
+    public function countUnreadByFolder(MailFolder $folder): int;
+
+    public function findMaxUidInFolder(MailFolder $folder): int;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findLastNByFolder(MailFolder $folder, int $limit): array;
+
+    /**
+     * @return list<int>
+     */
+    public function findAllUidsByFolder(MailFolder $folder): array;
+
+    /**
+     * Pagination cursor : retourne $limit messages apres le cursor (sentAt DESC, id DESC).
+     * Cursor format : base64url(sentAt_iso8601:id) - null pour la premiere page.
+     *
+     * @return array{messages: list<MailMessage>, nextCursor: ?string}
+     */
+    public function findByFolderCursor(MailFolder $folder, int $limit, ?string $cursor): array;
+}
diff --git a/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php b/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
new file mode 100644
index 0000000..092ecc0
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Shared\Domain\Contract\TaskInterface;
+
+interface TaskMailLinkRepositoryInterface
+{
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByTask(TaskInterface $task): array;
+
+    public function findByTaskAndMessage(TaskInterface $task, MailMessage $message): ?TaskMailLink;
+
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByMessage(MailMessage $message): array;
+}
diff --git a/src/ApiResource/MailSettings.php b/src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
similarity index 90%
rename from src/ApiResource/MailSettings.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
index 615b9d1..aae9704 100644
--- a/src/ApiResource/MailSettings.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Patch;
-use App\State\Mail\MailSettingsProcessor;
-use App\State\Mail\MailSettingsProvider;
+use App\Module\Mail\Infrastructure\ApiPlatform\State\MailSettingsProcessor;
+use App\Module\Mail\Infrastructure\ApiPlatform\State\MailSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/State/Mail/MailSettingsProcessor.php b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
similarity index 87%
rename from src/State/Mail/MailSettingsProcessor.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
index 9b7a7df..5b05420 100644
--- a/src/State/Mail/MailSettingsProcessor.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State\Mail;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\MailSettings;
-use App\Entity\MailConfiguration;
-use App\Repository\MailConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\ApiPlatform\Resource\MailSettings;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class MailSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private MailConfigurationRepository $configRepository,
+        private MailConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/Mail/MailSettingsProvider.php b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
similarity index 80%
rename from src/State/Mail/MailSettingsProvider.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
index 9a60292..4274a69 100644
--- a/src/State/Mail/MailSettingsProvider.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State\Mail;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\MailSettings;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\ApiPlatform\Resource\MailSettings;
 
 final readonly class MailSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private MailConfigurationRepository $configRepository,
+        private MailConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): MailSettings
diff --git a/src/Command/MailRedecodeHeadersCommand.php b/src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
similarity index 90%
rename from src/Command/MailRedecodeHeadersCommand.php
rename to src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
index 5bb7f59..b4aaa9f 100644
--- a/src/Command/MailRedecodeHeadersCommand.php
+++ b/src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Mail\Infrastructure\Console;
 
-use App\Mail\MimeHeaderDecoder;
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Imap\MimeHeaderDecoder;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -21,7 +21,7 @@ use Symfony\Component\Console\Style\SymfonyStyle;
 final class MailRedecodeHeadersCommand extends Command
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $entityManager,
     ) {
         parent::__construct();
diff --git a/src/Command/MailSyncCommand.php b/src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
similarity index 88%
rename from src/Command/MailSyncCommand.php
rename to src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
index 1f787af..517f806 100644
--- a/src/Command/MailSyncCommand.php
+++ b/src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Mail\Infrastructure\Console;
 
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
@@ -22,8 +22,8 @@ final class MailSyncCommand extends Command
 {
     public function __construct(
         private readonly MailSyncService $mailSyncService,
-        private readonly MailConfigurationRepository $configRepository,
-        private readonly MailFolderRepository $folderRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
     ) {
         parent::__construct();
     }
diff --git a/src/Controller/Mail/MailAttachmentDownloadController.php b/src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
similarity index 87%
rename from src/Controller/Mail/MailAttachmentDownloadController.php
rename to src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
index f2be423..9a8ef2f 100644
--- a/src/Controller/Mail/MailAttachmentDownloadController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
@@ -20,7 +20,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailAttachmentDownloadController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -37,7 +37,7 @@ class MailAttachmentDownloadController extends AbstractController
         [$messageDbIdStr, $partNumber] = explode(':', $decoded, 2);
         $messageDbId                   = (int) $messageDbIdStr;
 
-        $message = $this->messageRepository->find($messageDbId);
+        $message = $this->messageRepository->findById($messageDbId);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailCreateTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
similarity index 83%
rename from src/Controller/Mail/MailCreateTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
index 436b8f7..7a515d0 100644
--- a/src/Controller/Mail/MailCreateTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskGroup;
-use App\Entity\TaskMailLink;
-use App\Entity\TaskStatus;
-use App\Entity\User;
-use App\Repository\MailMessageRepository;
-use App\Repository\TaskRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -28,17 +28,17 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailCreateTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function __invoke(Request $request, int $id): JsonResponse
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailFoldersListController.php b/src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
similarity index 83%
rename from src/Controller/Mail/MailFoldersListController.php
rename to src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
index 879ac19..3a91d6c 100644
--- a/src/Controller/Mail/MailFoldersListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Repository\MailFolderRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -17,7 +17,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailFoldersListController extends AbstractController
 {
     public function __construct(
-        private readonly MailFolderRepository $folderRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
diff --git a/src/Controller/Mail/MailLinkTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
similarity index 74%
rename from src/Controller/Mail/MailLinkTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
index 86d96b8..5496bc8 100644
--- a/src/Controller/Mail/MailLinkTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\Task;
-use App\Entity\TaskMailLink;
-use App\Repository\MailMessageRepository;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -24,8 +24,9 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailLinkTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -34,7 +35,7 @@ class MailLinkTaskController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
@@ -46,7 +47,7 @@ class MailLinkTaskController extends AbstractController
             throw new UnprocessableEntityHttpException('taskId is required');
         }
 
-        $task = $this->em->getRepository(Task::class)->find($taskId);
+        $task = $this->taskRepository->findById((int) $taskId);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Controller/Mail/MailMessageDetailController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
similarity index 87%
rename from src/Controller/Mail/MailMessageDetailController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
index c6a7e29..8fabc6b 100644
--- a/src/Controller/Mail/MailMessageDetailController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Psr\Cache\CacheItemPoolInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -22,7 +22,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageDetailController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly MailAccessChecker $accessChecker,
         private readonly CacheItemPoolInterface $cache,
@@ -32,7 +32,7 @@ class MailMessageDetailController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessageFlagController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
similarity index 78%
rename from src/Controller/Mail/MailMessageFlagController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
index 262b13a..6eedfbe 100644
--- a/src/Controller/Mail/MailMessageFlagController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,7 +21,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageFlagController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
@@ -31,7 +31,7 @@ class MailMessageFlagController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessageReadController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
similarity index 78%
rename from src/Controller/Mail/MailMessageReadController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
index 3ec9504..cc6ad7e 100644
--- a/src/Controller/Mail/MailMessageReadController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,7 +21,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageReadController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
@@ -31,7 +31,7 @@ class MailMessageReadController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessagesListController.php b/src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
similarity index 84%
rename from src/Controller/Mail/MailMessagesListController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
index ccb4e02..1600164 100644
--- a/src/Controller/Mail/MailMessagesListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -20,8 +20,8 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessagesListController extends AbstractController
 {
     public function __construct(
-        private readonly MailFolderRepository $folderRepository,
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
diff --git a/src/Controller/Mail/MailSyncTriggerController.php b/src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
similarity index 87%
rename from src/Controller/Mail/MailSyncTriggerController.php
rename to src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
index 165293b..3d35524 100644
--- a/src/Controller/Mail/MailSyncTriggerController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Message\MailSyncRequested;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Application\Message\MailSyncRequested;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
diff --git a/src/Controller/Mail/MailTestConnectionController.php b/src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
similarity index 88%
rename from src/Controller/Mail/MailTestConnectionController.php
rename to src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
index 6d25518..20d3f2d 100644
--- a/src/Controller/Mail/MailTestConnectionController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
diff --git a/src/Controller/Mail/MailUnlinkTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
similarity index 69%
rename from src/Controller/Mail/MailUnlinkTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
index 399959e..c7db3d0 100644
--- a/src/Controller/Mail/MailUnlinkTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\Task;
-use App\Repository\MailMessageRepository;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,8 +21,9 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailUnlinkTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -31,12 +32,12 @@ class MailUnlinkTaskController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
 
-        $task = $this->em->getRepository(Task::class)->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Controller/Mail/TaskMailsListController.php b/src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
similarity index 79%
rename from src/Controller/Mail/TaskMailsListController.php
rename to src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
index 6b2180e..b7f3975 100644
--- a/src/Controller/Mail/TaskMailsListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
@@ -2,13 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\Task;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeInterface;
-use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -20,8 +19,8 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class TaskMailsListController extends AbstractController
 {
     public function __construct(
-        private readonly EntityManagerInterface $em,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
@@ -29,7 +28,7 @@ class TaskMailsListController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $task = $this->em->getRepository(Task::class)->find($id);
+        $task = $this->taskRepository->findById($id);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Repository/MailConfigurationRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
similarity index 58%
rename from src/Repository/MailConfigurationRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
index 9be3993..8852d15 100644
--- a/src/Repository/MailConfigurationRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailConfiguration>
+ */
+class DoctrineMailConfigurationRepository extends ServiceEntityRepository implements MailConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/MailFolderRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
similarity index 66%
rename from src/Repository/MailFolderRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
index d228d35..662fd77 100644
--- a/src/Repository/MailFolderRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailFolderRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailFolder>
+ */
+class DoctrineMailFolderRepository extends ServiceEntityRepository implements MailFolderRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/MailMessageRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
similarity index 90%
rename from src/Repository/MailMessageRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
index 78e07cd..f98c36b 100644
--- a/src/Repository/MailMessageRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
@@ -2,22 +2,31 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use DateTimeImmutable;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailMessageRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailMessage>
+ */
+class DoctrineMailMessageRepository extends ServiceEntityRepository implements MailMessageRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, MailMessage::class);
     }
 
+    public function findById(int $id): ?MailMessage
+    {
+        return $this->find($id);
+    }
+
     public function findByMessageId(string $messageId): ?MailMessage
     {
         return $this->findOneBy(['messageId' => $messageId]);
diff --git a/src/Repository/TaskMailLinkRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
similarity index 59%
rename from src/Repository/TaskMailLinkRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
index 565e71d..68b4eb2 100644
--- a/src/Repository/TaskMailLinkRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
@@ -2,15 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailMessage;
-use App\Entity\Task;
-use App\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Shared\Domain\Contract\TaskInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class TaskMailLinkRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<TaskMailLink>
+ */
+class DoctrineTaskMailLinkRepository extends ServiceEntityRepository implements TaskMailLinkRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -20,7 +24,7 @@ class TaskMailLinkRepository extends ServiceEntityRepository
     /**
      * @return list<TaskMailLink>
      */
-    public function findByTask(Task $task): array
+    public function findByTask(TaskInterface $task): array
     {
         return $this->createQueryBuilder('l')
             ->andWhere('l.task = :task')
@@ -31,7 +35,7 @@ class TaskMailLinkRepository extends ServiceEntityRepository
         ;
     }
 
-    public function findByTaskAndMessage(Task $task, MailMessage $message): ?TaskMailLink
+    public function findByTaskAndMessage(TaskInterface $task, MailMessage $message): ?TaskMailLink
     {
         return $this->findOneBy(['task' => $task, 'mailMessage' => $message]);
     }
diff --git a/src/Mail/ImapMailProvider.php b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
similarity index 95%
rename from src/Mail/ImapMailProvider.php
rename to src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
index 5db92c8..57e9b69 100644
--- a/src/Mail/ImapMailProvider.php
+++ b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
@@ -2,15 +2,16 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Infrastructure\Imap;
 
-use App\Mail\Dto\MailAttachmentDto;
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\Dto\MailMessageDetailDto;
-use App\Mail\Dto\MailMessageHeaderDto;
-use App\Mail\Exception\MailProviderException;
-use App\Repository\MailConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Mail\Application\Dto\MailAttachmentDto;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Dto\MailMessageDetailDto;
+use App\Module\Mail\Application\Dto\MailMessageHeaderDto;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use DateTimeImmutable;
 use Psr\Log\LoggerInterface;
 use SodiumException;
@@ -24,7 +25,7 @@ final class ImapMailProvider implements MailProviderInterface
     private ?Client $client = null;
 
     public function __construct(
-        private readonly MailConfigurationRepository $configRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly LoggerInterface $logger,
     ) {}
diff --git a/src/Mail/MimeHeaderDecoder.php b/src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
similarity index 96%
rename from src/Mail/MimeHeaderDecoder.php
rename to src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
index 655282b..7809870 100644
--- a/src/Mail/MimeHeaderDecoder.php
+++ b/src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Infrastructure\Imap;
 
 use const ICONV_MIME_DECODE_CONTINUE_ON_ERROR;
 
diff --git a/src/Security/MailAccessChecker.php b/src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
similarity index 80%
rename from src/Security/MailAccessChecker.php
rename to src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
index 85b73f8..78e7f7a 100644
--- a/src/Security/MailAccessChecker.php
+++ b/src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Security;
+namespace App\Module\Mail\Infrastructure\Security;
 
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -23,7 +23,7 @@ final readonly class MailAccessChecker
      */
     public function ensureCanAccessMail(?UserInterface $user): void
     {
-        if (!$user instanceof User) {
+        if (!$user instanceof SharedUserInterface) {
             throw new AccessDeniedException('Authentication required');
         }
 
@@ -41,7 +41,7 @@ final readonly class MailAccessChecker
      */
     public function ensureIsAdmin(?UserInterface $user): void
     {
-        if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+        if (!$user instanceof SharedUserInterface || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Admin only');
         }
     }
diff --git a/src/Module/Mail/MailModule.php b/src/Module/Mail/MailModule.php
new file mode 100644
index 0000000..3d6b555
--- /dev/null
+++ b/src/Module/Mail/MailModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class MailModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'mail';
+    }
+
+    public static function label(): string
+    {
+        return 'Messagerie';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Mail.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'mail.access', 'label' => 'Accéder à la messagerie'],
+            ['code' => 'mail.configure', 'label' => 'Configurer la messagerie'],
+        ];
+    }
+}
diff --git a/src/Entity/Project.php b/src/Module/ProjectManagement/Domain/Entity/Project.php
similarity index 87%
rename from src/Entity/Project.php
rename to src/Module/ProjectManagement/Domain/Entity/Project.php
index 6b5267b..793883e 100644
--- a/src/Entity/Project.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Project.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Metadata\ApiFilter;
@@ -13,9 +13,14 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\ApiResource\SwitchWorkflowOutput;
-use App\Repository\ProjectRepository;
-use App\State\SwitchProjectWorkflowProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource\SwitchWorkflowOutput;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\SwitchProjectWorkflowProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineProjectRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -52,10 +57,12 @@ use Symfony\Component\Validator\Constraints as Assert;
     order: ['name' => 'ASC'],
 )]
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
-#[ORM\Entity(repositoryClass: ProjectRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineProjectRepository::class)]
 #[UniqueEntity(fields: ['code'], message: 'Ce code de projet est déjà utilisé.')]
-class Project
+class Project implements ProjectInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -80,10 +87,10 @@ class Project
     #[Groups(['project:read', 'project:write', 'time_entry:read', 'task:read'])]
     private ?string $color = '#222783';
 
-    #[ORM\ManyToOne(targetEntity: Client::class, inversedBy: 'projects')]
+    #[ORM\ManyToOne(targetEntity: ClientInterface::class, inversedBy: 'projects')]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['project:read', 'project:write'])]
-    private ?Client $client = null;
+    private ?ClientInterface $client = null;
 
     #[ORM\ManyToOne(targetEntity: Workflow::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'RESTRICT')]
@@ -173,12 +180,12 @@ class Project
         return $this;
     }
 
-    public function getClient(): ?Client
+    public function getClient(): ?ClientInterface
     {
         return $this->client;
     }
 
-    public function setClient(?Client $client): static
+    public function setClient(?ClientInterface $client): static
     {
         $this->client = $client;
 
diff --git a/src/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
similarity index 91%
rename from src/Entity/Task.php
rename to src/Module/ProjectManagement/Domain/Entity/Task.php
index 984dc15..661a531 100644
--- a/src/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Doctrine\Orm\Filter\DateFilter;
@@ -15,9 +15,14 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskRepository;
-use App\State\TaskCalendarProcessor;
-use App\State\TaskNumberProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -42,11 +47,13 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 #[ApiFilter(DateFilter::class, properties: ['scheduledStart', 'scheduledEnd', 'deadline'])]
 #[ApiFilter(BooleanFilter::class, properties: ['archived', 'syncToCalendar'])]
 #[ApiFilter(OrderFilter::class, properties: ['scheduledStart', 'deadline'])]
-#[ORM\Entity(repositoryClass: TaskRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskRepository::class)]
 #[ORM\Table(name: 'task')]
 #[ORM\UniqueConstraint(name: 'uniq_task_project_number', columns: ['project_id', 'number'])]
-class Task
+class Task implements TaskInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -80,13 +87,13 @@ class Task
     #[Groups(['task:read', 'task:write'])]
     private ?TaskPriority $priority = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task:read', 'task:write'])]
-    private ?User $assignee = null;
+    private ?UserInterface $assignee = null;
 
-    /** @var Collection<int, User> */
-    #[ORM\ManyToMany(targetEntity: User::class)]
+    /** @var Collection<int, UserInterface> */
+    #[ORM\ManyToMany(targetEntity: UserInterface::class)]
     #[ORM\JoinTable(
         name: 'task_collaborator',
         joinColumns: [new ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
@@ -103,6 +110,7 @@ class Task
     #[ORM\ManyToOne(targetEntity: Project::class, inversedBy: 'tasks')]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['task:read', 'task:write'])]
+    #[Assert\NotNull]
     private ?Project $project = null;
 
     /** @var Collection<int, TaskTag> */
@@ -239,25 +247,25 @@ class Task
         return $this;
     }
 
-    public function getAssignee(): ?User
+    public function getAssignee(): ?UserInterface
     {
         return $this->assignee;
     }
 
-    public function setAssignee(?User $assignee): static
+    public function setAssignee(?UserInterface $assignee): static
     {
         $this->assignee = $assignee;
 
         return $this;
     }
 
-    /** @return Collection<int, User> */
+    /** @return Collection<int, UserInterface> */
     public function getCollaborators(): Collection
     {
         return $this->collaborators;
     }
 
-    public function addCollaborator(User $user): static
+    public function addCollaborator(UserInterface $user): static
     {
         if (!$this->collaborators->contains($user)) {
             $this->collaborators->add($user);
@@ -266,7 +274,7 @@ class Task
         return $this;
     }
 
-    public function removeCollaborator(User $user): static
+    public function removeCollaborator(UserInterface $user): static
     {
         $this->collaborators->removeElement($user);
 
diff --git a/src/Entity/TaskDocument.php b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
similarity index 88%
rename from src/Entity/TaskDocument.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
index 5e1d5f0..3d2d5f3 100644
--- a/src/Entity/TaskDocument.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
@@ -11,9 +11,10 @@ use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
-use App\EventListener\TaskDocumentListener;
-use App\State\TaskDocumentProcessor;
-use App\State\TaskDocumentProvider;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProvider;
+use App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -77,10 +78,10 @@ class TaskDocument
     #[Groups(['task_document:read', 'task:read'])]
     private ?DateTimeImmutable $createdAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task_document:read', 'task:read'])]
-    private ?User $uploadedBy = null;
+    private ?UserInterface $uploadedBy = null;
 
     public function getId(): ?int
     {
@@ -176,12 +177,12 @@ class TaskDocument
         return $this;
     }
 
-    public function getUploadedBy(): ?User
+    public function getUploadedBy(): ?UserInterface
     {
         return $this->uploadedBy;
     }
 
-    public function setUploadedBy(?User $uploadedBy): static
+    public function setUploadedBy(?UserInterface $uploadedBy): static
     {
         $this->uploadedBy = $uploadedBy;
 
diff --git a/src/Entity/TaskEffort.php b/src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
similarity index 87%
rename from src/Entity/TaskEffort.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
index 04ce397..5dabd51 100644
--- a/src/Entity/TaskEffort.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskEffortRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -26,7 +26,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_effort:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskEffortRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskEffortRepository::class)]
 class TaskEffort
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskGroup.php b/src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
similarity index 93%
rename from src/Entity/TaskGroup.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
index 8a5ecf8..c013da7 100644
--- a/src/Entity/TaskGroup.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
@@ -13,7 +13,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskGroupRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -31,7 +31,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ApiFilter(SearchFilter::class, properties: ['project' => 'exact'])]
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
-#[ORM\Entity(repositoryClass: TaskGroupRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskGroupRepository::class)]
 class TaskGroup
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskPriority.php b/src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
similarity index 89%
rename from src/Entity/TaskPriority.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
index c960977..9840bee 100644
--- a/src/Entity/TaskPriority.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskPriorityRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -26,7 +26,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_priority:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskPriorityRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskPriorityRepository::class)]
 class TaskPriority
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskRecurrence.php b/src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
similarity index 94%
rename from src/Entity/TaskRecurrence.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
index a6a6dc5..eb82b3e 100644
--- a/src/Entity/TaskRecurrence.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRecurrenceRepository;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRecurrenceRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -29,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     normalizationContext: ['groups' => ['task_recurrence:read']],
     denormalizationContext: ['groups' => ['task_recurrence:write']],
 )]
-#[ORM\Entity(repositoryClass: TaskRecurrenceRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskRecurrenceRepository::class)]
 class TaskRecurrence
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskStatus.php b/src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
similarity index 93%
rename from src/Entity/TaskStatus.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
index 021afdc..301d417 100644
--- a/src/Entity/TaskStatus.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\StatusCategory;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskStatusRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 use Symfony\Component\Validator\Constraints as Assert;
@@ -28,7 +28,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['task_status:write']],
     order: ['position' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskStatusRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskStatusRepository::class)]
 class TaskStatus
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskTag.php b/src/Module/ProjectManagement/Domain/Entity/TaskTag.php
similarity index 85%
rename from src/Entity/TaskTag.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskTag.php
index 4f3a864..136cc91 100644
--- a/src/Entity/TaskTag.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskTag.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskTagRepository;
+use App\Shared\Domain\Contract\TaskTagInterface;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -26,9 +27,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_tag:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskTagRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskTagRepository::class)]
 #[ORM\Table(name: 'task_type')]
-class TaskTag
+class TaskTag implements TaskTagInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Entity/Workflow.php b/src/Module/ProjectManagement/Domain/Entity/Workflow.php
similarity index 92%
rename from src/Entity/Workflow.php
rename to src/Module/ProjectManagement/Domain/Entity/Workflow.php
index 1b3ffff..1afa1a3 100644
--- a/src/Entity/Workflow.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Workflow.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\WorkflowRepository;
-use App\State\WorkflowDeleteProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\WorkflowDeleteProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineWorkflowRepository;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -31,7 +31,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['workflow:write']],
     order: ['position' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: WorkflowRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineWorkflowRepository::class)]
 #[UniqueEntity(fields: ['name'], message: 'Ce nom de workflow est déjà utilisé.')]
 class Workflow
 {
diff --git a/src/Enum/RecurrenceType.php b/src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
similarity index 77%
rename from src/Enum/RecurrenceType.php
rename to src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
index 0df9a70..8db59b3 100644
--- a/src/Enum/RecurrenceType.php
+++ b/src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\ProjectManagement\Domain\Enum;
 
 enum RecurrenceType: string
 {
diff --git a/src/Enum/StatusCategory.php b/src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
similarity index 81%
rename from src/Enum/StatusCategory.php
rename to src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
index c9eaef5..70114d1 100644
--- a/src/Enum/StatusCategory.php
+++ b/src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\ProjectManagement\Domain\Enum;
 
 enum StatusCategory: string
 {
diff --git a/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
new file mode 100644
index 0000000..e057b50
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+
+interface ProjectRepositoryInterface
+{
+    public function findById(int $id): ?Project;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Project[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
new file mode 100644
index 0000000..c3bac00
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+
+interface TaskEffortRepositoryInterface
+{
+    public function findById(int $id): ?TaskEffort;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskEffort[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
new file mode 100644
index 0000000..9226827
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+
+interface TaskGroupRepositoryInterface
+{
+    public function findById(int $id): ?TaskGroup;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskGroup[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
new file mode 100644
index 0000000..645462b
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+
+interface TaskPriorityRepositoryInterface
+{
+    public function findById(int $id): ?TaskPriority;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskPriority[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
new file mode 100644
index 0000000..76b2f81
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+
+interface TaskRecurrenceRepositoryInterface
+{
+    public function findById(int $id): ?TaskRecurrence;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
new file mode 100644
index 0000000..d9e3e2f
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use Doctrine\ORM\QueryBuilder;
+
+interface TaskRepositoryInterface
+{
+    public function createQueryBuilder(string $alias, ?string $indexBy = null): QueryBuilder;
+
+    public function findById(int $id): ?Task;
+
+    /**
+     * Returns the max task number for a project, using an advisory lock
+     * to prevent race conditions when creating tasks concurrently.
+     */
+    public function findMaxNumberByProjectForUpdate(Project $project): int;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
new file mode 100644
index 0000000..53c676b
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+
+interface TaskStatusRepositoryInterface
+{
+    public function findById(int $id): ?TaskStatus;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskStatus[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findFirstNonFinal(): ?TaskStatus;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
new file mode 100644
index 0000000..8ead853
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+
+interface TaskTagRepositoryInterface
+{
+    public function findById(int $id): ?TaskTag;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskTag[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
new file mode 100644
index 0000000..6da80d3
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+
+interface WorkflowRepositoryInterface
+{
+    public function findById(int $id): ?Workflow;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Workflow[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findDefault(): ?Workflow;
+}
diff --git a/src/ApiResource/SwitchWorkflowOutput.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
similarity index 88%
rename from src/ApiResource/SwitchWorkflowOutput.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
index ddc3133..7594f8b 100644
--- a/src/ApiResource/SwitchWorkflowOutput.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource;
 
 use Symfony\Component\Serializer\Attribute\Groups;
 
diff --git a/src/State/RecurrenceHandler.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
similarity index 82%
rename from src/State/RecurrenceHandler.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
index 2e587bd..7a98b7f 100644
--- a/src/State/RecurrenceHandler.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
-use App\Entity\Task;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Service\CalDavService;
-use App\Service\RecurrenceCalculator;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Module\ProjectManagement\Infrastructure\Service\RecurrenceCalculator;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class RecurrenceHandler
 {
     public function __construct(
         private RecurrenceCalculator $calculator,
-        private TaskRepository $taskRepository,
-        private TaskStatusRepository $statusRepository,
+        private TaskRepositoryInterface $taskRepository,
+        private TaskStatusRepositoryInterface $statusRepository,
         private CalDavService $calDavService,
         private EntityManagerInterface $entityManager,
     ) {}
@@ -81,8 +81,12 @@ final readonly class RecurrenceHandler
         $newTask->setCalendarEventUid($savedEventUid);
 
         // Generate task number in transaction
-        $this->entityManager->wrapInTransaction(function () use ($newTask): void {
-            $maxNumber = $this->taskRepository->findMaxNumberByProjectForUpdate($newTask->getProject());
+        $project = $newTask->getProject();
+        if (null === $project) {
+            return;
+        }
+        $this->entityManager->wrapInTransaction(function () use ($newTask, $project): void {
+            $maxNumber = $this->taskRepository->findMaxNumberByProjectForUpdate($project);
             $newTask->setNumber($maxNumber + 1);
             $this->entityManager->persist($newTask);
             $this->entityManager->flush();
diff --git a/src/State/SwitchProjectWorkflowProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
similarity index 92%
rename from src/State/SwitchProjectWorkflowProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
index c5822ae..822f085 100644
--- a/src/State/SwitchProjectWorkflowProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\SwitchWorkflowOutput;
-use App\Entity\Project;
-use App\Entity\TaskStatus;
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource\SwitchWorkflowOutput;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
diff --git a/src/State/TaskCalendarProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
similarity index 91%
rename from src/State/TaskCalendarProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
index 5e3013e..cb130f1 100644
--- a/src/State/TaskCalendarProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Entity\TaskStatus;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
diff --git a/src/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
similarity index 94%
rename from src/State/TaskDocumentProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index 51c6750..5c579c9 100644
--- a/src/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -2,18 +2,18 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Entity\TaskDocument;
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/State/TaskDocumentProvider.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
similarity index 86%
rename from src/State/TaskDocumentProvider.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
index f998d17..4687569 100644
--- a/src/State/TaskDocumentProvider.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\TaskDocument;
-use App\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class TaskDocumentProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|TaskDocument|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo = $this->entityManager->getRepository(TaskDocument::class);
 
diff --git a/src/State/TaskNumberProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
similarity index 82%
rename from src/State/TaskNumberProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
index 038a865..e6fdfef 100644
--- a/src/State/TaskNumberProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
@@ -24,7 +24,7 @@ final readonly class TaskNumberProcessor implements ProcessorInterface
     public function __construct(
         #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
         private ProcessorInterface $persistProcessor,
-        private TaskRepository $taskRepository,
+        private TaskRepositoryInterface $taskRepository,
         private EntityManagerInterface $entityManager,
         private CalDavService $calDavService,
     ) {}
diff --git a/src/State/WorkflowDeleteProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
similarity index 89%
rename from src/State/WorkflowDeleteProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
index a0efec9..8e30b88 100644
--- a/src/State/WorkflowDeleteProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 
diff --git a/src/Controller/TaskDocumentDownloadController.php b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
similarity index 91%
rename from src/Controller/TaskDocumentDownloadController.php
rename to src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
index ce05ede..9d8e2b7 100644
--- a/src/Controller/TaskDocumentDownloadController.php
+++ b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\ProjectManagement\Infrastructure\Controller;
 
-use App\Entity\TaskDocument;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileSource;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
new file mode 100644
index 0000000..1a1719f
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Project>
+ */
+class DoctrineProjectRepository extends ServiceEntityRepository implements ProjectRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Project::class);
+    }
+
+    public function findById(int $id): ?Project
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
new file mode 100644
index 0000000..d343363
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskEffort>
+ */
+class DoctrineTaskEffortRepository extends ServiceEntityRepository implements TaskEffortRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskEffort::class);
+    }
+
+    public function findById(int $id): ?TaskEffort
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
new file mode 100644
index 0000000..4fd5100
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskGroup>
+ */
+class DoctrineTaskGroupRepository extends ServiceEntityRepository implements TaskGroupRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskGroup::class);
+    }
+
+    public function findById(int $id): ?TaskGroup
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
new file mode 100644
index 0000000..749e020
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskPriority>
+ */
+class DoctrineTaskPriorityRepository extends ServiceEntityRepository implements TaskPriorityRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskPriority::class);
+    }
+
+    public function findById(int $id): ?TaskPriority
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
new file mode 100644
index 0000000..838ae46
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskRecurrence>
+ */
+class DoctrineTaskRecurrenceRepository extends ServiceEntityRepository implements TaskRecurrenceRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskRecurrence::class);
+    }
+
+    public function findById(int $id): ?TaskRecurrence
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Repository/TaskRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
similarity index 72%
rename from src/Repository/TaskRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
index 5922bcc..3e5a94f 100644
--- a/src/Repository/TaskRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
@@ -2,23 +2,29 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\Project;
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<Task>
  */
-class TaskRepository extends ServiceEntityRepository
+class DoctrineTaskRepository extends ServiceEntityRepository implements TaskRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, Task::class);
     }
 
+    public function findById(int $id): ?Task
+    {
+        return $this->find($id);
+    }
+
     /**
      * Returns the max task number for a project, using an advisory lock
      * to prevent race conditions when creating tasks concurrently.
diff --git a/src/Repository/TaskStatusRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
similarity index 57%
rename from src/Repository/TaskStatusRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
index fdc80b5..0142acf 100644
--- a/src/Repository/TaskStatusRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
@@ -2,19 +2,28 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class TaskStatusRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<TaskStatus>
+ */
+class DoctrineTaskStatusRepository extends ServiceEntityRepository implements TaskStatusRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, TaskStatus::class);
     }
 
+    public function findById(int $id): ?TaskStatus
+    {
+        return $this->find($id);
+    }
+
     public function findFirstNonFinal(): ?TaskStatus
     {
         return $this->createQueryBuilder('s')
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
new file mode 100644
index 0000000..2c19038
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskTag>
+ */
+class DoctrineTaskTagRepository extends ServiceEntityRepository implements TaskTagRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskTag::class);
+    }
+
+    public function findById(int $id): ?TaskTag
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Repository/WorkflowRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
similarity index 52%
rename from src/Repository/WorkflowRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
index fafd288..b635402 100644
--- a/src/Repository/WorkflowRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
@@ -2,22 +2,28 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<Workflow>
  */
-class WorkflowRepository extends ServiceEntityRepository
+class DoctrineWorkflowRepository extends ServiceEntityRepository implements WorkflowRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, Workflow::class);
     }
 
+    public function findById(int $id): ?Workflow
+    {
+        return $this->find($id);
+    }
+
     public function findDefault(): ?Workflow
     {
         return $this->findOneBy(['isDefault' => true]);
diff --git a/src/EventListener/TaskDocumentListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
similarity index 87%
rename from src/EventListener/TaskDocumentListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
index 3e762d2..414a9a9 100644
--- a/src/EventListener/TaskDocumentListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\Event\PreRemoveEventArgs;
 use Psr\Log\LoggerInterface;
 
diff --git a/src/EventListener/TaskNotificationListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
similarity index 73%
rename from src/EventListener/TaskNotificationListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
index 1795184..07539d5 100644
--- a/src/EventListener/TaskNotificationListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
@@ -2,12 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\Notification;
-use App\Entity\Task;
-use App\Entity\User;
-use DateTimeImmutable;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
 use Doctrine\ORM\Event\PostFlushEventArgs;
@@ -18,15 +17,18 @@ use Symfony\Bundle\SecurityBundle\Security;
 #[AsDoctrineListener(event: Events::postFlush)]
 final class TaskNotificationListener
 {
-    /** @var list<array{user: User, type: string, task: Task}> */
+    /** @var list<array{user: UserInterface, type: string, task: Task}> */
     private array $pending = [];
 
-    public function __construct(private readonly Security $security) {}
+    public function __construct(
+        private readonly Security $security,
+        private readonly NotifierInterface $notifier,
+    ) {}
 
     public function onFlush(OnFlushEventArgs $args): void
     {
         $actor = $this->security->getUser();
-        if (!$actor instanceof User) {
+        if (!$actor instanceof UserInterface) {
             return;
         }
 
@@ -38,7 +40,7 @@ final class TaskNotificationListener
                 continue;
             }
             $assignee = $entity->getAssignee();
-            if ($assignee instanceof User && $assignee !== $actor) {
+            if ($assignee instanceof UserInterface && $assignee !== $actor) {
                 $this->pending[] = ['user' => $assignee, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -53,7 +55,7 @@ final class TaskNotificationListener
                 continue;
             }
             $new = $changeSet['assignee'][1];
-            if ($new instanceof User && $new !== $actor) {
+            if ($new instanceof UserInterface && $new !== $actor) {
                 $this->pending[] = ['user' => $new, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -68,7 +70,7 @@ final class TaskNotificationListener
                 continue;
             }
             foreach ($collection->getInsertDiff() as $user) {
-                if ($user instanceof User && $user !== $actor) {
+                if ($user instanceof UserInterface && $user !== $actor) {
                     $this->pending[] = ['user' => $user, 'type' => 'task_collaborator_added', 'task' => $owner];
                 }
             }
@@ -84,25 +86,10 @@ final class TaskNotificationListener
         $pending       = $this->pending;
         $this->pending = [];
 
-        $em = $args->getObjectManager();
         foreach ($pending as $item) {
-            $em->persist($this->buildNotification($item['user'], $item['type'], $item['task']));
+            [$title, $message] = $this->render($item['type'], $item['task']);
+            $this->notifier->notify($item['user'], $item['type'], $title, $message);
         }
-        $em->flush();
-    }
-
-    private function buildNotification(User $user, string $type, Task $task): Notification
-    {
-        [$title, $message] = $this->render($type, $task);
-
-        $notification = new Notification();
-        $notification->setUser($user);
-        $notification->setType($type);
-        $notification->setTitle($title);
-        $notification->setMessage($message);
-        $notification->setCreatedAt(new DateTimeImmutable());
-
-        return $notification;
     }
 
     /**
diff --git a/src/EventListener/UniqueDefaultWorkflowListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
similarity index 91%
rename from src/EventListener/UniqueDefaultWorkflowListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
index 15b61c4..7db1599 100644
--- a/src/EventListener/UniqueDefaultWorkflowListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
 use Doctrine\ORM\Events;
diff --git a/src/Mcp/Tool/Project/CreateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
similarity index 80%
rename from src/Mcp/Tool/Project/CreateProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
index b901ab1..a423644 100644
--- a/src/Mcp/Tool/Project/CreateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Entity\Project;
-use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -20,7 +20,7 @@ class CreateProjectTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
@@ -46,7 +46,7 @@ class CreateProjectTool
             $project->setColor($color);
         }
         if (null !== $clientId) {
-            $client = $this->clientRepository->find($clientId);
+            $client = $this->clientRepository->findById($clientId);
             if (null === $client) {
                 throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $clientId));
             }
diff --git a/src/Mcp/Tool/Project/DeleteProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
similarity index 80%
rename from src/Mcp/Tool/Project/DeleteProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
index ed0f488..8cef311 100644
--- a/src/Mcp/Tool/Project/DeleteProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteProjectTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Project/GetProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
similarity index 77%
rename from src/Mcp/Tool/Project/GetProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
index 8674fd4..fa4b13a 100644
--- a/src/Mcp/Tool/Project/GetProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,8 +18,8 @@ use function sprintf;
 class GetProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
@@ -29,7 +29,7 @@ class GetProjectTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
 
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Project/ListProjectsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
similarity index 74%
rename from src/Mcp/Tool/Project/ListProjectsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
index 1d3e227..4e4b1be 100644
--- a/src/Mcp/Tool/Project/ListProjectsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListProjectsTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Project/UpdateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
similarity index 77%
rename from src/Mcp/Tool/Project/UpdateProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
index d2d9460..6214297 100644
--- a/src/Mcp/Tool/Project/UpdateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
-use App\Repository\ProjectRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,8 +19,8 @@ use function sprintf;
 class UpdateProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
-        private readonly ClientRepository $clientRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -38,7 +38,7 @@ class UpdateProjectTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
 
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
@@ -57,7 +57,7 @@ class UpdateProjectTool
             $project->setColor($color);
         }
         if (null !== $clientId) {
-            $client = $this->clientRepository->find($clientId);
+            $client = $this->clientRepository->findById($clientId);
             if (null === $client) {
                 throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $clientId));
             }
diff --git a/src/Mcp/Tool/Task/AddTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
similarity index 92%
rename from src/Mcp/Tool/Task/AddTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
index e879d3b..c480396 100644
--- a/src/Mcp/Tool/Task/AddTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -33,7 +33,7 @@ class AddTaskDocumentTool
 
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -52,7 +52,7 @@ class AddTaskDocumentTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
         }
diff --git a/src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
similarity index 86%
rename from src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
index 499e687..d661606 100644
--- a/src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -22,7 +22,7 @@ class CreateTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -41,7 +41,7 @@ class CreateTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
         }
diff --git a/src/Mcp/Tool/Task/CreateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
similarity index 76%
rename from src/Mcp/Tool/Task/CreateTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
index 651ef11..bc41c7e 100644
--- a/src/Mcp/Tool/Task/CreateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
@@ -2,19 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\Task;
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskEffortRepository;
-use App\Repository\TaskGroupRepository;
-use App\Repository\TaskPriorityRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
-use App\Service\CalDavService;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -29,14 +29,14 @@ class CreateTaskTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskStatusRepository $taskStatusRepository,
-        private readonly TaskPriorityRepository $taskPriorityRepository,
-        private readonly TaskEffortRepository $taskEffortRepository,
-        private readonly TaskGroupRepository $taskGroupRepository,
-        private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -65,7 +65,7 @@ class CreateTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($projectId);
+        $project = $this->projectRepository->findById($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
         }
@@ -78,21 +78,21 @@ class CreateTaskTool
             $task->setDescription($description);
         }
         if (null !== $statusId) {
-            $status = $this->taskStatusRepository->find($statusId);
+            $status = $this->taskStatusRepository->findById($statusId);
             if (null === $status) {
                 throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $statusId));
             }
             $task->setStatus($status);
         }
         if (null !== $priorityId) {
-            $priority = $this->taskPriorityRepository->find($priorityId);
+            $priority = $this->taskPriorityRepository->findById($priorityId);
             if (null === $priority) {
                 throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $priorityId));
             }
             $task->setPriority($priority);
         }
         if (null !== $effortId) {
-            $effort = $this->taskEffortRepository->find($effortId);
+            $effort = $this->taskEffortRepository->findById($effortId);
             if (null === $effort) {
                 throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $effortId));
             }
@@ -106,7 +106,7 @@ class CreateTaskTool
             $task->setAssignee($assignee);
         }
         if (null !== $groupId) {
-            $group = $this->taskGroupRepository->find($groupId);
+            $group = $this->taskGroupRepository->findById($groupId);
             if (null === $group) {
                 throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $groupId));
             }
@@ -114,7 +114,7 @@ class CreateTaskTool
         }
         if (null !== $tagIds) {
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Mcp/Tool/Task/DeleteTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
similarity index 92%
rename from src/Mcp/Tool/Task/DeleteTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
index 99ffa12..25ed3d7 100644
--- a/src/Mcp/Tool/Task/DeleteTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
similarity index 82%
rename from src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
index 4039fff..8a0399a 100644
--- a/src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Repository\TaskRecurrenceRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,7 +19,7 @@ class DeleteTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRecurrenceRepository $taskRecurrenceRepository,
+        private readonly TaskRecurrenceRepositoryInterface $taskRecurrenceRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -30,7 +30,7 @@ class DeleteTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $recurrence = $this->taskRecurrenceRepository->find($recurrenceId);
+        $recurrence = $this->taskRecurrenceRepository->findById($recurrenceId);
         if (null === $recurrence) {
             throw new InvalidArgumentException(sprintf('TaskRecurrence with ID %d not found.', $recurrenceId));
         }
diff --git a/src/Mcp/Tool/Task/DeleteTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
similarity index 82%
rename from src/Mcp/Tool/Task/DeleteTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
index fa006a3..bbf0a04 100644
--- a/src/Mcp/Tool/Task/DeleteTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class DeleteTaskTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
@@ -30,7 +30,7 @@ class DeleteTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Task/GetTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
similarity index 85%
rename from src/Mcp/Tool/Task/GetTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
index 94f0bfb..8440f05 100644
--- a/src/Mcp/Tool/Task/GetTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetTaskTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Task/ListTasksTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
similarity index 93%
rename from src/Mcp/Tool/Task/ListTasksTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
index 9722ad0..addaa9f 100644
--- a/src/Mcp/Tool/Task/ListTasksTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTasksTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Task/UpdateTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
similarity index 96%
rename from src/Mcp/Tool/Task/UpdateTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
index 59cc4a4..d80e695 100644
--- a/src/Mcp/Tool/Task/UpdateTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
similarity index 85%
rename from src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
index ae03b4f..6c2b7c6 100644
--- a/src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRecurrenceRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -21,7 +21,7 @@ class UpdateTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRecurrenceRepository $taskRecurrenceRepository,
+        private readonly TaskRecurrenceRepositoryInterface $taskRecurrenceRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -40,7 +40,7 @@ class UpdateTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $recurrence = $this->taskRecurrenceRepository->find($recurrenceId);
+        $recurrence = $this->taskRecurrenceRepository->findById($recurrenceId);
         if (null === $recurrence) {
             throw new InvalidArgumentException(sprintf('TaskRecurrence with ID %d not found.', $recurrenceId));
         }
diff --git a/src/Mcp/Tool/Task/UpdateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
similarity index 79%
rename from src/Mcp/Tool/Task/UpdateTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
index 09c53dc..4954240 100644
--- a/src/Mcp/Tool/Task/UpdateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TaskEffortRepository;
-use App\Repository\TaskGroupRepository;
-use App\Repository\TaskPriorityRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
-use App\Service\CalDavService;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -27,13 +27,13 @@ class UpdateTaskTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskStatusRepository $taskStatusRepository,
-        private readonly TaskPriorityRepository $taskPriorityRepository,
-        private readonly TaskEffortRepository $taskEffortRepository,
-        private readonly TaskGroupRepository $taskGroupRepository,
-        private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -63,7 +63,7 @@ class UpdateTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
@@ -76,21 +76,21 @@ class UpdateTaskTool
             $task->setDescription($description);
         }
         if (null !== $statusId) {
-            $status = $this->taskStatusRepository->find($statusId);
+            $status = $this->taskStatusRepository->findById($statusId);
             if (null === $status) {
                 throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $statusId));
             }
             $task->setStatus($status);
         }
         if (null !== $priorityId) {
-            $priority = $this->taskPriorityRepository->find($priorityId);
+            $priority = $this->taskPriorityRepository->findById($priorityId);
             if (null === $priority) {
                 throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $priorityId));
             }
             $task->setPriority($priority);
         }
         if (null !== $effortId) {
-            $effort = $this->taskEffortRepository->find($effortId);
+            $effort = $this->taskEffortRepository->findById($effortId);
             if (null === $effort) {
                 throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $effortId));
             }
@@ -104,7 +104,7 @@ class UpdateTaskTool
             $task->setAssignee($assignee);
         }
         if (null !== $groupId) {
-            $group = $this->taskGroupRepository->find($groupId);
+            $group = $this->taskGroupRepository->findById($groupId);
             if (null === $group) {
                 throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $groupId));
             }
@@ -116,7 +116,7 @@ class UpdateTaskTool
                 $task->removeTag($existingTag);
             }
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Mcp/Tool/TaskMeta/CreateEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
similarity index 87%
rename from src/Mcp/Tool/TaskMeta/CreateEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
index 5c2fb95..6f73d94 100644
--- a/src/Mcp/Tool/TaskMeta/CreateEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/CreateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/CreateGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
index a65a2e7..17a8a0d 100644
--- a/src/Mcp/Tool/TaskMeta/CreateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskGroup;
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -20,7 +20,7 @@ class CreateGroupTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly Security $security,
     ) {}
 
@@ -34,7 +34,7 @@ class CreateGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($projectId);
+        $project = $this->projectRepository->findById($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
         }
diff --git a/src/Mcp/Tool/TaskMeta/CreatePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
similarity index 89%
rename from src/Mcp/Tool/TaskMeta/CreatePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
index 9e324f9..814d060 100644
--- a/src/Mcp/Tool/TaskMeta/CreatePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/CreateStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
similarity index 84%
rename from src/Mcp/Tool/TaskMeta/CreateStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
index ae978f3..d847c8e 100644
--- a/src/Mcp/Tool/TaskMeta/CreateStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskStatus;
-use App\Enum\StatusCategory;
-use App\Repository\WorkflowRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,7 +19,7 @@ use function sprintf;
 class CreateStatusTool
 {
     public function __construct(
-        private readonly WorkflowRepository $workflowRepository,
+        private readonly WorkflowRepositoryInterface $workflowRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -36,7 +36,7 @@ class CreateStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $workflow = $this->workflowRepository->find($workflowId);
+        $workflow = $this->workflowRepository->findById($workflowId);
         if (null === $workflow) {
             throw new InvalidArgumentException(sprintf('Workflow with ID %d not found.', $workflowId));
         }
diff --git a/src/Mcp/Tool/TaskMeta/CreateTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
similarity index 89%
rename from src/Mcp/Tool/TaskMeta/CreateTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
index 867ea25..b5b2ffd 100644
--- a/src/Mcp/Tool/TaskMeta/CreateTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/DeleteEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeleteEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
index 92dc8e1..fa662fc 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteEffortTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $effortRepository,
+        private readonly TaskEffortRepositoryInterface $effortRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteEffortTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $effort = $this->effortRepository->find($id);
+        $effort = $this->effortRepository->findById($id);
         if (null === $effort) {
             throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeleteGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
index ae65342..41565cf 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteGroupTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $group = $this->taskGroupRepository->find($id);
+        $group = $this->taskGroupRepository->findById($id);
         if (null === $group) {
             throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeletePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeletePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
index 4c9b25a..025b986 100644
--- a/src/Mcp/Tool/TaskMeta/DeletePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeletePriorityTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $priorityRepository,
+        private readonly TaskPriorityRepositoryInterface $priorityRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeletePriorityTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $priority = $this->priorityRepository->find($id);
+        $priority = $this->priorityRepository->findById($id);
         if (null === $priority) {
             throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
similarity index 80%
rename from src/Mcp/Tool/TaskMeta/DeleteStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
index d5aab15..5a4122d 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteStatusTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $statusRepository,
+        private readonly TaskStatusRepositoryInterface $statusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $status = $this->statusRepository->find($id);
+        $status = $this->statusRepository->findById($id);
         if (null === $status) {
             throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
similarity index 80%
rename from src/Mcp/Tool/TaskMeta/DeleteTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
index 78e2660..cc7538e 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteTagTool
 {
     public function __construct(
-        private readonly TaskTagRepository $tagRepository,
+        private readonly TaskTagRepositoryInterface $tagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteTagTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $tag = $this->tagRepository->find($id);
+        $tag = $this->tagRepository->findById($id);
         if (null === $tag) {
             throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/ListEffortsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/ListEffortsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
index c7d67d0..c47f201 100644
--- a/src/Mcp/Tool/TaskMeta/ListEffortsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListEffortsTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $taskEffortRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListGroupsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/ListGroupsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
index 373e7f1..6f42412 100644
--- a/src/Mcp/Tool/TaskMeta/ListGroupsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListGroupsTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
index df06447..ed590ad 100644
--- a/src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListPrioritiesTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $taskPriorityRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListStatusesTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
similarity index 85%
rename from src/Mcp/Tool/TaskMeta/ListStatusesTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
index db6c8e3..709b60a 100644
--- a/src/Mcp/Tool/TaskMeta/ListStatusesTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\Project;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,7 +18,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListStatusesTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $taskStatusRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
diff --git a/src/Mcp/Tool/TaskMeta/ListTagsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/ListTagsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
index d43287d..0650400 100644
--- a/src/Mcp/Tool/TaskMeta/ListTagsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTagsTool
 {
     public function __construct(
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/UpdateEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/UpdateEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
index b317d6c..657495a 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdateEffortTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $effortRepository,
+        private readonly TaskEffortRepositoryInterface $effortRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdateEffortTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $effort = $this->effortRepository->find($id);
+        $effort = $this->effortRepository->findById($id);
         if (null === $effort) {
             throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
similarity index 81%
rename from src/Mcp/Tool/TaskMeta/UpdateGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
index 1b78ac0..67362e2 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateGroupTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -34,7 +34,7 @@ class UpdateGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $group = $this->taskGroupRepository->find($id);
+        $group = $this->taskGroupRepository->findById($id);
 
         if (null === $group) {
             throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
similarity index 81%
rename from src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
index 992feff..26c37db 100644
--- a/src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdatePriorityTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $priorityRepository,
+        private readonly TaskPriorityRepositoryInterface $priorityRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdatePriorityTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $priority = $this->priorityRepository->find($id);
+        $priority = $this->priorityRepository->findById($id);
         if (null === $priority) {
             throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
similarity index 86%
rename from src/Mcp/Tool/TaskMeta/UpdateStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
index 09e12cb..23b2f33 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Enum\StatusCategory;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateStatusTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $statusRepository,
+        private readonly TaskStatusRepositoryInterface $statusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -35,7 +35,7 @@ class UpdateStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $status = $this->statusRepository->find($id);
+        $status = $this->statusRepository->findById($id);
         if (null === $status) {
             throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
similarity index 82%
rename from src/Mcp/Tool/TaskMeta/UpdateTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
index 60cff41..37482f2 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdateTagTool
 {
     public function __construct(
-        private readonly TaskTagRepository $tagRepository,
+        private readonly TaskTagRepositoryInterface $tagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdateTagTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $tag = $this->tagRepository->find($id);
+        $tag = $this->tagRepository->findById($id);
         if (null === $tag) {
             throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Workflow/ListWorkflowsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
similarity index 86%
rename from src/Mcp/Tool/Workflow/ListWorkflowsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
index 03701d2..b1d713c 100644
--- a/src/Mcp/Tool/Workflow/ListWorkflowsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Workflow;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Workflow;
 
-use App\Repository\WorkflowRepository;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -16,7 +16,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListWorkflowsTool
 {
     public function __construct(
-        private readonly WorkflowRepository $workflowRepository,
+        private readonly WorkflowRepositoryInterface $workflowRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
similarity index 90%
rename from src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
index f0448f7..07f2b82 100644
--- a/src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Workflow;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Workflow;
 
 use ApiPlatform\Metadata\Post;
-use App\Entity\Project;
-use App\State\SwitchProjectWorkflowProcessor;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\SwitchProjectWorkflowProcessor;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Service/CalDavService.php b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
similarity index 94%
rename from src/Service/CalDavService.php
rename to src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
index cd56476..a35ef38 100644
--- a/src/Service/CalDavService.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\ProjectManagement\Infrastructure\Service;
 
-use App\Entity\Task;
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use DateTimeZone;
 use Psr\Log\LoggerInterface;
 use Sabre\VObject\Component\VCalendar;
@@ -20,7 +21,7 @@ use const ENT_QUOTES;
 final class CalDavService
 {
     public function __construct(
-        private readonly ZimbraConfigurationRepository $configRepository,
+        private readonly ZimbraConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly HttpClientInterface $httpClient,
         private readonly LoggerInterface $logger,
@@ -133,6 +134,12 @@ final class CalDavService
 
     public function syncTask(Task $task): void
     {
+        // No CalDAV server configured/enabled: skip all remote interaction so a
+        // task save never triggers a doomed HTTP request nor stores a sync error.
+        if (!$this->isConfigured()) {
+            return;
+        }
+
         if (!$task->isSyncToCalendar()) {
             $this->deleteEvent($task->getCalendarEventUid());
             $this->deleteTodo($task->getCalendarTodoUid());
diff --git a/src/Service/RecurrenceCalculator.php b/src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
similarity index 96%
rename from src/Service/RecurrenceCalculator.php
rename to src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
index f501a0b..fc67fca 100644
--- a/src/Service/RecurrenceCalculator.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\ProjectManagement\Infrastructure\Service;
 
-use App\Entity\Task;
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
 use DateTimeImmutable;
 
 final class RecurrenceCalculator
diff --git a/src/Module/ProjectManagement/ProjectManagementModule.php b/src/Module/ProjectManagement/ProjectManagementModule.php
new file mode 100644
index 0000000..06dddd0
--- /dev/null
+++ b/src/Module/ProjectManagement/ProjectManagementModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class ProjectManagementModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'project-management';
+    }
+
+    public static function label(): string
+    {
+        return 'Projets & Tâches';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module ProjectManagement (2.2).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'project-management.projects.view', 'label' => 'Voir les projets'],
+            ['code' => 'project-management.projects.manage', 'label' => 'Gérer les projets'],
+            ['code' => 'project-management.tasks.view', 'label' => 'Voir les tâches'],
+            ['code' => 'project-management.tasks.manage', 'label' => 'Gérer les tâches'],
+        ];
+    }
+}
diff --git a/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php b/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
new file mode 100644
index 0000000..2064eed
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Absences approuvees agregees par type sur une periode.
+ */
+final readonly class AbsencesByTypeOutput
+{
+    public function __construct(
+        public string $type,
+        public int $count,
+        public float $totalDays,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php b/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
new file mode 100644
index 0000000..01fd0ab
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Nombre de taches non archivees regroupees par statut.
+ *
+ * `statusId` peut etre null pour les taches sans statut (LEFT JOIN).
+ */
+final readonly class TasksByStatusOutput
+{
+    public function __construct(
+        public ?int $statusId,
+        public string $statusLabel,
+        public int $count,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php b/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
new file mode 100644
index 0000000..cacddd0
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Heures travaillees agregees par projet sur une periode.
+ */
+final readonly class TimePerProjectOutput
+{
+    public function __construct(
+        public int $projectId,
+        public string $projectCode,
+        public string $projectName,
+        public float $hours,
+        public int $entryCount,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TimePerUserOutput.php b/src/Module/Reporting/Application/DTO/TimePerUserOutput.php
new file mode 100644
index 0000000..07f2cfc
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TimePerUserOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Heures travaillees agregees par utilisateur sur une periode.
+ */
+final readonly class TimePerUserOutput
+{
+    public function __construct(
+        public int $userId,
+        public string $username,
+        public string $fullName,
+        public float $hours,
+        public int $entryCount,
+    ) {}
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
new file mode 100644
index 0000000..5b90f1b
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\AbsencesByTypeOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\AbsencesByTypeProvider;
+
+/**
+ * Rapport en lecture seule : absences approuvees par type sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&userId=
+ * (bornes facultatives, sans defaut — un filtre absent n'applique pas la clause).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de AbsencesByTypeOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportAbsencesByType',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/absences-by-type',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: AbsencesByTypeProvider::class,
+        ),
+    ],
+    output: AbsencesByTypeOutput::class,
+)]
+final class AbsencesByTypeResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
new file mode 100644
index 0000000..b164f55
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TasksByStatusOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TasksByStatusProvider;
+
+/**
+ * Rapport en lecture seule : nombre de taches non archivees par statut.
+ *
+ * Filtre query-param : ?projectId=
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TasksByStatusOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportTasksByStatus',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/tasks-by-status',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TasksByStatusProvider::class,
+        ),
+    ],
+    output: TasksByStatusOutput::class,
+)]
+final class TasksByStatusResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
new file mode 100644
index 0000000..14b1b97
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TimePerProjectOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TimePerProjectProvider;
+
+/**
+ * Rapport en lecture seule : heures travaillees par projet sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&userId=&projectId=
+ * (from/to par defaut = mois courant si absents).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TimePerProjectOutput. Pagination desactivee
+ * (volume borne par le nombre de projets).
+ */
+#[ApiResource(
+    shortName: 'ReportTimePerProject',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/time-per-project',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TimePerProjectProvider::class,
+        ),
+    ],
+    output: TimePerProjectOutput::class,
+)]
+final class TimePerProjectResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
new file mode 100644
index 0000000..b6eba8a
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TimePerUserOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TimePerUserProvider;
+
+/**
+ * Rapport en lecture seule : heures travaillees par utilisateur sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&projectId=
+ * (from/to par defaut = mois courant si absents).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TimePerUserOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportTimePerUser',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/time-per-user',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TimePerUserProvider::class,
+        ),
+    ],
+    output: TimePerUserOutput::class,
+)]
+final class TimePerUserResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
new file mode 100644
index 0000000..75cb4b1
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\AbsencesByTypeOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport absences-par-type.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. La valeur du
+ * statut filtre ('approved') correspond au backing-value de
+ * App\Module\Absence\Domain\Enum\AbsenceStatus::Approved, mais est ecrite ici
+ * en litteral pour eviter tout import inter-module. Tous les filtres sont
+ * passes en bound params. Les bornes de date sont facultatives et sans defaut.
+ *
+ * @implements ProviderInterface<AbsencesByTypeOutput>
+ */
+final readonly class AbsencesByTypeProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    /**
+     * Backing-value de AbsenceStatus::Approved (litteral pour rester decouple).
+     */
+    private const string STATUS_APPROVED = 'approved';
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<AbsencesByTypeOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        $from   = $this->validateDate($filters['from'] ?? null, 'from');
+        $to     = $this->validateDate($filters['to'] ?? null, 'to');
+        $userId = $this->validatePositiveInt($filters['userId'] ?? null, 'userId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'ar.type AS type',
+                'COUNT(ar.id) AS cnt',
+                'COALESCE(SUM(ar.counted_days), 0) AS total_days',
+            )
+            ->from('absence_request', 'ar')
+            ->where('ar.status = :status')
+            ->setParameter('status', self::STATUS_APPROVED)
+            ->groupBy('ar.type')
+            ->orderBy('total_days', 'DESC')
+        ;
+
+        if (null !== $from) {
+            $qb->andWhere('ar.start_date >= :from')->setParameter('from', $from);
+        }
+        if (null !== $to) {
+            $qb->andWhere('ar.end_date < :to')->setParameter('to', $to);
+        }
+        if (null !== $userId) {
+            $qb->andWhere('ar.user_id = :userId')->setParameter('userId', $userId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): AbsencesByTypeOutput => new AbsencesByTypeOutput(
+            type: (string) $row['type'],
+            count: (int) $row['cnt'],
+            totalDays: round((float) $row['total_days'], 2),
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
new file mode 100644
index 0000000..82da962
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
@@ -0,0 +1,89 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use DateTimeImmutable;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Validation stricte des filtres query-param partages par les providers de reporting.
+ *
+ * Toutes les valeurs validees ici sont destinees a etre passees en bound params
+ * (jamais interpolees dans le SQL). On rejette en 400 explicite tout input
+ * malforme plutot que de laisser PostgreSQL lever une 500.
+ */
+trait ReportFilterTrait
+{
+    /**
+     * Valide une date au format strict YYYY-MM-DD.
+     *
+     * @param mixed $value valeur brute issue des query-params
+     *
+     * @return null|string la date validee, ou null si absente/vide
+     */
+    private function validateDate(mixed $value, string $paramName): ?string
+    {
+        if (null === $value || '' === $value) {
+            return null;
+        }
+
+        if (!is_string($value)) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : date YYYY-MM-DD attendue.', $paramName));
+        }
+
+        $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
+
+        if (false === $date || $date->format('Y-m-d') !== $value) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : date YYYY-MM-DD attendue (recu: "%s").', $paramName, $value));
+        }
+
+        return $value;
+    }
+
+    /**
+     * Valide un identifiant entier strictement positif.
+     *
+     * @param mixed $value valeur brute issue des query-params
+     *
+     * @return null|int l'identifiant valide, ou null si absent/vide
+     */
+    private function validatePositiveInt(mixed $value, string $paramName): ?int
+    {
+        if (null === $value || '' === $value) {
+            return null;
+        }
+
+        // Les query-params arrivent sous forme de chaine : on valide donc le
+        // format decimal positif via regex (rejette "1.5", "abc", "-3", "01"...)
+        // plutot qu'une comparaison de type juggling sensible au cs-fixer.
+        if ((!is_string($value) && !is_int($value)) || 1 !== preg_match('/^[1-9][0-9]*$/', (string) $value)) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : entier positif attendu.', $paramName));
+        }
+
+        return (int) $value;
+    }
+
+    /**
+     * Resout la plage [from, to[ avec defaut = mois courant si les deux bornes sont absentes.
+     *
+     * @param array<string, mixed> $filters
+     *
+     * @return array{0: string, 1: string} [from inclus, to exclus] au format YYYY-MM-DD
+     */
+    private function resolveDateRange(array $filters): array
+    {
+        $from = $this->validateDate($filters['from'] ?? null, 'from');
+        $to   = $this->validateDate($filters['to'] ?? null, 'to');
+
+        if (null === $from) {
+            $from = new DateTimeImmutable('first day of this month')->format('Y-m-d');
+        }
+        if (null === $to) {
+            $to = new DateTimeImmutable('first day of next month')->format('Y-m-d');
+        }
+
+        return [$from, $to];
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
new file mode 100644
index 0000000..9727f50
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TasksByStatusOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport taches-par-statut.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. Le filtre
+ * projectId est passe en bound param.
+ *
+ * @implements ProviderInterface<TasksByStatusOutput>
+ */
+final readonly class TasksByStatusProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TasksByStatusOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        $projectId = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                's.id AS status_id',
+                's.label AS status_label',
+                'COUNT(t.id) AS cnt',
+            )
+            ->from('task', 't')
+            ->leftJoin('t', 'task_status', 's', 't.status_id = s.id')
+            ->where('t.archived = false')
+            ->groupBy('s.id')
+            ->addGroupBy('s.label')
+            ->orderBy('cnt', 'DESC')
+        ;
+
+        if (null !== $projectId) {
+            $qb->andWhere('t.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TasksByStatusOutput => new TasksByStatusOutput(
+            statusId: null !== $row['status_id'] ? (int) $row['status_id'] : null,
+            statusLabel: null !== $row['status_label'] ? (string) $row['status_label'] : 'Sans statut',
+            count: (int) $row['cnt'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
new file mode 100644
index 0000000..e7f217a
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TimePerProjectOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport heures-par-projet.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. Tous les
+ * filtres sont passes en bound params (jamais interpoles).
+ *
+ * @implements ProviderInterface<TimePerProjectOutput>
+ */
+final readonly class TimePerProjectProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TimePerProjectOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        [$from, $to] = $this->resolveDateRange($filters);
+        $userId      = $this->validatePositiveInt($filters['userId'] ?? null, 'userId');
+        $projectId   = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'p.id AS project_id',
+                'p.code AS project_code',
+                'p.name AS project_name',
+                'COALESCE(SUM(EXTRACT(EPOCH FROM (te.stopped_at - te.started_at)) / 3600), 0) AS hours',
+                'COUNT(te.id) AS entry_count',
+            )
+            ->from('time_entry', 'te')
+            ->innerJoin('te', 'project', 'p', 'te.project_id = p.id')
+            ->where('te.stopped_at IS NOT NULL')
+            ->andWhere('te.started_at >= :from')
+            ->andWhere('te.started_at < :to')
+            ->setParameter('from', $from)
+            ->setParameter('to', $to)
+            ->groupBy('p.id')
+            ->addGroupBy('p.code')
+            ->addGroupBy('p.name')
+            ->orderBy('hours', 'DESC')
+        ;
+
+        if (null !== $userId) {
+            $qb->andWhere('te.user_id = :userId')->setParameter('userId', $userId);
+        }
+        if (null !== $projectId) {
+            $qb->andWhere('te.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TimePerProjectOutput => new TimePerProjectOutput(
+            projectId: (int) $row['project_id'],
+            projectCode: (string) $row['project_code'],
+            projectName: (string) $row['project_name'],
+            hours: round((float) $row['hours'], 2),
+            entryCount: (int) $row['entry_count'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
new file mode 100644
index 0000000..dc49581
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TimePerUserOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport heures-par-utilisateur.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. La table
+ * "user" est un mot reserve PostgreSQL et reste systematiquement quotee. Tous
+ * les filtres sont passes en bound params.
+ *
+ * @implements ProviderInterface<TimePerUserOutput>
+ */
+final readonly class TimePerUserProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TimePerUserOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        [$from, $to] = $this->resolveDateRange($filters);
+        $projectId   = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'u.id AS user_id',
+                'u.username AS username',
+                "TRIM(COALESCE(u.first_name, '') || ' ' || COALESCE(u.last_name, '')) AS full_name",
+                'COALESCE(SUM(EXTRACT(EPOCH FROM (te.stopped_at - te.started_at)) / 3600), 0) AS hours',
+                'COUNT(te.id) AS entry_count',
+            )
+            ->from('time_entry', 'te')
+            ->innerJoin('te', '"user"', 'u', 'te.user_id = u.id')
+            ->where('te.stopped_at IS NOT NULL')
+            ->andWhere('te.started_at >= :from')
+            ->andWhere('te.started_at < :to')
+            ->setParameter('from', $from)
+            ->setParameter('to', $to)
+            ->groupBy('u.id')
+            ->addGroupBy('u.username')
+            ->addGroupBy('u.first_name')
+            ->addGroupBy('u.last_name')
+            ->orderBy('hours', 'DESC')
+        ;
+
+        if (null !== $projectId) {
+            $qb->andWhere('te.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TimePerUserOutput => new TimePerUserOutput(
+            userId: (int) $row['user_id'],
+            username: (string) $row['username'],
+            fullName: (string) $row['full_name'],
+            hours: round((float) $row['hours'], 2),
+            entryCount: (int) $row['entry_count'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/ReportingModule.php b/src/Module/Reporting/ReportingModule.php
new file mode 100644
index 0000000..d5eca17
--- /dev/null
+++ b/src/Module/Reporting/ReportingModule.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+/**
+ * Module de reporting transverse en lecture seule.
+ *
+ * Ce module n'introduit AUCUNE entite Doctrine ni migration : il agrege les
+ * donnees existantes (time_entry, project, task, absence_request, "user") via
+ * des requetes DBAL en lecture seule. Il n'importe deliberement aucune entite
+ * d'un autre module — couplage uniquement au schema SQL physique partage.
+ */
+final class ReportingModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'reporting';
+    }
+
+    public static function label(): string
+    {
+        return 'Rapports';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'reporting.view', 'label' => 'Consulter les rapports'],
+            ['code' => 'reporting.export', 'label' => 'Exporter les rapports'],
+        ];
+    }
+}
diff --git a/src/Entity/TimeEntry.php b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
similarity index 76%
rename from src/Entity/TimeEntry.php
rename to src/Module/TimeTracking/Domain/Entity/TimeEntry.php
index b6c68a3..1ed090d 100644
--- a/src/Entity/TimeEntry.php
+++ b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\TimeTracking\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\DateFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
@@ -13,8 +13,15 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TimeEntryRepository;
-use App\State\ActiveTimeEntryProvider;
+use App\Module\TimeTracking\Infrastructure\ApiPlatform\State\ActiveTimeEntryProvider;
+use App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TaskTagInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -51,10 +58,12 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ApiFilter(SearchFilter::class, properties: ['user' => 'exact', 'project' => 'exact', 'tags' => 'exact'])]
 #[ApiFilter(DateFilter::class, properties: ['startedAt'])]
-#[ORM\Entity(repositoryClass: TimeEntryRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTimeEntryRepository::class)]
 #[ORM\UniqueConstraint(name: 'uniq_active_timer', columns: ['user_id'], options: ['where' => '(stopped_at IS NULL)'])]
-class TimeEntry
+class TimeEntry implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -77,23 +86,23 @@ class TimeEntry
     #[Groups(['time_entry:read', 'time_entry:write'])]
     private ?DateTimeImmutable $stoppedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
-    #[ORM\ManyToOne(targetEntity: Project::class)]
+    #[ORM\ManyToOne(targetEntity: ProjectInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?Project $project = null;
+    private ?ProjectInterface $project = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?Task $task = null;
+    private ?TaskInterface $task = null;
 
-    /** @var Collection<int, TaskTag> */
-    #[ORM\ManyToMany(targetEntity: TaskTag::class)]
+    /** @var Collection<int, TaskTagInterface> */
+    #[ORM\ManyToMany(targetEntity: TaskTagInterface::class)]
     #[ORM\JoinTable(
         name: 'time_entry_task_type',
         joinColumns: [new ORM\JoinColumn(name: 'time_entry_id', referencedColumnName: 'id')],
@@ -160,49 +169,49 @@ class TimeEntry
         return $this;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
         return $this;
     }
 
-    public function getProject(): ?Project
+    public function getProject(): ?ProjectInterface
     {
         return $this->project;
     }
 
-    public function setProject(?Project $project): static
+    public function setProject(?ProjectInterface $project): static
     {
         $this->project = $project;
 
         return $this;
     }
 
-    public function getTask(): ?Task
+    public function getTask(): ?TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(?Task $task): static
+    public function setTask(?TaskInterface $task): static
     {
         $this->task = $task;
 
         return $this;
     }
 
-    /** @return Collection<int, TaskTag> */
+    /** @return Collection<int, TaskTagInterface> */
     public function getTags(): Collection
     {
         return $this->tags;
     }
 
-    public function addTag(TaskTag $tag): static
+    public function addTag(TaskTagInterface $tag): static
     {
         if (!$this->tags->contains($tag)) {
             $this->tags->add($tag);
@@ -211,7 +220,7 @@ class TimeEntry
         return $this;
     }
 
-    public function removeTag(TaskTag $tag): static
+    public function removeTag(TaskTagInterface $tag): static
     {
         $this->tags->removeElement($tag);
 
diff --git a/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
new file mode 100644
index 0000000..e9c2c16
--- /dev/null
+++ b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\TimeTracking\Domain\Repository;
+
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\QueryBuilder;
+
+interface TimeEntryRepositoryInterface
+{
+    public function createQueryBuilder(string $alias, ?string $indexBy = null): QueryBuilder;
+
+    public function findById(int $id): ?TimeEntry;
+
+    public function findActiveByUser(UserInterface $user): ?TimeEntry;
+
+    /**
+     * @param null|UserInterface[]    $users
+     * @param null|ProjectInterface[] $projects
+     * @param null|int[]              $tagIds
+     *
+     * @return TimeEntry[]
+     */
+    public function findForExport(
+        DateTimeImmutable $after,
+        DateTimeImmutable $before,
+        ?array $users = null,
+        ?array $projects = null,
+        ?array $tagIds = null,
+    ): array;
+}
diff --git a/src/State/ActiveTimeEntryProvider.php b/src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
similarity index 72%
rename from src/State/ActiveTimeEntryProvider.php
rename to src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
index f366ec7..f04cfca 100644
--- a/src/State/ActiveTimeEntryProvider.php
+++ b/src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\TimeTracking\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\TimeEntry;
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**
@@ -17,7 +17,7 @@ final readonly class ActiveTimeEntryProvider implements ProviderInterface
 {
     public function __construct(
         private Security $security,
-        private TimeEntryRepository $timeEntryRepository,
+        private TimeEntryRepositoryInterface $timeEntryRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
diff --git a/src/Controller/TimeEntryExportController.php b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
similarity index 80%
rename from src/Controller/TimeEntryExportController.php
rename to src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
index 0ae7ba5..cd4894a 100644
--- a/src/Controller/TimeEntryExportController.php
+++ b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
@@ -2,14 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\TimeTracking\Infrastructure\Controller;
 
-use App\Entity\Project;
-use App\Entity\User;
-use App\Repository\TimeEntryRepository;
-use App\Service\TimeEntryExportService;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Module\TimeTracking\Infrastructure\Export\TimeEntryExportService;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
-use Doctrine\ORM\EntityManagerInterface;
 use Exception;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -23,9 +24,10 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class TimeEntryExportController extends AbstractController
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly TimeEntryExportService $exportService,
-        private readonly EntityManagerInterface $entityManager,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -54,7 +56,7 @@ class TimeEntryExportController extends AbstractController
         // --- Users ---
         $users = null;
         if (!$this->security->isGranted('ROLE_ADMIN')) {
-            /** @var User $currentUser */
+            /** @var UserInterface $currentUser */
             $currentUser = $this->security->getUser();
             $users       = [$currentUser];
         } else {
@@ -64,7 +66,7 @@ class TimeEntryExportController extends AbstractController
                 fn (int $id) => $id > 0,
             );
             if ([] !== $userIds) {
-                $users = $this->entityManager->getRepository(User::class)->findBy(['id' => $userIds]);
+                $users = $this->userRepository->findByIds($userIds);
             }
         }
 
@@ -72,7 +74,7 @@ class TimeEntryExportController extends AbstractController
         $clientId       = $request->query->getInt('client');
         $clientProjects = null;
         if ($clientId > 0) {
-            $clientProjects = $this->entityManager->getRepository(Project::class)->findBy(['client' => $clientId]);
+            $clientProjects = $this->projectRepository->findBy(['client' => $clientId]);
         }
 
         // --- Projects ---
@@ -84,13 +86,13 @@ class TimeEntryExportController extends AbstractController
             fn (int $id) => $id > 0,
         );
         if ([] !== $projectIds) {
-            $projects = $this->entityManager->getRepository(Project::class)->findBy(['id' => $projectIds]);
+            $projects = $this->projectRepository->findBy(['id' => $projectIds]);
         }
 
         // Merge: if both client and projects are set, intersect; if only client, use client projects
         if (null !== $clientProjects && null !== $projects) {
-            $clientProjectIds = array_map(fn (Project $p) => $p->getId(), $clientProjects);
-            $projects         = array_values(array_filter($projects, fn (Project $p) => in_array($p->getId(), $clientProjectIds, true)));
+            $clientProjectIds = array_map(fn (ProjectInterface $p) => $p->getId(), $clientProjects);
+            $projects         = array_values(array_filter($projects, fn (ProjectInterface $p) => in_array($p->getId(), $clientProjectIds, true)));
             if ([] === $projects) {
                 $projects = null;
                 // No matching projects — force empty result by using a dummy condition
diff --git a/src/Repository/TimeEntryRepository.php b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
similarity index 70%
rename from src/Repository/TimeEntryRepository.php
rename to src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
index b5865b1..399771b 100644
--- a/src/Repository/TimeEntryRepository.php
+++ b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\TimeTracking\Infrastructure\Doctrine;
 
-use App\Entity\Project;
-use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -14,14 +15,19 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<TimeEntry>
  */
-class TimeEntryRepository extends ServiceEntityRepository
+class DoctrineTimeEntryRepository extends ServiceEntityRepository implements TimeEntryRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, TimeEntry::class);
     }
 
-    public function findActiveByUser(User $user): ?TimeEntry
+    public function findById(int $id): ?TimeEntry
+    {
+        return $this->find($id);
+    }
+
+    public function findActiveByUser(UserInterface $user): ?TimeEntry
     {
         return $this->findOneBy([
             'user'      => $user,
@@ -30,9 +36,9 @@ class TimeEntryRepository extends ServiceEntityRepository
     }
 
     /**
-     * @param null|User[]    $users
-     * @param null|Project[] $projects
-     * @param null|int[]     $tagIds
+     * @param null|UserInterface[]    $users
+     * @param null|ProjectInterface[] $projects
+     * @param null|int[]              $tagIds
      *
      * @return TimeEntry[]
      */
diff --git a/src/Service/TimeEntryExportService.php b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
similarity index 98%
rename from src/Service/TimeEntryExportService.php
rename to src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
index f078f3a..ebbbf8f 100644
--- a/src/Service/TimeEntryExportService.php
+++ b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
@@ -2,9 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\TimeTracking\Infrastructure\Export;
 
-use App\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
 use DateTimeImmutable;
 use PhpOffice\PhpSpreadsheet\Cell\Coordinate;
 use PhpOffice\PhpSpreadsheet\Spreadsheet;
@@ -70,6 +71,7 @@ class TimeEntryExportService
             $task      = $entry->getTask();
             $taskLabel = '';
             if (null !== $task) {
+                /** @var null|ProjectInterface $project */
                 $project   = $task->getProject();
                 $code      = $project?->getCode() ?? '';
                 $taskLabel = $code.'-'.$task->getNumber().' - '.$task->getTitle();
diff --git a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
similarity index 74%
rename from src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
index 5f5a223..464f4df 100644
--- a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Entity\TimeEntry;
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskTagRepository;
-use App\Repository\TimeEntryRepository;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -25,11 +25,11 @@ class CreateTimeEntryTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskTagRepository $taskTagRepository,
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly DoctrineUserRepository $userRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly Security $security,
     ) {}
 
@@ -77,14 +77,14 @@ class CreateTimeEntryTool
             $entry->setDescription($description);
         }
         if (null !== $projectId) {
-            $project = $this->projectRepository->find($projectId);
+            $project = $this->projectRepository->findById($projectId);
             if (null === $project) {
                 throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
             }
             $entry->setProject($project);
         }
         if (null !== $taskId) {
-            $task = $this->taskRepository->find($taskId);
+            $task = $this->taskRepository->findById($taskId);
             if (null === $task) {
                 throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
             }
@@ -92,7 +92,7 @@ class CreateTimeEntryTool
         }
         if (null !== $tagIds) {
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
similarity index 80%
rename from src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
index 2e50a0f..dd5f13a 100644
--- a/src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteTimeEntryTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteTimeEntryTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $entry = $this->timeEntryRepository->find($id);
+        $entry = $this->timeEntryRepository->findById($id);
 
         if (null === $entry) {
             throw new InvalidArgumentException(sprintf('TimeEntry with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
similarity index 89%
rename from src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
index 243e8a7..2fb7612 100644
--- a/src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -15,7 +15,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTimeEntriesTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
similarity index 74%
rename from src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
index c164fc9..8d70bab 100644
--- a/src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskTagRepository;
-use App\Repository\TimeEntryRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -22,10 +22,10 @@ use function sprintf;
 class UpdateTimeEntryTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -47,7 +47,7 @@ class UpdateTimeEntryTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $entry = $this->timeEntryRepository->find($id);
+        $entry = $this->timeEntryRepository->findById($id);
 
         if (null === $entry) {
             throw new InvalidArgumentException(sprintf('TimeEntry with ID %d not found.', $id));
@@ -66,14 +66,14 @@ class UpdateTimeEntryTool
             $entry->setDescription($description);
         }
         if (null !== $projectId) {
-            $project = $this->projectRepository->find($projectId);
+            $project = $this->projectRepository->findById($projectId);
             if (null === $project) {
                 throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
             }
             $entry->setProject($project);
         }
         if (null !== $taskId) {
-            $task = $this->taskRepository->find($taskId);
+            $task = $this->taskRepository->findById($taskId);
             if (null === $task) {
                 throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
             }
@@ -84,7 +84,7 @@ class UpdateTimeEntryTool
                 $entry->removeTag($existingTag);
             }
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Module/TimeTracking/TimeTrackingModule.php b/src/Module/TimeTracking/TimeTrackingModule.php
new file mode 100644
index 0000000..d7982d0
--- /dev/null
+++ b/src/Module/TimeTracking/TimeTrackingModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\TimeTracking;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class TimeTrackingModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'time-tracking';
+    }
+
+    public static function label(): string
+    {
+        return 'Suivi des temps';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module TimeTracking (2.1).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'time-tracking.entries.view', 'label' => 'Voir les saisies de temps'],
+            ['code' => 'time-tracking.entries.export', 'label' => 'Exporter les saisies de temps'],
+        ];
+    }
+}
diff --git a/src/Repository/AbsenceBalanceRepository.php b/src/Repository/AbsenceBalanceRepository.php
deleted file mode 100644
index 9e74b73..0000000
--- a/src/Repository/AbsenceBalanceRepository.php
+++ /dev/null
@@ -1,31 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\AbsenceBalance;
-use App\Entity\User;
-use App\Enum\AbsenceType;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-/**
- * @extends ServiceEntityRepository<AbsenceBalance>
- */
-class AbsenceBalanceRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, AbsenceBalance::class);
-    }
-
-    public function findOneForPeriod(User $user, AbsenceType $type, string $period): ?AbsenceBalance
-    {
-        return $this->findOneBy([
-            'user'   => $user,
-            'type'   => $type,
-            'period' => $period,
-        ]);
-    }
-}
diff --git a/src/Repository/BookStackConfigurationRepository.php b/src/Repository/BookStackConfigurationRepository.php
deleted file mode 100644
index 648321d..0000000
--- a/src/Repository/BookStackConfigurationRepository.php
+++ /dev/null
@@ -1,22 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\BookStackConfiguration;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class BookStackConfigurationRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, BookStackConfiguration::class);
-    }
-
-    public function findSingleton(): ?BookStackConfiguration
-    {
-        return $this->findOneBy([]);
-    }
-}
diff --git a/src/Repository/ClientRepository.php b/src/Repository/ClientRepository.php
deleted file mode 100644
index 198e9d2..0000000
--- a/src/Repository/ClientRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\Client;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class ClientRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, Client::class);
-    }
-}
diff --git a/src/Repository/ProjectRepository.php b/src/Repository/ProjectRepository.php
deleted file mode 100644
index 6455dae..0000000
--- a/src/Repository/ProjectRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\Project;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class ProjectRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, Project::class);
-    }
-}
diff --git a/src/Repository/TaskBookStackLinkRepository.php b/src/Repository/TaskBookStackLinkRepository.php
deleted file mode 100644
index 8096ccb..0000000
--- a/src/Repository/TaskBookStackLinkRepository.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskBookStackLink;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskBookStackLinkRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskBookStackLink::class);
-    }
-
-    /** @return TaskBookStackLink[] */
-    public function findByTaskId(int $taskId): array
-    {
-        return $this->findBy(['task' => $taskId], ['createdAt' => 'DESC']);
-    }
-}
diff --git a/src/Repository/TaskEffortRepository.php b/src/Repository/TaskEffortRepository.php
deleted file mode 100644
index 22c2c90..0000000
--- a/src/Repository/TaskEffortRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskEffort;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskEffortRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskEffort::class);
-    }
-}
diff --git a/src/Repository/TaskGroupRepository.php b/src/Repository/TaskGroupRepository.php
deleted file mode 100644
index a8c9053..0000000
--- a/src/Repository/TaskGroupRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskGroup;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskGroupRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskGroup::class);
-    }
-}
diff --git a/src/Repository/TaskPriorityRepository.php b/src/Repository/TaskPriorityRepository.php
deleted file mode 100644
index b6ffca6..0000000
--- a/src/Repository/TaskPriorityRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskPriority;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskPriorityRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskPriority::class);
-    }
-}
diff --git a/src/Repository/TaskRecurrenceRepository.php b/src/Repository/TaskRecurrenceRepository.php
deleted file mode 100644
index b73eb6b..0000000
--- a/src/Repository/TaskRecurrenceRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskRecurrence;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskRecurrenceRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskRecurrence::class);
-    }
-}
diff --git a/src/Repository/TaskTagRepository.php b/src/Repository/TaskTagRepository.php
deleted file mode 100644
index 43540a8..0000000
--- a/src/Repository/TaskTagRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskTag;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskTagRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskTag::class);
-    }
-}
diff --git a/src/Security/ApiTokenAuthenticator.php b/src/Security/ApiTokenAuthenticator.php
index 1d091a0..03b1978 100644
--- a/src/Security/ApiTokenAuthenticator.php
+++ b/src/Security/ApiTokenAuthenticator.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Security;
 
-use App\Entity\User;
-use App\Repository\UserRepository;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -20,7 +20,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPasspor
 class ApiTokenAuthenticator extends AbstractAuthenticator
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
     ) {}
 
     public function supports(Request $request): ?bool
diff --git a/src/Shared/Application/CurrentUserProviderInterface.php b/src/Shared/Application/CurrentUserProviderInterface.php
new file mode 100644
index 0000000..da670e2
--- /dev/null
+++ b/src/Shared/Application/CurrentUserProviderInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Application;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface CurrentUserProviderInterface
+{
+    public function getCurrentUser(): ?UserInterface;
+}
diff --git a/src/Shared/Domain/Attribute/AuditIgnore.php b/src/Shared/Domain/Attribute/AuditIgnore.php
new file mode 100644
index 0000000..8f95350
--- /dev/null
+++ b/src/Shared/Domain/Attribute/AuditIgnore.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore {}
diff --git a/src/Shared/Domain/Attribute/Auditable.php b/src/Shared/Domain/Attribute/Auditable.php
new file mode 100644
index 0000000..94c78a9
--- /dev/null
+++ b/src/Shared/Domain/Attribute/Auditable.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable {}
diff --git a/src/Shared/Domain/Contract/BlamableInterface.php b/src/Shared/Domain/Contract/BlamableInterface.php
new file mode 100644
index 0000000..8063312
--- /dev/null
+++ b/src/Shared/Domain/Contract/BlamableInterface.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface BlamableInterface
+{
+    public function getCreatedBy(): ?UserInterface;
+
+    public function setCreatedBy(?UserInterface $user): void;
+
+    public function getUpdatedBy(): ?UserInterface;
+
+    public function setUpdatedBy(?UserInterface $user): void;
+}
diff --git a/src/Shared/Domain/Contract/ClientInterface.php b/src/Shared/Domain/Contract/ClientInterface.php
new file mode 100644
index 0000000..afe7b3a
--- /dev/null
+++ b/src/Shared/Domain/Contract/ClientInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un client, consommé hors du module qui le possède.
+ */
+interface ClientInterface
+{
+    public function getId(): ?int;
+
+    public function getName(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/LeaveProfileInterface.php b/src/Shared/Domain/Contract/LeaveProfileInterface.php
new file mode 100644
index 0000000..b8656b8
--- /dev/null
+++ b/src/Shared/Domain/Contract/LeaveProfileInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * HR leave profile of an employee, consumed by the Absence module without
+ * coupling it to the concrete Core User entity.
+ *
+ * Exposes only the RH getters actually used by AbsenceBalanceService and
+ * AccrueLeaveCommand. This is a service-level typing contract, not a Doctrine
+ * relation (no resolve_target_entities entry).
+ */
+interface LeaveProfileInterface
+{
+    public function getWorkTimeRatio(): float;
+
+    public function getAnnualLeaveDays(): float;
+
+    public function getReferencePeriodStart(): string;
+
+    public function getInitialLeaveBalance(): float;
+}
diff --git a/src/Shared/Domain/Contract/NotifierInterface.php b/src/Shared/Domain/Contract/NotifierInterface.php
new file mode 100644
index 0000000..b3643f1
--- /dev/null
+++ b/src/Shared/Domain/Contract/NotifierInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(
+        UserInterface $user,
+        string $type,
+        string $title,
+        string $message,
+    ): void;
+}
diff --git a/src/Shared/Domain/Contract/ProjectInterface.php b/src/Shared/Domain/Contract/ProjectInterface.php
new file mode 100644
index 0000000..12af6f1
--- /dev/null
+++ b/src/Shared/Domain/Contract/ProjectInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un projet, consommé hors du module qui le possède.
+ */
+interface ProjectInterface
+{
+    public function getId(): ?int;
+
+    public function getCode(): ?string;
+
+    public function getName(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/TaskInterface.php b/src/Shared/Domain/Contract/TaskInterface.php
new file mode 100644
index 0000000..4742c4a
--- /dev/null
+++ b/src/Shared/Domain/Contract/TaskInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'une tâche, consommé hors du module qui la possède.
+ */
+interface TaskInterface
+{
+    public function getId(): ?int;
+
+    public function getNumber(): ?int;
+
+    public function getTitle(): ?string;
+
+    public function getProject(): ?ProjectInterface;
+}
diff --git a/src/Shared/Domain/Contract/TaskTagInterface.php b/src/Shared/Domain/Contract/TaskTagInterface.php
new file mode 100644
index 0000000..3887c46
--- /dev/null
+++ b/src/Shared/Domain/Contract/TaskTagInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un tag de tâche, consommé hors du module qui le possède.
+ */
+interface TaskTagInterface
+{
+    public function getId(): ?int;
+
+    public function getLabel(): ?string;
+
+    public function getColor(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/TimestampableInterface.php b/src/Shared/Domain/Contract/TimestampableInterface.php
new file mode 100644
index 0000000..2a272ac
--- /dev/null
+++ b/src/Shared/Domain/Contract/TimestampableInterface.php
@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+use DateTimeImmutable;
+
+interface TimestampableInterface
+{
+    public function getCreatedAt(): ?DateTimeImmutable;
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): void;
+
+    public function getUpdatedAt(): ?DateTimeImmutable;
+
+    public function setUpdatedAt(DateTimeImmutable $updatedAt): void;
+}
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
new file mode 100644
index 0000000..7a3e89a
--- /dev/null
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
+interface UserInterface
+{
+    public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): ?string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function getIsEmployee(): bool;
+
+    /** @return list<string> */
+    public function getEffectivePermissions(): array;
+}
diff --git a/src/Shared/Domain/Module/ModuleInterface.php b/src/Shared/Domain/Module/ModuleInterface.php
new file mode 100644
index 0000000..c390297
--- /dev/null
+++ b/src/Shared/Domain/Module/ModuleInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+/**
+ * Implemented by every `*Module` declaration class. The set of active modules
+ * is listed in config/modules.php and exposed via GET /api/modules.
+ */
+interface ModuleInterface
+{
+    public static function id(): string;
+
+    public static function label(): string;
+
+    public static function isRequired(): bool;
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array;
+}
diff --git a/src/Shared/Domain/Module/ModuleRegistry.php b/src/Shared/Domain/Module/ModuleRegistry.php
new file mode 100644
index 0000000..b0ce7e0
--- /dev/null
+++ b/src/Shared/Domain/Module/ModuleRegistry.php
@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+use InvalidArgumentException;
+
+final class ModuleRegistry
+{
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<string>
+     */
+    public static function ids(array $moduleClasses): array
+    {
+        $ids = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
+            }
+            $id = $moduleClass::id();
+            if (in_array($id, $ids, true)) {
+                throw new InvalidArgumentException(sprintf('Module ID "%s" déclaré plusieurs fois dans la configuration des modules.', $id));
+            }
+            $ids[] = $id;
+        }
+
+        return $ids;
+    }
+
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<array{code: string, label: string, module: string}>
+     */
+    public static function permissions(array $moduleClasses): array
+    {
+        $out = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
+            }
+            $moduleId = $moduleClass::id();
+            foreach ($moduleClass::permissions() as $perm) {
+                $code = $perm['code'];
+                if (!str_starts_with($code, $moduleId.'.')) {
+                    throw new InvalidArgumentException(sprintf('Permission "%s" du module "%s" doit être préfixée par "%s.".', $code, $moduleId, $moduleId));
+                }
+                $out[] = ['code' => $code, 'label' => $perm['label'], 'module' => $moduleId];
+            }
+        }
+
+        return $out;
+    }
+}
diff --git a/src/Shared/Domain/Sidebar/SidebarFilter.php b/src/Shared/Domain/Sidebar/SidebarFilter.php
new file mode 100644
index 0000000..e39f8c4
--- /dev/null
+++ b/src/Shared/Domain/Sidebar/SidebarFilter.php
@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, roles?:list<string>, permission?:string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:string}>}> $sections
+     * @param list<string>                                                                                                                                                                                       $activeModuleIds
+     * @param list<string>                                                                                                                                                                                       $activeRoles
+     * @param list<string>                                                                                                                                                                                       $activePermissions
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = [], array $activePermissions = []): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            // Gate de rôle au niveau section (ne pollue pas disabledRoutes : réservé au filtrage module).
+            if (!self::rolesSatisfied($section['roles'] ?? null, $activeRoles)) {
+                continue;
+            }
+
+            // Gate de permission au niveau section (RBAC fin).
+            if (!self::permissionSatisfied($section['permission'] ?? null, $activePermissions)) {
+                continue;
+            }
+
+            $items = [];
+            foreach ($section['items'] as $item) {
+                // Gate de rôle au niveau item.
+                if (!self::rolesSatisfied($item['roles'] ?? null, $activeRoles)) {
+                    continue;
+                }
+
+                // Gate de permission au niveau item (RBAC fin).
+                if (!self::permissionSatisfied($item['permission'] ?? null, $activePermissions)) {
+                    continue;
+                }
+
+                // Filtrage par module actif (pilote la redirection front via disabledRoutes).
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+
+    /**
+     * @param null|list<string> $required
+     * @param list<string>      $activeRoles
+     */
+    private static function rolesSatisfied(?array $required, array $activeRoles): bool
+    {
+        if (null === $required || [] === $required) {
+            return true;
+        }
+
+        foreach ($required as $role) {
+            if (in_array($role, $activeRoles, true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @param list<string> $activePermissions
+     */
+    private static function permissionSatisfied(?string $required, array $activePermissions): bool
+    {
+        if (null === $required || '' === $required) {
+            return true;
+        }
+
+        return in_array($required, $activePermissions, true);
+    }
+}
diff --git a/src/Shared/Domain/Trait/TimestampableBlamableTrait.php b/src/Shared/Domain/Trait/TimestampableBlamableTrait.php
new file mode 100644
index 0000000..41a421b
--- /dev/null
+++ b/src/Shared/Domain/Trait/TimestampableBlamableTrait.php
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Trait;
+
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+trait TimestampableBlamableTrait
+{
+    #[ORM\Column(name: 'created_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\Column(name: 'updated_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?DateTimeImmutable $updatedAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'created_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $createdBy = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'updated_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $updatedBy = null;
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): void
+    {
+        $this->createdAt = $createdAt;
+    }
+
+    public function getUpdatedAt(): ?DateTimeImmutable
+    {
+        return $this->updatedAt;
+    }
+
+    public function setUpdatedAt(DateTimeImmutable $updatedAt): void
+    {
+        $this->updatedAt = $updatedAt;
+    }
+
+    public function getCreatedBy(): ?UserInterface
+    {
+        return $this->createdBy;
+    }
+
+    public function setCreatedBy(?UserInterface $user): void
+    {
+        $this->createdBy = $user;
+    }
+
+    public function getUpdatedBy(): ?UserInterface
+    {
+        return $this->updatedBy;
+    }
+
+    public function setUpdatedBy(?UserInterface $user): void
+    {
+        $this->updatedBy = $user;
+    }
+}
diff --git a/src/ApiResource/AppVersion.php b/src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
similarity index 78%
rename from src/ApiResource/AppVersion.php
rename to src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
index ba3c071..583e22c 100644
--- a/src/ApiResource/AppVersion.php
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use App\State\AppVersionProvider;
+use App\Shared\Infrastructure\ApiPlatform\State\AppVersionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php b/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
new file mode 100644
index 0000000..b00fd3a
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\ModulesProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/modules',
+            normalizationContext: ['groups' => ['modules:read']],
+            provider: ModulesProvider::class,
+        ),
+    ],
+)]
+final class ModulesResource
+{
+    /**
+     * @var list<string>
+     */
+    #[Groups(['modules:read'])]
+    public array $modules = [];
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php b/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
new file mode 100644
index 0000000..c90877e
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\SidebarProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/sidebar',
+            normalizationContext: ['groups' => ['sidebar:read']],
+            provider: SidebarProvider::class,
+        ),
+    ],
+)]
+final class SidebarResource
+{
+    /**
+     * @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $sections = [];
+
+    /**
+     * @var list<string>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $disabledRoutes = [];
+}
diff --git a/src/State/AppVersionProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
similarity index 83%
rename from src/State/AppVersionProvider.php
rename to src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
index cc65752..5ef11be 100644
--- a/src/State/AppVersionProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Shared\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\AppVersion;
+use App\Shared\Infrastructure\ApiPlatform\Resource\AppVersion;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
 final readonly class AppVersionProvider implements ProviderInterface
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
new file mode 100644
index 0000000..b5204b7
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Infrastructure\ApiPlatform\Resource\ModulesResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class ModulesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ModulesResource
+    {
+        /** @var list<class-string> $classes */
+        $classes = require $this->projectDir.'/config/modules.php';
+
+        $dto          = new ModulesResource();
+        $dto->modules = ModuleRegistry::ids($classes);
+
+        return $dto;
+    }
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
new file mode 100644
index 0000000..8f7ee43
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+        private Security $security,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        /** @var list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $user  = $this->security->getUser();
+        $roles = null !== $user ? $user->getRoles() : [];
+
+        // RBAC fin : permissions effectives du contrat. ROLE_ADMIN bypasse tout (Décision 1) :
+        // on lui injecte le catalogue complet des permissions déclarées pour satisfaire les gates.
+        if (in_array('ROLE_ADMIN', $roles, true)) {
+            $permissions = array_column(ModuleRegistry::permissions($moduleClasses), 'code');
+        } else {
+            $permissions = $user instanceof UserInterface ? $user->getEffectivePermissions() : [];
+        }
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles), $permissions);
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
diff --git a/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php b/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
new file mode 100644
index 0000000..16d070e
--- /dev/null
+++ b/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Database;
+
+final class ColumnCommentsCatalog
+{
+    /**
+     * SQL `COMMENT ON COLUMN` statements for the 4 standard Timestampable/Blamable columns.
+     * Call from a migration: foreach (...) { $this->addSql($statement); }.
+     *
+     * @return list<string>
+     */
+    public static function timestampableBlamableComments(string $table): array
+    {
+        return [
+            "COMMENT ON COLUMN {$table}.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.updated_at IS 'Date de derniere modification (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.created_by IS 'Auteur de la creation (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+            "COMMENT ON COLUMN {$table}.updated_by IS 'Auteur de la derniere modification (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+        ];
+    }
+}
diff --git a/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php b/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
new file mode 100644
index 0000000..2aa832a
--- /dev/null
+++ b/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use DateTimeImmutable;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\ORM\Events;
+
+#[AsDoctrineListener(event: Events::prePersist)]
+#[AsDoctrineListener(event: Events::preUpdate)]
+final readonly class TimestampableBlamableSubscriber
+{
+    public function __construct(
+        private CurrentUserProviderInterface $currentUserProvider,
+    ) {}
+
+    public function prePersist(PrePersistEventArgs $args): void
+    {
+        $this->applyOnCreate($args->getObject());
+    }
+
+    public function preUpdate(PreUpdateEventArgs $args): void
+    {
+        $this->applyOnUpdate($args->getObject());
+    }
+
+    public function applyOnCreate(object $entity): void
+    {
+        $now = new DateTimeImmutable();
+
+        if ($entity instanceof TimestampableInterface) {
+            if (null === $entity->getCreatedAt()) {
+                $entity->setCreatedAt($now);
+            }
+            $entity->setUpdatedAt($now);
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $user = $this->currentUserProvider->getCurrentUser();
+            if (null === $entity->getCreatedBy()) {
+                $entity->setCreatedBy($user);
+            }
+            $entity->setUpdatedBy($user);
+        }
+    }
+
+    public function applyOnUpdate(object $entity): void
+    {
+        if ($entity instanceof TimestampableInterface) {
+            $entity->setUpdatedAt(new DateTimeImmutable());
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $entity->setUpdatedBy($this->currentUserProvider->getCurrentUser());
+        }
+    }
+}
diff --git a/src/Mcp/Tool/Serializer.php b/src/Shared/Infrastructure/Mcp/Serializer.php
similarity index 81%
rename from src/Mcp/Tool/Serializer.php
rename to src/Shared/Infrastructure/Mcp/Serializer.php
index 51a47f0..c8269d7 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Shared/Infrastructure/Mcp/Serializer.php
@@ -2,22 +2,26 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool;
+namespace App\Shared\Infrastructure\Mcp;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Entity\AbsenceRequest;
-use App\Entity\Client;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskDocument;
-use App\Entity\TaskEffort;
-use App\Entity\TaskGroup;
-use App\Entity\TaskPriority;
-use App\Entity\TaskStatus;
-use App\Entity\TaskTag;
-use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TaskTagInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Common\Collections\Collection;
 
 /**
@@ -30,7 +34,7 @@ final class Serializer
     /**
      * @return array{id: ?int, code: ?string, name: ?string}
      */
-    public static function projectRef(Project $project): array
+    public static function projectRef(ProjectInterface $project): array
     {
         return [
             'id'   => $project->getId(),
@@ -125,7 +129,7 @@ final class Serializer
     /**
      * @return null|array{id: ?int, username: ?string}
      */
-    public static function user(?User $user): ?array
+    public static function user(?UserInterface $user): ?array
     {
         if (null === $user) {
             return null;
@@ -138,13 +142,13 @@ final class Serializer
     }
 
     /**
-     * @param Collection<int, User> $users
+     * @param Collection<int, UserInterface> $users
      *
      * @return list<array{id: ?int, username: ?string}>
      */
     public static function users(Collection $users): array
     {
-        return $users->map(fn (User $u) => [
+        return $users->map(fn (UserInterface $u) => [
             'id'       => $u->getId(),
             'username' => $u->getUsername(),
         ])->toArray();
@@ -199,13 +203,13 @@ final class Serializer
     }
 
     /**
-     * @param Collection<int, TaskTag> $tags
+     * @param Collection<int, TaskTagInterface> $tags
      *
      * @return list<array{id: ?int, label: ?string}>
      */
     public static function tags(Collection $tags): array
     {
-        return $tags->map(fn (TaskTag $t) => [
+        return $tags->map(fn (TaskTagInterface $t) => [
             'id'    => $t->getId(),
             'label' => $t->getLabel(),
         ])->toArray();
@@ -243,7 +247,7 @@ final class Serializer
     /**
      * @return null|array{id: ?int, number: ?int, title: ?string}
      */
-    public static function taskRef(?Task $task): ?array
+    public static function taskRef(?TaskInterface $task): ?array
     {
         if (null === $task) {
             return null;
@@ -362,13 +366,36 @@ final class Serializer
     public static function client(Client $c): array
     {
         return [
-            'id'         => $c->getId(),
-            'name'       => $c->getName(),
-            'email'      => $c->getEmail(),
-            'phone'      => $c->getPhone(),
-            'street'     => $c->getStreet(),
-            'city'       => $c->getCity(),
-            'postalCode' => $c->getPostalCode(),
+            'id'    => $c->getId(),
+            'name'  => $c->getName(),
+            'email' => $c->getEmail(),
+            'phone' => $c->getPhone(),
+        ];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public static function prospect(Prospect $p): array
+    {
+        $client = $p->getConvertedClient();
+
+        return [
+            'id'              => $p->getId(),
+            'name'            => $p->getName(),
+            'company'         => $p->getCompany(),
+            'email'           => $p->getEmail(),
+            'phone'           => $p->getPhone(),
+            'status'          => $p->getStatus()->value,
+            'statusLabel'     => $p->getStatus()->label(),
+            'source'          => $p->getSource(),
+            'notes'           => $p->getNotes(),
+            'convertedClient' => null === $client ? null : [
+                'id'   => $client->getId(),
+                'name' => $client->getName(),
+            ],
+            'createdAt' => $p->getCreatedAt()?->format('c'),
+            'updatedAt' => $p->getUpdatedAt()?->format('c'),
         ];
     }
 
diff --git a/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php b/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
new file mode 100644
index 0000000..2d9a5b3
--- /dev/null
+++ b/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Security;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class SecurityCurrentUserProvider implements CurrentUserProviderInterface
+{
+    public function __construct(
+        private Security $security,
+    ) {}
+
+    public function getCurrentUser(): ?UserInterface
+    {
+        $user = $this->security->getUser();
+
+        return $user instanceof UserInterface ? $user : null;
+    }
+}
diff --git a/src/Service/TokenEncryptor.php b/src/Shared/Infrastructure/Service/TokenEncryptor.php
similarity index 97%
rename from src/Service/TokenEncryptor.php
rename to src/Shared/Infrastructure/Service/TokenEncryptor.php
index 4ba94ce..cdcebc9 100644
--- a/src/Service/TokenEncryptor.php
+++ b/src/Shared/Infrastructure/Service/TokenEncryptor.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Shared\Infrastructure\Service;
 
 use RuntimeException;
 use SodiumException;
diff --git a/tests/Functional/Controller/Mail/MailFoldersControllerTest.php b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
index 2266047..49dfa6d 100644
--- a/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailMessagesControllerTest.php b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
index 041cc21..adbe9ab 100644
--- a/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailSettingsControllerTest.php b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
index 63c1d0c..8811958 100644
--- a/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
index 4cdc7cf..e947556 100644
--- a/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
index ba9e55a..52322fe 100644
--- a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareBrowseTest.php b/tests/Functional/Controller/ShareBrowseTest.php
index d415f12..397bdf4 100644
--- a/tests/Functional/Controller/ShareBrowseTest.php
+++ b/tests/Functional/Controller/ShareBrowseTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareSearchTest.php b/tests/Functional/Controller/ShareSearchTest.php
index 62e9bbd..ea48784 100644
--- a/tests/Functional/Controller/ShareSearchTest.php
+++ b/tests/Functional/Controller/ShareSearchTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareSettingsTest.php b/tests/Functional/Controller/ShareSettingsTest.php
index b257b08..869d362 100644
--- a/tests/Functional/Controller/ShareSettingsTest.php
+++ b/tests/Functional/Controller/ShareSettingsTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/EventListener/TaskNotificationListenerTest.php b/tests/Functional/EventListener/TaskNotificationListenerTest.php
index 158fd17..d63bd55 100644
--- a/tests/Functional/EventListener/TaskNotificationListenerTest.php
+++ b/tests/Functional/EventListener/TaskNotificationListenerTest.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\EventListener;
 
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
@@ -19,7 +19,7 @@ use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 class TaskNotificationListenerTest extends KernelTestCase
 {
     private EntityManagerInterface $em;
-    private NotificationRepository $notifications;
+    private DoctrineNotificationRepository $notifications;
     private TokenStorageInterface $tokenStorage;
     private Project $project;
     private User $actor;
@@ -31,7 +31,7 @@ class TaskNotificationListenerTest extends KernelTestCase
         self::bootKernel();
         $c                   = self::getContainer();
         $this->em            = $c->get(EntityManagerInterface::class);
-        $this->notifications = $c->get(NotificationRepository::class);
+        $this->notifications = $c->get(DoctrineNotificationRepository::class);
         $this->tokenStorage  = $c->get(TokenStorageInterface::class);
 
         $project = $this->em->getRepository(Project::class)->findOneBy([]);
diff --git a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
index 55fa495..b636505 100644
--- a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
+++ b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
@@ -4,19 +4,19 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Mcp;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Entity\User;
-use App\Enum\AbsenceType;
-use App\Mcp\Tool\Absence\CancelAbsenceRequestTool;
-use App\Mcp\Tool\Absence\CreateAbsenceRequestTool;
-use App\Mcp\Tool\Absence\ReviewAbsenceRequestTool;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository;
+use App\Module\Absence\Infrastructure\Mcp\Tool\CancelAbsenceRequestTool;
+use App\Module\Absence\Infrastructure\Mcp\Tool\CreateAbsenceRequestTool;
+use App\Module\Absence\Infrastructure\Mcp\Tool\ReviewAbsenceRequestTool;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
@@ -93,7 +93,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         self::assertSame(5.0, (float) $data['countedDays']);
         self::assertSame($this->employee->getId(), $data['user']['id']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertNotNull($balance);
@@ -113,7 +113,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         self::assertSame('approved', $data['status']);
         self::assertSame($this->admin->getId(), $data['reviewedBy']['id']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertSame(0.0, $balance->getPending());
@@ -128,7 +128,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         );
 
         // Shrink the entitlement below the 5 requested days.
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         $balance->setAcquired(2.0);
@@ -158,7 +158,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         $data = json_decode(($this->cancelTool($this->admin))($created['id']), true);
         self::assertSame('cancelled', $data['status']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertSame(0.0, $balance->getTaken());
@@ -195,7 +195,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         );
         self::assertSame('pending', $data['status']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::Bereavement, '2026')
         ;
         self::assertNull($balance, 'Bereavement must not create or touch any balance.');
@@ -216,9 +216,9 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new CreateAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(UserRepository::class),
-            $c->get(AbsencePolicyRepository::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineUserRepository::class),
+            $c->get(DoctrineAbsencePolicyRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceDayCalculator::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
@@ -231,7 +231,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new ReviewAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
         );
@@ -243,7 +243,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new CancelAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
         );
diff --git a/tests/Functional/Module/Core/AuditListenerTest.php b/tests/Functional/Module/Core/AuditListenerTest.php
new file mode 100644
index 0000000..48e979b
--- /dev/null
+++ b/tests/Functional/Module/Core/AuditListenerTest.php
@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container             = self::getContainer();
+        $this->em              = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions: these tests are not wrapped
+        // in a rolled-back transaction, so remove any leftover rows from a
+        // previous run before each test.
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username LIKE 'audit\\_%'");
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+}
diff --git a/tests/Functional/Module/Core/AuditLogApiTest.php b/tests/Functional/Module/Core/AuditLogApiTest.php
new file mode 100644
index 0000000..2900857
--- /dev/null
+++ b/tests/Functional/Module/Core/AuditLogApiTest.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * @internal
+ */
+final class AuditLogApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'alice');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanListAuditLogs(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+        self::assertArrayHasKey('totalItems', $data);
+        self::assertGreaterThanOrEqual(3, $data['totalItems']);
+    }
+
+    public function testFilterByActionReturnsOnlyMatchingEntries(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=update');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('update', $entry['action']);
+        }
+    }
+
+    public function testFilterByEntityType(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?entity_type=core.User');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('core.User', $entry['entityType']);
+        }
+    }
+
+    public function testInvalidActionFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=bogus');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    /**
+     * Insert deterministic audit rows directly through the audit connection.
+     *
+     * The table audit_log has no ORM entity (written via raw DBAL), so we
+     * clean and seed it via the dedicated connection. These tests are not
+     * wrapped in a rolled-back transaction, hence the upfront DELETE.
+     */
+    private function seedAuditLog(): void
+    {
+        /** @var Connection $audit */
+        $audit = self::getContainer()->get('doctrine.dbal.audit_connection');
+        $audit->executeStatement('DELETE FROM audit_log');
+
+        $rows = [
+            ['core.User', 'create', '{"username":"seed-create"}'],
+            ['core.User', 'update', '{"firstName":{"old":"a","new":"b"}}'],
+            ['core.Role', 'delete', '{}'],
+        ];
+
+        $performedAt = '2026-04-22 10:00:00';
+        foreach ($rows as $i => [$entityType, $action, $changes]) {
+            $audit->insert('audit_log', [
+                'id'           => Uuid::v7()->toRfc4122(),
+                'entity_type'  => $entityType,
+                'entity_id'    => (string) ($i + 1),
+                'action'       => $action,
+                'changes'      => $changes,
+                'performed_by' => 'admin',
+                'performed_at' => $performedAt,
+                'ip_address'   => '127.0.0.1',
+                'request_id'   => 'req-'.$i,
+            ]);
+        }
+    }
+
+    private function loginUser(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Functional/Module/Core/NotifierTest.php b/tests/Functional/Module/Core/NotifierTest.php
new file mode 100644
index 0000000..66a3bb7
--- /dev/null
+++ b/tests/Functional/Module/Core/NotifierTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $title = 'Titre-'.uniqid('', true);
+        $notifier->notify($user, 'task_assigned', $title, 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\Module\Core\Domain\Entity\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', $title)->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}
diff --git a/tests/Functional/Module/Core/RoleApiTest.php b/tests/Functional/Module/Core/RoleApiTest.php
new file mode 100644
index 0000000..8fcce1d
--- /dev/null
+++ b/tests/Functional/Module/Core/RoleApiTest.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class RoleApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanListRoles(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+    }
+
+    public function testAdminCanCreateRole(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+
+        $code = 'bureau_'.uniqid();
+        $client->request('POST', '/api/roles', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode(['code' => $code, 'label' => 'Bureau']));
+
+        self::assertResponseStatusCodeSame(201);
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertSame($code, $data['code']);
+        self::assertSame('Bureau', $data['label']);
+        self::assertFalse($data['isSystem']);
+    }
+
+    public function testDeletingSystemRoleIsForbidden(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $systemRole = new Role('sys_'.uniqid(), 'System role', 'Rôle système', true);
+        $em->persist($systemRole);
+        $em->flush();
+        $id = $systemRole->getId();
+
+        $this->loginAdmin($client);
+
+        $client->request('DELETE', '/api/roles/'.$id);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function loginAdmin(KernelBrowser $client): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Functional/Module/Core/SeedRbacCommandTest.php b/tests/Functional/Module/Core/SeedRbacCommandTest.php
new file mode 100644
index 0000000..2eb6c71
--- /dev/null
+++ b/tests/Functional/Module/Core/SeedRbacCommandTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SeedRbacCommandTest extends KernelTestCase
+{
+    public function testSeedsSystemRolesIdempotently(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:seed-rbac'));
+
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+        $tester->execute([]); // idempotent
+        $tester->assertCommandIsSuccessful();
+
+        $repo  = self::getContainer()->get(RoleRepositoryInterface::class);
+        $admin = $repo->findByCode(SystemRoles::ADMIN_CODE);
+        self::assertNotNull($admin);
+        self::assertTrue($admin->isSystem());
+        self::assertNotNull($repo->findByCode(SystemRoles::USER_CODE));
+    }
+}
diff --git a/tests/Functional/Module/Core/SyncPermissionsCommandTest.php b/tests/Functional/Module/Core/SyncPermissionsCommandTest.php
new file mode 100644
index 0000000..f39d44c
--- /dev/null
+++ b/tests/Functional/Module/Core/SyncPermissionsCommandTest.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SyncPermissionsCommandTest extends KernelTestCase
+{
+    public function testSyncCreatesCorePermissions(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:sync-permissions'));
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+
+        $repo = self::getContainer()->get(PermissionRepositoryInterface::class);
+        self::assertNotNull($repo->findByCode('core.users.manage'));
+        self::assertContains('core.roles.manage', $repo->findAllCodes());
+    }
+}
diff --git a/tests/Functional/Module/Core/UserRbacApiTest.php b/tests/Functional/Module/Core/UserRbacApiTest.php
new file mode 100644
index 0000000..f5623cf
--- /dev/null
+++ b/tests/Functional/Module/Core/UserRbacApiTest.php
@@ -0,0 +1,134 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class UserRbacApiTest extends WebTestCase
+{
+    public function testAdminCanReadUserRbac(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+        $aliceId = $this->userId('alice');
+
+        $client->request('GET', '/api/users/'.$aliceId.'/rbac');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('rbacRoles', $data);
+        self::assertArrayHasKey('directPermissions', $data);
+        self::assertArrayHasKey('effectivePermissions', $data);
+    }
+
+    public function testRbacRequiresAuthentication(): void
+    {
+        $client  = self::createClient();
+        $aliceId = $this->userId('alice');
+
+        $client->request('GET', '/api/users/'.$aliceId.'/rbac');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanAssignRoleViaPatch(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $roleCode = 'reviewer_'.uniqid();
+        $role     = new Role($roleCode, 'Reviewer');
+        $em->persist($role);
+
+        $target = $this->createUser($em, 'rbac-assign-'.uniqid());
+        $em->flush();
+        $roleId   = $role->getId();
+        $targetId = $target->getId();
+
+        $this->loginAdmin($client);
+
+        $client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertCount(1, $data['rbacRoles']);
+
+        $em->clear();
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        self::assertCount(1, $reloaded->getRbacRoles());
+        self::assertSame($roleCode, $reloaded->getRbacRoles()->first()->getCode());
+    }
+
+    public function testPartialPatchDoesNotWipeOtherCollection(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'core.users.view']);
+        self::assertInstanceOf(Permission::class, $permission);
+
+        $role = new Role('auditor_'.uniqid(), 'Auditor');
+        $em->persist($role);
+
+        // Dedicated user pre-loaded with a direct permission.
+        $target = $this->createUser($em, 'rbac-partial-'.uniqid());
+        $target->addDirectPermission($permission);
+        $em->flush();
+        $roleId   = $role->getId();
+        $targetId = $target->getId();
+
+        $this->loginAdmin($client);
+
+        // PATCH only rbacRoles — directPermissions is absent from the payload.
+        $client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
+
+        self::assertResponseIsSuccessful();
+
+        $em->clear();
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        self::assertCount(1, $reloaded->getRbacRoles(), 'Role should have been assigned');
+        self::assertCount(1, $reloaded->getDirectPermissions(), 'Direct permission must not be wiped by a partial PATCH');
+    }
+
+    private function createUser(EntityManagerInterface $em, string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('x');
+        $user->setRoles(['ROLE_USER']);
+        $em->persist($user);
+
+        return $user;
+    }
+
+    private function loginAdmin(KernelBrowser $client): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+
+    private function userId(string $username): int
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+
+        return $user->getId();
+    }
+}
diff --git a/tests/Functional/Module/Directory/ProspectConversionTest.php b/tests/Functional/Module/Directory/ProspectConversionTest.php
new file mode 100644
index 0000000..5bbf7b0
--- /dev/null
+++ b/tests/Functional/Module/Directory/ProspectConversionTest.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Directory;
+
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+class ProspectConversionTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+    }
+
+    public function testConvertCreatesClientAndFlagsProspectWon(): void
+    {
+        $prospect = new Prospect();
+        $prospect->setName('Lead Test');
+        $prospect->setCompany('Lead Company '.uniqid());
+        $prospect->setEmail('lead@example.com');
+        $prospect->setPhone('06 00 00 00 00');
+        $prospect->setStatus(ProspectStatus::Qualified);
+        $this->em->persist($prospect);
+        $this->em->flush();
+
+        $result = $this->processor()->process($prospect, new Post(), ['id' => $prospect->getId()]);
+
+        self::assertSame(ProspectStatus::Won, $result->getStatus());
+        $client = $result->getConvertedClient();
+        self::assertNotNull($client);
+        self::assertSame($prospect->getCompany(), $client->getName());
+    }
+
+    public function testConvertIsIdempotent(): void
+    {
+        $prospect = new Prospect();
+        $prospect->setName('Idempotent Lead');
+        $prospect->setStatus(ProspectStatus::New);
+        $this->em->persist($prospect);
+        $this->em->flush();
+
+        $processor = $this->processor();
+        $first     = $processor->process($prospect, new Post(), ['id' => $prospect->getId()]);
+        $clientId  = $first->getConvertedClient()?->getId();
+
+        $second = $processor->process($prospect, new Post(), ['id' => $prospect->getId()]);
+
+        self::assertNotNull($clientId);
+        self::assertSame($clientId, $second->getConvertedClient()?->getId());
+    }
+
+    private function processor(): ConvertProspectProcessor
+    {
+        $c = self::getContainer();
+
+        return new ConvertProspectProcessor(
+            $c->get(EntityManagerInterface::class),
+            $c->get(DoctrineProspectRepository::class),
+        );
+    }
+}
diff --git a/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php b/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php
new file mode 100644
index 0000000..b457cec
--- /dev/null
+++ b/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php
@@ -0,0 +1,102 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\ProjectManagement;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * Task adopts TimestampableBlamableTrait (LST-65 slice 3).
+ * Verifies the TimestampableBlamableSubscriber populates created_at on
+ * persist and refreshes updated_at on update.
+ *
+ * @internal
+ */
+final class TaskTimestampableTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+        $this->em->getConnection()->executeStatement("DELETE FROM task WHERE title = 'ts-test-task'");
+    }
+
+    protected function tearDown(): void
+    {
+        $this->em->getConnection()->executeStatement("DELETE FROM task WHERE title = 'ts-test-task'");
+        parent::tearDown();
+        unset($this->em);
+    }
+
+    public function testCreatedAtIsSetOnPersist(): void
+    {
+        $task = $this->makeTask();
+        $this->em->persist($task);
+        $this->em->flush();
+
+        self::assertInstanceOf(DateTimeImmutable::class, $task->getCreatedAt(), 'createdAt must be set after flush');
+        self::assertInstanceOf(DateTimeImmutable::class, $task->getUpdatedAt(), 'updatedAt must be set after flush');
+
+        $taskId = $task->getId();
+        $this->em->clear();
+        $reloaded = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertNotNull($reloaded);
+        self::assertNotNull($reloaded->getCreatedAt(), 'created_at must be persisted in DB');
+    }
+
+    public function testUpdatedAtIsRefreshedOnUpdate(): void
+    {
+        $task = $this->makeTask();
+        $this->em->persist($task);
+        $this->em->flush();
+
+        $taskId           = $task->getId();
+        $initialUpdatedAt = $task->getUpdatedAt();
+        self::assertNotNull($initialUpdatedAt);
+
+        // Backdate the persisted value so the preUpdate refresh is observable
+        // even within the same second.
+        $this->em->getConnection()->executeStatement(
+            "UPDATE task SET updated_at = '2000-01-01 00:00:00' WHERE id = :id",
+            ['id' => $taskId],
+        );
+        $this->em->clear();
+
+        /** @var Task $managed */
+        $managed = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertSame('2000-01-01 00:00:00', $managed->getUpdatedAt()?->format('Y-m-d H:i:s'));
+
+        $managed->setDescription('changed description');
+        $this->em->flush();
+        $this->em->clear();
+
+        /** @var Task $reloaded */
+        $reloaded = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertNotNull($reloaded->getUpdatedAt());
+        self::assertNotSame(
+            '2000-01-01 00:00:00',
+            $reloaded->getUpdatedAt()->format('Y-m-d H:i:s'),
+            'updated_at must be refreshed and persisted on UPDATE',
+        );
+    }
+
+    private function makeTask(): Task
+    {
+        $project = $this->em->getRepository(Project::class)->findOneBy([]);
+        self::assertNotNull($project, 'Les fixtures doivent fournir au moins un projet.');
+
+        $task = new Task();
+        $task->setNumber(random_int(100000, 999999));
+        $task->setTitle('ts-test-task');
+        $task->setProject($project);
+
+        return $task;
+    }
+}
diff --git a/tests/Functional/Module/Reporting/ReportingApiTest.php b/tests/Functional/Module/Reporting/ReportingApiTest.php
new file mode 100644
index 0000000..d67594b
--- /dev/null
+++ b/tests/Functional/Module/Reporting/ReportingApiTest.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Reporting;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ReportingApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanListTimePerProject(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+
+        // Le rapport est non pagine : la structure hydra expose tout de meme un
+        // tableau `member`. Si des projets ont du temps logge, chaque membre
+        // porte au minimum projectId et hours.
+        foreach ($data['member'] as $row) {
+            self::assertArrayHasKey('projectId', $row);
+            self::assertArrayHasKey('hours', $row);
+            self::assertIsInt($row['projectId']);
+        }
+    }
+
+    public function testValidProjectIdFilterIsAccepted(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        // projectId arrive en chaine ("1") : la validation doit l'accepter (200),
+        // garde-fou contre une regression de type-juggling sur le filtre entier.
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01&projectId=1');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testInvalidProjectIdFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?projectId=abc');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    public function testInvalidDateFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?from=not-a-date');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    public function testUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'alice');
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function loginUser(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php b/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php
new file mode 100644
index 0000000..fc8211a
--- /dev/null
+++ b/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php
@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\TimeTracking;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * TimeEntry is the first adopter of TimestampableBlamableTrait.
+ * Verifies the TimestampableBlamableSubscriber populates created_at on
+ * persist and refreshes updated_at on update.
+ *
+ * @internal
+ */
+final class TimeEntryTimestampableTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+        // Clean slate for deterministic assertions: these tests are not wrapped
+        // in a rolled-back transaction.
+        $this->em->getConnection()->executeStatement("DELETE FROM time_entry WHERE title = 'ts-test-entry'");
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username = 'ts_test_user'");
+    }
+
+    protected function tearDown(): void
+    {
+        $this->em->getConnection()->executeStatement("DELETE FROM time_entry WHERE title = 'ts-test-entry'");
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username = 'ts_test_user'");
+        parent::tearDown();
+        unset($this->em);
+    }
+
+    public function testCreatedAtIsSetOnPersist(): void
+    {
+        $entry = $this->makeEntry();
+        $this->em->persist($entry);
+        $this->em->flush();
+
+        self::assertInstanceOf(DateTimeImmutable::class, $entry->getCreatedAt(), 'createdAt must be set after flush');
+        self::assertInstanceOf(DateTimeImmutable::class, $entry->getUpdatedAt(), 'updatedAt must be set after flush');
+
+        // Confirm it was actually persisted to the DB, not just the in-memory object.
+        $this->em->clear();
+        $reloaded = $this->em->getRepository(TimeEntry::class)->find($entry->getId());
+        self::assertNotNull($reloaded);
+        self::assertNotNull($reloaded->getCreatedAt(), 'created_at must be persisted in DB');
+    }
+
+    public function testUpdatedAtIsRefreshedOnUpdate(): void
+    {
+        $entry = $this->makeEntry();
+        $this->em->persist($entry);
+        $this->em->flush();
+
+        $entryId          = $entry->getId();
+        $initialUpdatedAt = $entry->getUpdatedAt();
+        self::assertNotNull($initialUpdatedAt);
+
+        // Force a distinguishable timestamp by backdating the persisted value,
+        // so the preUpdate refresh is observable even within the same second.
+        $this->em->getConnection()->executeStatement(
+            "UPDATE time_entry SET updated_at = '2000-01-01 00:00:00' WHERE id = :id",
+            ['id' => $entryId],
+        );
+        $this->em->clear();
+
+        /** @var TimeEntry $managed */
+        $managed = $this->em->getRepository(TimeEntry::class)->find($entryId);
+        self::assertSame('2000-01-01 00:00:00', $managed->getUpdatedAt()?->format('Y-m-d H:i:s'));
+
+        // Mutate a tracked field and flush -> preUpdate must refresh updated_at.
+        $managed->setTitle('ts-test-entry');
+        $managed->setDescription('changed description');
+        $this->em->flush();
+        $this->em->clear();
+
+        /** @var TimeEntry $reloaded */
+        $reloaded = $this->em->getRepository(TimeEntry::class)->find($entryId);
+        self::assertNotNull($reloaded->getUpdatedAt());
+        self::assertNotSame(
+            '2000-01-01 00:00:00',
+            $reloaded->getUpdatedAt()->format('Y-m-d H:i:s'),
+            'updated_at must be refreshed and persisted on UPDATE',
+        );
+    }
+
+    private function makeEntry(): TimeEntry
+    {
+        $user = new User();
+        $user->setUsername('ts_test_user');
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+        $this->em->persist($user);
+
+        $entry = new TimeEntry();
+        $entry->setUser($user);
+        $entry->setTitle('ts-test-entry');
+        $entry->setStartedAt(new DateTimeImmutable());
+
+        return $entry;
+    }
+}
diff --git a/tests/Functional/Shared/ModulesEndpointTest.php b/tests/Functional/Shared/ModulesEndpointTest.php
new file mode 100644
index 0000000..837510d
--- /dev/null
+++ b/tests/Functional/Shared/ModulesEndpointTest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ModulesEndpointTest extends WebTestCase
+{
+    public function testModulesEndpointIsPublicAndReturnsModulesKey(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('modules', $data);
+        self::assertIsArray($data['modules']);
+    }
+
+    public function testCoreModuleIsActive(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertContains('core', $data['modules']);
+    }
+}
diff --git a/tests/Functional/Shared/SidebarEndpointTest.php b/tests/Functional/Shared/SidebarEndpointTest.php
new file mode 100644
index 0000000..bc7c079
--- /dev/null
+++ b/tests/Functional/Shared/SidebarEndpointTest.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+
+    public function testAdminSectionHiddenForNonAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']); // ROLE_USER
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertNotContains('sidebar.admin.section', $labels);
+    }
+
+    public function testAdminSectionVisibleForAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']); // ROLE_ADMIN
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertContains('sidebar.admin.section', $labels);
+    }
+}
diff --git a/tests/Module/Directory/ConvertProspectProcessorTest.php b/tests/Module/Directory/ConvertProspectProcessorTest.php
new file mode 100644
index 0000000..c232318
--- /dev/null
+++ b/tests/Module/Directory/ConvertProspectProcessorTest.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class ConvertProspectProcessorTest extends KernelTestCase
+{
+    public function testConvertReassignsContactsAddressesAndReports(): void
+    {
+        self::bootKernel();
+
+        /** @var EntityManagerInterface $em */
+        $em = self::getContainer()->get(EntityManagerInterface::class);
+
+        $prospect = new Prospect();
+        $prospect->setName('Atelier Test');
+        $prospect->setCompany('Atelier Test SARL');
+        $em->persist($prospect);
+
+        $contact = new Contact()->setLastName('Durand')->setProspect($prospect);
+        $address = new Address()->setCity('Niort')->setProspect($prospect);
+        $report  = new CommercialReport()
+            ->setSubject('Premier contact')
+            ->setOccurredAt(new DateTimeImmutable('2026-06-01'))
+            ->setType(ReportType::Call)
+            ->setProspect($prospect)
+        ;
+        $em->persist($contact);
+        $em->persist($address);
+        $em->persist($report);
+        $em->flush();
+
+        $processor = self::getContainer()->get(ConvertProspectProcessor::class);
+        $operation = new Post();
+        $processor->process($prospect, $operation, ['id' => $prospect->getId()]);
+
+        $em->refresh($contact);
+        $em->refresh($address);
+        $em->refresh($report);
+
+        $client = $prospect->getConvertedClient();
+        self::assertNotNull($client, 'Prospect should be converted to a client');
+
+        // Invariants (pas de counts absolus) : chaque sous-entité pointe vers le client, plus vers le prospect.
+        self::assertSame($client->getId(), $contact->getClient()?->getId());
+        self::assertNull($contact->getProspect());
+        self::assertSame($client->getId(), $address->getClient()?->getId());
+        self::assertNull($address->getProspect());
+        self::assertSame($client->getId(), $report->getClient()?->getId());
+        self::assertNull($report->getProspect());
+    }
+}
diff --git a/tests/Module/Directory/Domain/Enum/ReportTypeTest.php b/tests/Module/Directory/Domain/Enum/ReportTypeTest.php
new file mode 100644
index 0000000..40bec90
--- /dev/null
+++ b/tests/Module/Directory/Domain/Enum/ReportTypeTest.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory\Domain\Enum;
+
+use App\Module\Directory\Domain\Enum\ReportType;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ReportTypeTest extends TestCase
+{
+    public function testValuesAndLabels(): void
+    {
+        self::assertSame('call', ReportType::Call->value);
+        self::assertSame('Appel', ReportType::Call->label());
+        self::assertSame('Rendez-vous', ReportType::Meeting->label());
+        self::assertSame('Email', ReportType::Email->label());
+        self::assertSame('Note', ReportType::Note->label());
+    }
+}
diff --git a/tests/Unit/Mail/ImapMailProviderTest.php b/tests/Unit/Mail/ImapMailProviderTest.php
index 3720d35..311bbbf 100644
--- a/tests/Unit/Mail/ImapMailProviderTest.php
+++ b/tests/Unit/Mail/ImapMailProviderTest.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Entity\MailConfiguration;
-use App\Mail\Exception\MailProviderException;
-use App\Mail\ImapMailProvider;
-use App\Repository\MailConfigurationRepository;
-use App\Service\TokenEncryptor;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\Imap\ImapMailProvider;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\NullLogger;
 
@@ -22,7 +22,7 @@ class ImapMailProviderTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(false);
 
-        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $repo->method('findSingleton')->willReturn($config);
 
         $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
@@ -33,7 +33,7 @@ class ImapMailProviderTest extends TestCase
 
     public function testThrowsWhenConfigMissing(): void
     {
-        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $repo->method('findSingleton')->willReturn(null);
 
         $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
diff --git a/tests/Unit/Mail/MailSyncReportTest.php b/tests/Unit/Mail/MailSyncReportTest.php
index bea5283..032d5a2 100644
--- a/tests/Unit/Mail/MailSyncReportTest.php
+++ b/tests/Unit/Mail/MailSyncReportTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Mail\Dto\MailSyncReport;
+use App\Module\Mail\Application\Dto\MailSyncReport;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
diff --git a/tests/Unit/Mail/MimeHeaderDecoderTest.php b/tests/Unit/Mail/MimeHeaderDecoderTest.php
index 75793e3..535b849 100644
--- a/tests/Unit/Mail/MimeHeaderDecoderTest.php
+++ b/tests/Unit/Mail/MimeHeaderDecoderTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Mail\MimeHeaderDecoder;
+use App\Module\Mail\Infrastructure\Imap\MimeHeaderDecoder;
 use PHPUnit\Framework\TestCase;
 
 /**
diff --git a/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php b/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
index d878905..481c4a9 100644
--- a/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
+++ b/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Tests\Unit\Mcp;
 
 use App\Mcp\Schema\CoercingSchemaGenerator;
-use App\Mcp\Tool\Task\CreateTaskTool;
-use App\Mcp\Tool\Task\ListTasksTool;
+use App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\CreateTaskTool;
+use App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\ListTasksTool;
 use PHPUnit\Framework\TestCase;
 use ReflectionMethod;
 
diff --git a/tests/Unit/Module/Core/CoreModuleTest.php b/tests/Unit/Module/Core/CoreModuleTest.php
new file mode 100644
index 0000000..6c8bc9f
--- /dev/null
+++ b/tests/Unit/Module/Core/CoreModuleTest.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+
+    public function testPermissionsExposeAuditLogView(): void
+    {
+        $codes = array_column(CoreModule::permissions(), 'code');
+
+        self::assertCount(6, $codes);
+        self::assertContains('core.audit_log.view', $codes);
+    }
+}
diff --git a/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php b/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
new file mode 100644
index 0000000..5dab1c4
--- /dev/null
+++ b/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class PermissionTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $p = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        self::assertSame('core.users.view', $p->getCode());
+        self::assertSame('Voir les utilisateurs', $p->getLabel());
+        self::assertSame('core', $p->getModule());
+        self::assertFalse($p->isOrphan());
+    }
+
+    public function testCodeMustContainADot(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('coreusersview', 'x', 'core');
+    }
+
+    public function testCodeCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('', 'x', 'core');
+    }
+
+    public function testLabelCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('core.users.view', '', 'core');
+    }
+
+    public function testModuleCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('core.users.view', 'x', '');
+    }
+
+    public function testMarkOrphanAndRevive(): void
+    {
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $p->markOrphan();
+        self::assertTrue($p->isOrphan());
+        $p->revive('Voir maj', 'core');
+        self::assertFalse($p->isOrphan());
+        self::assertSame('Voir maj', $p->getLabel());
+    }
+}
diff --git a/tests/Unit/Module/Core/Domain/Entity/RoleTest.php b/tests/Unit/Module/Core/Domain/Entity/RoleTest.php
new file mode 100644
index 0000000..13ef824
--- /dev/null
+++ b/tests/Unit/Module/Core/Domain/Entity/RoleTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class RoleTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        self::assertSame('bureau', $r->getCode());
+        self::assertSame('Bureau', $r->getLabel());
+        self::assertFalse($r->isSystem());
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testCodeMustBeSnakeCase(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Role('Bureau Commercial', 'x');
+    }
+
+    public function testAddRemovePermission(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $r->addPermission($p);
+        self::assertCount(1, $r->getPermissions());
+        $r->addPermission($p); // idempotent
+        self::assertCount(1, $r->getPermissions());
+        $r->removePermission($p);
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testSystemRoleCannotBeDeleted(): void
+    {
+        $r = new Role('admin', 'Administrateur', null, true);
+        $this->expectException(SystemRoleDeletionException::class);
+        $r->ensureDeletable();
+    }
+
+    public function testNonSystemRoleIsDeletable(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $r->ensureDeletable();
+        self::assertFalse($r->isSystem());
+    }
+}
diff --git a/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php b/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php
new file mode 100644
index 0000000..c1094f9
--- /dev/null
+++ b/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Security\PermissionVoter;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * @internal
+ */
+final class PermissionVoterTest extends TestCase
+{
+    public function testAbstainsOnNonRbacAttributes(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['ROLE_ADMIN']));
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['IS_AUTHENTICATED_FULLY']));
+    }
+
+    public function testGrantsWhenUserHasPermissionViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $role  = new Role('bureau', 'Bureau');
+        $role->addPermission(new Permission('core.users.view', 'Voir', 'core'));
+        $user = new User();
+        $user->addRbacRole($role);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.view']));
+        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    public function testAdminBypassesViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        $user->setRoles(['ROLE_ADMIN']);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    private function token(User $user): UsernamePasswordToken
+    {
+        return new UsernamePasswordToken($user, 'main', $user->getRoles());
+    }
+}
diff --git a/tests/Unit/Repository/MailConfigurationRepositoryTest.php b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
index f903ee6..daec61c 100644
--- a/tests/Unit/Repository/MailConfigurationRepositoryTest.php
+++ b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Repository;
 
-use App\Entity\MailConfiguration;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 
@@ -14,14 +14,14 @@ use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
  */
 class MailConfigurationRepositoryTest extends KernelTestCase
 {
-    private MailConfigurationRepository $repository;
+    private DoctrineMailConfigurationRepository $repository;
     private EntityManagerInterface $em;
 
     protected function setUp(): void
     {
         self::bootKernel();
         $container        = static::getContainer();
-        $this->repository = $container->get(MailConfigurationRepository::class);
+        $this->repository = $container->get(DoctrineMailConfigurationRepository::class);
         $this->em         = $container->get('doctrine.orm.entity_manager');
         $this->em->getConnection()->executeStatement('TRUNCATE TABLE mail_configuration RESTART IDENTITY CASCADE');
     }
diff --git a/tests/Unit/Service/AbsenceDayCalculatorTest.php b/tests/Unit/Service/AbsenceDayCalculatorTest.php
index 33b96a3..6aa6347 100644
--- a/tests/Unit/Service/AbsenceDayCalculatorTest.php
+++ b/tests/Unit/Service/AbsenceDayCalculatorTest.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Enum\HalfDay;
-use App\Service\AbsenceDayCalculator;
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
diff --git a/tests/Unit/Service/MailSyncServiceTest.php b/tests/Unit/Service/MailSyncServiceTest.php
index 76abdf4..39c6eeb 100644
--- a/tests/Unit/Service/MailSyncServiceTest.php
+++ b/tests/Unit/Service/MailSyncServiceTest.php
@@ -4,14 +4,14 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Entity\MailConfiguration;
-use App\Entity\MailFolder;
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\Persistence\ManagerRegistry;
 use PHPUnit\Framework\TestCase;
@@ -29,12 +29,12 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(false);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $provider    = $this->createMock(MailProviderInterface::class);
-        $folderRepo  = $this->createMock(MailFolderRepository::class);
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $folderRepo  = $this->createMock(MailFolderRepositoryInterface::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $lockFactory = $this->makeLockFactory();
 
@@ -62,12 +62,12 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $provider    = $this->createMock(MailProviderInterface::class);
-        $folderRepo  = $this->createMock(MailFolderRepository::class);
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $folderRepo  = $this->createMock(MailFolderRepositoryInterface::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $lockFactory = $this->makeLockFactory(false);
 
@@ -93,7 +93,7 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $folderDto = new MailFolderDto(
@@ -107,11 +107,11 @@ class MailSyncServiceTest extends TestCase
         $provider = $this->createMock(MailProviderInterface::class);
         $provider->method('listFolders')->willReturn([$folderDto]);
 
-        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $folderRepo = $this->createMock(MailFolderRepositoryInterface::class);
         $folderRepo->method('findByPath')->willReturn(null);
         $folderRepo->method('findAllOrderedByPath')->willReturn([]);
 
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $em->expects(self::once())->method('persist');
         $em->expects(self::once())->method('flush');
@@ -137,13 +137,13 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $folder = new MailFolder();
         $folder->setPath('INBOX');
 
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $messageRepo->method('findMaxUidInFolder')->willReturn(10);
         $messageRepo->method('findAllUidsByFolder')->willReturn([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
         $messageRepo->method('findLastNByFolder')->willReturn([]);
@@ -151,7 +151,7 @@ class MailSyncServiceTest extends TestCase
         $provider = $this->createMock(MailProviderInterface::class);
         $provider->method('listMessages')->willReturn([]);
 
-        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $folderRepo = $this->createMock(MailFolderRepositoryInterface::class);
         $em         = $this->createMock(EntityManagerInterface::class);
         $em->expects(self::never())->method('remove');
 
diff --git a/tests/Unit/Service/PublicHolidayProviderTest.php b/tests/Unit/Service/PublicHolidayProviderTest.php
index ff1716c..f59084f 100644
--- a/tests/Unit/Service/PublicHolidayProviderTest.php
+++ b/tests/Unit/Service/PublicHolidayProviderTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
diff --git a/tests/Unit/Service/SharePathResolverTest.php b/tests/Unit/Service/SharePathResolverTest.php
index bc344ee..8e73819 100644
--- a/tests/Unit/Service/SharePathResolverTest.php
+++ b/tests/Unit/Service/SharePathResolverTest.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use PHPUnit\Framework\TestCase;
 
 /**
diff --git a/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php b/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php
new file mode 100644
index 0000000..bb41001
--- /dev/null
+++ b/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Database;
+
+use App\Shared\Infrastructure\Database\ColumnCommentsCatalog;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ColumnCommentsCatalogTest extends TestCase
+{
+    public function testTimestampableBlamableCommentsCoverFourColumns(): void
+    {
+        $sql = ColumnCommentsCatalog::timestampableBlamableComments('task');
+
+        self::assertCount(4, $sql);
+        self::assertSame(
+            "COMMENT ON COLUMN task.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            $sql[0],
+        );
+        self::assertStringContainsString('COMMENT ON COLUMN task.created_by IS', $sql[2]);
+    }
+
+    public function testTableNameIsInterpolatedForEveryColumn(): void
+    {
+        foreach (ColumnCommentsCatalog::timestampableBlamableComments('time_entry') as $statement) {
+            self::assertStringContainsString('COMMENT ON COLUMN time_entry.', $statement);
+        }
+    }
+}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
new file mode 100644
index 0000000..750e9da
--- /dev/null
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -0,0 +1,132 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
+use DateTimeImmutable;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+
+/**
+ * @internal
+ */
+final class TimestampableBlamableSubscriberTest extends TestCase
+{
+    public function testApplyOnCreateSetsTimestampsAndAuthor(): void
+    {
+        $user       = $this->makeUser(7);
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning($user));
+        $entity     = $this->makeEntity();
+
+        $subscriber->applyOnCreate($entity);
+
+        self::assertInstanceOf(DateTimeImmutable::class, $entity->getCreatedAt());
+        self::assertInstanceOf(DateTimeImmutable::class, $entity->getUpdatedAt());
+        self::assertSame($user, $entity->getCreatedBy());
+        self::assertSame($user, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnUpdateLeavesCreatedUntouched(): void
+    {
+        $creator = $this->makeUser(1);
+        $editor  = $this->makeUser(2);
+        $entity  = $this->makeEntity();
+
+        new TimestampableBlamableSubscriber($this->providerReturning($creator))->applyOnCreate($entity);
+        $createdAt = $entity->getCreatedAt();
+
+        new TimestampableBlamableSubscriber($this->providerReturning($editor))->applyOnUpdate($entity);
+
+        self::assertSame($createdAt, $entity->getCreatedAt());
+        self::assertSame($creator, $entity->getCreatedBy());
+        self::assertSame($editor, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnCreateIgnoresNonTimestampableEntities(): void
+    {
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning(null));
+
+        // Must not throw.
+        $subscriber->applyOnCreate(new stdClass());
+        $this->addToAssertionCount(1);
+    }
+
+    private function providerReturning(?UserInterface $user): CurrentUserProviderInterface
+    {
+        return new class($user) implements CurrentUserProviderInterface {
+            public function __construct(private ?UserInterface $user) {}
+
+            public function getCurrentUser(): ?UserInterface
+            {
+                return $this->user;
+            }
+        };
+    }
+
+    private function makeUser(int $id): UserInterface
+    {
+        return new class($id) implements UserInterface {
+            public function __construct(private int $id) {}
+
+            public function getId(): ?int
+            {
+                return $this->id;
+            }
+
+            public function getUserIdentifier(): string
+            {
+                return 'user-'.$this->id;
+            }
+
+            public function getUsername(): ?string
+            {
+                return 'user-'.$this->id;
+            }
+
+            /** @return list<string> */
+            public function getRoles(): array
+            {
+                return ['ROLE_USER'];
+            }
+
+            public function getFirstName(): ?string
+            {
+                return null;
+            }
+
+            public function getLastName(): ?string
+            {
+                return null;
+            }
+
+            public function getAvatarUrl(): ?string
+            {
+                return null;
+            }
+
+            public function getIsEmployee(): bool
+            {
+                return false;
+            }
+
+            public function getEffectivePermissions(): array
+            {
+                return [];
+            }
+        };
+    }
+
+    private function makeEntity(): object
+    {
+        return new class implements TimestampableInterface, BlamableInterface {
+            use TimestampableBlamableTrait;
+        };
+    }
+}
diff --git a/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php b/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php
new file mode 100644
index 0000000..a76de2d
--- /dev/null
+++ b/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryPermissionsTest extends TestCase
+{
+    public function testAggregatesPermissionsWithModuleId(): void
+    {
+        $perms = ModuleRegistry::permissions([CoreModule::class]);
+
+        self::assertNotEmpty($perms);
+        foreach ($perms as $perm) {
+            self::assertArrayHasKey('code', $perm);
+            self::assertArrayHasKey('label', $perm);
+            self::assertArrayHasKey('module', $perm);
+            self::assertSame('core', $perm['module']);
+            self::assertStringStartsWith('core.', $perm['code']);
+        }
+    }
+}
diff --git a/tests/Unit/Shared/Module/ModuleRegistryTest.php b/tests/Unit/Shared/Module/ModuleRegistryTest.php
new file mode 100644
index 0000000..a5ea1aa
--- /dev/null
+++ b/tests/Unit/Shared/Module/ModuleRegistryTest.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Shared\Domain\Module\ModuleInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryTest extends TestCase
+{
+    public function testIdsExtractsDeclaredModuleIds(): void
+    {
+        $classes = [FakeAlphaModule::class, FakeBetaModule::class];
+
+        self::assertSame(['alpha', 'beta'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsIgnoresClassesNotImplementingModuleInterface(): void
+    {
+        $classes = [FakeAlphaModule::class, stdClass::class];
+
+        self::assertSame(['alpha'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsReturnsEmptyArrayForNoModules(): void
+    {
+        self::assertSame([], ModuleRegistry::ids([]));
+    }
+}
+
+final class FakeAlphaModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'alpha';
+    }
+
+    public static function label(): string
+    {
+        return 'Alpha';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    public static function permissions(): array
+    {
+        return [];
+    }
+}
+
+final class FakeBetaModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'beta';
+    }
+
+    public static function label(): string
+    {
+        return 'Beta';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    public static function permissions(): array
+    {
+        return [];
+    }
+}
diff --git a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
new file mode 100644
index 0000000..939c1f1
--- /dev/null
+++ b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
@@ -0,0 +1,130 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking'], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        // Filtrage par rôle => PAS de disabledRoutes (réservé au filtrage par module).
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsVisibleWhenRolePresent(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER', 'ROLE_ADMIN']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/admin', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]);
+    }
+
+    public function testItemWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.hr.section', 'icon' => 'mdi:calendar', 'items' => [
+                ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group', 'roles' => ['ROLE_ADMIN']],
+                ['label' => 'sidebar.hr.x', 'to' => '/x', 'icon' => 'mdi:x'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertCount(1, $result['sections'][0]['items']);
+        self::assertSame('/x', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemHiddenWhenPermissionMissing(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [
+                ['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view'],
+                ['label' => 'b', 'to' => '/b', 'icon' => 'i'],
+            ],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], []);
+        self::assertCount(1, $out['sections'][0]['items']);
+        self::assertSame('/b', $out['sections'][0]['items'][0]['to']);
+    }
+
+    public function testItemVisibleWhenPermissionGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view']],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
+        self::assertCount(1, $out['sections'][0]['items']);
+    }
+}