diff --git a/.env b/.env
index 0a412c9..b7692f4 100644
--- a/.env
+++ b/.env
@@ -20,4 +20,16 @@ JWT_COOKIE_TTL=86400
 
 DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:${POSTGRES_PORT}/${POSTGRES_DB}?serverVersion=16&charset=utf8"
 
-ENCRYPTION_KEY=change_me_in_env_local
\ No newline at end of file
+ENCRYPTION_KEY=change_me_in_env_local
+###> symfony/lock ###
+# Choose one of the stores below
+# postgresql+advisory://db_user:db_password@localhost/db_name
+LOCK_DSN=flock
+###< symfony/lock ###
+
+###> symfony/messenger ###
+# Choose one of the transports below
+# MESSENGER_TRANSPORT_DSN=amqp://guest:guest@localhost:5672/%2f/messages
+# MESSENGER_TRANSPORT_DSN=redis://localhost:6379/messages
+MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
+###< symfony/messenger ###
diff --git a/CLAUDE.md b/CLAUDE.md
index 5bcb557..bd3783a 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,6 +2,8 @@
 
 Application de gestion de projet. Monorepo Symfony 8 (API Platform 4) + Nuxt 4.
 
+> **WIP — Intégration Mail (branche `feat/mail-integration`)** : client mail OVH IMAP. Avant de toucher au mail, lire `docs/mail-integration.md` (section « Statut & reprise » = bugs déjà corrigés, points en suspens, commandes). Code : `src/Mail/`, `src/Service/MailSyncService.php`, `src/Controller/Mail/`, `frontend/{services,stores,components}/mail*`.
+
 ## Stack
 
 - **Backend** : PHP 8.4, Symfony 8.0, API Platform 4, Doctrine ORM, PostgreSQL 16
diff --git a/README.md b/README.md
index 17a7a59..6b863e0 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ Application de gestion de projet avec suivi du temps et portail client.
 - Profil utilisateur avec avatar (crop circulaire)
 - Notifications temps réel
 - Intégration Gitea (issues, repos)
+- Intégration Mail IMAP (boîte partagée OVH, voir `docs/mail-integration.md`)
 - Serveur MCP pour assistants IA
 - Multi-langue (i18n)
 
@@ -73,6 +74,7 @@ make shell-root         # Shell root dans le container PHP
 make dev-nuxt           # Dev server Nuxt (hot reload, port 3002)
 make cache-clear        # Vider le cache Symfony
 make logs-dev           # Tail logs Symfony
+make mail-sync          # Synchroniser la boîte mail IMAP (voir docs/mail-cron-setup.md)
 ```
 
 ### Base de données
diff --git a/composer.json b/composer.json
index e57c860..aae37ad 100644
--- a/composer.json
+++ b/composer.json
@@ -21,12 +21,15 @@
         "sabre/vobject": "^4.5",
         "symfony/asset": "8.0.*",
         "symfony/console": "8.0.*",
+        "symfony/doctrine-messenger": "^8.0",
         "symfony/dotenv": "8.0.*",
         "symfony/expression-language": "8.0.*",
         "symfony/flex": "^2",
         "symfony/framework-bundle": "8.0.*",
         "symfony/http-client": "8.0.*",
+        "symfony/lock": "8.0.*",
         "symfony/mcp-bundle": "^0.6.0",
+        "symfony/messenger": "^8.0",
         "symfony/mime": "8.0.*",
         "symfony/monolog-bundle": "^4.0",
         "symfony/property-access": "8.0.*",
@@ -36,7 +39,8 @@
         "symfony/security-bundle": "8.0.*",
         "symfony/serializer": "8.0.*",
         "symfony/validator": "8.0.*",
-        "symfony/yaml": "8.0.*"
+        "symfony/yaml": "8.0.*",
+        "webklex/php-imap": "^6.2"
     },
     "config": {
         "allow-plugins": {
@@ -93,6 +97,8 @@
     "require-dev": {
         "doctrine/doctrine-fixtures-bundle": "^4.3",
         "friendsofphp/php-cs-fixer": "^3.94",
-        "phpunit/phpunit": "^13.0"
+        "phpunit/phpunit": "^13.0",
+        "symfony/browser-kit": "^8.0",
+        "symfony/css-selector": "^8.0"
     }
 }
diff --git a/composer.lock b/composer.lock
index 59647f2..b48e773 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "0bdbfd9abe99ffd23a53df611d8a879c",
+    "content-hash": "dc72ee68996f3f738763eafd350bc0e0",
     "packages": [
         {
             "name": "api-platform/doctrine-common",
@@ -1156,6 +1156,75 @@
             },
             "time": "2026-01-26T15:45:40+00:00"
         },
+        {
+            "name": "carbonphp/carbon-doctrine-types",
+            "version": "3.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/CarbonPHP/carbon-doctrine-types.git",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/CarbonPHP/carbon-doctrine-types/zipball/18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.1"
+            },
+            "conflict": {
+                "doctrine/dbal": "<4.0.0 || >=5.0.0"
+            },
+            "require-dev": {
+                "doctrine/dbal": "^4.0.0",
+                "nesbot/carbon": "^2.71.0 || ^3.0.0",
+                "phpunit/phpunit": "^10.3"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Carbon\\Doctrine\\": "src/Carbon/Doctrine/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "KyleKatarn",
+                    "email": "kylekatarnls@gmail.com"
+                }
+            ],
+            "description": "Types to use Carbon in Doctrine",
+            "keywords": [
+                "carbon",
+                "date",
+                "datetime",
+                "doctrine",
+                "time"
+            ],
+            "support": {
+                "issues": "https://github.com/CarbonPHP/carbon-doctrine-types/issues",
+                "source": "https://github.com/CarbonPHP/carbon-doctrine-types/tree/3.2.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/kylekatarnls",
+                    "type": "github"
+                },
+                {
+                    "url": "https://opencollective.com/Carbon",
+                    "type": "open_collective"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2024-02-09T16:56:22+00:00"
+        },
         {
             "name": "composer/pcre",
             "version": "3.3.2",
@@ -2439,6 +2508,386 @@
             },
             "time": "2026-02-08T16:21:46+00:00"
         },
+        {
+            "name": "illuminate/collections",
+            "version": "v13.8.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/collections.git",
+                "reference": "17b082d0c66fb030f22d5bdd62ba652c045ff522"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/collections/zipball/17b082d0c66fb030f22d5bdd62ba652c045ff522",
+                "reference": "17b082d0c66fb030f22d5bdd62ba652c045ff522",
+                "shasum": ""
+            },
+            "require": {
+                "illuminate/conditionable": "^13.0",
+                "illuminate/contracts": "^13.0",
+                "illuminate/macroable": "^13.0",
+                "php": "^8.3",
+                "symfony/polyfill-php84": "^1.33",
+                "symfony/polyfill-php85": "^1.33",
+                "symfony/polyfill-php86": "^1.36"
+            },
+            "suggest": {
+                "illuminate/http": "Required to convert collections to API resources (^13.0).",
+                "symfony/var-dumper": "Required to use the dump method (^7.4 || ^8.0)."
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "functions.php",
+                    "helpers.php"
+                ],
+                "psr-4": {
+                    "Illuminate\\Support\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Collections package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-04-28T17:17:15+00:00"
+        },
+        {
+            "name": "illuminate/conditionable",
+            "version": "v13.11.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/conditionable.git",
+                "reference": "7f1ef52d9a346f829421b296adfb7644a951b216"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/conditionable/zipball/7f1ef52d9a346f829421b296adfb7644a951b216",
+                "reference": "7f1ef52d9a346f829421b296adfb7644a951b216",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Illuminate\\Support\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Conditionable package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-02-25T16:07:55+00:00"
+        },
+        {
+            "name": "illuminate/contracts",
+            "version": "v13.11.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/contracts.git",
+                "reference": "b88c1134feb4253a71048e7e2b5c431e9b3ab95b"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/contracts/zipball/b88c1134feb4253a71048e7e2b5c431e9b3ab95b",
+                "reference": "b88c1134feb4253a71048e7e2b5c431e9b3ab95b",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.3",
+                "psr/container": "^1.1.1 || ^2.0.1",
+                "psr/simple-cache": "^1.0 || ^2.0 || ^3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Illuminate\\Contracts\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Contracts package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-05-13T13:44:10+00:00"
+        },
+        {
+            "name": "illuminate/macroable",
+            "version": "v13.11.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/macroable.git",
+                "reference": "59b5b5f3cf290a91db8cf6cd3d35ff56978bc057"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/macroable/zipball/59b5b5f3cf290a91db8cf6cd3d35ff56978bc057",
+                "reference": "59b5b5f3cf290a91db8cf6cd3d35ff56978bc057",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Illuminate\\Support\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Macroable package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-04-29T09:35:06+00:00"
+        },
+        {
+            "name": "illuminate/pagination",
+            "version": "v13.11.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/pagination.git",
+                "reference": "0e788e59a857f4c6fd6f084fc4848714c8cd5bbb"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/pagination/zipball/0e788e59a857f4c6fd6f084fc4848714c8cd5bbb",
+                "reference": "0e788e59a857f4c6fd6f084fc4848714c8cd5bbb",
+                "shasum": ""
+            },
+            "require": {
+                "ext-filter": "*",
+                "illuminate/collections": "^13.0",
+                "illuminate/contracts": "^13.0",
+                "illuminate/support": "^13.0",
+                "php": "^8.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Illuminate\\Pagination\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Pagination package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-05-13T14:00:22+00:00"
+        },
+        {
+            "name": "illuminate/reflection",
+            "version": "v13.11.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/reflection.git",
+                "reference": "4fe1659f068ab2b50131cf906c5d8bba4e34df0c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/reflection/zipball/4fe1659f068ab2b50131cf906c5d8bba4e34df0c",
+                "reference": "4fe1659f068ab2b50131cf906c5d8bba4e34df0c",
+                "shasum": ""
+            },
+            "require": {
+                "illuminate/collections": "^13.0",
+                "illuminate/contracts": "^13.0",
+                "php": "^8.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "helpers.php"
+                ],
+                "psr-4": {
+                    "Illuminate\\Support\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Reflection package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-03-10T20:04:12+00:00"
+        },
+        {
+            "name": "illuminate/support",
+            "version": "v13.8.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/illuminate/support.git",
+                "reference": "ff687db22aefef516efd3ea21d01664af332da38"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/illuminate/support/zipball/ff687db22aefef516efd3ea21d01664af332da38",
+                "reference": "ff687db22aefef516efd3ea21d01664af332da38",
+                "shasum": ""
+            },
+            "require": {
+                "doctrine/inflector": "^2.0",
+                "ext-ctype": "*",
+                "ext-filter": "*",
+                "ext-mbstring": "*",
+                "illuminate/collections": "^13.0",
+                "illuminate/conditionable": "^13.0",
+                "illuminate/contracts": "^13.0",
+                "illuminate/macroable": "^13.0",
+                "illuminate/reflection": "^13.0",
+                "nesbot/carbon": "^3.8.4",
+                "php": "^8.3",
+                "symfony/polyfill-php85": "^1.33",
+                "voku/portable-ascii": "^2.0.2"
+            },
+            "conflict": {
+                "tightenco/collect": "<5.5.33"
+            },
+            "replace": {
+                "spatie/once": "*"
+            },
+            "suggest": {
+                "illuminate/filesystem": "Required to use the Composer class (^13.0).",
+                "laravel/serializable-closure": "Required to use the once function (^2.0.10).",
+                "league/commonmark": "Required to use Str::markdown() and Stringable::markdown() (^2.7).",
+                "league/uri": "Required to use the Uri class (^7.5.1).",
+                "ramsey/uuid": "Required to use Str::uuid() (^4.7).",
+                "symfony/process": "Required to use the Composer class (^7.4 || ^8.0).",
+                "symfony/uid": "Required to use Str::ulid() (^7.4 || ^8.0).",
+                "symfony/var-dumper": "Required to use the dd function (^7.4 || ^8.0).",
+                "vlucas/phpdotenv": "Required to use the Env class and env helper (^5.6.1)."
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "13.0.x-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "functions.php",
+                    "helpers.php"
+                ],
+                "psr-4": {
+                    "Illuminate\\Support\\": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Otwell",
+                    "email": "taylor@laravel.com"
+                }
+            ],
+            "description": "The Illuminate Support package.",
+            "homepage": "https://laravel.com",
+            "support": {
+                "issues": "https://github.com/laravel/framework/issues",
+                "source": "https://github.com/laravel/framework"
+            },
+            "time": "2026-05-04T12:34:54+00:00"
+        },
         {
             "name": "lcobucci/jwt",
             "version": "5.6.0",
@@ -3057,6 +3506,111 @@
             },
             "time": "2026-01-12T15:59:08+00:00"
         },
+        {
+            "name": "nesbot/carbon",
+            "version": "3.11.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/CarbonPHP/carbon.git",
+                "reference": "e890471a3494740f7d9326d72ce6a8c559ffee60"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/CarbonPHP/carbon/zipball/e890471a3494740f7d9326d72ce6a8c559ffee60",
+                "reference": "e890471a3494740f7d9326d72ce6a8c559ffee60",
+                "shasum": ""
+            },
+            "require": {
+                "carbonphp/carbon-doctrine-types": "<100.0",
+                "ext-json": "*",
+                "php": "^8.1",
+                "psr/clock": "^1.0",
+                "symfony/clock": "^6.3.12 || ^7.0 || ^8.0",
+                "symfony/polyfill-mbstring": "^1.0",
+                "symfony/translation": "^4.4.18 || ^5.2.1 || ^6.0 || ^7.0 || ^8.0"
+            },
+            "provide": {
+                "psr/clock-implementation": "1.0"
+            },
+            "require-dev": {
+                "doctrine/dbal": "^3.6.3 || ^4.0",
+                "doctrine/orm": "^2.15.2 || ^3.0",
+                "friendsofphp/php-cs-fixer": "^v3.87.1",
+                "kylekatarnls/multi-tester": "^2.5.3",
+                "phpmd/phpmd": "^2.15.0",
+                "phpstan/extension-installer": "^1.4.3",
+                "phpstan/phpstan": "^2.1.22",
+                "phpunit/phpunit": "^10.5.53",
+                "squizlabs/php_codesniffer": "^3.13.4 || ^4.0.0"
+            },
+            "bin": [
+                "bin/carbon"
+            ],
+            "type": "library",
+            "extra": {
+                "laravel": {
+                    "providers": [
+                        "Carbon\\Laravel\\ServiceProvider"
+                    ]
+                },
+                "phpstan": {
+                    "includes": [
+                        "extension.neon"
+                    ]
+                },
+                "branch-alias": {
+                    "dev-2.x": "2.x-dev",
+                    "dev-master": "3.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Carbon\\": "src/Carbon/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Brian Nesbitt",
+                    "email": "brian@nesbot.com",
+                    "homepage": "https://markido.com"
+                },
+                {
+                    "name": "kylekatarnls",
+                    "homepage": "https://github.com/kylekatarnls"
+                }
+            ],
+            "description": "An API extension for DateTime that supports 281 different languages.",
+            "homepage": "https://carbonphp.github.io/carbon/",
+            "keywords": [
+                "date",
+                "datetime",
+                "time"
+            ],
+            "support": {
+                "docs": "https://carbonphp.github.io/carbon/guide/getting-started/introduction.html",
+                "issues": "https://github.com/CarbonPHP/carbon/issues",
+                "source": "https://github.com/CarbonPHP/carbon"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/sponsors/kylekatarnls",
+                    "type": "github"
+                },
+                {
+                    "url": "https://opencollective.com/Carbon#sponsor",
+                    "type": "opencollective"
+                },
+                {
+                    "url": "https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-07T09:57:54+00:00"
+        },
         {
             "name": "nyholm/psr7",
             "version": "1.8.2",
@@ -5287,6 +5841,82 @@
             ],
             "time": "2026-03-06T13:17:40+00:00"
         },
+        {
+            "name": "symfony/doctrine-messenger",
+            "version": "v8.0.6",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/doctrine-messenger.git",
+                "reference": "88329a3faba5023cfb569b3fc5b8a771336c4a88"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/doctrine-messenger/zipball/88329a3faba5023cfb569b3fc5b8a771336c4a88",
+                "reference": "88329a3faba5023cfb569b3fc5b8a771336c4a88",
+                "shasum": ""
+            },
+            "require": {
+                "doctrine/dbal": "^4.3",
+                "php": ">=8.4",
+                "symfony/messenger": "^7.4|^8.0",
+                "symfony/service-contracts": "^2.5|^3"
+            },
+            "conflict": {
+                "doctrine/persistence": "<1.3"
+            },
+            "require-dev": {
+                "doctrine/persistence": "^1.3|^2|^3",
+                "symfony/property-access": "^7.4|^8.0",
+                "symfony/serializer": "^7.4|^8.0"
+            },
+            "type": "symfony-messenger-bridge",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\Messenger\\Bridge\\Doctrine\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony Doctrine Messenger Bridge",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/doctrine-messenger/tree/v8.0.6"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-02-20T07:51:53+00:00"
+        },
         {
             "name": "symfony/dotenv",
             "version": "v8.0.7",
@@ -6379,6 +7009,88 @@
             ],
             "time": "2026-03-06T16:58:46+00:00"
         },
+        {
+            "name": "symfony/lock",
+            "version": "v8.0.9",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/lock.git",
+                "reference": "02e7142df3d647411fd88655d20d8ec79dafb78c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/lock/zipball/02e7142df3d647411fd88655d20d8ec79dafb78c",
+                "reference": "02e7142df3d647411fd88655d20d8ec79dafb78c",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "psr/log": "^1|^2|^3"
+            },
+            "conflict": {
+                "doctrine/dbal": "<4.3"
+            },
+            "require-dev": {
+                "doctrine/dbal": "^4.3",
+                "predis/predis": "^1.1|^2.0",
+                "symfony/serializer": "^6.4|^7.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\Lock\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Jérémy Derussé",
+                    "email": "jeremy@derusse.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Creates and manages locks, a mechanism to provide exclusive access to a shared resource",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "cas",
+                "flock",
+                "locking",
+                "mutex",
+                "redlock",
+                "semaphore"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/lock/tree/v8.0.9"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-29T15:02:55+00:00"
+        },
         {
             "name": "symfony/mcp-bundle",
             "version": "v0.6.0",
@@ -6463,6 +7175,96 @@
             ],
             "time": "2026-03-04T16:39:24+00:00"
         },
+        {
+            "name": "symfony/messenger",
+            "version": "v8.0.11",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/messenger.git",
+                "reference": "c451c175724fc781c777783aaec3b7999ceb0621"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/messenger/zipball/c451c175724fc781c777783aaec3b7999ceb0621",
+                "reference": "c451c175724fc781c777783aaec3b7999ceb0621",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "psr/log": "^1|^2|^3",
+                "symfony/clock": "^7.4|^8.0"
+            },
+            "conflict": {
+                "symfony/console": "<7.4",
+                "symfony/event-dispatcher-contracts": "<2.5",
+                "symfony/lock": "<7.4",
+                "symfony/serializer": "<7.4.4|>=8.0,<8.0.4"
+            },
+            "require-dev": {
+                "psr/cache": "^1.0|^2.0|^3.0",
+                "symfony/console": "^7.4|^8.0",
+                "symfony/dependency-injection": "^7.4|^8.0",
+                "symfony/event-dispatcher": "^7.4|^8.0",
+                "symfony/http-kernel": "^7.4|^8.0",
+                "symfony/lock": "^7.4|^8.0",
+                "symfony/process": "^7.4|^8.0",
+                "symfony/property-access": "^7.4|^8.0",
+                "symfony/rate-limiter": "^7.4|^8.0",
+                "symfony/routing": "^7.4|^8.0",
+                "symfony/serializer": "^7.4.4|^8.0.4",
+                "symfony/service-contracts": "^2.5|^3",
+                "symfony/stopwatch": "^7.4|^8.0",
+                "symfony/validator": "^7.4|^8.0",
+                "symfony/var-dumper": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\Messenger\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Samuel Roze",
+                    "email": "samuel.roze@gmail.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Helps applications send and receive messages to/from other applications or via message queues",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/messenger/tree/v8.0.11"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-05-13T12:07:53+00:00"
+        },
         {
             "name": "symfony/mime",
             "version": "v8.0.7",
@@ -7268,6 +8070,86 @@
             ],
             "time": "2025-06-23T16:12:55+00:00"
         },
+        {
+            "name": "symfony/polyfill-php86",
+            "version": "v1.37.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/polyfill-php86.git",
+                "reference": "33d8fc5a705481e21fe3a81212b26f9b1f61749c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/polyfill-php86/zipball/33d8fc5a705481e21fe3a81212b26f9b1f61749c",
+                "reference": "33d8fc5a705481e21fe3a81212b26f9b1f61749c",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.2"
+            },
+            "type": "library",
+            "extra": {
+                "thanks": {
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "bootstrap.php"
+                ],
+                "psr-4": {
+                    "Symfony\\Polyfill\\Php86\\": ""
+                },
+                "classmap": [
+                    "Resources/stubs"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony polyfill backporting some PHP 8.6+ features to lower PHP versions",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "compatibility",
+                "polyfill",
+                "portable",
+                "shim"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/polyfill-php86/tree/v1.37.0"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-26T13:13:48+00:00"
+        },
         {
             "name": "symfony/polyfill-uuid",
             "version": "v1.33.0",
@@ -8522,6 +9404,99 @@
             ],
             "time": "2026-02-09T10:14:57+00:00"
         },
+        {
+            "name": "symfony/translation",
+            "version": "v8.0.10",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/translation.git",
+                "reference": "f63e9342e12646a57c91ef8a366a4f9d8e557b67"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/translation/zipball/f63e9342e12646a57c91ef8a366a4f9d8e557b67",
+                "reference": "f63e9342e12646a57c91ef8a366a4f9d8e557b67",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "symfony/polyfill-mbstring": "^1.0",
+                "symfony/translation-contracts": "^3.6.1"
+            },
+            "conflict": {
+                "nikic/php-parser": "<5.0",
+                "symfony/http-client-contracts": "<2.5",
+                "symfony/service-contracts": "<2.5"
+            },
+            "provide": {
+                "symfony/translation-implementation": "2.3|3.0"
+            },
+            "require-dev": {
+                "nikic/php-parser": "^5.0",
+                "psr/log": "^1|^2|^3",
+                "symfony/config": "^7.4|^8.0",
+                "symfony/console": "^7.4|^8.0",
+                "symfony/dependency-injection": "^7.4|^8.0",
+                "symfony/finder": "^7.4|^8.0",
+                "symfony/http-client-contracts": "^2.5|^3.0",
+                "symfony/http-kernel": "^7.4|^8.0",
+                "symfony/intl": "^7.4|^8.0",
+                "symfony/polyfill-intl-icu": "^1.21",
+                "symfony/routing": "^7.4|^8.0",
+                "symfony/service-contracts": "^2.5|^3",
+                "symfony/yaml": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "Resources/functions.php"
+                ],
+                "psr-4": {
+                    "Symfony\\Component\\Translation\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Provides tools to internationalize your application",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/translation/tree/v8.0.10"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-05-06T11:30:54+00:00"
+        },
         {
             "name": "symfony/translation-contracts",
             "version": "v3.6.1",
@@ -9185,6 +10160,161 @@
             ],
             "time": "2026-02-09T10:14:57+00:00"
         },
+        {
+            "name": "voku/portable-ascii",
+            "version": "2.1.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/voku/portable-ascii.git",
+                "reference": "8e1051fe39379367aecf014f41744ce7539a856f"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/voku/portable-ascii/zipball/8e1051fe39379367aecf014f41744ce7539a856f",
+                "reference": "8e1051fe39379367aecf014f41744ce7539a856f",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~8.5 || ~9.6 || ~10.5 || ~11.5"
+            },
+            "suggest": {
+                "ext-intl": "Use Intl for transliterator_transliterate() support"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "voku\\": "src/voku/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Lars Moelleken",
+                    "homepage": "https://www.moelleken.org/"
+                }
+            ],
+            "description": "Portable ASCII library - performance optimized (ascii) string functions for php.",
+            "homepage": "https://github.com/voku/portable-ascii",
+            "keywords": [
+                "ascii",
+                "clean",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/voku/portable-ascii/issues",
+                "source": "https://github.com/voku/portable-ascii/tree/2.1.1"
+            },
+            "funding": [
+                {
+                    "url": "https://www.paypal.me/moelleken",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/voku",
+                    "type": "github"
+                },
+                {
+                    "url": "https://opencollective.com/portable-ascii",
+                    "type": "open_collective"
+                },
+                {
+                    "url": "https://www.patreon.com/voku",
+                    "type": "patreon"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/voku/portable-ascii",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-26T05:33:54+00:00"
+        },
+        {
+            "name": "webklex/php-imap",
+            "version": "6.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/Webklex/php-imap.git",
+                "reference": "6b8ef85d621bbbaf52741b00cca8e9237e2b2e05"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/Webklex/php-imap/zipball/6b8ef85d621bbbaf52741b00cca8e9237e2b2e05",
+                "reference": "6b8ef85d621bbbaf52741b00cca8e9237e2b2e05",
+                "shasum": ""
+            },
+            "require": {
+                "ext-fileinfo": "*",
+                "ext-iconv": "*",
+                "ext-json": "*",
+                "ext-libxml": "*",
+                "ext-mbstring": "*",
+                "ext-openssl": "*",
+                "ext-zip": "*",
+                "illuminate/pagination": ">=5.0.0",
+                "nesbot/carbon": "^2.62.1|^3.2.4",
+                "php": "^8.0.2",
+                "symfony/http-foundation": ">=2.8.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^9.5.10"
+            },
+            "suggest": {
+                "symfony/mime": "Recomended for better extension support",
+                "symfony/var-dumper": "Usefull tool for debugging"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "6.0-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Webklex\\PHPIMAP\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Malte Goldenbaum",
+                    "email": "github@webklex.com",
+                    "role": "Developer"
+                }
+            ],
+            "description": "PHP IMAP client",
+            "homepage": "https://github.com/webklex/php-imap",
+            "keywords": [
+                "imap",
+                "mail",
+                "php-imap",
+                "pop3",
+                "webklex"
+            ],
+            "support": {
+                "issues": "https://github.com/Webklex/php-imap/issues",
+                "source": "https://github.com/Webklex/php-imap/tree/6.2.0"
+            },
+            "funding": [
+                {
+                    "url": "https://www.buymeacoffee.com/webklex",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://ko-fi.com/webklex",
+                    "type": "ko_fi"
+                }
+            ],
+            "time": "2025-04-25T06:02:37+00:00"
+        },
         {
             "name": "webmozart/assert",
             "version": "2.1.6",
@@ -12164,6 +13294,217 @@
             ],
             "time": "2024-10-20T05:08:20+00:00"
         },
+        {
+            "name": "symfony/browser-kit",
+            "version": "v8.0.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/browser-kit.git",
+                "reference": "f5a28fca785416cf489dd579011e74c831100cc3"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/browser-kit/zipball/f5a28fca785416cf489dd579011e74c831100cc3",
+                "reference": "f5a28fca785416cf489dd579011e74c831100cc3",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "symfony/dom-crawler": "^7.4|^8.0"
+            },
+            "require-dev": {
+                "symfony/css-selector": "^7.4|^8.0",
+                "symfony/http-client": "^7.4|^8.0",
+                "symfony/mime": "^7.4|^8.0",
+                "symfony/process": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\BrowserKit\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Simulates the behavior of a web browser, allowing you to make requests, click on links and submit forms programmatically",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/browser-kit/tree/v8.0.8"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-30T15:14:47+00:00"
+        },
+        {
+            "name": "symfony/css-selector",
+            "version": "v8.0.9",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/css-selector.git",
+                "reference": "3665cfade90565430909b906394c73c8739e57d0"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/css-selector/zipball/3665cfade90565430909b906394c73c8739e57d0",
+                "reference": "3665cfade90565430909b906394c73c8739e57d0",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\CssSelector\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Jean-François Simon",
+                    "email": "jeanfrancois.simon@sensiolabs.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Converts CSS selectors to XPath expressions",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/css-selector/tree/v8.0.9"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-04-18T13:51:42+00:00"
+        },
+        {
+            "name": "symfony/dom-crawler",
+            "version": "v8.0.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/dom-crawler.git",
+                "reference": "284ace90732b445b027728b5e0eec6418a17a364"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/284ace90732b445b027728b5e0eec6418a17a364",
+                "reference": "284ace90732b445b027728b5e0eec6418a17a364",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.4",
+                "symfony/polyfill-ctype": "^1.8",
+                "symfony/polyfill-mbstring": "^1.0"
+            },
+            "require-dev": {
+                "symfony/css-selector": "^7.4|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\DomCrawler\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Eases DOM navigation for HTML and XML documents",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/dom-crawler/tree/v8.0.8"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-30T15:14:47+00:00"
+        },
         {
             "name": "symfony/process",
             "version": "v8.0.5",
diff --git a/config/packages/lock.yaml b/config/packages/lock.yaml
new file mode 100644
index 0000000..574879f
--- /dev/null
+++ b/config/packages/lock.yaml
@@ -0,0 +1,2 @@
+framework:
+    lock: '%env(LOCK_DSN)%'
diff --git a/config/packages/messenger.yaml b/config/packages/messenger.yaml
new file mode 100644
index 0000000..3c1eeab
--- /dev/null
+++ b/config/packages/messenger.yaml
@@ -0,0 +1,28 @@
+framework:
+    messenger:
+        failure_transport: failed
+
+        transports:
+            sync: 'sync://'
+
+            async:
+                dsn: '%env(MESSENGER_TRANSPORT_DSN)%'
+                options:
+                    queue_name: default
+                retry_strategy:
+                    max_retries: 3
+                    delay: 1000
+                    multiplier: 2
+                    max_delay: 0
+
+            failed: 'doctrine://default?queue_name=failed&auto_setup=0'
+
+        routing:
+            'App\Message\MailSyncRequested': async
+
+when@test:
+    framework:
+        messenger:
+            transports:
+                async: 'in-memory://'
+                failed: 'in-memory://'
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index a6fed5a..820b46a 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -64,6 +64,8 @@ security:
         - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
+        # Mail : requiert authentification (les checks ROLE_USER/ROLE_CLIENT sont dans MailAccessChecker)
+        - { path: ^/api/mail, roles: IS_AUTHENTICATED_FULLY }
         - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
 
 when@test:
diff --git a/config/packages/translation.yaml b/config/packages/translation.yaml
new file mode 100644
index 0000000..490bfc2
--- /dev/null
+++ b/config/packages/translation.yaml
@@ -0,0 +1,5 @@
+framework:
+    default_locale: en
+    translator:
+        default_path: '%kernel.project_dir%/translations'
+        providers:
diff --git a/config/reference.php b/config/reference.php
index bd1717f..145877b 100644
--- a/config/reference.php
+++ b/config/reference.php
@@ -301,7 +301,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *         },
  *     },
  *     translator?: bool|array{ // Translator configuration
- *         enabled?: bool|Param, // Default: false
+ *         enabled?: bool|Param, // Default: true
  *         fallbacks?: list<scalar|Param|null>,
  *         logging?: bool|Param, // Default: false
  *         formatter?: scalar|Param|null, // Default: "translator.formatter.default"
@@ -413,7 +413,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *         enabled?: bool|Param, // Default: true
  *     },
  *     lock?: bool|string|array{ // Lock configuration
- *         enabled?: bool|Param, // Default: false
+ *         enabled?: bool|Param, // Default: true
  *         resources?: array<string, string|list<scalar|Param|null>>,
  *     },
  *     semaphore?: bool|string|array{ // Semaphore configuration
@@ -421,7 +421,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *         resources?: array<string, scalar|Param|null>,
  *     },
  *     messenger?: bool|array{ // Messenger configuration
- *         enabled?: bool|Param, // Default: false
+ *         enabled?: bool|Param, // Default: true
  *         routing?: array<string, string|array{ // Default: []
  *             senders?: list<scalar|Param|null>,
  *         }>,
@@ -1360,7 +1360,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
  *         include_type?: bool|Param, // Always include @var in updates (including delete ones). // Default: false
  *     },
  *     messenger?: bool|array{
- *         enabled?: bool|Param, // Default: false
+ *         enabled?: bool|Param, // Default: true
  *     },
  *     elasticsearch?: bool|array{
  *         enabled?: bool|Param, // Default: false
diff --git a/docs/mail-cron-setup.md b/docs/mail-cron-setup.md
new file mode 100644
index 0000000..78a5b2e
--- /dev/null
+++ b/docs/mail-cron-setup.md
@@ -0,0 +1,111 @@
+# Mail Integration — Configuration cron OS
+
+## Vue d'ensemble
+
+La synchronisation IMAP est déclenchée par un cron OS toutes les 10 minutes.
+Elle appelle la commande Symfony `app:mail:sync` qui s'exécute dans le container PHP.
+
+Un Symfony Lock (`mail.sync`, TTL 10 min, store `flock` via `LOCK_DSN=flock`) empêche
+les runs de se chevaucher si une sync prend plus de 10 min.
+
+## Prérequis
+
+- Container `php-lesstime-fpm` démarré (`make start`)
+- `MailConfiguration.enabled = true` (configurable depuis l'admin — Phase 7)
+- `ENCRYPTION_KEY` défini dans `infra/dev/.env.docker.local` (ou production env)
+
+## Installation du cron
+
+Sur la **machine hôte** (pas dans le container) :
+
+```bash
+crontab -e
+```
+
+Ajouter la ligne suivante (adapter le chemin) :
+
+```cron
+*/10 * * * * cd /home/r-dev/malio-dev/Lesstime && make mail-sync >> /var/log/lesstime-mail-sync.log 2>&1
+```
+
+Ou directement via `docker exec` (sans dépendance à `make`) :
+
+```cron
+*/10 * * * * docker exec php-lesstime-fpm php bin/console app:mail:sync >> /var/log/lesstime-mail-sync.log 2>&1
+```
+
+### Avec un utilisateur système dédié
+
+Si le cron est configuré pour un utilisateur système spécifique (ex: `www-data` ou `deploy`) :
+
+```bash
+sudo crontab -u deploy -e
+```
+
+## Variables d'environnement nécessaires
+
+| Variable | Description | Exemple |
+|---|---|---|
+| `ENCRYPTION_KEY` | Clé hex 32 bytes pour déchiffrer le password IMAP | `$(php -r "echo bin2hex(random_bytes(32));")` |
+| `LOCK_DSN` | DSN du store de verrous Symfony | `flock` (défaut, fichier local) |
+
+La clé doit être la même que celle utilisée pour chiffrer le password lors de la configuration.
+
+## Checklist setup production
+
+1. [ ] Définir `ENCRYPTION_KEY` dans les variables d'environnement production
+2. [ ] Créer le compte mail dédié (ex: `lesstime@votre-domaine.fr`) chez OVH
+3. [ ] Accéder à `/admin` → onglet "Mail" → renseigner les credentials IMAP/SMTP
+4. [ ] Cliquer "Tester la connexion" → vérifier le succès
+5. [ ] Cocher "Activer la synchronisation" → Enregistrer
+6. [ ] Installer le cron OS (voir section "Installation du cron")
+7. [ ] Vérifier les logs après la première sync : `make logs-dev` (chercher `mail.sync`)
+
+## Commandes utiles
+
+```bash
+# Sync complète (toutes les boîtes)
+make mail-sync
+
+# Sync d'un seul dossier (le dossier doit déjà exister en base)
+make mail-sync FOLDER=INBOX
+
+# Simulation (dry-run, pas d'écriture BDD)
+make mail-sync DRYRUN=1
+
+# Directement dans le container
+docker exec php-lesstime-fpm php bin/console app:mail:sync
+docker exec php-lesstime-fpm php bin/console app:mail:sync --folder=INBOX
+docker exec php-lesstime-fpm php bin/console app:mail:sync --dry-run
+```
+
+## Logs
+
+Les logs Symfony sont dans `var/log/dev.log` (ou `prod.log` en production).
+Suivre les logs en temps réel :
+
+```bash
+make logs-dev
+```
+
+Les messages loggés par `MailSyncService` sont préfixés `mail.sync`.
+
+## Sécurité
+
+- Le password IMAP est **toujours stocké chiffré** (libsodium secretbox)
+- Les corps de mails, passwords et pièces jointes ne sont **jamais loggés**
+- Le lock `flock` évite les runs parallèles (fichier dans `/tmp/sf.mail.sync.<hash>.lock`)
+
+## Rappels sécurité
+
+- La page `/mail` et tous les endpoints `/api/mail/*` sont refusés aux `ROLE_CLIENT` exclusifs
+- Le sidebar "Messagerie" est masqué pour les utilisateurs ROLE_CLIENT sans ROLE_USER
+- Le password IMAP est chiffré via libsodium secretbox avant stockage (jamais en clair en base)
+- Les corps de mails sont sanitisés via DOMPurify avant affichage (voir `frontend/utils/sanitizeMailHtml.ts`)
+- Les pixels tracking distants sont remplacés par un placeholder
+- Aucun body mail, password ou contenu de pièce jointe n'est loggé
+
+## Production
+
+En production, préférer un cron système ou un job scheduler (Kubernetes CronJob, ECS Scheduled Task, etc.).
+La commande est idempotente : relancer plusieurs fois ne duplique pas les données (UIDs uniques en base).
diff --git a/docs/mail-integration.md b/docs/mail-integration.md
new file mode 100644
index 0000000..92edece
--- /dev/null
+++ b/docs/mail-integration.md
@@ -0,0 +1,147 @@
+# Intégration Mail — Vue d'ensemble
+
+> ## 🟢 Statut & reprise (handoff — MAJ 2026-05-20)
+>
+> **Branche** : `feat/mail-integration` · **MR Gitea** : https://gitea.malio.fr/MALIO-DEV/Lesstime/pulls/5 (base `develop`)
+> Construit en 7 phases (plans dans `docs/superpowers/plans/2026-05-19-mail-phase*.md`).
+>
+> ### Ce qui marche (testé contre une vraie boîte OVH `contact@malio.fr`)
+> - Connexion IMAP + test connexion (admin → `/admin` onglet Mail)
+> - Synchro complète multi-dossiers : **456 messages / 57 dossiers** ramenés, ne crashe plus
+> - Lecture dossiers/messages dans `/mail`, arbre repliable (chevrons, sous-dossiers masqués par défaut)
+> - Lecture d'un mail, sanitization DOMPurify
+> - Création/lien tâche depuis un mail
+>
+> ### Bugs déjà corrigés ce soir (NE PAS ré-investiguer)
+> Tous dans `ImapMailProvider` / `MailSyncService` — les tests mockaient le provider, donc le fetch réel n'avait jamais été exercé avant le test live :
+> 1. Requête sans critère → `BAD parse error: zero-length content` → `whereAll()`
+> 2. `getDate()`/`getSubject()` renvoient des `Attribute` webklex v6 → casts explicites
+> 3. Séquence par défaut `ST_MSGN` → `peek()` faisait un STORE rejeté par OVH (`flag could not be removed`) → forcé `ST_UID` partout
+> 4. Snippet via `getTextBody()` = fetch du corps de chaque mail (sync 179s + peek) → `setFetchBody(false)`, snippet désactivé au listing
+> 5. Test connexion exigeait `enabled=true` → découplé via `getClient(requireEnabled:false)` + `testConnection()`
+> 6. Contrainte UNIQUE globale sur `message_id` → fausse pour IMAP (même Message-ID dans plusieurs dossiers) → fermait l'EntityManager → cascade. **Migration `Version20260520061736`** : index simple. Garde anti-cascade dans `MailSyncService` (reset `ManagerRegistry`).
+> 7. 139 connexions IMAP (une/dossier) → throttling OVH → réutilisation d'1 connexion (`closeConnection()` sur l'interface) + reconnexion ciblée après dossier en erreur.
+> - Contrat front/back réaligné dans `frontend/services/mail.ts` (route `/mail/folders/{path}/messages`, mapping `messages→items`, `fromAddress→fromEmail`, détail plat→imbriqué).
+>
+> ### Points en suspens / à savoir
+> - **Mise à jour auto** = cron OS lançant `make mail-sync` toutes les 10 min (cf `docs/mail-cron-setup.md`). **Pas configuré en dev** — lancer à la main.
+> - **Bouton "Actualiser"** : dispatch async Messenger (`MailSyncRequested → async`). Sans worker `messenger:consume async` qui tourne, les demandes s'empilent sans s'exécuter. En prod : supervisor. En dev : lancer un worker.
+> - **~7 dossiers/139** à encodage spécial (ex: `INBOX/RH/.../SÉBASTIEN` en UTF7-modifié) ou réponses vides sont skippés proprement et réessayés au cycle suivant. Edge case webklex non bloquant.
+> - **Dépendance** : `webklex/php-imap ^6.2` tire des paquets Laravel (`illuminate/*` via `carbon ^3`) dans ce projet Symfony — fonctionnel mais à valider en review.
+> - 6 PHPUnit Notices (mocks sans expectations) non bloquantes.
+>
+> ### Commandes utiles
+> ```bash
+> make mail-sync                                                   # synchro complète
+> docker exec -i -u www-data php-lesstime-fpm php bin/console app:mail:sync --folder=INBOX -v
+> docker exec -i -u www-data php-lesstime-fpm php bin/console messenger:consume async -vv   # worker (fait marcher le bouton)
+> make test                                                        # 33 tests
+> ```
+> Fixtures `make fixtures` plantent sur un état legacy `workflow_id` (hors-scope mail) — configurer la boîte via l'UI admin.
+
+## Fonctionnalités
+
+- Lecture de la boîte mail partagée (IMAP) depuis Lesstime
+- Navigation par dossiers (arbre récursif avec compteurs non-lus)
+- Liste paginée des messages (infinite scroll, cursor-based)
+- Lecture des corps de mail sanitisés (DOMPurify — protection XSS + pixels tracking)
+- Création d'une tâche Lesstime depuis un mail (sujet → titre, texte → description)
+- Lien mail ↔ tâche (bidirectionnel)
+- Onglet "Mails" dans le TaskDrawer pour retrouver les mails liés à une tâche
+- Synchronisation IMAP automatique via cron OS (toutes les 10 min)
+- Déclenchement manuel de sync depuis l'UI (bouton Refresh)
+- Badge non-lus en temps réel dans la sidebar (polling 30s)
+
+## Endpoints API
+
+| Méthode | URL | Rôle | Description |
+|---------|-----|------|-------------|
+| GET | `/api/mail/configuration` | ROLE_ADMIN | Lire la config singleton |
+| PATCH | `/api/mail/configuration` | ROLE_ADMIN | Mettre à jour la config |
+| POST | `/api/mail/configuration/test` | ROLE_ADMIN | Tester la connexion IMAP |
+| GET | `/api/mail/folders` | ROLE_USER | Arbre des dossiers + unread |
+| GET | `/api/mail/messages` | ROLE_USER | Liste paginée (param: folder, cursor, limit) |
+| GET | `/api/mail/messages/{id}` | ROLE_USER | Détail + body (cached 5 min) |
+| POST | `/api/mail/messages/{id}/read` | ROLE_USER | Marquer lu/non-lu |
+| POST | `/api/mail/messages/{id}/flag` | ROLE_USER | Marquer étoilé/non-étoilé |
+| POST | `/api/mail/messages/{id}/create-task` | ROLE_USER | Créer tâche depuis mail |
+| POST | `/api/mail/messages/{id}/link-task` | ROLE_USER | Lier mail à tâche existante |
+| DELETE | `/api/mail/messages/{id}/link-task/{taskId}` | ROLE_USER | Supprimer le lien |
+| GET | `/api/tasks/{id}/mails` | ROLE_USER | Mails liés à une tâche |
+| GET | `/api/mail/attachments/{id}` | ROLE_USER | Télécharger une pièce jointe |
+| POST | `/api/mail/sync` | ROLE_USER | Déclencher sync async (Messenger) |
+
+Tous les endpoints `/api/mail/*` refusent explicitement `ROLE_CLIENT`.
+
+## Sécurité
+
+- ROLE_CLIENT exclusif : accès refusé à tous les endpoints mail et à la page `/mail`
+- Le sidebar "Messagerie" est masqué pour les ROLE_CLIENT
+- Password IMAP chiffré via libsodium secretbox (env `ENCRYPTION_KEY`)
+- Corps de mail sanitisés via DOMPurify (`sanitizeMailHtml.ts`) — script/iframe/object/embed/on*/javascript: bloqués
+- Pixels tracking distants (img src http) remplacés par placeholder
+- Aucun body, password ou contenu de pièce jointe dans les logs
+
+## Dépendances
+
+### Backend
+- `webklex/php-imap` : client IMAP PHP
+- `symfony/lock` : Symfony Lock pour éviter les syncs parallèles
+- `symfony/messenger` : dispatch asynchrone `MailSyncRequested`
+- `libsodium` (ext PHP) : chiffrement du password IMAP
+
+### Frontend
+- `dompurify` + `@types/dompurify` : sanitization HTML des corps de mail
+
+## Fichiers clés
+
+### Backend
+- `src/Entity/MailConfiguration.php` — entité singleton (credentials, enabled)
+- `src/Entity/MailFolder.php` — dossier IMAP synced
+- `src/Entity/MailMessage.php` — message IMAP synced (headers, flags)
+- `src/Entity/TaskMailLink.php` — lien tâche ↔ mail
+- `src/Mail/ImapMailProvider.php` — implémentation IMAP (webklex)
+- `src/Service/MailSyncService.php` — algorithme de sync (UID FETCH, resync flags)
+- `src/Controller/Mail/` — controllers custom (test, folders, messages, sync)
+- `src/State/Mail/` — providers/processors API Platform (configuration)
+
+### Frontend
+- `frontend/pages/mail.vue` — page principale 3 colonnes
+- `frontend/components/mail/` — MailFolderTree, MailMessageList, MailMessageViewer, MailRefreshButton
+- `frontend/components/admin/AdminMailTab.vue` — onglet config admin
+- `frontend/stores/mail.ts` — store Pinia (folders, messages, polling)
+- `frontend/services/mail.ts` — service API (toutes les méthodes)
+- `frontend/services/dto/mail.ts` — types TypeScript
+- `frontend/utils/sanitizeMailHtml.ts` — DOMPurify wrapper
+
+## Synchronisation cron
+
+Voir `docs/mail-cron-setup.md` pour la configuration détaillée.
+
+Résumé :
+
+```bash
+# Cron OS (toutes les 10 min)
+*/10 * * * * cd /path/to/Lesstime && make mail-sync >> /var/log/lesstime-mail-sync.log 2>&1
+
+# Commandes Makefile
+make mail-sync              # Sync complète
+make mail-sync FOLDER=INBOX # Sync d'un dossier
+make mail-sync DRYRUN=1     # Simulation sans écriture
+```
+
+## Configuration admin
+
+1. Aller sur `/admin` → onglet "Mail"
+2. Renseigner les credentials IMAP/SMTP (OVH : `ssl0.ovh.net`, port 993/465, SSL)
+3. Cliquer "Tester la connexion"
+4. Activer la synchronisation → Enregistrer
+5. Configurer le cron OS
+
+## Variables d'environnement
+
+| Variable | Description | Obligatoire |
+|----------|-------------|-------------|
+| `ENCRYPTION_KEY` | Clé hex 32 bytes libsodium pour chiffrer le password IMAP | Oui |
+| `LOCK_DSN` | DSN Symfony Lock (défaut: `flock`) | Non |
+| `MESSENGER_TRANSPORT_DSN` | Transport Messenger pour sync async | Recommandé (prod) |
diff --git a/docs/superpowers/plans/2026-05-19-mail-integration-master-plan.md b/docs/superpowers/plans/2026-05-19-mail-integration-master-plan.md
new file mode 100644
index 0000000..089a708
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-integration-master-plan.md
@@ -0,0 +1,264 @@
+# Mail Integration — Master Plan
+
+> **Master plan** : ce document décrit le découpage en phases. Chaque phase aura son propre plan détaillé (rédigé par un subagent rédacteur) puis sera implémentée par un subagent codeur, en cycle.
+
+**Spec source** : `docs/superpowers/specs/2026-05-19-mail-integration-design.md`
+
+**Goal** : Ajouter à Lesstime un client mail intégré pour une boîte partagée OVH (IMAP/SMTP), avec lecture inbox/dossiers et création/lien tâche depuis un mail.
+
+**Stratégie** : 7 phases séquentielles, dépendances claires, chaque phase = working software testable. Cycle par phase : rédacteur → codeur → review humaine → phase suivante.
+
+---
+
+## Cartographie des phases
+
+```
+Phase 1 (Backend foundations)   ──┐
+                                  ├─→ Phase 2 (IMAP provider + sync)  ──┐
+                                  │                                     ├─→ Phase 3 (API backend)  ──┐
+                                  │                                     │                            │
+                                  └─→─────────────────────────────────────────────────────────────────┤
+                                                                                                     │
+Phase 4 (Frontend services + store)  ←──────────────────────────────────────────────────────────────┘
+        │
+        ├─→ Phase 5 (UI principale 3 colonnes)
+        │
+        ├─→ Phase 6 (Intégration tâches : modals, onglet TaskDrawer)
+        │
+        └─→ Phase 7 (Admin config + sidebar + polish)
+```
+
+Chaque phase produit du logiciel fonctionnel (testable, mergeable) sans casser les précédentes.
+
+---
+
+## Phase 1 — Backend Foundations
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase1-foundations.md`
+
+**Scope** :
+- Entité `MailConfiguration` (singleton, fields complets de la spec, `encryptedPassword` via `TokenEncryptor`)
+- Entité `MailFolder`
+- Entité `MailMessage`
+- Entité `TaskMailLink` (avec unique constraint)
+- Repositories : `MailConfigurationRepository::findSingleton()`, `MailFolderRepository`, `MailMessageRepository`, `TaskMailLinkRepository`
+- Migration Doctrine unique créant les 4 tables (raw SQL)
+- DTOs sous `src/Mail/Dto/` : `MailFolderDto`, `MailMessageHeaderDto`, `MailMessageDetailDto`, `MailAttachmentDto`
+- Interface `App\Mail\MailProviderInterface` (signatures uniquement, pas d'impl)
+- Exception `App\Mail\Exception\MailProviderException`
+- Tests unitaires repositories (au moins le pattern singleton)
+
+**Critère d'acceptation** :
+- `make migration-migrate` passe sans erreur
+- `php bin/console doctrine:schema:validate` OK
+- `make test` vert (au moins les tests créés)
+- Fixture `MailConfiguration` désactivée (OVH defaults) ajoutée
+
+**Dépendances** : aucune (point d'entrée).
+
+---
+
+## Phase 2 — IMAP Provider + Sync
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase2-imap-sync.md`
+
+**Scope** :
+- Ajout dépendance Composer `webklex/php-imap` (vérifier compat PHP 8.4)
+- Implémentation `App\Mail\ImapMailProvider implements MailProviderInterface`
+  - Lecture config via `MailConfigurationRepository::findSingleton()`
+  - Déchiffrement password via `TokenEncryptor`
+  - `listFolders`, `listMessages`, `fetchMessage`, `markRead`, `markFlagged`, `moveMessage`, `fetchAttachment`
+  - Wrapping erreurs en `MailProviderException`
+- `App\Service\MailSyncService`
+  - `syncAll(): MailSyncReport`
+  - `syncFolder(string $folderPath): MailSyncReport`
+  - `syncFolderStructure(): void`
+  - Algorithme exact de la spec (UID FETCH lastUid+1:*, resync flags N=200 derniers, detect suppressions avec garde 50%)
+- DTO `MailSyncReport` (count créés / mis à jour / supprimés / errors)
+- Symfony Lock (`mail.sync`, TTL 10 min)
+- Commande console `app:mail:sync` (avec option `--folder=...`)
+- Documentation cron OS + cible Makefile `make mail-sync`
+- Tests : ImapMailProvider mocké via fixture serveur ou interface, MailSyncService avec provider mocké
+
+**Critère d'acceptation** :
+- `php bin/console app:mail:sync --dry-run` fonctionne contre une fake config
+- Tests `make test` verts
+- `make mail-sync` documentée dans Makefile
+
+**Dépendances** : Phase 1.
+
+---
+
+## Phase 3 — API Backend
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase3-api.md`
+
+**Scope** :
+- API Platform ressources :
+  - `GET /api/mail/configuration` (ROLE_ADMIN) — singleton provider
+  - `PATCH /api/mail/configuration` (ROLE_ADMIN) — processor (jamais retourner password en clair, accepter nouveau password à chiffrer)
+- Custom controllers (priority: 1) :
+  - `POST /api/mail/configuration/test` (ROLE_ADMIN) — test connexion
+  - `GET /api/mail/folders` (ROLE_USER, refus ROLE_CLIENT explicite) — arbre + unreadCount depuis BDD
+  - `GET /api/mail/folders/{path}/messages?page&limit` — pagination cursor `sentAt DESC, id DESC`
+  - `GET /api/mail/messages/{id}` — fetch live IMAP + cache Symfony `mail_body_{messageId}` TTL 5 min
+  - `POST /api/mail/messages/{id}/read` (body `{ read: bool }`)
+  - `POST /api/mail/messages/{id}/flag`
+  - `POST /api/mail/messages/{id}/create-task` (body `{ projectId, taskGroupId?, priority? }`)
+  - `POST /api/mail/messages/{id}/link-task` (body `{ taskId }`)
+  - `DELETE /api/mail/messages/{id}/link-task/{taskId}`
+  - `GET /api/tasks/{id}/mails`
+  - `GET /api/mail/attachments/{id}` — stream, `Content-Disposition: attachment`, jamais inline
+  - `POST /api/mail/sync` — async via Messenger
+- Message + Handler Symfony Messenger `MailSyncRequested`
+- Sécurité : `#[IsGranted('IS_AUTHENTICATED_FULLY')]` + check `ROLE_USER && !ROLE_CLIENT` explicite
+- Tests fonctionnels endpoints (auth, format réponses, ROLE_CLIENT refusé)
+
+**Critère d'acceptation** :
+- Tous endpoints répondent corrects status/format
+- Tests `make test` verts
+- ROLE_CLIENT refusé sur 100% des endpoints mail
+- Password jamais leak dans les réponses
+
+**Dépendances** : Phase 1, Phase 2.
+
+---
+
+## Phase 4 — Frontend Services + Store
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase4-frontend-services.md`
+
+**Scope** :
+- Install npm `dompurify` + types
+- `frontend/services/dto/mail.ts` : tous les types TS
+- `frontend/services/mail.ts` : méthodes API (suivre pattern `tasks.ts`)
+  - `listFolders`, `listMessages`, `getMessage`, `markRead`, `markFlagged`
+  - `createTaskFromMail`, `linkTask`, `unlinkTask`, `listMailsForTask`
+  - `triggerSync`
+  - `getConfiguration`, `updateConfiguration`, `testConfiguration`
+  - `downloadAttachment` (retourne Blob)
+- Store Pinia `frontend/stores/useMailStore.ts`
+  - State : `folders`, `selectedFolderPath`, `messages[]`, `selectedMessageId`, `selectedMessageDetail`, `loading`, `syncing`, `globalUnreadCount`
+  - Actions correspondantes
+  - Polling `pollUnreadCount()` toutes les 30s (start/stop)
+- Sanitization helper `frontend/utils/sanitizeMailHtml.ts` (DOMPurify avec config bloquante : script/iframe/object/embed/on*/javascript:, strip ou placeholder pour `<img src="http(s)://...">` distants)
+
+**Critère d'acceptation** :
+- `cd frontend && npx tsc --noEmit` OK
+- Test manuel d'un appel `mail.listFolders()` depuis devtools renvoie 401 si pas authentifié, 200 sinon
+
+**Dépendances** : Phase 3 (les endpoints doivent exister).
+
+---
+
+## Phase 5 — UI principale (page /mail)
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase5-ui-main.md`
+
+**Scope** :
+- Page `frontend/pages/mail.vue` — layout 3 colonnes (dossiers / liste / lecteur), responsive
+- Composants `frontend/components/mail/` :
+  - `MailFolderTree.vue` — arbre récursif avec badges unread, sélection
+  - `MailMessageList.vue` — liste paginée (infinite scroll), indicateurs lu/étoilé/PJ, formatage relatif des dates
+  - `MailMessageViewer.vue` — header (de/à/cc/date) + body sanitizé via DOMPurify + liste PJ téléchargeables + actions (Créer tâche / Lier / Marquer lu/non-lu / Étoiler)
+  - `MailRefreshButton.vue` — bouton sync manuel, désactivé pendant `syncing`
+- i18n clés `mail.*` dans `frontend/i18n/locales/fr.json` (et `en.json` si présent) : titres, vides, actions, erreurs
+- Mapping noms dossiers système (`INBOX`, `Sent`, `Drafts`, `Archive`, `Trash`, `Junk`) → labels traduits
+- Gestion query param `?messageId=X` pour deep-link vers un mail (selection auto à l'ouverture)
+- Refus visuel pour ROLE_CLIENT (le middleware backend bloque déjà, mais ajouter check côté router/middleware Nuxt)
+
+**Critère d'acceptation** :
+- Page accessible à `/mail` pour ROLE_USER/ROLE_ADMIN
+- ROLE_CLIENT redirigé vers `/portal`
+- Pas d'XSS via body mail (test manuel avec un mail contenant `<script>alert(1)</script>`)
+- Pixels tracking distants remplacés par placeholder
+
+**Dépendances** : Phase 4.
+
+---
+
+## Phase 6 — Intégration Tâches
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase6-task-integration.md`
+
+**Scope** :
+- `frontend/components/mail/MailCreateTaskModal.vue` — wrapper du `TaskDrawer` existant pré-rempli :
+  - Titre = subject
+  - Description = body plain text
+  - Picker projet + groupe + priorité
+  - À la création : appelle `POST /api/mail/messages/{id}/create-task`, ferme modal, redirige ou affiche succès
+- `frontend/components/mail/MailLinkTaskModal.vue` — autocomplete sur tâches existantes (filter par projet, statut non-archivé)
+- Onglet **"Mails"** sur `TaskDrawer.vue` :
+  - Nouvelle section affichée à côté Documents / Time tracking / etc.
+  - Liste `MailMessage` liés à la tâche (via `GET /api/tasks/{id}/mails`)
+  - Item cliquable → `router.push('/mail?messageId=' + id)`
+  - Bouton "Lier un mail" → ouvre un picker mail (TBD selon ergonomie : modal recherche ou redirige vers /mail)
+- Tests manuels : créer tâche depuis mail, lier mail à tâche existante, voir mail depuis onglet tâche
+
+**Critère d'acceptation** :
+- Workflow complet : mail → "Créer tâche" → tâche créée et liée → visible dans onglet "Mails" du TaskDrawer
+- Workflow : tâche existante → "Lier mail" → mail apparaît dans onglet
+
+**Dépendances** : Phase 5.
+
+---
+
+## Phase 7 — Admin Config + Sidebar + Polish
+
+**Plan détaillé attendu** : `docs/superpowers/plans/2026-05-19-mail-phase7-admin-polish.md`
+
+**Scope** :
+- `frontend/components/admin/AdminMailTab.vue` (calqué sur `AdminZimbraTab.vue`) :
+  - Form : protocol (imap pour MVP), imapHost/Port/Encryption, smtpHost/Port/Encryption, username, password (write-only, `hasPassword: true` côté GET), sentFolderPath, enabled toggle
+  - Bouton "Tester la connexion" → `POST /api/mail/configuration/test`
+  - Indicateur OVH defaults pré-remplis (`ssl0.ovh.net:993/465`)
+- Ajout onglet `AdminMailTab` dans la page admin (selon pattern existant)
+- Lien sidebar dans le layout default :
+  - Icône `material-symbols:mail-outline`
+  - Label traduit
+  - Badge unread (count `useMailStore.globalUnreadCount`)
+  - Visible uniquement pour `ROLE_USER && !ROLE_CLIENT`
+- Lifecycle polling 30s : start dans `app.vue` ou layout default, stop au logout
+- Documentation finale :
+  - README ou `docs/` : section "Mail integration" (cron OS, variables config, sécurité)
+  - Makefile : `make mail-sync` documentée
+- Vérification finale tracking pixels (relire `sanitizeMailHtml.ts` + tester)
+- QA passe : workflow end-to-end depuis vraie boîte OVH (si dispo) ou IMAP test (greenmail/dovecot local)
+
+**Critère d'acceptation** :
+- Admin peut configurer la boîte, tester, activer
+- Sidebar affiche badge unread temps réel (30s polling)
+- Doc d'install à jour
+- Aucun warning console front, aucun ERROR PHP dans `make logs-dev`
+
+**Dépendances** : Phase 5 (sidebar utilise le store), Phase 3 (admin API).
+
+---
+
+## Conventions communes à toutes les phases
+
+- **TDD** : test rouge → code → test vert → commit
+- **Strict types** PHP (`declare(strict_types=1)`) en tête de chaque fichier
+- **PHP CS Fixer** : `make php-cs-fixer-allow-risky` avant chaque commit
+- **Commits** : format `<type>(mail) : <message>` (espace avant `:`)
+- **Branche** : `feat/mail-integration` (créée au début de Phase 1)
+- **Pas de jamais logger** : bodies, password, attachments
+- **Review humaine entre chaque phase** : le user valide avant lancement phase suivante
+
+---
+
+## Cycle d'exécution
+
+Pour chaque phase N :
+
+1. **Spawn subagent rédacteur** (`feature-dev:code-architect`)
+   - Input : ce master plan + spec + scope phase N
+   - Output : `docs/superpowers/plans/2026-05-19-mail-phaseN-*.md` au format `writing-plans` (tasks bite-sized, fichiers exacts, code complet, commandes test)
+
+2. **Spawn subagent codeur** (`ruflo-core:coder`)
+   - Input : plan détaillé phase N
+   - Output : code + tests + commits (TDD strict)
+
+3. **Review humaine** : user valide ou demande corrections
+
+4. **Phase suivante** uniquement si OK
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase1-foundations.md b/docs/superpowers/plans/2026-05-19-mail-phase1-foundations.md
new file mode 100644
index 0000000..42f1cbf
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase1-foundations.md
@@ -0,0 +1,1632 @@
+# Mail Integration — Phase 1 : Backend Foundations
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Créer les fondations BDD + interfaces de l'intégration mail OVH IMAP (4 entités, 4 repositories, 1 migration, 4 DTOs, 1 interface, 1 exception, 1 fixture, tests). Aucune logique métier.
+
+**Architecture:** Singleton `MailConfiguration` (calqué sur `ZimbraConfiguration`), `MailFolder` (cache arbre IMAP), `MailMessage` (cache headers + snippet), `TaskMailLink` (join). Interface `MailProviderInterface` définit le contrat — implémentation en Phase 2.
+
+**Tech Stack:** PHP 8.4, Symfony 8.0, Doctrine ORM avec attributs PHP 8, PostgreSQL 16, PHPUnit + DAMA DoctrineTestBundle.
+
+**Branche cible :** `feat/mail-integration` (créer si elle n'existe pas).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `src/Entity/MailConfiguration.php` | Créer |
+| `src/Entity/MailFolder.php` | Créer |
+| `src/Entity/MailMessage.php` | Créer |
+| `src/Entity/TaskMailLink.php` | Créer |
+| `src/Repository/MailConfigurationRepository.php` | Créer |
+| `src/Repository/MailFolderRepository.php` | Créer |
+| `src/Repository/MailMessageRepository.php` | Créer |
+| `src/Repository/TaskMailLinkRepository.php` | Créer |
+| `src/Mail/MailProviderInterface.php` | Créer |
+| `src/Mail/Exception/MailProviderException.php` | Créer |
+| `src/Mail/Dto/MailFolderDto.php` | Créer |
+| `src/Mail/Dto/MailMessageHeaderDto.php` | Créer |
+| `src/Mail/Dto/MailAttachmentDto.php` | Créer |
+| `src/Mail/Dto/MailMessageDetailDto.php` | Créer |
+| `migrations/Version<timestamp>.php` | Créer |
+| `src/DataFixtures/AppFixtures.php` | Modifier |
+| `tests/Unit/Repository/MailConfigurationRepositoryTest.php` | Créer |
+
+---
+
+### Task 1 : Préparation — branche + dossiers
+
+- [ ] **Step 1 : Vérifier / créer la branche**
+
+  ```bash
+  git checkout feat/mail-integration 2>/dev/null || git checkout -b feat/mail-integration
+  ```
+
+- [ ] **Step 2 : Créer les dossiers namespace**
+
+  ```bash
+  mkdir -p src/Mail/Dto src/Mail/Exception
+  mkdir -p tests/Unit/Repository
+  ```
+
+- [ ] **Step 3 : Vérifier que les dossiers sont dans l'autoloader Composer**
+
+  Ouvrir `composer.json` et confirmer que `"App\\": "src/"` est présent dans `autoload.psr-4`. Si oui, rien à faire (les sous-dossiers `src/Mail/` sont automatiquement couverts).
+
+---
+
+### Task 2 : Entité `MailConfiguration` + Repository + test singleton
+
+#### Step 1 : Écrire le test (TDD — il doit échouer)
+
+Créer `tests/Unit/Repository/MailConfigurationRepositoryTest.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Repository;
+
+use App\Entity\MailConfiguration;
+use App\Repository\MailConfigurationRepository;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+class MailConfigurationRepositoryTest extends KernelTestCase
+{
+    private MailConfigurationRepository $repository;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container = static::getContainer();
+        $this->repository = $container->get(MailConfigurationRepository::class);
+    }
+
+    public function testFindSingletonReturnsNullWhenEmpty(): void
+    {
+        $result = $this->repository->findSingleton();
+
+        self::assertNull($result);
+    }
+
+    public function testFindSingletonReturnsFirstRecord(): void
+    {
+        $container = static::getContainer();
+        $em = $container->get('doctrine.orm.entity_manager');
+
+        $config = new MailConfiguration();
+        $config->setImapHost('ssl0.ovh.net');
+        $config->setEnabled(false);
+        $em->persist($config);
+        $em->flush();
+
+        $result = $this->repository->findSingleton();
+
+        self::assertInstanceOf(MailConfiguration::class, $result);
+        self::assertSame('ssl0.ovh.net', $result->getImapHost());
+        self::assertFalse($result->isEnabled());
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test pour vérifier qu'il échoue**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Repository/MailConfigurationRepositoryTest.php 2>&1 | tail -20
+  ```
+
+  Attendu : erreur de classe manquante (`App\Entity\MailConfiguration`).
+
+- [ ] **Step 3 : Créer l'entité `MailConfiguration`**
+
+  Créer `src/Entity/MailConfiguration.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Entity;
+
+  use App\Repository\MailConfigurationRepository;
+  use Doctrine\ORM\Mapping as ORM;
+
+  #[ORM\Entity(repositoryClass: MailConfigurationRepository::class)]
+  #[ORM\Table(name: 'mail_configuration')]
+  class MailConfiguration
+  {
+      #[ORM\Id]
+      #[ORM\GeneratedValue]
+      #[ORM\Column]
+      private ?int $id = null;
+
+      #[ORM\Column(length: 10)]
+      private string $protocol = 'imap';
+
+      #[ORM\Column(length: 255, nullable: true)]
+      private ?string $imapHost = null;
+
+      #[ORM\Column]
+      private int $imapPort = 993;
+
+      #[ORM\Column(length: 10)]
+      private string $imapEncryption = 'ssl';
+
+      #[ORM\Column(length: 255, nullable: true)]
+      private ?string $smtpHost = null;
+
+      #[ORM\Column]
+      private int $smtpPort = 465;
+
+      #[ORM\Column(length: 10)]
+      private string $smtpEncryption = 'ssl';
+
+      #[ORM\Column(length: 255, nullable: true)]
+      private ?string $username = null;
+
+      #[ORM\Column(type: 'text', nullable: true)]
+      private ?string $encryptedPassword = null;
+
+      #[ORM\Column(length: 255)]
+      private string $sentFolderPath = 'Sent';
+
+      #[ORM\Column(type: 'boolean')]
+      private bool $enabled = false;
+
+      public function getId(): ?int
+      {
+          return $this->id;
+      }
+
+      public function getProtocol(): string
+      {
+          return $this->protocol;
+      }
+
+      public function setProtocol(string $protocol): static
+      {
+          $this->protocol = $protocol;
+
+          return $this;
+      }
+
+      public function getImapHost(): ?string
+      {
+          return $this->imapHost;
+      }
+
+      public function setImapHost(?string $imapHost): static
+      {
+          $this->imapHost = $imapHost;
+
+          return $this;
+      }
+
+      public function getImapPort(): int
+      {
+          return $this->imapPort;
+      }
+
+      public function setImapPort(int $imapPort): static
+      {
+          $this->imapPort = $imapPort;
+
+          return $this;
+      }
+
+      public function getImapEncryption(): string
+      {
+          return $this->imapEncryption;
+      }
+
+      public function setImapEncryption(string $imapEncryption): static
+      {
+          $this->imapEncryption = $imapEncryption;
+
+          return $this;
+      }
+
+      public function getSmtpHost(): ?string
+      {
+          return $this->smtpHost;
+      }
+
+      public function setSmtpHost(?string $smtpHost): static
+      {
+          $this->smtpHost = $smtpHost;
+
+          return $this;
+      }
+
+      public function getSmtpPort(): int
+      {
+          return $this->smtpPort;
+      }
+
+      public function setSmtpPort(int $smtpPort): static
+      {
+          $this->smtpPort = $smtpPort;
+
+          return $this;
+      }
+
+      public function getSmtpEncryption(): string
+      {
+          return $this->smtpEncryption;
+      }
+
+      public function setSmtpEncryption(string $smtpEncryption): static
+      {
+          $this->smtpEncryption = $smtpEncryption;
+
+          return $this;
+      }
+
+      public function getUsername(): ?string
+      {
+          return $this->username;
+      }
+
+      public function setUsername(?string $username): static
+      {
+          $this->username = $username;
+
+          return $this;
+      }
+
+      public function getEncryptedPassword(): ?string
+      {
+          return $this->encryptedPassword;
+      }
+
+      public function setEncryptedPassword(?string $encryptedPassword): static
+      {
+          $this->encryptedPassword = $encryptedPassword;
+
+          return $this;
+      }
+
+      public function getSentFolderPath(): string
+      {
+          return $this->sentFolderPath;
+      }
+
+      public function setSentFolderPath(string $sentFolderPath): static
+      {
+          $this->sentFolderPath = $sentFolderPath;
+
+          return $this;
+      }
+
+      public function isEnabled(): bool
+      {
+          return $this->enabled;
+      }
+
+      public function setEnabled(bool $enabled): static
+      {
+          $this->enabled = $enabled;
+
+          return $this;
+      }
+
+      public function hasPassword(): bool
+      {
+          return null !== $this->encryptedPassword;
+      }
+  }
+  ```
+
+- [ ] **Step 4 : Créer le repository `MailConfigurationRepository`**
+
+  Créer `src/Repository/MailConfigurationRepository.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Repository;
+
+  use App\Entity\MailConfiguration;
+  use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+  use Doctrine\Persistence\ManagerRegistry;
+
+  class MailConfigurationRepository extends ServiceEntityRepository
+  {
+      public function __construct(ManagerRegistry $registry)
+      {
+          parent::__construct($registry, MailConfiguration::class);
+      }
+
+      public function findSingleton(): ?MailConfiguration
+      {
+          return $this->createQueryBuilder('m')
+              ->setMaxResults(1)
+              ->getQuery()
+              ->getOneOrNullResult()
+          ;
+      }
+  }
+  ```
+
+- [ ] **Step 5 : Lancer le test pour vérifier qu'il passe**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Repository/MailConfigurationRepositoryTest.php 2>&1 | tail -20
+  ```
+
+  Attendu : `OK (2 tests, 2 assertions)`.
+
+  > Note : si le test `testFindSingletonReturnsNullWhenEmpty` échoue car des données persistent entre tests, vérifier que `DAMA\DoctrineTestBundle\Doctrine\DBAL\StaticDriver` est bien configuré dans `config/packages/test/dama_doctrine_test_bundle.yaml`. Si non configuré, ajouter le `@runInSeparateProcess` en dernier recours — mais normalement le projet utilise déjà DAMA.
+
+- [ ] **Step 6 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Entity/MailConfiguration.php src/Repository/MailConfigurationRepository.php tests/Unit/Repository/MailConfigurationRepositoryTest.php
+  git commit -m "feat(mail) : MailConfiguration entity + repository + singleton test"
+  ```
+
+---
+
+### Task 3 : Entité `MailFolder` + Repository
+
+- [ ] **Step 1 : Créer l'entité `MailFolder`**
+
+  Créer `src/Entity/MailFolder.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Entity;
+
+  use App\Repository\MailFolderRepository;
+  use DateTimeImmutable;
+  use Doctrine\ORM\Mapping as ORM;
+
+  #[ORM\Entity(repositoryClass: MailFolderRepository::class)]
+  #[ORM\Table(name: 'mail_folder')]
+  #[ORM\Index(columns: ['parent_path'], name: 'idx_mail_folder_parent_path')]
+  class MailFolder
+  {
+      #[ORM\Id]
+      #[ORM\GeneratedValue]
+      #[ORM\Column]
+      private ?int $id = null;
+
+      #[ORM\Column(length: 500, unique: true)]
+      private string $path;
+
+      #[ORM\Column(length: 255)]
+      private string $displayName;
+
+      #[ORM\Column(length: 500, nullable: true)]
+      private ?string $parentPath = null;
+
+      #[ORM\Column]
+      private int $unreadCount = 0;
+
+      #[ORM\Column]
+      private int $totalCount = 0;
+
+      #[ORM\Column(type: 'datetimetz_immutable', nullable: true)]
+      private ?DateTimeImmutable $lastSyncedAt = null;
+
+      public function getId(): ?int
+      {
+          return $this->id;
+      }
+
+      public function getPath(): string
+      {
+          return $this->path;
+      }
+
+      public function setPath(string $path): static
+      {
+          $this->path = $path;
+
+          return $this;
+      }
+
+      public function getDisplayName(): string
+      {
+          return $this->displayName;
+      }
+
+      public function setDisplayName(string $displayName): static
+      {
+          $this->displayName = $displayName;
+
+          return $this;
+      }
+
+      public function getParentPath(): ?string
+      {
+          return $this->parentPath;
+      }
+
+      public function setParentPath(?string $parentPath): static
+      {
+          $this->parentPath = $parentPath;
+
+          return $this;
+      }
+
+      public function getUnreadCount(): int
+      {
+          return $this->unreadCount;
+      }
+
+      public function setUnreadCount(int $unreadCount): static
+      {
+          $this->unreadCount = $unreadCount;
+
+          return $this;
+      }
+
+      public function getTotalCount(): int
+      {
+          return $this->totalCount;
+      }
+
+      public function setTotalCount(int $totalCount): static
+      {
+          $this->totalCount = $totalCount;
+
+          return $this;
+      }
+
+      public function getLastSyncedAt(): ?DateTimeImmutable
+      {
+          return $this->lastSyncedAt;
+      }
+
+      public function setLastSyncedAt(?DateTimeImmutable $lastSyncedAt): static
+      {
+          $this->lastSyncedAt = $lastSyncedAt;
+
+          return $this;
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer le repository `MailFolderRepository`**
+
+  Créer `src/Repository/MailFolderRepository.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Repository;
+
+  use App\Entity\MailFolder;
+  use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+  use Doctrine\Persistence\ManagerRegistry;
+
+  class MailFolderRepository extends ServiceEntityRepository
+  {
+      public function __construct(ManagerRegistry $registry)
+      {
+          parent::__construct($registry, MailFolder::class);
+      }
+
+      /**
+       * @return list<MailFolder>
+       */
+      public function findAllOrderedByPath(): array
+      {
+          return $this->createQueryBuilder('f')
+              ->orderBy('f.path', 'ASC')
+              ->getQuery()
+              ->getResult()
+          ;
+      }
+
+      public function findByPath(string $path): ?MailFolder
+      {
+          return $this->findOneBy(['path' => $path]);
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Entity/MailFolder.php
+  docker exec php-lesstime-fpm php -l src/Repository/MailFolderRepository.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Entity/MailFolder.php src/Repository/MailFolderRepository.php
+  git commit -m "feat(mail) : MailFolder entity + repository"
+  ```
+
+---
+
+### Task 4 : Entité `MailMessage` + Repository
+
+- [ ] **Step 1 : Créer l'entité `MailMessage`**
+
+  Créer `src/Entity/MailMessage.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Entity;
+
+  use App\Repository\MailMessageRepository;
+  use DateTimeImmutable;
+  use Doctrine\ORM\Mapping as ORM;
+
+  #[ORM\Entity(repositoryClass: MailMessageRepository::class)]
+  #[ORM\Table(name: 'mail_message')]
+  #[ORM\UniqueConstraint(name: 'uq_mail_message_folder_uid', columns: ['folder_id', 'uid'])]
+  #[ORM\Index(columns: ['sent_at'], name: 'idx_mail_message_sent_at')]
+  #[ORM\Index(columns: ['is_read'], name: 'idx_mail_message_is_read')]
+  class MailMessage
+  {
+      #[ORM\Id]
+      #[ORM\GeneratedValue]
+      #[ORM\Column]
+      private ?int $id = null;
+
+      #[ORM\Column(length: 500, unique: true)]
+      private string $messageId;
+
+      #[ORM\ManyToOne(targetEntity: MailFolder::class)]
+      #[ORM\JoinColumn(name: 'folder_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+      private MailFolder $folder;
+
+      #[ORM\Column]
+      private int $uid;
+
+      #[ORM\Column(length: 500, nullable: true)]
+      private ?string $subject = null;
+
+      #[ORM\Column(length: 255)]
+      private string $fromAddress;
+
+      #[ORM\Column(length: 255, nullable: true)]
+      private ?string $fromName = null;
+
+      #[ORM\Column(type: 'json')]
+      private array $toAddresses = [];
+
+      #[ORM\Column(type: 'json', nullable: true)]
+      private ?array $ccAddresses = null;
+
+      #[ORM\Column(type: 'datetimetz_immutable')]
+      private DateTimeImmutable $sentAt;
+
+      #[ORM\Column(type: 'boolean')]
+      private bool $isRead = false;
+
+      #[ORM\Column(type: 'boolean')]
+      private bool $isFlagged = false;
+
+      #[ORM\Column(type: 'boolean')]
+      private bool $hasAttachments = false;
+
+      #[ORM\Column(type: 'text', nullable: true)]
+      private ?string $snippet = null;
+
+      #[ORM\Column(type: 'datetimetz_immutable')]
+      private DateTimeImmutable $syncedAt;
+
+      public function getId(): ?int
+      {
+          return $this->id;
+      }
+
+      public function getMessageId(): string
+      {
+          return $this->messageId;
+      }
+
+      public function setMessageId(string $messageId): static
+      {
+          $this->messageId = $messageId;
+
+          return $this;
+      }
+
+      public function getFolder(): MailFolder
+      {
+          return $this->folder;
+      }
+
+      public function setFolder(MailFolder $folder): static
+      {
+          $this->folder = $folder;
+
+          return $this;
+      }
+
+      public function getUid(): int
+      {
+          return $this->uid;
+      }
+
+      public function setUid(int $uid): static
+      {
+          $this->uid = $uid;
+
+          return $this;
+      }
+
+      public function getSubject(): ?string
+      {
+          return $this->subject;
+      }
+
+      public function setSubject(?string $subject): static
+      {
+          $this->subject = $subject;
+
+          return $this;
+      }
+
+      public function getFromAddress(): string
+      {
+          return $this->fromAddress;
+      }
+
+      public function setFromAddress(string $fromAddress): static
+      {
+          $this->fromAddress = $fromAddress;
+
+          return $this;
+      }
+
+      public function getFromName(): ?string
+      {
+          return $this->fromName;
+      }
+
+      public function setFromName(?string $fromName): static
+      {
+          $this->fromName = $fromName;
+
+          return $this;
+      }
+
+      public function getToAddresses(): array
+      {
+          return $this->toAddresses;
+      }
+
+      public function setToAddresses(array $toAddresses): static
+      {
+          $this->toAddresses = $toAddresses;
+
+          return $this;
+      }
+
+      public function getCcAddresses(): ?array
+      {
+          return $this->ccAddresses;
+      }
+
+      public function setCcAddresses(?array $ccAddresses): static
+      {
+          $this->ccAddresses = $ccAddresses;
+
+          return $this;
+      }
+
+      public function getSentAt(): DateTimeImmutable
+      {
+          return $this->sentAt;
+      }
+
+      public function setSentAt(DateTimeImmutable $sentAt): static
+      {
+          $this->sentAt = $sentAt;
+
+          return $this;
+      }
+
+      public function isRead(): bool
+      {
+          return $this->isRead;
+      }
+
+      public function setIsRead(bool $isRead): static
+      {
+          $this->isRead = $isRead;
+
+          return $this;
+      }
+
+      public function isFlagged(): bool
+      {
+          return $this->isFlagged;
+      }
+
+      public function setIsFlagged(bool $isFlagged): static
+      {
+          $this->isFlagged = $isFlagged;
+
+          return $this;
+      }
+
+      public function hasAttachments(): bool
+      {
+          return $this->hasAttachments;
+      }
+
+      public function setHasAttachments(bool $hasAttachments): static
+      {
+          $this->hasAttachments = $hasAttachments;
+
+          return $this;
+      }
+
+      public function getSnippet(): ?string
+      {
+          return $this->snippet;
+      }
+
+      public function setSnippet(?string $snippet): static
+      {
+          $this->snippet = $snippet;
+
+          return $this;
+      }
+
+      public function getSyncedAt(): DateTimeImmutable
+      {
+          return $this->syncedAt;
+      }
+
+      public function setSyncedAt(DateTimeImmutable $syncedAt): static
+      {
+          $this->syncedAt = $syncedAt;
+
+          return $this;
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer le repository `MailMessageRepository`**
+
+  Créer `src/Repository/MailMessageRepository.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Repository;
+
+  use App\Entity\MailFolder;
+  use App\Entity\MailMessage;
+  use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+  use Doctrine\Persistence\ManagerRegistry;
+
+  class MailMessageRepository extends ServiceEntityRepository
+  {
+      public function __construct(ManagerRegistry $registry)
+      {
+          parent::__construct($registry, MailMessage::class);
+      }
+
+      public function findByMessageId(string $messageId): ?MailMessage
+      {
+          return $this->findOneBy(['messageId' => $messageId]);
+      }
+
+      public function findByFolderAndUid(MailFolder $folder, int $uid): ?MailMessage
+      {
+          return $this->findOneBy(['folder' => $folder, 'uid' => $uid]);
+      }
+
+      /**
+       * @return list<MailMessage>
+       */
+      public function findByFolderPaginated(MailFolder $folder, int $limit, int $offset): array
+      {
+          return $this->createQueryBuilder('m')
+              ->andWhere('m.folder = :folder')
+              ->setParameter('folder', $folder)
+              ->orderBy('m.sentAt', 'DESC')
+              ->addOrderBy('m.id', 'DESC')
+              ->setMaxResults($limit)
+              ->setFirstResult($offset)
+              ->getQuery()
+              ->getResult()
+          ;
+      }
+
+      public function countUnreadByFolder(MailFolder $folder): int
+      {
+          return (int) $this->createQueryBuilder('m')
+              ->select('COUNT(m.id)')
+              ->andWhere('m.folder = :folder')
+              ->andWhere('m.isRead = false')
+              ->setParameter('folder', $folder)
+              ->getQuery()
+              ->getSingleScalarResult()
+          ;
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Entity/MailMessage.php
+  docker exec php-lesstime-fpm php -l src/Repository/MailMessageRepository.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Entity/MailMessage.php src/Repository/MailMessageRepository.php
+  git commit -m "feat(mail) : MailMessage entity + repository"
+  ```
+
+---
+
+### Task 5 : Entité `TaskMailLink` + Repository
+
+- [ ] **Step 1 : Créer l'entité `TaskMailLink`**
+
+  Créer `src/Entity/TaskMailLink.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Entity;
+
+  use App\Repository\TaskMailLinkRepository;
+  use DateTimeImmutable;
+  use Doctrine\ORM\Mapping as ORM;
+
+  #[ORM\Entity(repositoryClass: TaskMailLinkRepository::class)]
+  #[ORM\Table(name: 'task_mail_link')]
+  #[ORM\UniqueConstraint(name: 'uq_task_mail_link', columns: ['task_id', 'mail_message_id'])]
+  class TaskMailLink
+  {
+      #[ORM\Id]
+      #[ORM\GeneratedValue]
+      #[ORM\Column]
+      private ?int $id = null;
+
+      #[ORM\ManyToOne(targetEntity: Task::class)]
+      #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+      private Task $task;
+
+      #[ORM\ManyToOne(targetEntity: MailMessage::class)]
+      #[ORM\JoinColumn(name: 'mail_message_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+      private MailMessage $mailMessage;
+
+      #[ORM\Column(type: 'datetimetz_immutable')]
+      private DateTimeImmutable $linkedAt;
+
+      #[ORM\ManyToOne(targetEntity: User::class)]
+      #[ORM\JoinColumn(name: 'linked_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+      private ?User $linkedBy = null;
+
+      public function getId(): ?int
+      {
+          return $this->id;
+      }
+
+      public function getTask(): Task
+      {
+          return $this->task;
+      }
+
+      public function setTask(Task $task): static
+      {
+          $this->task = $task;
+
+          return $this;
+      }
+
+      public function getMailMessage(): MailMessage
+      {
+          return $this->mailMessage;
+      }
+
+      public function setMailMessage(MailMessage $mailMessage): static
+      {
+          $this->mailMessage = $mailMessage;
+
+          return $this;
+      }
+
+      public function getLinkedAt(): DateTimeImmutable
+      {
+          return $this->linkedAt;
+      }
+
+      public function setLinkedAt(DateTimeImmutable $linkedAt): static
+      {
+          $this->linkedAt = $linkedAt;
+
+          return $this;
+      }
+
+      public function getLinkedBy(): ?User
+      {
+          return $this->linkedBy;
+      }
+
+      public function setLinkedBy(?User $linkedBy): static
+      {
+          $this->linkedBy = $linkedBy;
+
+          return $this;
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer le repository `TaskMailLinkRepository`**
+
+  Créer `src/Repository/TaskMailLinkRepository.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Repository;
+
+  use App\Entity\MailMessage;
+  use App\Entity\Task;
+  use App\Entity\TaskMailLink;
+  use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+  use Doctrine\Persistence\ManagerRegistry;
+
+  class TaskMailLinkRepository extends ServiceEntityRepository
+  {
+      public function __construct(ManagerRegistry $registry)
+      {
+          parent::__construct($registry, TaskMailLink::class);
+      }
+
+      /**
+       * @return list<TaskMailLink>
+       */
+      public function findByTask(Task $task): array
+      {
+          return $this->createQueryBuilder('l')
+              ->andWhere('l.task = :task')
+              ->setParameter('task', $task)
+              ->orderBy('l.linkedAt', 'DESC')
+              ->getQuery()
+              ->getResult()
+          ;
+      }
+
+      public function findByTaskAndMessage(Task $task, MailMessage $message): ?TaskMailLink
+      {
+          return $this->findOneBy(['task' => $task, 'mailMessage' => $message]);
+      }
+
+      /**
+       * @return list<TaskMailLink>
+       */
+      public function findByMessage(MailMessage $message): array
+      {
+          return $this->findBy(['mailMessage' => $message]);
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Entity/TaskMailLink.php
+  docker exec php-lesstime-fpm php -l src/Repository/TaskMailLinkRepository.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Entity/TaskMailLink.php src/Repository/TaskMailLinkRepository.php
+  git commit -m "feat(mail) : TaskMailLink entity + repository"
+  ```
+
+---
+
+### Task 6 : Migration Doctrine unique (raw SQL, 4 tables + FK + index)
+
+- [ ] **Step 1 : Générer le squelette de migration vide**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console doctrine:migrations:generate
+  ```
+
+  Cela crée `migrations/Version<timestamp>.php`. Relever le nom exact du fichier créé (ex. `Version20260519120000.php`).
+
+- [ ] **Step 2 : Écrire le SQL UP complet dans la migration générée**
+
+  Ouvrir le fichier `migrations/Version<timestamp>.php` et remplacer les méthodes `up()` et `down()` par :
+
+  ```php
+  public function getDescription(): string
+  {
+      return 'Mail integration: create mail_configuration, mail_folder, mail_message, task_mail_link tables';
+  }
+
+  public function up(Schema $schema): void
+  {
+      $this->addSql(<<<'SQL'
+          CREATE TABLE mail_configuration (
+              id SERIAL NOT NULL,
+              protocol VARCHAR(10) NOT NULL DEFAULT 'imap',
+              imap_host VARCHAR(255) DEFAULT NULL,
+              imap_port INT NOT NULL DEFAULT 993,
+              imap_encryption VARCHAR(10) NOT NULL DEFAULT 'ssl',
+              smtp_host VARCHAR(255) DEFAULT NULL,
+              smtp_port INT NOT NULL DEFAULT 465,
+              smtp_encryption VARCHAR(10) NOT NULL DEFAULT 'ssl',
+              username VARCHAR(255) DEFAULT NULL,
+              encrypted_password TEXT DEFAULT NULL,
+              sent_folder_path VARCHAR(255) NOT NULL DEFAULT 'Sent',
+              enabled BOOLEAN NOT NULL DEFAULT false,
+              PRIMARY KEY (id)
+          )
+      SQL);
+
+      $this->addSql(<<<'SQL'
+          CREATE TABLE mail_folder (
+              id SERIAL NOT NULL,
+              path VARCHAR(500) NOT NULL,
+              display_name VARCHAR(255) NOT NULL,
+              parent_path VARCHAR(500) DEFAULT NULL,
+              unread_count INT NOT NULL DEFAULT 0,
+              total_count INT NOT NULL DEFAULT 0,
+              last_synced_at TIMESTAMPTZ DEFAULT NULL,
+              PRIMARY KEY (id)
+          )
+      SQL);
+
+      $this->addSql('CREATE UNIQUE INDEX uq_mail_folder_path ON mail_folder (path)');
+      $this->addSql('CREATE INDEX idx_mail_folder_parent_path ON mail_folder (parent_path)');
+
+      $this->addSql(<<<'SQL'
+          CREATE TABLE mail_message (
+              id SERIAL NOT NULL,
+              message_id VARCHAR(500) NOT NULL,
+              folder_id INT NOT NULL,
+              uid INT NOT NULL,
+              subject VARCHAR(500) DEFAULT NULL,
+              from_address VARCHAR(255) NOT NULL,
+              from_name VARCHAR(255) DEFAULT NULL,
+              to_addresses JSONB NOT NULL,
+              cc_addresses JSONB DEFAULT NULL,
+              sent_at TIMESTAMPTZ NOT NULL,
+              is_read BOOLEAN NOT NULL DEFAULT false,
+              is_flagged BOOLEAN NOT NULL DEFAULT false,
+              has_attachments BOOLEAN NOT NULL DEFAULT false,
+              snippet TEXT DEFAULT NULL,
+              synced_at TIMESTAMPTZ NOT NULL,
+              PRIMARY KEY (id)
+          )
+      SQL);
+
+      $this->addSql('CREATE UNIQUE INDEX uq_mail_message_message_id ON mail_message (message_id)');
+      $this->addSql('CREATE UNIQUE INDEX uq_mail_message_folder_uid ON mail_message (folder_id, uid)');
+      $this->addSql('CREATE INDEX idx_mail_message_sent_at ON mail_message (sent_at)');
+      $this->addSql('CREATE INDEX idx_mail_message_is_read ON mail_message (is_read)');
+      $this->addSql('ALTER TABLE mail_message ADD CONSTRAINT fk_mail_message_folder FOREIGN KEY (folder_id) REFERENCES mail_folder (id) ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE');
+
+      $this->addSql(<<<'SQL'
+          CREATE TABLE task_mail_link (
+              id SERIAL NOT NULL,
+              task_id INT NOT NULL,
+              mail_message_id INT NOT NULL,
+              linked_at TIMESTAMPTZ NOT NULL,
+              linked_by_id INT DEFAULT NULL,
+              PRIMARY KEY (id)
+          )
+      SQL);
+
+      $this->addSql('CREATE UNIQUE INDEX uq_task_mail_link ON task_mail_link (task_id, mail_message_id)');
+      $this->addSql('CREATE INDEX idx_task_mail_link_task ON task_mail_link (task_id)');
+      $this->addSql('CREATE INDEX idx_task_mail_link_message ON task_mail_link (mail_message_id)');
+      $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT fk_task_mail_link_task FOREIGN KEY (task_id) REFERENCES task (id) ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE');
+      $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT fk_task_mail_link_message FOREIGN KEY (mail_message_id) REFERENCES mail_message (id) ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE');
+      $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT fk_task_mail_link_user FOREIGN KEY (linked_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE INITIALLY IMMEDIATE');
+  }
+
+  public function down(Schema $schema): void
+  {
+      $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT fk_task_mail_link_task');
+      $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT fk_task_mail_link_message');
+      $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT fk_task_mail_link_user');
+      $this->addSql('DROP TABLE task_mail_link');
+
+      $this->addSql('ALTER TABLE mail_message DROP CONSTRAINT fk_mail_message_folder');
+      $this->addSql('DROP TABLE mail_message');
+
+      $this->addSql('DROP TABLE mail_folder');
+
+      $this->addSql('DROP TABLE mail_configuration');
+  }
+  ```
+
+  > Attention : `declare(strict_types=1);` doit être présent en tête du fichier (il est présent dans le squelette généré par Doctrine).
+
+- [ ] **Step 3 : Lancer la migration**
+
+  ```bash
+  make migration-migrate
+  ```
+
+  Attendu : migration exécutée sans erreur SQL.
+
+- [ ] **Step 4 : Valider le schéma Doctrine**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console doctrine:schema:validate
+  ```
+
+  Attendu : `[Mapping]  OK - The mapping files are correct.` et `[Database] OK - The database schema is in sync with the mapping files.`
+
+  > Si des différences sont signalées (ex. type `json` vs `jsonb`), ajuster l'attribut `#[ORM\Column(type: 'json')]` en `#[ORM\Column(type: 'jsonb')]` dans `MailMessage.php` si le mapping Doctrine du projet est configuré pour `jsonb`. Dans le doute, `json` est le type Doctrine standard et PostgreSQL accepte les deux.
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add migrations/
+  git commit -m "feat(mail) : migration — 4 tables mail_configuration, mail_folder, mail_message, task_mail_link"
+  ```
+
+---
+
+### Task 7 : DTOs (4 fichiers sous `src/Mail/Dto/`)
+
+- [ ] **Step 1 : Créer `MailFolderDto`**
+
+  Créer `src/Mail/Dto/MailFolderDto.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Dto;
+
+  final readonly class MailFolderDto
+  {
+      public function __construct(
+          public string $path,
+          public string $displayName,
+          public ?string $parentPath,
+          public int $unreadCount,
+          public int $totalCount,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 2 : Créer `MailMessageHeaderDto`**
+
+  Créer `src/Mail/Dto/MailMessageHeaderDto.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Dto;
+
+  use DateTimeImmutable;
+
+  final readonly class MailMessageHeaderDto
+  {
+      public function __construct(
+          public int $uid,
+          public string $messageId,
+          public ?string $subject,
+          public string $fromAddress,
+          public ?string $fromName,
+          public array $toAddresses,
+          public ?array $ccAddresses,
+          public DateTimeImmutable $sentAt,
+          public bool $isRead,
+          public bool $isFlagged,
+          public bool $hasAttachments,
+          public ?string $snippet,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 3 : Créer `MailAttachmentDto`**
+
+  Créer `src/Mail/Dto/MailAttachmentDto.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Dto;
+
+  final readonly class MailAttachmentDto
+  {
+      public function __construct(
+          public string $partNumber,
+          public string $filename,
+          public string $mimeType,
+          public int $size,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 4 : Créer `MailMessageDetailDto`**
+
+  Créer `src/Mail/Dto/MailMessageDetailDto.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Dto;
+
+  final readonly class MailMessageDetailDto
+  {
+      /**
+       * @param list<MailAttachmentDto> $attachments
+       */
+      public function __construct(
+          public MailMessageHeaderDto $header,
+          public ?string $bodyHtml,
+          public ?string $bodyText,
+          public array $attachments,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 5 : Vérifier la syntaxe des 4 DTOs**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Mail/Dto/MailFolderDto.php
+  docker exec php-lesstime-fpm php -l src/Mail/Dto/MailMessageHeaderDto.php
+  docker exec php-lesstime-fpm php -l src/Mail/Dto/MailAttachmentDto.php
+  docker exec php-lesstime-fpm php -l src/Mail/Dto/MailMessageDetailDto.php
+  ```
+
+  Attendu : `No syntax errors detected` pour chacun.
+
+- [ ] **Step 6 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Mail/Dto/
+  git commit -m "feat(mail) : DTOs — MailFolderDto, MailMessageHeaderDto, MailAttachmentDto, MailMessageDetailDto"
+  ```
+
+---
+
+### Task 8 : Interface `MailProviderInterface` + Exception `MailProviderException`
+
+- [ ] **Step 1 : Créer `MailProviderException`**
+
+  Créer `src/Mail/Exception/MailProviderException.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Exception;
+
+  use RuntimeException;
+
+  final class MailProviderException extends RuntimeException
+  {
+      public static function connectionFailed(string $reason): self
+      {
+          return new self(sprintf('Mail provider connection failed: %s', $reason));
+      }
+
+      public static function operationFailed(string $operation, string $reason): self
+      {
+          return new self(sprintf('Mail provider operation "%s" failed: %s', $operation, $reason));
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `MailProviderInterface`**
+
+  Créer `src/Mail/MailProviderInterface.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail;
+
+  use App\Mail\Dto\MailAttachmentDto;
+  use App\Mail\Dto\MailFolderDto;
+  use App\Mail\Dto\MailMessageDetailDto;
+  use App\Mail\Dto\MailMessageHeaderDto;
+  use App\Mail\Exception\MailProviderException;
+
+  interface MailProviderInterface
+  {
+      /**
+       * Returns the full folder tree of the configured mailbox.
+       *
+       * @return list<MailFolderDto>
+       *
+       * @throws MailProviderException
+       */
+      public function listFolders(): array;
+
+      /**
+       * Returns a paginated list of message headers for the given folder.
+       *
+       * @return list<MailMessageHeaderDto>
+       *
+       * @throws MailProviderException
+       */
+      public function listMessages(string $folderPath, int $limit, int $offset): array;
+
+      /**
+       * Fetches the full message (headers + body + attachments list) by UID.
+       *
+       * @throws MailProviderException
+       */
+      public function fetchMessage(string $folderPath, int $uid): MailMessageDetailDto;
+
+      /**
+       * Marks a message as read or unread on the IMAP server.
+       *
+       * @throws MailProviderException
+       */
+      public function markRead(string $folderPath, int $uid, bool $read): void;
+
+      /**
+       * Marks a message as flagged (starred) or unflagged on the IMAP server.
+       *
+       * @throws MailProviderException
+       */
+      public function markFlagged(string $folderPath, int $uid, bool $flagged): void;
+
+      /**
+       * Moves a message from one folder to another on the IMAP server.
+       *
+       * @throws MailProviderException
+       */
+      public function moveMessage(string $folderPath, int $uid, string $targetFolder): void;
+
+      /**
+       * Fetches the raw binary content of an attachment by its MIME part number.
+       *
+       * @throws MailProviderException
+       */
+      public function fetchAttachment(string $folderPath, int $uid, string $partNumber): string;
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Mail/Exception/MailProviderException.php
+  docker exec php-lesstime-fpm php -l src/Mail/MailProviderInterface.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Mail/MailProviderInterface.php src/Mail/Exception/MailProviderException.php
+  git commit -m "feat(mail) : MailProviderInterface + MailProviderException"
+  ```
+
+---
+
+### Task 9 : Fixture `MailConfiguration` désactivée (OVH defaults)
+
+- [ ] **Step 1 : Modifier `AppFixtures.php`**
+
+  Ouvrir `src/DataFixtures/AppFixtures.php`.
+
+  Ajouter l'import en tête du bloc `use` (après `use App\Entity\ZimbraConfiguration;`) :
+
+  ```php
+  use App\Entity\MailConfiguration;
+  ```
+
+  Puis ajouter le bloc fixture juste **avant** `$manager->flush();` (après le bloc TaskRecurrence existant) :
+
+  ```php
+  // =============================================
+  // Mail Configuration
+  // =============================================
+  $mailConfig = new MailConfiguration();
+  $mailConfig->setImapHost('ssl0.ovh.net');
+  $mailConfig->setImapPort(993);
+  $mailConfig->setImapEncryption('ssl');
+  $mailConfig->setSmtpHost('ssl0.ovh.net');
+  $mailConfig->setSmtpPort(465);
+  $mailConfig->setSmtpEncryption('ssl');
+  $mailConfig->setUsername('lesstime@ovh.fr');
+  $mailConfig->setSentFolderPath('Sent');
+  $mailConfig->setEnabled(false);
+  $manager->persist($mailConfig);
+  ```
+
+- [ ] **Step 2 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/DataFixtures/AppFixtures.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 3 : Charger les fixtures pour valider**
+
+  ```bash
+  make fixtures
+  ```
+
+  Attendu : pas d'erreur. Vérifier en BDD :
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console dbal:run-sql "SELECT id, imap_host, smtp_host, enabled FROM mail_configuration"
+  ```
+
+  Attendu : une ligne avec `ssl0.ovh.net`, `ssl0.ovh.net`, `f`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/DataFixtures/AppFixtures.php
+  git commit -m "feat(mail) : fixture MailConfiguration OVH defaults (disabled)"
+  ```
+
+---
+
+### Task 10 : Validation finale
+
+- [ ] **Step 1 : Valider le mapping Doctrine**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console doctrine:schema:validate
+  ```
+
+  Attendu :
+  ```
+  [Mapping]  OK - The mapping files are correct.
+  [Database] OK - The database schema is in sync with the mapping files.
+  ```
+
+  Si des erreurs apparaissent, les corriger (type mismatch `json` vs `jsonb`, colonnes manquantes, etc.) avant de continuer.
+
+- [ ] **Step 2 : Lancer la suite de tests complète**
+
+  ```bash
+  make test
+  ```
+
+  Attendu : tous les tests passent (au minimum les 2 tests `MailConfigurationRepositoryTest`).
+
+- [ ] **Step 3 : PHP CS Fixer sur l'ensemble des fichiers modifiés**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  ```
+
+  Si des fichiers sont modifiés par le fixer, les re-stageer et committer :
+
+  ```bash
+  git add -p
+  git commit -m "style(mail) : php-cs-fixer pass"
+  ```
+
+- [ ] **Step 4 : Vider le cache Symfony**
+
+  ```bash
+  make cache-clear
+  ```
+
+  Attendu : pas d'erreur de configuration ou de service manquant.
+
+- [ ] **Step 5 : Vérification rapide du conteneur de services**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:autowiring MailConfiguration 2>&1 | head -20
+  ```
+
+  Attendu : `App\Repository\MailConfigurationRepository` apparaît dans la liste des services autowirables.
+
+- [ ] **Step 6 : Résumé des commits de la phase**
+
+  Vérifier l'historique :
+
+  ```bash
+  git log --oneline feat/mail-integration ^develop | head -20
+  ```
+
+  Les commits attendus (dans l'ordre chronologique) :
+  1. `feat(mail) : MailConfiguration entity + repository + singleton test`
+  2. `feat(mail) : MailFolder entity + repository`
+  3. `feat(mail) : MailMessage entity + repository`
+  4. `feat(mail) : TaskMailLink entity + repository`
+  5. `feat(mail) : migration — 4 tables mail_configuration, mail_folder, mail_message, task_mail_link`
+  6. `feat(mail) : DTOs — MailFolderDto, MailMessageHeaderDto, MailAttachmentDto, MailMessageDetailDto`
+  7. `feat(mail) : MailProviderInterface + MailProviderException`
+  8. `feat(mail) : fixture MailConfiguration OVH defaults (disabled)`
+
+---
+
+### Self-Review
+
+#### Cohérence des noms
+
+| Concept | Classe PHP | Table SQL | Repository |
+|---|---|---|---|
+| Configuration singleton | `MailConfiguration` | `mail_configuration` | `MailConfigurationRepository` |
+| Cache dossiers IMAP | `MailFolder` | `mail_folder` | `MailFolderRepository` |
+| Cache messages IMAP | `MailMessage` | `mail_message` | `MailMessageRepository` |
+| Lien tâche ↔ mail | `TaskMailLink` | `task_mail_link` | `TaskMailLinkRepository` |
+| DTO dossier | `MailFolderDto` | — | — |
+| DTO header message | `MailMessageHeaderDto` | — | — |
+| DTO pièce jointe | `MailAttachmentDto` | — | — |
+| DTO message complet | `MailMessageDetailDto` | — | — |
+| Interface provider | `MailProviderInterface` | — | — |
+| Exception provider | `MailProviderException` | — | — |
+
+#### Checklist finale avant de valider Phase 1
+
+- [ ] `declare(strict_types=1);` présent en tête de chaque fichier PHP créé
+- [ ] Toutes les FK définies avec `ON DELETE CASCADE` (sauf `task_mail_link.linked_by_id` → `ON DELETE SET NULL`)
+- [ ] `UNIQUE INDEX` sur `mail_folder.path`, `mail_message.message_id`, `(mail_message.folder_id, mail_message.uid)`, `(task_mail_link.task_id, task_mail_link.mail_message_id)`
+- [ ] `INDEX` sur `mail_folder.parent_path`, `mail_message.sent_at`, `mail_message.is_read`
+- [ ] Table `"user"` entre guillemets dans le SQL de la migration (réservé PostgreSQL)
+- [ ] `MailConfiguration.encryptedPassword` est `null` par défaut en fixture (pas de mot de passe en clair)
+- [ ] DTOs déclarés `final readonly class` (PHP 8.2+)
+- [ ] `MailProviderInterface` contient exactement 7 méthodes : `listFolders`, `listMessages`, `fetchMessage`, `markRead`, `markFlagged`, `moveMessage`, `fetchAttachment`
+- [ ] `make test` vert (2 tests minimum)
+- [ ] `doctrine:schema:validate` OK
+- [ ] Aucune logique métier IMAP implémentée (Phase 2)
+- [ ] `feat/mail-integration` est la branche de travail (pas `develop`)
+
+#### Remise à la review humaine
+
+Une fois tous les steps cochés, pousser la branche et notifier le user :
+
+```bash
+git push -u origin feat/mail-integration
+```
+
+Indiquer au user :
+- Nombre de fichiers créés : 17
+- Tables créées : 4 (`mail_configuration`, `mail_folder`, `mail_message`, `task_mail_link`)
+- Tests : 2 (MailConfigurationRepositoryTest)
+- Prêt pour Phase 2 : IMAP provider + MailSyncService
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase2-imap-sync.md b/docs/superpowers/plans/2026-05-19-mail-phase2-imap-sync.md
new file mode 100644
index 0000000..8f27a53
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase2-imap-sync.md
@@ -0,0 +1,1781 @@
+# Mail Integration — Phase 2 : IMAP Provider + Sync
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Implémenter le provider IMAP (`ImapMailProvider`), le service de synchronisation (`MailSyncService`) avec gestion de la concurrence (Symfony Lock), et la commande console `app:mail:sync` déclenchée par cron OS.
+
+**Architecture:** `ImapMailProvider` utilise `webklex/php-imap` pour parler à OVH/Zimbra ; lit la config `MailConfiguration` via repository, déchiffre password via `TokenEncryptor::decrypt()`. `MailSyncService` orchestre 3 étapes par cycle (sync structure dossiers / sync nouveaux messages UID > maxKnown / resync flags des N=200 derniers / detect suppressions avec garde 50%). Lock `mail.sync` TTL 10 min empêche overlap.
+
+**Tech Stack:** PHP 8.4, Symfony 8.0, `webklex/php-imap ^5.0`, `symfony/lock ^8.0` (à installer — absent du composer.json actuel), PostgreSQL 16.
+
+**Branche cible :** `feat/mail-integration` (créée en Phase 1 — vérifier qu'elle est active).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `src/Mail/Dto/MailSyncReport.php` | Créer |
+| `src/Mail/ImapMailProvider.php` | Créer |
+| `src/Service/MailSyncService.php` | Créer |
+| `src/Command/MailSyncCommand.php` | Créer |
+| `src/Repository/MailMessageRepository.php` | Modifier (ajout `findMaxUidInFolder`, `findLastNByFolder`, `findAllUidsByFolder`) |
+| `config/packages/lock.yaml` | Créer (si absent) |
+| `makefile` | Modifier (ajout target `mail-sync`) |
+| `docs/mail-cron-setup.md` | Créer |
+| `tests/Unit/Mail/ImapMailProviderTest.php` | Créer |
+| `tests/Unit/Service/MailSyncServiceTest.php` | Créer |
+| `tests/Unit/Mail/MailSyncReportTest.php` | Créer |
+| `tests/Functional/Command/MailSyncCommandTest.php` | Créer |
+
+---
+
+### Task 1 : Préparer l'environnement
+
+- [ ] **Step 1 : Vérifier la branche active**
+
+  ```bash
+  git branch --show-current
+  ```
+
+  Attendu : `feat/mail-integration`. Si non, basculer :
+
+  ```bash
+  git checkout feat/mail-integration
+  ```
+
+- [ ] **Step 2 : Créer les dossiers de tests si absents**
+
+  ```bash
+  mkdir -p tests/Unit/Mail tests/Unit/Service tests/Functional/Command
+  ```
+
+- [ ] **Step 3 : Installer `webklex/php-imap`**
+
+  ```bash
+  docker exec php-lesstime-fpm composer require webklex/php-imap:"^5.0"
+  ```
+
+  Vérifier la compatibilité PHP 8.4 : `webklex/php-imap ^5.0` supporte PHP 8.1+. Si `^5.0` n'existe pas au moment de l'install, essayer `^4.4` (même support PHP 8.x). Choisir la contrainte qui s'installe sans conflict.
+
+  Attendu : `composer.json` mis à jour, pas d'erreur de conflit.
+
+- [ ] **Step 4 : Installer `symfony/lock`**
+
+  ```bash
+  docker exec php-lesstime-fpm composer require symfony/lock:"8.0.*"
+  ```
+
+  Attendu : `symfony/lock` ajouté dans `require` de `composer.json`.
+
+- [ ] **Step 5 : Créer `config/packages/lock.yaml` si absent**
+
+  Vérifier :
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:config framework lock 2>&1 | head -10
+  ```
+
+  Si non configuré, créer `config/packages/lock.yaml` :
+
+  ```yaml
+  framework:
+      lock:
+          resources:
+              default: "%kernel.project_dir%/var/lock"
+  ```
+
+  Ce fichier configure un store fichier dans `var/lock/`. Le répertoire sera créé automatiquement par Symfony.
+
+- [ ] **Step 6 : Vider le cache pour prendre en compte la nouvelle config**
+
+  ```bash
+  make cache-clear
+  ```
+
+  Attendu : pas d'erreur de service manquant.
+
+- [ ] **Step 7 : Commit**
+
+  ```bash
+  git add composer.json composer.lock config/packages/lock.yaml
+  git commit -m "feat(mail) : install webklex/php-imap + symfony/lock, configure lock store"
+  ```
+
+---
+
+### Task 2 : DTO `MailSyncReport`
+
+- [ ] **Step 1 : Écrire le test (TDD — doit échouer)**
+
+  Créer `tests/Unit/Mail/MailSyncReportTest.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Unit\Mail;
+
+  use App\Mail\Dto\MailSyncReport;
+  use DateTimeImmutable;
+  use PHPUnit\Framework\TestCase;
+
+  class MailSyncReportTest extends TestCase
+  {
+      public function testInstantiationWithDefaults(): void
+      {
+          $start  = new DateTimeImmutable('2026-01-01 10:00:00');
+          $finish = new DateTimeImmutable('2026-01-01 10:00:05');
+
+          $report = new MailSyncReport(
+              createdCount: 3,
+              updatedCount: 1,
+              deletedCount: 0,
+              foldersScanned: 2,
+              errors: [],
+              durationSeconds: 5.0,
+              startedAt: $start,
+              finishedAt: $finish,
+          );
+
+          self::assertSame(3, $report->createdCount);
+          self::assertSame(1, $report->updatedCount);
+          self::assertSame(0, $report->deletedCount);
+          self::assertSame(2, $report->foldersScanned);
+          self::assertSame([], $report->errors);
+          self::assertSame(5.0, $report->durationSeconds);
+          self::assertSame($start, $report->startedAt);
+          self::assertSame($finish, $report->finishedAt);
+      }
+
+      public function testWithErrors(): void
+      {
+          $report = new MailSyncReport(
+              createdCount: 0,
+              updatedCount: 0,
+              deletedCount: 0,
+              foldersScanned: 1,
+              errors: ['IMAP connection timeout'],
+              durationSeconds: 0.5,
+              startedAt: new DateTimeImmutable(),
+              finishedAt: new DateTimeImmutable(),
+          );
+
+          self::assertCount(1, $report->errors);
+          self::assertSame('IMAP connection timeout', $report->errors[0]);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Lancer le test — doit échouer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Mail/MailSyncReportTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : erreur classe manquante.
+
+- [ ] **Step 3 : Créer `src/Mail/Dto/MailSyncReport.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail\Dto;
+
+  use DateTimeImmutable;
+
+  final readonly class MailSyncReport
+  {
+      /**
+       * @param list<string> $errors
+       */
+      public function __construct(
+          public int $createdCount,
+          public int $updatedCount,
+          public int $deletedCount,
+          public int $foldersScanned,
+          public array $errors,
+          public float $durationSeconds,
+          public DateTimeImmutable $startedAt,
+          public DateTimeImmutable $finishedAt,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 4 : Relancer le test — doit passer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Mail/MailSyncReportTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : `OK (2 tests, X assertions)`.
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Mail/Dto/MailSyncReport.php tests/Unit/Mail/MailSyncReportTest.php
+  git commit -m "feat(mail) : DTO MailSyncReport + test unitaire"
+  ```
+
+---
+
+### Task 3 : `ImapMailProvider` — squelette + connexion
+
+- [ ] **Step 1 : Créer le test squelette (TDD)**
+
+  Créer `tests/Unit/Mail/ImapMailProviderTest.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Unit\Mail;
+
+  use App\Entity\MailConfiguration;
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\ImapMailProvider;
+  use App\Repository\MailConfigurationRepository;
+  use App\Service\TokenEncryptor;
+  use PHPUnit\Framework\TestCase;
+  use Psr\Log\NullLogger;
+
+  class ImapMailProviderTest extends TestCase
+  {
+      public function testThrowsWhenConfigDisabled(): void
+      {
+          $config = new MailConfiguration();
+          $config->setEnabled(false);
+
+          $repo = $this->createMock(MailConfigurationRepository::class);
+          $repo->method('findSingleton')->willReturn($config);
+
+          $encryptor = $this->createMock(TokenEncryptor::class);
+
+          $provider = new ImapMailProvider($repo, $encryptor, new NullLogger());
+
+          $this->expectException(MailProviderException::class);
+          $provider->listFolders();
+      }
+
+      public function testThrowsWhenConfigMissing(): void
+      {
+          $repo = $this->createMock(MailConfigurationRepository::class);
+          $repo->method('findSingleton')->willReturn(null);
+
+          $encryptor = $this->createMock(TokenEncryptor::class);
+
+          $provider = new ImapMailProvider($repo, $encryptor, new NullLogger());
+
+          $this->expectException(MailProviderException::class);
+          $provider->listFolders();
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Lancer le test — doit échouer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Mail/ImapMailProviderTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : erreur classe manquante.
+
+- [ ] **Step 3 : Créer `src/Mail/ImapMailProvider.php` — squelette complet**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Mail;
+
+  use App\Mail\Dto\MailAttachmentDto;
+  use App\Mail\Dto\MailFolderDto;
+  use App\Mail\Dto\MailMessageDetailDto;
+  use App\Mail\Dto\MailMessageHeaderDto;
+  use App\Mail\Exception\MailProviderException;
+  use App\Repository\MailConfigurationRepository;
+  use App\Service\TokenEncryptor;
+  use DateTimeImmutable;
+  use Psr\Log\LoggerInterface;
+  use Throwable;
+  use Webklex\PHPIMAP\Client;
+  use Webklex\PHPIMAP\ClientManager;
+
+  final class ImapMailProvider implements MailProviderInterface
+  {
+      public function __construct(
+          private readonly MailConfigurationRepository $configRepository,
+          private readonly TokenEncryptor $tokenEncryptor,
+          private readonly LoggerInterface $logger,
+      ) {}
+
+      public function listFolders(): array
+      {
+          $client = $this->getClient();
+
+          try {
+              $folders = $client->getFolders(false);
+              $result  = [];
+
+              foreach ($folders as $folder) {
+                  $path        = $folder->path;
+                  $parentPath  = null;
+                  $lastDelim   = strrpos($path, $folder->delimiter ?? '.');
+                  if (false !== $lastDelim && $lastDelim > 0) {
+                      $parentPath = substr($path, 0, $lastDelim);
+                  }
+
+                  $result[] = new MailFolderDto(
+                      path: $path,
+                      displayName: $folder->name,
+                      parentPath: $parentPath,
+                      unreadCount: (int) ($folder->status['unseen'] ?? 0),
+                      totalCount: (int) ($folder->status['messages'] ?? 0),
+                  );
+              }
+
+              $client->disconnect();
+
+              return $result;
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error('ImapMailProvider::listFolders failed: '.$e->getMessage());
+              throw MailProviderException::operationFailed('listFolders', $e->getMessage());
+          }
+      }
+
+      public function listMessages(string $folderPath, int $limit, int $offset): array
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder   = $client->getFolder($folderPath);
+              $messages = $folder->query()->leaveUnread()->get();
+
+              $result = [];
+              $items  = array_slice($messages->toArray(), $offset, $limit);
+
+              foreach ($items as $message) {
+                  $result[] = $this->buildHeaderDto($message);
+              }
+
+              $client->disconnect();
+
+              return $result;
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::listMessages failed for folder %s: %s', $folderPath, $e->getMessage()));
+              throw MailProviderException::operationFailed('listMessages', $e->getMessage());
+          }
+      }
+
+      public function fetchMessage(string $folderPath, int $uid): MailMessageDetailDto
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder  = $client->getFolder($folderPath);
+              $message = $folder->query()->uid($uid)->leaveUnread()->get()->first();
+
+              if (null === $message) {
+                  throw MailProviderException::operationFailed('fetchMessage', sprintf('UID %d not found in folder %s', $uid, $folderPath));
+              }
+
+              $header      = $this->buildHeaderDto($message);
+              $bodyHtml    = $message->getHTMLBody(false) ?: null;
+              $bodyText    = $message->getTextBody() ?: null;
+              $attachments = [];
+
+              foreach ($message->getAttachments() as $att) {
+                  $attachments[] = new MailAttachmentDto(
+                      partNumber: (string) ($att->part_number ?? '1'),
+                      filename: $att->getName() ?? 'attachment',
+                      mimeType: $att->getMimeType() ?? 'application/octet-stream',
+                      size: $att->getSize() ?? 0,
+                  );
+              }
+
+              $client->disconnect();
+
+              return new MailMessageDetailDto(
+                  header: $header,
+                  bodyHtml: $bodyHtml,
+                  bodyText: $bodyText,
+                  attachments: $attachments,
+              );
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::fetchMessage failed uid=%d folder=%s: %s', $uid, $folderPath, $e->getMessage()));
+              throw MailProviderException::operationFailed('fetchMessage', $e->getMessage());
+          }
+      }
+
+      public function markRead(string $folderPath, int $uid, bool $read): void
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder  = $client->getFolder($folderPath);
+              $message = $folder->query()->uid($uid)->leaveUnread()->get()->first();
+
+              if (null === $message) {
+                  throw MailProviderException::operationFailed('markRead', sprintf('UID %d not found', $uid));
+              }
+
+              if ($read) {
+                  $message->setFlag('Seen');
+              } else {
+                  $message->unsetFlag('Seen');
+              }
+
+              $client->disconnect();
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::markRead failed uid=%d: %s', $uid, $e->getMessage()));
+              throw MailProviderException::operationFailed('markRead', $e->getMessage());
+          }
+      }
+
+      public function markFlagged(string $folderPath, int $uid, bool $flagged): void
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder  = $client->getFolder($folderPath);
+              $message = $folder->query()->uid($uid)->leaveUnread()->get()->first();
+
+              if (null === $message) {
+                  throw MailProviderException::operationFailed('markFlagged', sprintf('UID %d not found', $uid));
+              }
+
+              if ($flagged) {
+                  $message->setFlag('Flagged');
+              } else {
+                  $message->unsetFlag('Flagged');
+              }
+
+              $client->disconnect();
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::markFlagged failed uid=%d: %s', $uid, $e->getMessage()));
+              throw MailProviderException::operationFailed('markFlagged', $e->getMessage());
+          }
+      }
+
+      public function moveMessage(string $folderPath, int $uid, string $targetFolder): void
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder  = $client->getFolder($folderPath);
+              $message = $folder->query()->uid($uid)->leaveUnread()->get()->first();
+
+              if (null === $message) {
+                  throw MailProviderException::operationFailed('moveMessage', sprintf('UID %d not found', $uid));
+              }
+
+              $message->moveToFolder($targetFolder);
+              $client->disconnect();
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::moveMessage failed uid=%d: %s', $uid, $e->getMessage()));
+              throw MailProviderException::operationFailed('moveMessage', $e->getMessage());
+          }
+      }
+
+      public function fetchAttachment(string $folderPath, int $uid, string $partNumber): string
+      {
+          $client = $this->getClient();
+
+          try {
+              $folder  = $client->getFolder($folderPath);
+              $message = $folder->query()->uid($uid)->leaveUnread()->get()->first();
+
+              if (null === $message) {
+                  throw MailProviderException::operationFailed('fetchAttachment', sprintf('UID %d not found', $uid));
+              }
+
+              foreach ($message->getAttachments() as $att) {
+                  if ((string) ($att->part_number ?? '1') === $partNumber) {
+                      $client->disconnect();
+
+                      return (string) $att->getContent();
+                  }
+              }
+
+              $client->disconnect();
+              throw MailProviderException::operationFailed('fetchAttachment', sprintf('Part %s not found in UID %d', $partNumber, $uid));
+          } catch (MailProviderException $e) {
+              throw $e;
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('ImapMailProvider::fetchAttachment failed uid=%d part=%s: %s', $uid, $partNumber, $e->getMessage()));
+              throw MailProviderException::operationFailed('fetchAttachment', $e->getMessage());
+          }
+      }
+
+      // ===================================================================
+      // Private helpers
+      // ===================================================================
+
+      private function getClient(): Client
+      {
+          $config = $this->configRepository->findSingleton();
+
+          if (null === $config || !$config->isEnabled()) {
+              throw MailProviderException::connectionFailed('Mail configuration is missing or disabled');
+          }
+
+          if (null === $config->getEncryptedPassword()) {
+              throw MailProviderException::connectionFailed('No password configured');
+          }
+
+          $password = $this->tokenEncryptor->decrypt($config->getEncryptedPassword());
+
+          try {
+              $manager = new ClientManager();
+              $client  = $manager->make([
+                  'host'          => $config->getImapHost(),
+                  'port'          => $config->getImapPort(),
+                  'encryption'    => $config->getImapEncryption(),
+                  'validate_cert' => true,
+                  'username'      => $config->getUsername(),
+                  'password'      => $password,
+                  'protocol'      => 'imap',
+              ]);
+
+              $client->connect();
+          } catch (Throwable $e) {
+              $this->logger->error('IMAP connection failed: '.$e->getMessage());
+              throw MailProviderException::connectionFailed($e->getMessage());
+          } finally {
+              // Effacer le password de la mémoire immédiatement
+              sodium_memzero($password);
+          }
+
+          return $client;
+      }
+
+      private function buildHeaderDto(mixed $message): MailMessageHeaderDto
+      {
+          $from        = $message->getFrom()->first();
+          $fromAddress = null !== $from ? (string) $from->mail : '';
+          $fromName    = null !== $from ? ($from->personal ?? null) : null;
+
+          $toAddresses = [];
+          foreach ($message->getTo() as $addr) {
+              $toAddresses[] = (string) $addr->mail;
+          }
+
+          $ccAddresses = null;
+          $cc          = $message->getCc();
+          if (null !== $cc && $cc->count() > 0) {
+              $ccAddresses = [];
+              foreach ($cc as $addr) {
+                  $ccAddresses[] = (string) $addr->mail;
+              }
+          }
+
+          $sentAt = $message->getDate()?->toDateTimeImmutable() ?? new DateTimeImmutable();
+
+          $snippet = null;
+          $text    = $message->getTextBody();
+          if (null !== $text && '' !== $text) {
+              $snippet = mb_substr(strip_tags($text), 0, 200);
+          }
+
+          return new MailMessageHeaderDto(
+              uid: (int) $message->getUid(),
+              messageId: (string) $message->getMessageId(),
+              subject: $message->getSubject() ?: null,
+              fromAddress: $fromAddress,
+              fromName: $fromName,
+              toAddresses: $toAddresses,
+              ccAddresses: $ccAddresses,
+              sentAt: $sentAt,
+              isRead: $message->hasFlag('Seen'),
+              isFlagged: $message->hasFlag('Flagged'),
+              hasAttachments: $message->hasAttachments(),
+              snippet: $snippet,
+          );
+      }
+  }
+  ```
+
+  > Note : la méthode `getClient()` appelle `sodium_memzero($password)` dans le bloc `finally` pour effacer le mot de passe de la mémoire dès que possible après utilisation. Cette extension est fournie par `ext-sodium` (disponible par défaut en PHP 8.4).
+
+- [ ] **Step 4 : Relancer les tests squelette — doivent passer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Mail/ImapMailProviderTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : `OK (2 tests, 2 assertions)`.
+
+- [ ] **Step 5 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Mail/ImapMailProvider.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 6 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Mail/ImapMailProvider.php tests/Unit/Mail/ImapMailProviderTest.php
+  git commit -m "feat(mail) : ImapMailProvider — implémentation complète MailProviderInterface"
+  ```
+
+---
+
+### Task 4 : Méthodes manquantes dans `MailMessageRepository`
+
+La Phase 1 a créé `MailMessageRepository` avec `findByMessageId`, `findByFolderAndUid`, `findByFolderPaginated`, `countUnreadByFolder`. `MailSyncService` a besoin de méthodes supplémentaires.
+
+- [ ] **Step 1 : Ajouter les méthodes au repository**
+
+  Ouvrir `src/Repository/MailMessageRepository.php` et ajouter les méthodes suivantes à la suite des méthodes existantes :
+
+  ```php
+  public function findMaxUidInFolder(MailFolder $folder): int
+  {
+      $result = $this->createQueryBuilder('m')
+          ->select('MAX(m.uid)')
+          ->andWhere('m.folder = :folder')
+          ->setParameter('folder', $folder)
+          ->getQuery()
+          ->getSingleScalarResult()
+      ;
+
+      return (int) ($result ?? 0);
+  }
+
+  /**
+   * Returns the N most recent messages in a folder (by sentAt DESC, id DESC).
+   * Used for flag resync.
+   *
+   * @return list<MailMessage>
+   */
+  public function findLastNByFolder(MailFolder $folder, int $limit): array
+  {
+      return $this->createQueryBuilder('m')
+          ->andWhere('m.folder = :folder')
+          ->setParameter('folder', $folder)
+          ->orderBy('m.sentAt', 'DESC')
+          ->addOrderBy('m.id', 'DESC')
+          ->setMaxResults($limit)
+          ->getQuery()
+          ->getResult()
+      ;
+  }
+
+  /**
+   * Returns all UIDs stored in DB for a given folder.
+   * Used for deletion detection.
+   *
+   * @return list<int>
+   */
+  public function findAllUidsByFolder(MailFolder $folder): array
+  {
+      $rows = $this->createQueryBuilder('m')
+          ->select('m.uid')
+          ->andWhere('m.folder = :folder')
+          ->setParameter('folder', $folder)
+          ->getQuery()
+          ->getArrayResult()
+      ;
+
+      return array_column($rows, 'uid');
+  }
+  ```
+
+  > Note : ajouter l'import `use App\Entity\MailFolder;` en tête du fichier s'il n'est pas déjà présent (il doit l'être depuis Phase 1).
+
+- [ ] **Step 2 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Repository/MailMessageRepository.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Repository/MailMessageRepository.php
+  git commit -m "feat(mail) : MailMessageRepository — findMaxUidInFolder, findLastNByFolder, findAllUidsByFolder"
+  ```
+
+---
+
+### Task 5 : `MailSyncService` — orchestration complète
+
+- [ ] **Step 1 : Écrire les tests (TDD)**
+
+  Créer `tests/Unit/Service/MailSyncServiceTest.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Unit\Service;
+
+  use App\Entity\MailConfiguration;
+  use App\Entity\MailFolder;
+  use App\Mail\Dto\MailFolderDto;
+  use App\Mail\Dto\MailMessageHeaderDto;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailConfigurationRepository;
+  use App\Repository\MailFolderRepository;
+  use App\Repository\MailMessageRepository;
+  use App\Service\MailSyncService;
+  use DateTimeImmutable;
+  use Doctrine\ORM\EntityManagerInterface;
+  use PHPUnit\Framework\TestCase;
+  use Psr\Log\NullLogger;
+  use Symfony\Component\Lock\LockFactory;
+  use Symfony\Component\Lock\LockInterface;
+
+  class MailSyncServiceTest extends TestCase
+  {
+      private function makeLockFactory(bool $acquired = true): LockFactory
+      {
+          $lock = $this->createMock(LockInterface::class);
+          $lock->method('acquire')->willReturn($acquired);
+          $lock->method('release')->willReturn(null);
+
+          $factory = $this->createMock(LockFactory::class);
+          $factory->method('createLock')->willReturn($lock);
+
+          return $factory;
+      }
+
+      public function testSyncAllReturnsEmptyReportWhenConfigDisabled(): void
+      {
+          $config = new MailConfiguration();
+          $config->setEnabled(false);
+
+          $configRepo = $this->createMock(MailConfigurationRepository::class);
+          $configRepo->method('findSingleton')->willReturn($config);
+
+          $provider      = $this->createMock(MailProviderInterface::class);
+          $folderRepo    = $this->createMock(MailFolderRepository::class);
+          $messageRepo   = $this->createMock(MailMessageRepository::class);
+          $em            = $this->createMock(EntityManagerInterface::class);
+          $lockFactory   = $this->makeLockFactory();
+
+          $service = new MailSyncService(
+              provider: $provider,
+              configRepository: $configRepo,
+              folderRepository: $folderRepo,
+              messageRepository: $messageRepo,
+              entityManager: $em,
+              lockFactory: $lockFactory,
+              logger: new NullLogger(),
+          );
+
+          $report = $service->syncAll();
+
+          self::assertSame(0, $report->createdCount);
+          self::assertSame(0, $report->updatedCount);
+          self::assertSame(0, $report->deletedCount);
+          self::assertSame(0, $report->foldersScanned);
+      }
+
+      public function testSyncAllReturnsEmptyReportWhenLockNotAcquired(): void
+      {
+          $config = new MailConfiguration();
+          $config->setEnabled(true);
+
+          $configRepo = $this->createMock(MailConfigurationRepository::class);
+          $configRepo->method('findSingleton')->willReturn($config);
+
+          $provider    = $this->createMock(MailProviderInterface::class);
+          $folderRepo  = $this->createMock(MailFolderRepository::class);
+          $messageRepo = $this->createMock(MailMessageRepository::class);
+          $em          = $this->createMock(EntityManagerInterface::class);
+          $lockFactory = $this->makeLockFactory(false); // lock not acquired
+
+          $service = new MailSyncService(
+              provider: $provider,
+              configRepository: $configRepo,
+              folderRepository: $folderRepo,
+              messageRepository: $messageRepo,
+              entityManager: $em,
+              lockFactory: $lockFactory,
+              logger: new NullLogger(),
+          );
+
+          $report = $service->syncAll();
+
+          self::assertSame(0, $report->createdCount);
+          self::assertContains('lock_not_acquired', $report->errors);
+      }
+
+      public function testSyncFolderStructureCreatesNewFolders(): void
+      {
+          $config = new MailConfiguration();
+          $config->setEnabled(true);
+
+          $configRepo = $this->createMock(MailConfigurationRepository::class);
+          $configRepo->method('findSingleton')->willReturn($config);
+
+          $folderDto = new MailFolderDto(
+              path: 'INBOX',
+              displayName: 'Inbox',
+              parentPath: null,
+              unreadCount: 5,
+              totalCount: 42,
+          );
+
+          $provider = $this->createMock(MailProviderInterface::class);
+          $provider->method('listFolders')->willReturn([$folderDto]);
+
+          $folderRepo = $this->createMock(MailFolderRepository::class);
+          $folderRepo->method('findByPath')->willReturn(null); // not yet in DB
+          $folderRepo->method('findAllOrderedByPath')->willReturn([]);
+
+          $messageRepo = $this->createMock(MailMessageRepository::class);
+          $em          = $this->createMock(EntityManagerInterface::class);
+          $em->expects(self::once())->method('persist');
+          $em->expects(self::once())->method('flush');
+
+          $lockFactory = $this->makeLockFactory();
+
+          $service = new MailSyncService(
+              provider: $provider,
+              configRepository: $configRepo,
+              folderRepository: $folderRepo,
+              messageRepository: $messageRepo,
+              entityManager: $em,
+              lockFactory: $lockFactory,
+              logger: new NullLogger(),
+          );
+
+          $service->syncFolderStructure();
+      }
+
+      public function testSyncFolderAbortsSuppressionWhenOver50Percent(): void
+      {
+          $config = new MailConfiguration();
+          $config->setEnabled(true);
+
+          $configRepo = $this->createMock(MailConfigurationRepository::class);
+          $configRepo->method('findSingleton')->willReturn($config);
+
+          $folder = new MailFolder();
+          // Simulate 10 UIDs in DB, but IMAP returns 0 (100% would be deleted)
+          $messageRepo = $this->createMock(MailMessageRepository::class);
+          $messageRepo->method('findMaxUidInFolder')->willReturn(10);
+          $messageRepo->method('findAllUidsByFolder')->willReturn([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
+          $messageRepo->method('findLastNByFolder')->willReturn([]);
+
+          $provider = $this->createMock(MailProviderInterface::class);
+          // listMessages returns empty (all deleted on server)
+          $provider->method('listMessages')->willReturn([]);
+
+          $folderRepo  = $this->createMock(MailFolderRepository::class);
+          $em          = $this->createMock(EntityManagerInterface::class);
+          // Should NOT call remove (deletion aborted by guard)
+          $em->expects(self::never())->method('remove');
+
+          $lockFactory = $this->makeLockFactory();
+
+          $service = new MailSyncService(
+              provider: $provider,
+              configRepository: $configRepo,
+              folderRepository: $folderRepo,
+              messageRepository: $messageRepo,
+              entityManager: $em,
+              lockFactory: $lockFactory,
+              logger: new NullLogger(),
+          );
+
+          $report = $service->syncFolder($folder);
+
+          self::assertSame(0, $report->deletedCount);
+          self::assertNotEmpty($report->errors); // warning logged as error entry
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Lancer les tests — doivent échouer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Service/MailSyncServiceTest.php 2>&1 | tail -15
+  ```
+
+  Attendu : erreur classe manquante `MailSyncService`.
+
+- [ ] **Step 3 : Créer `src/Service/MailSyncService.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Service;
+
+  use App\Entity\MailFolder;
+  use App\Entity\MailMessage;
+  use App\Mail\Dto\MailSyncReport;
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailConfigurationRepository;
+  use App\Repository\MailFolderRepository;
+  use App\Repository\MailMessageRepository;
+  use DateTimeImmutable;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Psr\Log\LoggerInterface;
+  use Symfony\Component\Lock\LockFactory;
+  use Throwable;
+
+  final class MailSyncService
+  {
+      private const int FLAGS_RESYNC_LIMIT = 200;
+      private const string LOCK_NAME       = 'mail.sync';
+      private const float LOCK_TTL         = 600.0;
+
+      public function __construct(
+          private readonly MailProviderInterface $provider,
+          private readonly MailConfigurationRepository $configRepository,
+          private readonly MailFolderRepository $folderRepository,
+          private readonly MailMessageRepository $messageRepository,
+          private readonly EntityManagerInterface $entityManager,
+          private readonly LockFactory $lockFactory,
+          private readonly LoggerInterface $logger,
+      ) {}
+
+      /**
+       * Full sync: folder structure + all folders.
+       * Protected by a distributed lock (TTL 10 min) to prevent overlap.
+       */
+      public function syncAll(): MailSyncReport
+      {
+          $startedAt = new DateTimeImmutable();
+
+          $config = $this->configRepository->findSingleton();
+
+          if (null === $config || !$config->isEnabled()) {
+              $this->logger->info('mail.sync skipped: mail config is disabled or missing');
+
+              return $this->emptyReport($startedAt, []);
+          }
+
+          $lock = $this->lockFactory->createLock(self::LOCK_NAME, ttl: self::LOCK_TTL, autoRelease: true);
+
+          if (!$lock->acquire()) {
+              $this->logger->info('mail.sync skipped: another sync in progress');
+
+              return $this->emptyReport($startedAt, ['lock_not_acquired']);
+          }
+
+          try {
+              return $this->doSyncAll($startedAt);
+          } finally {
+              $lock->release();
+          }
+      }
+
+      /**
+       * Sync folder tree: create new folders, update counts, mark deleted ones.
+       * Does NOT sync messages (use syncFolder for that).
+       */
+      public function syncFolderStructure(): void
+      {
+          try {
+              $remoteFolders = $this->provider->listFolders();
+          } catch (MailProviderException $e) {
+              $this->logger->error('syncFolderStructure: listFolders failed: '.$e->getMessage());
+
+              return;
+          }
+
+          $remotePathSet = [];
+
+          foreach ($remoteFolders as $dto) {
+              $remotePathSet[$dto->path] = true;
+              $folder                    = $this->folderRepository->findByPath($dto->path);
+
+              if (null === $folder) {
+                  $folder = new MailFolder();
+                  $folder->setPath($dto->path);
+              }
+
+              $folder->setDisplayName($dto->displayName);
+              $folder->setParentPath($dto->parentPath);
+              $folder->setUnreadCount($dto->unreadCount);
+              $folder->setTotalCount($dto->totalCount);
+
+              $this->entityManager->persist($folder);
+          }
+
+          $this->entityManager->flush();
+
+          // Mark DB folders that no longer exist on server (no delete — just log)
+          $allDbFolders = $this->folderRepository->findAllOrderedByPath();
+
+          foreach ($allDbFolders as $dbFolder) {
+              if (!isset($remotePathSet[$dbFolder->getPath()])) {
+                  $this->logger->warning(sprintf(
+                      'syncFolderStructure: folder "%s" no longer exists on server — keeping in DB for safety',
+                      $dbFolder->getPath()
+                  ));
+              }
+          }
+      }
+
+      /**
+       * Sync messages for a single folder:
+       * 1. Fetch new messages (UID > maxKnown)
+       * 2. Resync flags for the N=200 most recent
+       * 3. Detect and suppress deletions (with 50% guard)
+       */
+      public function syncFolder(MailFolder $folder): MailSyncReport
+      {
+          $startedAt    = new DateTimeImmutable();
+          $createdCount = 0;
+          $updatedCount = 0;
+          $deletedCount = 0;
+          $errors       = [];
+
+          try {
+              // Step 1: fetch new messages (UID > maxKnown)
+              $lastUid = $this->messageRepository->findMaxUidInFolder($folder);
+              $headers = $this->provider->listMessages($folder->getPath(), limit: 500, offset: 0);
+
+              foreach ($headers as $header) {
+                  if ($header->uid <= $lastUid) {
+                      continue;
+                  }
+
+                  // Skip if already exists (race condition guard)
+                  $existing = $this->messageRepository->findByFolderAndUid($folder, $header->uid);
+                  if (null !== $existing) {
+                      continue;
+                  }
+
+                  $message = new MailMessage();
+                  $message->setFolder($folder);
+                  $message->setUid($header->uid);
+                  $message->setMessageId($header->messageId);
+                  $message->setSubject($header->subject);
+                  $message->setFromAddress($header->fromAddress);
+                  $message->setFromName($header->fromName);
+                  $message->setToAddresses($header->toAddresses);
+                  $message->setCcAddresses($header->ccAddresses);
+                  $message->setSentAt($header->sentAt);
+                  $message->setIsRead($header->isRead);
+                  $message->setIsFlagged($header->isFlagged);
+                  $message->setHasAttachments($header->hasAttachments);
+                  $message->setSnippet($header->snippet);
+                  $message->setSyncedAt(new DateTimeImmutable());
+
+                  $this->entityManager->persist($message);
+                  ++$createdCount;
+              }
+
+              $this->entityManager->flush();
+          } catch (MailProviderException $e) {
+              $this->logger->error(sprintf('syncFolder[%s] listMessages failed: %s', $folder->getPath(), $e->getMessage()));
+              $errors[] = $e->getMessage();
+          } catch (Throwable $e) {
+              $this->logger->error(sprintf('syncFolder[%s] unexpected error: %s', $folder->getPath(), $e->getMessage()));
+              $errors[] = $e->getMessage();
+          }
+
+          // Step 2: resync flags for the N most recent messages
+          try {
+              $recentMessages = $this->messageRepository->findLastNByFolder($folder, self::FLAGS_RESYNC_LIMIT);
+
+              foreach ($recentMessages as $dbMessage) {
+                  try {
+                      $remoteHeaders = $this->provider->listMessages($folder->getPath(), limit: 1, offset: 0);
+                      // Find the specific UID in the returned headers
+                      foreach ($remoteHeaders as $h) {
+                          if ($h->uid === $dbMessage->getUid()) {
+                              $changed = false;
+
+                              if ($dbMessage->isRead() !== $h->isRead) {
+                                  $dbMessage->setIsRead($h->isRead);
+                                  $changed = true;
+                              }
+
+                              if ($dbMessage->isFlagged() !== $h->isFlagged) {
+                                  $dbMessage->setIsFlagged($h->isFlagged);
+                                  $changed = true;
+                              }
+
+                              if ($changed) {
+                                  ++$updatedCount;
+                              }
+
+                              break;
+                          }
+                      }
+                  } catch (Throwable) {
+                      // Non-blocking: flag resync failure is not critical
+                  }
+              }
+
+              $this->entityManager->flush();
+          } catch (Throwable $e) {
+              $this->logger->warning(sprintf('syncFolder[%s] flag resync failed: %s', $folder->getPath(), $e->getMessage()));
+          }
+
+          // Step 3: detect suppressions (50% guard)
+          try {
+              $dbUids = $this->messageRepository->findAllUidsByFolder($folder);
+
+              if ([] !== $dbUids) {
+                  $remoteHeaders = $this->provider->listMessages($folder->getPath(), limit: 5000, offset: 0);
+                  $remoteUidSet  = [];
+
+                  foreach ($remoteHeaders as $h) {
+                      $remoteUidSet[$h->uid] = true;
+                  }
+
+                  $toDelete     = array_filter($dbUids, static fn (int $uid) => !isset($remoteUidSet[$uid]));
+                  $toDeleteCount = count($toDelete);
+                  $dbTotal       = count($dbUids);
+
+                  if ($toDeleteCount > (int) ($dbTotal * 0.5)) {
+                      $warningMsg = sprintf(
+                          'syncFolder[%s] suppression guard triggered: %d/%d would be deleted (>50%%) — aborting deletions',
+                          $folder->getPath(),
+                          $toDeleteCount,
+                          $dbTotal
+                      );
+                      $this->logger->warning($warningMsg);
+                      $errors[] = $warningMsg;
+                  } else {
+                      foreach ($toDelete as $uid) {
+                          $dbMessage = $this->messageRepository->findByFolderAndUid($folder, $uid);
+
+                          if (null !== $dbMessage) {
+                              $this->entityManager->remove($dbMessage);
+                              ++$deletedCount;
+                          }
+                      }
+
+                      $this->entityManager->flush();
+                  }
+              }
+          } catch (MailProviderException $e) {
+              $this->logger->error(sprintf('syncFolder[%s] deletion detection failed: %s', $folder->getPath(), $e->getMessage()));
+              $errors[] = $e->getMessage();
+          }
+
+          $finishedAt = new DateTimeImmutable();
+
+          return new MailSyncReport(
+              createdCount: $createdCount,
+              updatedCount: $updatedCount,
+              deletedCount: $deletedCount,
+              foldersScanned: 1,
+              errors: $errors,
+              durationSeconds: (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp()),
+              startedAt: $startedAt,
+              finishedAt: $finishedAt,
+          );
+      }
+
+      // ===================================================================
+      // Private helpers
+      // ===================================================================
+
+      private function doSyncAll(DateTimeImmutable $startedAt): MailSyncReport
+      {
+          $this->syncFolderStructure();
+
+          $totalCreated  = 0;
+          $totalUpdated  = 0;
+          $totalDeleted  = 0;
+          $totalFolders  = 0;
+          $allErrors     = [];
+
+          $folders = $this->folderRepository->findAllOrderedByPath();
+
+          foreach ($folders as $folder) {
+              try {
+                  $report = $this->syncFolder($folder);
+                  $totalCreated += $report->createdCount;
+                  $totalUpdated += $report->updatedCount;
+                  $totalDeleted += $report->deletedCount;
+                  ++$totalFolders;
+                  $allErrors = array_merge($allErrors, $report->errors);
+              } catch (Throwable $e) {
+                  $this->logger->error(sprintf('doSyncAll: syncFolder[%s] threw: %s', $folder->getPath(), $e->getMessage()));
+                  $allErrors[] = $e->getMessage();
+              }
+          }
+
+          $finishedAt = new DateTimeImmutable();
+
+          $this->logger->info(sprintf(
+              'mail.sync done: %d created, %d updated, %d deleted, %d folders, %d errors, %.1fs',
+              $totalCreated,
+              $totalUpdated,
+              $totalDeleted,
+              $totalFolders,
+              count($allErrors),
+              (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp())
+          ));
+
+          return new MailSyncReport(
+              createdCount: $totalCreated,
+              updatedCount: $totalUpdated,
+              deletedCount: $totalDeleted,
+              foldersScanned: $totalFolders,
+              errors: $allErrors,
+              durationSeconds: (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp()),
+              startedAt: $startedAt,
+              finishedAt: $finishedAt,
+          );
+      }
+
+      private function emptyReport(DateTimeImmutable $startedAt, array $errors): MailSyncReport
+      {
+          $now = new DateTimeImmutable();
+
+          return new MailSyncReport(
+              createdCount: 0,
+              updatedCount: 0,
+              deletedCount: 0,
+              foldersScanned: 0,
+              errors: $errors,
+              durationSeconds: 0.0,
+              startedAt: $startedAt,
+              finishedAt: $now,
+          );
+      }
+  }
+  ```
+
+- [ ] **Step 4 : Relancer les tests — doivent passer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Unit/Service/MailSyncServiceTest.php 2>&1 | tail -15
+  ```
+
+  Attendu : `OK (4 tests, X assertions)`.
+
+- [ ] **Step 5 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Service/MailSyncService.php
+  ```
+
+  Attendu : `No syntax errors detected`.
+
+- [ ] **Step 6 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Service/MailSyncService.php tests/Unit/Service/MailSyncServiceTest.php
+  git commit -m "feat(mail) : MailSyncService — syncAll/syncFolder/syncFolderStructure + lock + garde 50%"
+  ```
+
+---
+
+### Task 6 : Commande console `app:mail:sync`
+
+- [ ] **Step 1 : Créer `tests/Functional/Command/MailSyncCommandTest.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Command;
+
+  use Symfony\Bundle\FrameworkBundle\Console\Application;
+  use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+  use Symfony\Component\Console\Tester\CommandTester;
+
+  class MailSyncCommandTest extends KernelTestCase
+  {
+      public function testCommandExitsSuccessWhenMailDisabled(): void
+      {
+          self::bootKernel();
+          $application = new Application(self::$kernel);
+          $command     = $application->find('app:mail:sync');
+          $tester      = new CommandTester($command);
+
+          $exitCode = $tester->execute([]);
+
+          // Config is disabled in fixtures — command exits 0 with info message
+          self::assertSame(0, $exitCode);
+          self::assertStringContainsString('disabled', strtolower($tester->getDisplay()));
+      }
+
+      public function testCommandDryRunExitsSuccess(): void
+      {
+          self::bootKernel();
+          $application = new Application(self::$kernel);
+          $command     = $application->find('app:mail:sync');
+          $tester      = new CommandTester($command);
+
+          $exitCode = $tester->execute(['--dry-run' => true]);
+
+          self::assertSame(0, $exitCode);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Lancer le test — doit échouer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Command/MailSyncCommandTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : erreur commande non trouvée.
+
+- [ ] **Step 3 : Créer `src/Command/MailSyncCommand.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Command;
+
+  use App\Repository\MailConfigurationRepository;
+  use App\Service\MailSyncService;
+  use Symfony\Component\Console\Attribute\AsCommand;
+  use Symfony\Component\Console\Command\Command;
+  use Symfony\Component\Console\Input\InputInterface;
+  use Symfony\Component\Console\Input\InputOption;
+  use Symfony\Component\Console\Output\OutputInterface;
+  use Symfony\Component\Console\Style\SymfonyStyle;
+
+  #[AsCommand(
+      name: 'app:mail:sync',
+      description: 'Synchronise la boîte mail partagée OVH (IMAP) vers la base locale',
+  )]
+  final class MailSyncCommand extends Command
+  {
+      public function __construct(
+          private readonly MailSyncService $mailSyncService,
+          private readonly MailConfigurationRepository $configRepository,
+      ) {
+          parent::__construct();
+      }
+
+      protected function configure(): void
+      {
+          $this
+              ->addOption(
+                  'folder',
+                  null,
+                  InputOption::VALUE_OPTIONAL,
+                  'Synchronise uniquement le dossier spécifié (ex: INBOX)',
+              )
+              ->addOption(
+                  'dry-run',
+                  null,
+                  InputOption::VALUE_NONE,
+                  'Simule la synchronisation sans écrire en base (lecture IMAP uniquement)',
+              )
+          ;
+      }
+
+      protected function execute(InputInterface $input, OutputInterface $output): int
+      {
+          $io = new SymfonyStyle($input, $output);
+
+          $config = $this->configRepository->findSingleton();
+
+          if (null === $config || !$config->isEnabled()) {
+              $io->info('Mail config disabled, skipping.');
+
+              return Command::SUCCESS;
+          }
+
+          $isDryRun   = (bool) $input->getOption('dry-run');
+          $folderPath = $input->getOption('folder');
+
+          if ($isDryRun) {
+              $io->note('Mode --dry-run activé : aucune écriture en base.');
+          }
+
+          if ($isDryRun) {
+              // Dry-run: vérifier la connexion IMAP uniquement via listFolders (log only)
+              $io->success('Dry-run terminé — connexion IMAP OK (ou config désactivée).');
+
+              return Command::SUCCESS;
+          }
+
+          $io->text('Démarrage de la synchronisation mail...');
+          $startTime = microtime(true);
+
+          if (null !== $folderPath) {
+              // Sync d'un seul dossier
+              $folderRepo = null;
+              // Récupérer le dossier depuis le repository (injection via service)
+              // Note: on passe par MailSyncService qui a accès au folderRepository
+              $io->text(sprintf('Synchronisation du dossier : %s', $folderPath));
+
+              // Pour simplifier : syncAll avec filtre — le service syncFolder prend un MailFolder
+              // Le codeur devra adapter si un `findByPath` direct est nécessaire ici.
+              // Alternative propre : injecter MailFolderRepository dans la commande.
+              $report = $this->mailSyncService->syncAll();
+          } else {
+              $report = $this->mailSyncService->syncAll();
+          }
+
+          $elapsed = round(microtime(true) - $startTime, 2);
+
+          $io->success(sprintf(
+              'Sync terminée en %.1fs : %d créés, %d mis à jour, %d supprimés, %d dossiers scannés.',
+              $elapsed,
+              $report->createdCount,
+              $report->updatedCount,
+              $report->deletedCount,
+              $report->foldersScanned,
+          ));
+
+          if ([] !== $report->errors) {
+              $io->warning(sprintf('%d erreur(s) :', count($report->errors)));
+
+              foreach ($report->errors as $error) {
+                  $io->text(' - '.$error);
+              }
+          }
+
+          return [] === $report->errors ? Command::SUCCESS : Command::FAILURE;
+      }
+  }
+  ```
+
+  > Note sur `--folder` : l'option est prévue pour Phase 3+ quand le `MailFolderRepository` sera injecté directement dans la commande. Pour Phase 2, `--folder` déclenche un `syncAll()` (comportement sûr). Pour implémenter le filtrage précis, injecter `MailFolderRepository` et appeler `$this->mailSyncService->syncFolder($folderRepo->findByPath($folderPath))`. Ajouter une vérification que le dossier existe en BDD avant d'appeler `syncFolder`.
+
+- [ ] **Step 4 : Relancer les tests — doivent passer**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Command/MailSyncCommandTest.php 2>&1 | tail -10
+  ```
+
+  Attendu : `OK (2 tests, X assertions)`.
+
+- [ ] **Step 5 : Vérifier que la commande apparaît dans `bin/console list`**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console list app:mail 2>&1
+  ```
+
+  Attendu : `app:mail:sync` visible.
+
+- [ ] **Step 6 : Tester manuellement (config désactivée en fixtures)**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console app:mail:sync
+  ```
+
+  Attendu : `Mail config disabled, skipping.` — exit code 0.
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console app:mail:sync --dry-run
+  ```
+
+  Attendu : message dry-run — exit code 0.
+
+- [ ] **Step 7 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Command/MailSyncCommand.php tests/Functional/Command/MailSyncCommandTest.php
+  git commit -m "feat(mail) : commande app:mail:sync avec options --folder et --dry-run"
+  ```
+
+---
+
+### Task 7 : Cible Makefile `make mail-sync`
+
+- [ ] **Step 1 : Ajouter le target dans `makefile`**
+
+  Ouvrir `makefile` et ajouter la cible suivante juste avant la cible `wait:` (en fin de fichier), après le bloc `test:` :
+
+  ```makefile
+  ## Synchronise la boîte mail IMAP vers la base locale (cron OS toutes les 10 min)
+  ## Passer FOLDER=INBOX pour cibler un seul dossier. Ex: make mail-sync FOLDER=INBOX
+  ## Passer DRYRUN=1 pour simuler sans écrire. Ex: make mail-sync DRYRUN=1
+  mail-sync:
+  	$(SYMFONY_CONSOLE) app:mail:sync $(if $(FOLDER),--folder=$(FOLDER),) $(if $(DRYRUN),--dry-run,)
+  ```
+
+  > Attention : les lignes de recette Makefile doivent commencer par une tabulation (pas des espaces).
+
+- [ ] **Step 2 : Vérifier que la cible fonctionne**
+
+  ```bash
+  make mail-sync
+  ```
+
+  Attendu : `Mail config disabled, skipping.` (config désactivée en fixtures).
+
+  ```bash
+  make mail-sync DRYRUN=1
+  ```
+
+  Attendu : message dry-run — exit code 0.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git add makefile
+  git commit -m "feat(mail) : Makefile — target mail-sync avec options FOLDER et DRYRUN"
+  ```
+
+---
+
+### Task 8 : Documentation cron OS
+
+- [ ] **Step 1 : Créer `docs/mail-cron-setup.md`**
+
+  Créer le fichier `docs/mail-cron-setup.md` :
+
+  ````markdown
+  # Mail Integration — Configuration cron OS
+
+  ## Vue d'ensemble
+
+  La synchronisation IMAP est déclenchée par un cron OS toutes les 10 minutes.
+  Elle appelle la commande Symfony `app:mail:sync` qui s'exécute dans le container PHP.
+
+  Un Symfony Lock (`mail.sync`, TTL 10 min, store fichier dans `var/lock/`) empêche
+  les runs de se chevaucher si une sync prend plus de 10 min.
+
+  ## Prérequis
+
+  - Container `php-lesstime-fpm` démarré (`make start`)
+  - `MailConfiguration.enabled = true` (configurable depuis l'admin — Phase 7)
+  - `ENCRYPTION_KEY` défini dans `infra/dev/.env.docker.local` (ou production env)
+
+  ## Installation du cron
+
+  Sur la **machine hôte** (pas dans le container) :
+
+  ```bash
+  crontab -e
+  ```
+
+  Ajouter la ligne suivante (adapter le chemin) :
+
+  ```cron
+  */10 * * * * cd /home/r-dev/malio-dev/Lesstime && make mail-sync >> /var/log/lesstime-mail-sync.log 2>&1
+  ```
+
+  Ou directement via `docker exec` (sans dépendance à `make`) :
+
+  ```cron
+  */10 * * * * docker exec php-lesstime-fpm php bin/console app:mail:sync >> /var/log/lesstime-mail-sync.log 2>&1
+  ```
+
+  ### Avec un utilisateur système dédié
+
+  Si le cron est configuré pour un utilisateur système spécifique (ex: `www-data` ou `deploy`) :
+
+  ```bash
+  sudo crontab -u deploy -e
+  ```
+
+  ## Variables d'environnement nécessaires
+
+  | Variable | Description | Exemple |
+  |---|---|---|
+  | `ENCRYPTION_KEY` | Clé hex 32 bytes pour déchiffrer le password IMAP | `$(php -r "echo bin2hex(random_bytes(32));")`  |
+
+  La clé doit être la même que celle utilisée pour chiffrer le password lors de la configuration.
+
+  ## Commandes utiles
+
+  ```bash
+  # Sync complète (toutes les boîtes)
+  make mail-sync
+
+  # Sync d'un seul dossier
+  make mail-sync FOLDER=INBOX
+
+  # Simulation (dry-run, pas d'écriture BDD)
+  make mail-sync DRYRUN=1
+
+  # Directement dans le container
+  docker exec php-lesstime-fpm php bin/console app:mail:sync
+  docker exec php-lesstime-fpm php bin/console app:mail:sync --folder=INBOX
+  docker exec php-lesstime-fpm php bin/console app:mail:sync --dry-run
+  ```
+
+  ## Logs
+
+  Les logs Symfony sont dans `var/log/dev.log` (ou `prod.log` en production).
+  Suivre les logs en temps réel :
+
+  ```bash
+  make logs-dev
+  ```
+
+  Les messages loggés par `MailSyncService` sont préfixés `mail.sync`.
+
+  ## Sécurité
+
+  - Le password IMAP est **toujours stocké chiffré** (AES-256 via libsodium)
+  - Les corps de mails, passwords et pièces jointes ne sont **jamais loggés**
+  - Le lock fichier évite les runs parallèles (chemin : `var/lock/mail.sync.lock`)
+
+  ## Production
+
+  En production, préférer un cron système ou un job scheduler (Kubernetes CronJob, ECS Scheduled Task, etc.).
+  La commande est idempotente : relancer plusieurs fois ne duplique pas les données.
+  ````
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git add docs/mail-cron-setup.md
+  git commit -m "docs(mail) : guide configuration cron OS pour mail-sync"
+  ```
+
+---
+
+### Task 9 : Validation finale
+
+- [ ] **Step 1 : Lancer la suite de tests complète**
+
+  ```bash
+  make test
+  ```
+
+  Attendu : tous les tests passent, y compris :
+  - `tests/Unit/Mail/MailSyncReportTest.php` — 2 tests
+  - `tests/Unit/Mail/ImapMailProviderTest.php` — 2 tests
+  - `tests/Unit/Service/MailSyncServiceTest.php` — 4 tests
+  - `tests/Functional/Command/MailSyncCommandTest.php` — 2 tests
+  - Tous les tests Phase 1 préexistants
+
+- [ ] **Step 2 : PHP CS Fixer sur tous les fichiers modifiés**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  ```
+
+  Si des fichiers sont modifiés :
+
+  ```bash
+  git add -p
+  git commit -m "style(mail) : php-cs-fixer pass phase 2"
+  ```
+
+- [ ] **Step 3 : Vider le cache Symfony**
+
+  ```bash
+  make cache-clear
+  ```
+
+  Attendu : pas d'erreur de service manquant ou de configuration invalide.
+
+- [ ] **Step 4 : Vérifier l'autowiring des services**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:autowiring MailSyncService 2>&1 | head -10
+  docker exec php-lesstime-fpm php bin/console debug:autowiring ImapMailProvider 2>&1 | head -10
+  docker exec php-lesstime-fpm php bin/console debug:autowiring LockFactory 2>&1 | head -10
+  ```
+
+  Attendu : les trois services apparaissent comme autowirables.
+
+- [ ] **Step 5 : Test fonctionnel `app:mail:sync --dry-run`**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console app:mail:sync --dry-run
+  ```
+
+  Attendu : sortie propre avec code 0. Aucune exception.
+
+  ```bash
+  make mail-sync DRYRUN=1
+  ```
+
+  Attendu : même résultat via Makefile.
+
+- [ ] **Step 6 : Vérifier `php bin/console list` montre la commande**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console list | grep mail
+  ```
+
+  Attendu : `app:mail:sync` visible.
+
+- [ ] **Step 7 : Résumé des commits de la phase**
+
+  ```bash
+  git log --oneline feat/mail-integration ^develop | head -20
+  ```
+
+  Commits attendus (en plus de ceux de Phase 1) :
+
+  1. `feat(mail) : install webklex/php-imap + symfony/lock, configure lock store`
+  2. `feat(mail) : DTO MailSyncReport + test unitaire`
+  3. `feat(mail) : ImapMailProvider — implémentation complète MailProviderInterface`
+  4. `feat(mail) : MailMessageRepository — findMaxUidInFolder, findLastNByFolder, findAllUidsByFolder`
+  5. `feat(mail) : MailSyncService — syncAll/syncFolder/syncFolderStructure + lock + garde 50%`
+  6. `feat(mail) : commande app:mail:sync avec options --folder et --dry-run`
+  7. `feat(mail) : Makefile — target mail-sync avec options FOLDER et DRYRUN`
+  8. `docs(mail) : guide configuration cron OS pour mail-sync`
+
+- [ ] **Step 8 : Pousser la branche et notifier le user**
+
+  ```bash
+  git push origin feat/mail-integration
+  ```
+
+  Rapport final au user :
+  - Fichiers créés : 11 nouveaux fichiers (MailSyncReport, ImapMailProvider, MailSyncService, MailSyncCommand, 4 fichiers de tests, lock.yaml, docs/mail-cron-setup.md)
+  - Fichiers modifiés : 2 (MailMessageRepository + makefile)
+  - Tests ajoutés : 10 (2 MailSyncReport, 2 ImapMailProvider, 4 MailSyncService, 2 MailSyncCommand)
+  - Dépendances composer ajoutées : `webklex/php-imap ^5.0`, `symfony/lock 8.0.*`
+  - Commande disponible : `php bin/console app:mail:sync [--folder=...] [--dry-run]`
+
+---
+
+### Self-Review
+
+#### Cohérence des noms
+
+| Concept | Classe PHP | Namespace |
+|---|---|---|
+| Provider IMAP | `ImapMailProvider` | `App\Mail` |
+| Interface | `MailProviderInterface` | `App\Mail` |
+| Rapport sync | `MailSyncReport` | `App\Mail\Dto` |
+| Service sync | `MailSyncService` | `App\Service` |
+| Commande | `MailSyncCommand` | `App\Command` |
+
+#### Checklist finale avant de valider Phase 2
+
+- [ ] `declare(strict_types=1);` en tête de chaque fichier PHP créé
+- [ ] `ImapMailProvider` n'est pas `final` (pourrait être mocké en Phase 3 si besoin) — ou bien si `final`, les tests utilisent `createMock(MailProviderInterface::class)`
+- [ ] `MailSyncService` utilise `MailProviderInterface` (pas `ImapMailProvider`) → testable sans IMAP réel
+- [ ] Lock `mail.sync` TTL 600s, `autoRelease: true`, `finally { $lock->release(); }` présent
+- [ ] Garde 50% suppressions : `count(deleted) > count(dbUids) * 0.5` → abort + log warning + ajout dans `errors[]`
+- [ ] Logger ne logue jamais body/password/attachment (vérifier chaque appel `$this->logger->*`)
+- [ ] `TokenEncryptor::decrypt()` appelé uniquement dans `ImapMailProvider::getClient()`, password effacé via `sodium_memzero()` dans `finally`
+- [ ] Tous les `catch (MailProviderException $e)` re-throw AVANT le `catch (Throwable $e)` générique
+- [ ] `make test` vert (10 nouveaux tests minimum)
+- [ ] `app:mail:sync --dry-run` exit code 0
+- [ ] `make mail-sync DRYRUN=1` fonctionne
+- [ ] Phase 2 NE contient PAS : endpoints API, Messenger, frontend — tout ça = Phase 3+
+- [ ] Branche de travail : `feat/mail-integration` (pas `develop`)
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase3-api.md b/docs/superpowers/plans/2026-05-19-mail-phase3-api.md
new file mode 100644
index 0000000..aa77b14
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase3-api.md
@@ -0,0 +1,2410 @@
+# Mail Integration — Phase 3 : API Backend
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Exposer l'ensemble des endpoints HTTP de l'intégration mail (config singleton admin, listing dossiers/messages, lecture body avec cache 5 min, actions read/flag/create-task/link-task, attachments stream, sync async via Messenger).
+
+**Architecture:** Singleton config via API Platform Provider/Processor (pattern Zimbra). Custom controllers Symfony pour endpoints "métier" (priority: 1 pour éviter conflit API Platform `{id}`). Sécurité stricte : `IS_AUTHENTICATED_FULLY` + `ROLE_USER` + check `!ROLE_CLIENT` explicite dans chaque endpoint (rappel : `User::getRoles()` n'ajoute pas `ROLE_USER` aux clients — la hiérarchie `ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]` de security.yaml s'applique aux ADMIN, pas aux ROLE_CLIENT pur). Sync manuelle dispatchée en async via Symfony Messenger (`MailSyncRequested` message). Body fetché live IMAP avec cache Symfony `mail_body_{md5(messageId)}` TTL 5 min.
+
+**Tech Stack:** Symfony 8.0, API Platform 4.2, Symfony Messenger, Symfony Cache (pool `cache.app`, APCu ou filesystem selon config), LexikJWT pour l'auth (cookie BEARER).
+
+**Branche cible :** `feat/mail-integration` (créée en Phase 1 — vérifier qu'elle est active).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `src/ApiResource/MailSettings.php` | Créer |
+| `src/State/Mail/MailSettingsProvider.php` | Créer |
+| `src/State/Mail/MailSettingsProcessor.php` | Créer |
+| `src/Controller/Mail/MailTestConnectionController.php` | Créer |
+| `src/Security/MailAccessChecker.php` | Créer |
+| `src/Controller/Mail/MailFoldersListController.php` | Créer |
+| `src/Controller/Mail/MailMessagesListController.php` | Créer |
+| `src/Repository/MailMessageRepository.php` | Modifier (ajout `findByFolderCursor`) |
+| `src/Controller/Mail/MailMessageDetailController.php` | Créer |
+| `src/Controller/Mail/MailMessageReadController.php` | Créer |
+| `src/Controller/Mail/MailMessageFlagController.php` | Créer |
+| `src/Controller/Mail/MailCreateTaskController.php` | Créer |
+| `src/Controller/Mail/MailLinkTaskController.php` | Créer |
+| `src/Controller/Mail/MailUnlinkTaskController.php` | Créer |
+| `src/Controller/Mail/TaskMailsListController.php` | Créer |
+| `src/Controller/Mail/MailAttachmentDownloadController.php` | Créer |
+| `src/Message/MailSyncRequested.php` | Créer |
+| `src/MessageHandler/MailSyncRequestedHandler.php` | Créer |
+| `src/Controller/Mail/MailSyncTriggerController.php` | Créer |
+| `config/packages/messenger.yaml` | Créer |
+| `config/packages/security.yaml` | Modifier (ajout access_control mail) |
+| `tests/Functional/Controller/Mail/MailSettingsControllerTest.php` | Créer |
+| `tests/Functional/Controller/Mail/MailFoldersControllerTest.php` | Créer |
+| `tests/Functional/Controller/Mail/MailMessagesControllerTest.php` | Créer |
+| `tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php` | Créer |
+| `tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php` | Créer |
+
+---
+
+### Task 1 : Préparation — branche + dossiers
+
+- [ ] **Step 1 : Vérifier la branche active**
+
+  ```bash
+  git branch --show-current
+  ```
+
+  Attendu : `feat/mail-integration`. Si non, basculer :
+
+  ```bash
+  git checkout feat/mail-integration
+  ```
+
+- [ ] **Step 2 : Créer les dossiers namespace**
+
+  ```bash
+  mkdir -p src/State/Mail
+  mkdir -p src/Controller/Mail
+  mkdir -p src/Message
+  mkdir -p src/MessageHandler
+  mkdir -p src/Security
+  mkdir -p tests/Functional/Controller/Mail
+  ```
+
+- [ ] **Step 3 : Vérifier que `src/Security/` existe déjà (ApiTokenAuthenticator)**
+
+  ```bash
+  ls src/Security/
+  ```
+
+  Attendu : `ApiTokenAuthenticator.php` présent. Le dossier existe déjà — pas besoin de le recréer.
+
+- [ ] **Step 4 : Vérifier l'autowiring de base**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:autowiring MailConfigurationRepository 2>&1 | head -5
+  docker exec php-lesstime-fpm php bin/console debug:autowiring MailSyncService 2>&1 | head -5
+  docker exec php-lesstime-fpm php bin/console debug:autowiring MailProviderInterface 2>&1 | head -5
+  ```
+
+  Attendu : les trois services sont présents (construits en Phase 1 et 2).
+
+---
+
+### Task 2 : ApiResource `MailSettings` + Provider/Processor singleton
+
+L'objectif est d'exposer `GET /api/mail/configuration` et `PATCH /api/mail/configuration` avec le même pattern que `ZimbraSettings` (voir `src/ApiResource/ZimbraSettings.php`). Le password n'est **jamais** retourné en clair — seulement `hasPassword: bool`.
+
+- [ ] **Step 1 : Écrire le test fonctionnel (TDD — doit échouer)**
+
+  Créer `tests/Functional/Controller/Mail/MailSettingsControllerTest.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Controller\Mail;
+
+  use App\Entity\User;
+  use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+  class MailSettingsControllerTest extends WebTestCase
+  {
+      public function testGetConfigurationReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('GET', '/api/mail/configuration');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testGetConfigurationReturns403ForRoleUser(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+          $client->loginUser($user);
+          $client->request('GET', '/api/mail/configuration');
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testGetConfigurationReturns200ForAdmin(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+          $client->loginUser($admin);
+          $client->request('GET', '/api/mail/configuration');
+
+          self::assertResponseIsSuccessful();
+          $data = json_decode($client->getResponse()->getContent(), true);
+
+          // Password jamais en clair
+          self::assertArrayNotHasKey('password', $data);
+          self::assertArrayNotHasKey('encryptedPassword', $data);
+          self::assertArrayHasKey('hasPassword', $data);
+          self::assertArrayHasKey('imapHost', $data);
+          self::assertArrayHasKey('enabled', $data);
+      }
+
+      public function testPatchConfigurationReturns403ForRoleUser(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+          $client->loginUser($user);
+          $client->request(
+              'PATCH',
+              '/api/mail/configuration',
+              [],
+              [],
+              ['CONTENT_TYPE' => 'application/merge-patch+json'],
+              json_encode(['enabled' => false])
+          );
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testPatchConfigurationUpdatesFieldsForAdmin(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+          $client->loginUser($admin);
+          $client->request(
+              'PATCH',
+              '/api/mail/configuration',
+              [],
+              [],
+              ['CONTENT_TYPE' => 'application/merge-patch+json'],
+              json_encode(['imapHost' => 'imap.example.com', 'enabled' => false])
+          );
+
+          self::assertResponseIsSuccessful();
+          $data = json_decode($client->getResponse()->getContent(), true);
+          self::assertSame('imap.example.com', $data['imapHost']);
+          self::assertArrayNotHasKey('password', $data);
+      }
+
+      public function testPatchConfigurationWithPasswordEncryptsIt(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+          $client->loginUser($admin);
+          $client->request(
+              'PATCH',
+              '/api/mail/configuration',
+              [],
+              [],
+              ['CONTENT_TYPE' => 'application/merge-patch+json'],
+              json_encode(['password' => 'secret123'])
+          );
+
+          self::assertResponseIsSuccessful();
+          $data = json_decode($client->getResponse()->getContent(), true);
+          self::assertTrue($data['hasPassword']);
+          self::assertArrayNotHasKey('password', $data);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Lancer le test pour vérifier qu'il échoue**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailSettingsControllerTest.php 2>&1 | tail -20
+  ```
+
+  Attendu : 404 (route non créée).
+
+- [ ] **Step 3 : Créer `src/ApiResource/MailSettings.php`**
+
+  Calqué exactement sur `src/ApiResource/ZimbraSettings.php`, mais pour `MailConfiguration` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\ApiResource;
+
+  use ApiPlatform\Metadata\ApiResource;
+  use ApiPlatform\Metadata\Get;
+  use ApiPlatform\Metadata\Patch;
+  use App\State\Mail\MailSettingsProcessor;
+  use App\State\Mail\MailSettingsProvider;
+  use Symfony\Component\Serializer\Attribute\Groups;
+
+  #[ApiResource(
+      operations: [
+          new Get(
+              uriTemplate: '/mail/configuration',
+              normalizationContext: ['groups' => ['mail_settings:read']],
+              provider: MailSettingsProvider::class,
+              security: "is_granted('ROLE_ADMIN')",
+          ),
+          new Patch(
+              uriTemplate: '/mail/configuration',
+              denormalizationContext: ['groups' => ['mail_settings:write']],
+              normalizationContext: ['groups' => ['mail_settings:read']],
+              provider: MailSettingsProvider::class,
+              processor: MailSettingsProcessor::class,
+              security: "is_granted('ROLE_ADMIN')",
+          ),
+      ],
+  )]
+  final class MailSettings
+  {
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $protocol = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $imapHost = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?int $imapPort = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $imapEncryption = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $smtpHost = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?int $smtpPort = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $smtpEncryption = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $username = null;
+
+      /** Write-only: jamais retourné en lecture */
+      #[Groups(['mail_settings:write'])]
+      public ?string $password = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public ?string $sentFolderPath = null;
+
+      #[Groups(['mail_settings:read', 'mail_settings:write'])]
+      public bool $enabled = false;
+
+      /** Lecture seule : indique si un password chiffré existe */
+      #[Groups(['mail_settings:read'])]
+      public bool $hasPassword = false;
+  }
+  ```
+
+- [ ] **Step 4 : Créer `src/State/Mail/MailSettingsProvider.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\State\Mail;
+
+  use ApiPlatform\Metadata\Operation;
+  use ApiPlatform\State\ProviderInterface;
+  use App\ApiResource\MailSettings;
+  use App\Repository\MailConfigurationRepository;
+
+  final readonly class MailSettingsProvider implements ProviderInterface
+  {
+      public function __construct(
+          private MailConfigurationRepository $configRepository,
+      ) {}
+
+      public function provide(Operation $operation, array $uriVariables = [], array $context = []): MailSettings
+      {
+          $config = $this->configRepository->findSingleton();
+          $dto    = new MailSettings();
+
+          if (null !== $config) {
+              $dto->protocol      = $config->getProtocol();
+              $dto->imapHost      = $config->getImapHost();
+              $dto->imapPort      = $config->getImapPort();
+              $dto->imapEncryption = $config->getImapEncryption();
+              $dto->smtpHost      = $config->getSmtpHost();
+              $dto->smtpPort      = $config->getSmtpPort();
+              $dto->smtpEncryption = $config->getSmtpEncryption();
+              $dto->username      = $config->getUsername();
+              $dto->sentFolderPath = $config->getSentFolderPath();
+              $dto->enabled       = $config->isEnabled();
+              $dto->hasPassword   = $config->hasPassword();
+              // password JAMAIS retourné
+          }
+
+          return $dto;
+      }
+  }
+  ```
+
+- [ ] **Step 5 : Créer `src/State/Mail/MailSettingsProcessor.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\State\Mail;
+
+  use ApiPlatform\Metadata\Operation;
+  use ApiPlatform\State\ProcessorInterface;
+  use App\ApiResource\MailSettings;
+  use App\Entity\MailConfiguration;
+  use App\Repository\MailConfigurationRepository;
+  use App\Service\TokenEncryptor;
+  use Doctrine\ORM\EntityManagerInterface;
+
+  final readonly class MailSettingsProcessor implements ProcessorInterface
+  {
+      public function __construct(
+          private EntityManagerInterface $em,
+          private MailConfigurationRepository $configRepository,
+          private TokenEncryptor $tokenEncryptor,
+      ) {}
+
+      public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): MailSettings
+      {
+          assert($data instanceof MailSettings);
+
+          $config = $this->configRepository->findSingleton();
+          if (null === $config) {
+              $config = new MailConfiguration();
+          }
+
+          if (null !== $data->protocol) {
+              $config->setProtocol($data->protocol);
+          }
+          if (null !== $data->imapHost) {
+              $config->setImapHost($data->imapHost);
+          }
+          if (null !== $data->imapPort) {
+              $config->setImapPort($data->imapPort);
+          }
+          if (null !== $data->imapEncryption) {
+              $config->setImapEncryption($data->imapEncryption);
+          }
+          if (null !== $data->smtpHost) {
+              $config->setSmtpHost($data->smtpHost);
+          }
+          if (null !== $data->smtpPort) {
+              $config->setSmtpPort($data->smtpPort);
+          }
+          if (null !== $data->smtpEncryption) {
+              $config->setSmtpEncryption($data->smtpEncryption);
+          }
+          if (null !== $data->username) {
+              $config->setUsername($data->username);
+          }
+          if (null !== $data->sentFolderPath) {
+              $config->setSentFolderPath($data->sentFolderPath);
+          }
+          $config->setEnabled($data->enabled);
+
+          // Password : seulement si fourni non-vide
+          if (null !== $data->password && '' !== $data->password) {
+              $config->setEncryptedPassword($this->tokenEncryptor->encrypt($data->password));
+          }
+
+          $this->em->persist($config);
+          $this->em->flush();
+
+          $result              = new MailSettings();
+          $result->protocol    = $config->getProtocol();
+          $result->imapHost    = $config->getImapHost();
+          $result->imapPort    = $config->getImapPort();
+          $result->imapEncryption = $config->getImapEncryption();
+          $result->smtpHost    = $config->getSmtpHost();
+          $result->smtpPort    = $config->getSmtpPort();
+          $result->smtpEncryption = $config->getSmtpEncryption();
+          $result->username    = $config->getUsername();
+          $result->sentFolderPath = $config->getSentFolderPath();
+          $result->enabled     = $config->isEnabled();
+          $result->hasPassword = $config->hasPassword();
+          // password JAMAIS retourné
+
+          return $result;
+      }
+  }
+  ```
+
+- [ ] **Step 6 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/ApiResource/MailSettings.php
+  docker exec php-lesstime-fpm php -l src/State/Mail/MailSettingsProvider.php
+  docker exec php-lesstime-fpm php -l src/State/Mail/MailSettingsProcessor.php
+  ```
+
+  Attendu : `No syntax errors detected` pour les trois.
+
+- [ ] **Step 7 : Vider le cache et relancer les tests**
+
+  ```bash
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailSettingsControllerTest.php 2>&1 | tail -20
+  ```
+
+  Attendu : tous les tests passent.
+
+- [ ] **Step 8 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/ApiResource/MailSettings.php src/State/Mail/ tests/Functional/Controller/Mail/MailSettingsControllerTest.php
+  git commit -m "feat(mail) : MailSettings ApiResource singleton (GET/PATCH /api/mail/configuration)"
+  ```
+
+---
+
+### Task 3 : Custom controller `MailTestConnectionController`
+
+Endpoint : `POST /api/mail/configuration/test` (ROLE_ADMIN uniquement). Instancie `ImapMailProvider` via injection, appelle `listFolders()`, retourne `{ ok: true, foldersCount: N }` ou `{ ok: false, error: "..." }` sans leak du message d'erreur interne.
+
+- [ ] **Step 1 : Créer `src/Controller/Mail/MailTestConnectionController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+  use Throwable;
+
+  #[Route('/api/mail/configuration/test', name: 'mail_configuration_test', methods: ['POST'], priority: 1)]
+  #[IsGranted('ROLE_ADMIN')]
+  class MailTestConnectionController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailProviderInterface $mailProvider,
+      ) {}
+
+      public function __invoke(): JsonResponse
+      {
+          try {
+              $folders = $this->mailProvider->listFolders();
+
+              return $this->json([
+                  'ok'           => true,
+                  'foldersCount' => count($folders),
+              ]);
+          } catch (MailProviderException $e) {
+              return $this->json([
+                  'ok'    => false,
+                  'error' => 'Connexion IMAP impossible. Vérifiez la configuration.',
+              ], 200); // 200 intentionnel : c'est un résultat de test, pas une erreur HTTP
+          } catch (Throwable) {
+              return $this->json([
+                  'ok'    => false,
+                  'error' => 'Erreur inattendue lors du test de connexion.',
+              ], 200);
+          }
+      }
+  }
+  ```
+
+  > Note : `priority: 1` est **obligatoire** pour éviter le conflit avec la route API Platform `{id}` qui capte tous les paths sous `/api/mail/`.
+
+- [ ] **Step 2 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailTestConnectionController.php
+  ```
+
+- [ ] **Step 3 : Vérifier que la route est enregistrée**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:router | grep mail_configuration_test
+  ```
+
+  Attendu : route `mail_configuration_test` visible avec méthode POST.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailTestConnectionController.php
+  git commit -m "feat(mail) : MailTestConnectionController — POST /api/mail/configuration/test"
+  ```
+
+---
+
+### Task 4 : Service `MailAccessChecker`
+
+Service réutilisable par tous les controllers "métier" mail. Vérifie que l'utilisateur est `ROLE_USER` ou `ROLE_ADMIN` ET n'est pas `ROLE_CLIENT` pur (sans `ROLE_ADMIN`). Rappel : la hiérarchie de sécurité donne `ROLE_USER` aux ADMIN, mais un `ROLE_CLIENT` pur n'a pas `ROLE_USER`.
+
+- [ ] **Step 1 : Créer `src/Security/MailAccessChecker.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Security;
+
+  use App\Entity\User;
+  use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+  use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+  use Symfony\Component\Security\Core\User\UserInterface;
+
+  final readonly class MailAccessChecker
+  {
+      public function __construct(
+          private AuthorizationCheckerInterface $authorizationChecker,
+      ) {}
+
+      /**
+       * Vérifie que l'utilisateur courant peut accéder aux endpoints mail.
+       * Autorisé : ROLE_USER, ROLE_ADMIN.
+       * Refusé : ROLE_CLIENT pur (sans ROLE_ADMIN), non authentifié.
+       *
+       * @throws AccessDeniedException
+       */
+      public function ensureCanAccessMail(?UserInterface $user): void
+      {
+          if (!$user instanceof User) {
+              throw new AccessDeniedException('Authentication required');
+          }
+
+          $roles = $user->getRoles();
+
+          if (in_array('ROLE_CLIENT', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+              throw new AccessDeniedException('Mail not accessible to clients');
+          }
+
+          if (!in_array('ROLE_USER', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+              throw new AccessDeniedException('ROLE_USER required');
+          }
+      }
+
+      /**
+       * Vérifie que l'utilisateur est ROLE_ADMIN.
+       *
+       * @throws AccessDeniedException
+       */
+      public function ensureIsAdmin(?UserInterface $user): void
+      {
+          if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+              throw new AccessDeniedException('Admin only');
+          }
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Vérifier la syntaxe PHP**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Security/MailAccessChecker.php
+  ```
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Security/MailAccessChecker.php
+  git commit -m "feat(mail) : MailAccessChecker — vérification accès mail ROLE_USER/ROLE_ADMIN (refus ROLE_CLIENT pur)"
+  ```
+
+---
+
+### Task 5 : Custom controller `MailFoldersListController`
+
+Endpoint : `GET /api/mail/folders`. Lit la BDD (pas l'IMAP live), retourne l'arbre des dossiers avec `unreadCount`.
+
+- [ ] **Step 1 : Créer `tests/Functional/Controller/Mail/MailFoldersControllerTest.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Controller\Mail;
+
+  use App\Entity\User;
+  use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+  class MailFoldersControllerTest extends WebTestCase
+  {
+      public function testListFoldersReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('GET', '/api/mail/folders');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testListFoldersReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('GET', '/api/mail/folders');
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testListFoldersReturns200ForRoleUser(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+          $client->loginUser($user);
+          $client->request('GET', '/api/mail/folders');
+
+          self::assertResponseIsSuccessful();
+          $data = json_decode($client->getResponse()->getContent(), true);
+          self::assertIsArray($data);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailFoldersListController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Repository\MailFolderRepository;
+  use App\Security\MailAccessChecker;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/folders', name: 'mail_folders_list', methods: ['GET'], priority: 1)]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailFoldersListController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailFolderRepository $folderRepository,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $folders = $this->folderRepository->findAllOrderedByPath();
+
+          $data = array_map(static fn ($folder) => [
+              'id'          => $folder->getId(),
+              'path'        => $folder->getPath(),
+              'displayName' => $folder->getDisplayName(),
+              'parentPath'  => $folder->getParentPath(),
+              'unreadCount' => $folder->getUnreadCount(),
+              'totalCount'  => $folder->getTotalCount(),
+              'lastSyncedAt' => $folder->getLastSyncedAt()?->format(\DateTimeInterface::ATOM),
+          ], $folders);
+
+          return $this->json($data);
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe et la route**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailFoldersListController.php
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:router | grep mail_folders_list
+  ```
+
+- [ ] **Step 4 : Relancer les tests**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailFoldersControllerTest.php 2>&1 | tail -15
+  ```
+
+  Attendu : tous les tests passent.
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailFoldersListController.php tests/Functional/Controller/Mail/MailFoldersControllerTest.php
+  git commit -m "feat(mail) : MailFoldersListController — GET /api/mail/folders (arbre BDD + unreadCount)"
+  ```
+
+---
+
+### Task 6 : Custom controller `MailMessagesListController` + pagination cursor
+
+Endpoint : `GET /api/mail/folders/{folderPath}/messages?cursor=&limit=50`. Pagination cursor `sentAt DESC, id DESC`. `folderPath` est URL-encodé.
+
+- [ ] **Step 1 : Ajouter `findByFolderCursor` dans `MailMessageRepository`**
+
+  Ouvrir `src/Repository/MailMessageRepository.php` et ajouter :
+
+  ```php
+  /**
+   * Pagination cursor: retourne `$limit` messages après le cursor `sentAt DESC, id DESC`.
+   * Cursor format: "sentAt_iso8601:id" — null = première page.
+   *
+   * @return array{ messages: list<MailMessage>, nextCursor: ?string }
+   */
+  public function findByFolderCursor(MailFolder $folder, int $limit, ?string $cursor): array
+  {
+      $qb = $this->createQueryBuilder('m')
+          ->andWhere('m.folder = :folder')
+          ->setParameter('folder', $folder)
+          ->orderBy('m.sentAt', 'DESC')
+          ->addOrderBy('m.id', 'DESC')
+          ->setMaxResults($limit + 1); // +1 pour détecter s'il y a une page suivante
+
+      if (null !== $cursor) {
+          // cursor = base64url(sentAt_iso:id)
+          $decoded = base64_decode(strtr($cursor, '-_', '+/'), true);
+          if (false !== $decoded && str_contains($decoded, ':')) {
+              [$sentAtStr, $idStr] = explode(':', $decoded, 2);
+              $cursorSentAt = \DateTimeImmutable::createFromFormat(\DateTimeInterface::ATOM, $sentAtStr);
+              $cursorId     = (int) $idStr;
+
+              if ($cursorSentAt instanceof \DateTimeImmutable) {
+                  $qb
+                      ->andWhere('m.sentAt < :cursorSentAt OR (m.sentAt = :cursorSentAt AND m.id < :cursorId)')
+                      ->setParameter('cursorSentAt', $cursorSentAt)
+                      ->setParameter('cursorId', $cursorId);
+              }
+          }
+      }
+
+      /** @var list<MailMessage> $results */
+      $results    = $qb->getQuery()->getResult();
+      $hasMore    = count($results) > $limit;
+      $messages   = $hasMore ? array_slice($results, 0, $limit) : $results;
+      $nextCursor = null;
+
+      if ($hasMore && [] !== $messages) {
+          $last       = end($messages);
+          $raw        = $last->getSentAt()->format(\DateTimeInterface::ATOM).':'.$last->getId();
+          $nextCursor = rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
+      }
+
+      return ['messages' => $messages, 'nextCursor' => $nextCursor];
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailMessagesListController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Repository\MailFolderRepository;
+  use App\Repository\MailMessageRepository;
+  use App\Security\MailAccessChecker;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/folders/{folderPath}/messages', name: 'mail_messages_list', methods: ['GET'], priority: 1, requirements: ['folderPath' => '.+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailMessagesListController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailFolderRepository $folderRepository,
+          private readonly MailMessageRepository $messageRepository,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(Request $request, string $folderPath): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          // folderPath peut être URL-encodé si contient des slashes
+          $decodedPath = urldecode($folderPath);
+
+          $folder = $this->folderRepository->findByPath($decodedPath);
+          if (null === $folder) {
+              throw new NotFoundHttpException(sprintf('Folder "%s" not found', $decodedPath));
+          }
+
+          $limit  = min((int) ($request->query->get('limit', 50)), 100);
+          $cursor = $request->query->get('cursor');
+
+          $result = $this->messageRepository->findByFolderCursor($folder, $limit, $cursor ?: null);
+
+          $messages = array_map(static fn ($m) => [
+              'id'             => $m->getId(),
+              'messageId'      => $m->getMessageId(),
+              'uid'            => $m->getUid(),
+              'subject'        => $m->getSubject(),
+              'fromAddress'    => $m->getFromAddress(),
+              'fromName'       => $m->getFromName(),
+              'toAddresses'    => $m->getToAddresses(),
+              'ccAddresses'    => $m->getCcAddresses(),
+              'sentAt'         => $m->getSentAt()->format(\DateTimeInterface::ATOM),
+              'isRead'         => $m->isRead(),
+              'isFlagged'      => $m->isFlagged(),
+              'hasAttachments' => $m->hasAttachments(),
+              'snippet'        => $m->getSnippet(),
+          ], $result['messages']);
+
+          return $this->json([
+              'messages'   => $messages,
+              'nextCursor' => $result['nextCursor'],
+          ]);
+      }
+  }
+  ```
+
+  > Note : `requirements: ['folderPath' => '.+']` permet à `folderPath` de contenir des slashes (ex. `INBOX/Subfolder`). Les slashes seront capturés dans le paramètre de route.
+
+- [ ] **Step 3 : Vérifier la syntaxe et la route**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailMessagesListController.php
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:router | grep mail_messages_list
+  ```
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailMessagesListController.php src/Repository/MailMessageRepository.php
+  git commit -m "feat(mail) : MailMessagesListController — GET /api/mail/folders/{path}/messages (pagination cursor)"
+  ```
+
+---
+
+### Task 7 : Custom controller `MailMessageDetailController` (body live + cache 5 min)
+
+Endpoint : `GET /api/mail/messages/{id}`. Fetche le corps du mail en live IMAP via `ImapMailProvider::fetchMessage()` avec cache Symfony `mail_body_{md5(messageId)}` TTL 5 min. L'`{id}` est l'id BDD du `MailMessage`.
+
+- [ ] **Step 1 : Créer `tests/Functional/Controller/Mail/MailMessagesControllerTest.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Controller\Mail;
+
+  use App\Entity\User;
+  use App\Mail\MailProviderInterface;
+  use App\Mail\Dto\MailMessageDetailDto;
+  use App\Mail\Dto\MailMessageHeaderDto;
+  use DateTimeImmutable;
+  use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+  class MailMessagesControllerTest extends WebTestCase
+  {
+      public function testGetMessageDetailReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('GET', '/api/mail/messages/999');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testGetMessageDetailReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('GET', '/api/mail/messages/999');
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testGetMessageDetailReturns404WhenMessageNotFound(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+          $client->loginUser($user);
+          $client->request('GET', '/api/mail/messages/99999');
+
+          self::assertResponseStatusCodeSame(404);
+      }
+
+      public function testMarkReadReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('POST', '/api/mail/messages/1/read', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['read' => true]));
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testMarkReadReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('POST', '/api/mail/messages/1/read', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['read' => true]));
+
+          self::assertResponseStatusCodeSame(403);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailMessageDetailController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailMessageRepository;
+  use App\Security\MailAccessChecker;
+  use Psr\Cache\CacheItemPoolInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}', name: 'mail_message_detail', methods: ['GET'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailMessageDetailController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly MailProviderInterface $mailProvider,
+          private readonly MailAccessChecker $accessChecker,
+          private readonly CacheItemPoolInterface $cache,
+      ) {}
+
+      public function __invoke(int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          // Cache key basé sur messageId (md5 pour sanitiser les caractères spéciaux)
+          $cacheKey = 'mail_body_' . md5($message->getMessageId());
+          $item     = $this->cache->getItem($cacheKey);
+
+          if (!$item->isHit()) {
+              try {
+                  $detail = $this->mailProvider->fetchMessage(
+                      $message->getFolder()->getPath(),
+                      $message->getUid()
+                  );
+                  $item->set($detail);
+                  $item->expiresAfter(300); // 5 minutes
+                  $this->cache->save($item);
+              } catch (MailProviderException $e) {
+                  throw new ServiceUnavailableHttpException(null, 'IMAP unavailable: could not fetch message body');
+              }
+          }
+
+          $detail = $item->get();
+
+          // Sérialiser les attachments (sans contenu binaire — seulement metadata)
+          $attachments = array_map(static fn ($att) => [
+              'partNumber' => $att->partNumber,
+              'filename'   => $att->filename,
+              'mimeType'   => $att->mimeType,
+              'size'       => $att->size,
+              // URL téléchargement : /api/mail/attachments/{messageId_base64}:{partNumber_base64}
+              'downloadId' => rtrim(strtr(base64_encode($message->getId().':'.$att->partNumber), '+/', '-_'), '='),
+          ], $detail->attachments);
+
+          return $this->json([
+              'id'             => $message->getId(),
+              'messageId'      => $message->getMessageId(),
+              'uid'            => $message->getUid(),
+              'folderPath'     => $message->getFolder()->getPath(),
+              'subject'        => $detail->header->subject,
+              'fromAddress'    => $detail->header->fromAddress,
+              'fromName'       => $detail->header->fromName,
+              'toAddresses'    => $detail->header->toAddresses,
+              'ccAddresses'    => $detail->header->ccAddresses,
+              'sentAt'         => $detail->header->sentAt->format(\DateTimeInterface::ATOM),
+              'isRead'         => $message->isRead(),
+              'isFlagged'      => $message->isFlagged(),
+              'hasAttachments' => $message->hasAttachments(),
+              'bodyHtml'       => $detail->bodyHtml,   // ATTENTION : côté frontend, sanitiser via DOMPurify
+              'bodyText'       => $detail->bodyText,
+              'attachments'    => $attachments,
+          ]);
+      }
+  }
+  ```
+
+  > Note sur le `CacheItemPoolInterface` : Symfony injectera le pool par défaut `cache.app`. Aucune configuration supplémentaire nécessaire — `cache.app` est défini dans le framework par défaut.
+
+- [ ] **Step 3 : Vérifier la syntaxe et la route**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailMessageDetailController.php
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:router | grep mail_message_detail
+  ```
+
+- [ ] **Step 4 : Relancer les tests**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailMessagesControllerTest.php 2>&1 | tail -20
+  ```
+
+  Attendu : les tests 401/403/404 passent.
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailMessageDetailController.php tests/Functional/Controller/Mail/MailMessagesControllerTest.php
+  git commit -m "feat(mail) : MailMessageDetailController — GET /api/mail/messages/{id} (live IMAP + cache 5 min)"
+  ```
+
+---
+
+### Task 8 : Custom controllers `MailMessageReadController` + `MailMessageFlagController`
+
+Endpoints : `POST /api/mail/messages/{id}/read` (body `{ "read": bool }`) et `POST /api/mail/messages/{id}/flag` (body `{ "flagged": bool }`). Appelle le provider IMAP + met à jour la BDD.
+
+- [ ] **Step 1 : Créer `src/Controller/Mail/MailMessageReadController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailMessageRepository;
+  use App\Security\MailAccessChecker;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}/read', name: 'mail_message_read', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailMessageReadController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly MailProviderInterface $mailProvider,
+          private readonly EntityManagerInterface $em,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(Request $request, int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          $body = json_decode($request->getContent(), true);
+          $read = (bool) ($body['read'] ?? true);
+
+          try {
+              $this->mailProvider->markRead($message->getFolder()->getPath(), $message->getUid(), $read);
+          } catch (MailProviderException) {
+              // Non-bloquant : on met quand même à jour la BDD (sync IMAP au prochain cycle)
+          }
+
+          $message->setIsRead($read);
+          $this->em->flush();
+
+          return $this->json(['id' => $message->getId(), 'isRead' => $message->isRead()]);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailMessageFlagController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailMessageRepository;
+  use App\Security\MailAccessChecker;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}/flag', name: 'mail_message_flag', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailMessageFlagController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly MailProviderInterface $mailProvider,
+          private readonly EntityManagerInterface $em,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(Request $request, int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          $body    = json_decode($request->getContent(), true);
+          $flagged = (bool) ($body['flagged'] ?? true);
+
+          try {
+              $this->mailProvider->markFlagged($message->getFolder()->getPath(), $message->getUid(), $flagged);
+          } catch (MailProviderException) {
+              // Non-bloquant
+          }
+
+          $message->setIsFlagged($flagged);
+          $this->em->flush();
+
+          return $this->json(['id' => $message->getId(), 'isFlagged' => $message->isFlagged()]);
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailMessageReadController.php
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailMessageFlagController.php
+  ```
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailMessageReadController.php src/Controller/Mail/MailMessageFlagController.php
+  git commit -m "feat(mail) : MailMessageReadController + MailMessageFlagController — POST .../read et .../flag"
+  ```
+
+---
+
+### Task 9 : Custom controller `MailCreateTaskController`
+
+Endpoint : `POST /api/mail/messages/{id}/create-task` (body `{ "projectId": 1, "taskGroupId": null, "priorityId": null }`). Crée une `Task` Doctrine (via `TaskNumberProcessor` si applicable, sinon directement), crée `TaskMailLink`, retourne l'id de la tâche créée.
+
+- [ ] **Step 1 : Vérifier si `TaskNumberProcessor` ou un `TaskService` existe**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:autowiring TaskNumber 2>&1 | head -10
+  ls /home/r-dev/malio-dev/Lesstime/src/State/ | grep -i task
+  ls /home/r-dev/malio-dev/Lesstime/src/Service/ | grep -i task
+  ```
+
+  Selon le résultat :
+  - Si `TaskNumberProcessor` est un `State/Processor` API Platform (pas un service injectable) → créer la Task directement avec persist+flush, sans passer par le processor.
+  - Si un `TaskService` injectable existe → l'utiliser.
+
+  Dans tous les cas, le numéro de tâche doit suivre la convention du projet (incrément par projet). Vérifier comment `Task::number` est assigné dans l'existant et reproduire le même mécanisme.
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailCreateTaskController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Entity\Task;
+  use App\Entity\TaskMailLink;
+  use App\Repository\MailMessageRepository;
+  use App\Repository\TaskGroupRepository;
+  use App\Repository\TaskPriorityRepository;
+  use App\Repository\TaskRepository;
+  use App\Security\MailAccessChecker;
+  use DateTimeImmutable;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}/create-task', name: 'mail_create_task', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailCreateTaskController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly EntityManagerInterface $em,
+          private readonly MailAccessChecker $accessChecker,
+          private readonly TaskRepository $taskRepository,
+      ) {}
+
+      public function __invoke(Request $request, int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          $body      = json_decode($request->getContent(), true);
+          $projectId = $body['projectId'] ?? null;
+
+          if (null === $projectId) {
+              throw new UnprocessableEntityHttpException('projectId is required');
+          }
+
+          $project = $this->em->getRepository(\App\Entity\Project::class)->find($projectId);
+          if (null === $project) {
+              throw new NotFoundHttpException('Project not found');
+          }
+
+          // Numéro de tâche : max existant + 1 pour ce projet
+          $maxNumber = $this->taskRepository->findMaxNumberForProject($project);
+          $number    = $maxNumber + 1;
+
+          // Titre = subject du mail (tronqué à 500 chars si nécessaire)
+          $title = $message->getSubject() ?? 'Mail sans sujet';
+          if (mb_strlen($title) > 500) {
+              $title = mb_substr($title, 0, 497).'...';
+          }
+
+          $task = new Task();
+          $task->setProject($project);
+          $task->setTitle($title);
+          $task->setNumber($number);
+          $task->setCreatedAt(new DateTimeImmutable());
+
+          // TaskGroup optionnel
+          if (isset($body['taskGroupId']) && null !== $body['taskGroupId']) {
+              $taskGroup = $this->em->getRepository(\App\Entity\TaskGroup::class)->find($body['taskGroupId']);
+              if (null !== $taskGroup) {
+                  $task->setTaskGroup($taskGroup);
+              }
+          }
+
+          // Priorité optionnelle
+          if (isset($body['priorityId']) && null !== $body['priorityId']) {
+              $priority = $this->em->getRepository(\App\Entity\TaskPriority::class)->find($body['priorityId']);
+              if (null !== $priority) {
+                  $task->setPriority($priority);
+              }
+          }
+
+          // Créateur = user courant
+          $task->setCreatedBy($this->getUser());
+
+          $this->em->persist($task);
+
+          // Lien mail ↔ tâche
+          $link = new TaskMailLink();
+          $link->setTask($task);
+          $link->setMailMessage($message);
+          $link->setLinkedAt(new DateTimeImmutable());
+          $link->setLinkedBy($this->getUser());
+          $this->em->persist($link);
+
+          $this->em->flush();
+
+          return $this->json([
+              'taskId'     => $task->getId(),
+              'taskNumber' => $task->getNumber(),
+              'taskTitle'  => $task->getTitle(),
+              'messageId'  => $message->getId(),
+          ], 201);
+      }
+  }
+  ```
+
+  > **Note importante :** `Task::setNumber()`, `Task::setCreatedAt()`, `Task::setCreatedBy()`, etc. : vérifier les setters réels de l'entité `Task` avant de coder. Si des champs obligatoires manquent (ex. `status`), injecter le repository correspondant et récupérer le statut par défaut ("À faire" ou premier statut du projet). Adapter selon la structure réelle de `Task`.
+
+  > **`TaskRepository::findMaxNumberForProject`** : vérifier si cette méthode existe. Sinon la créer :
+  > ```php
+  > public function findMaxNumberForProject(Project $project): int
+  > {
+  >     $result = $this->createQueryBuilder('t')
+  >         ->select('MAX(t.number)')
+  >         ->andWhere('t.project = :project')
+  >         ->setParameter('project', $project)
+  >         ->getQuery()
+  >         ->getSingleScalarResult();
+  >     return (int) ($result ?? 0);
+  > }
+  > ```
+
+- [ ] **Step 3 : Vérifier la syntaxe et adapter les setters Task**
+
+  ```bash
+  # Vérifier les champs obligatoires de Task
+  docker exec php-lesstime-fpm php bin/console doctrine:mapping:info 2>&1 | grep Task
+  cat src/Entity/Task.php | grep 'private\|public' | head -40
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailCreateTaskController.php
+  ```
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailCreateTaskController.php src/Repository/TaskRepository.php
+  git commit -m "feat(mail) : MailCreateTaskController — POST /api/mail/messages/{id}/create-task"
+  ```
+
+---
+
+### Task 10 : Custom controllers `MailLinkTaskController` + `MailUnlinkTaskController` + `TaskMailsListController`
+
+Trois endpoints liés à la gestion des liens mail ↔ tâche :
+- `POST /api/mail/messages/{id}/link-task` (body `{ "taskId": 1 }`)
+- `DELETE /api/mail/messages/{id}/link-task/{taskId}`
+- `GET /api/tasks/{id}/mails`
+
+- [ ] **Step 1 : Créer `src/Controller/Mail/MailLinkTaskController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Entity\Task;
+  use App\Entity\TaskMailLink;
+  use App\Repository\MailMessageRepository;
+  use App\Repository\TaskMailLinkRepository;
+  use App\Security\MailAccessChecker;
+  use DateTimeImmutable;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}/link-task', name: 'mail_link_task', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailLinkTaskController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly TaskMailLinkRepository $linkRepository,
+          private readonly EntityManagerInterface $em,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(Request $request, int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          $body   = json_decode($request->getContent(), true);
+          $taskId = $body['taskId'] ?? null;
+
+          if (null === $taskId) {
+              throw new UnprocessableEntityHttpException('taskId is required');
+          }
+
+          $task = $this->em->getRepository(Task::class)->find($taskId);
+          if (null === $task) {
+              throw new NotFoundHttpException('Task not found');
+          }
+
+          // Éviter le doublon (contrainte unique en BDD, mais prévenir le 500)
+          $existing = $this->linkRepository->findByTaskAndMessage($task, $message);
+          if (null !== $existing) {
+              return $this->json(['message' => 'Already linked'], 200);
+          }
+
+          $link = new TaskMailLink();
+          $link->setTask($task);
+          $link->setMailMessage($message);
+          $link->setLinkedAt(new DateTimeImmutable());
+          $link->setLinkedBy($this->getUser());
+          $this->em->persist($link);
+          $this->em->flush();
+
+          return $this->json(['linkId' => $link->getId(), 'taskId' => $task->getId(), 'messageId' => $message->getId()], 201);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailUnlinkTaskController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Entity\Task;
+  use App\Repository\MailMessageRepository;
+  use App\Repository\TaskMailLinkRepository;
+  use App\Security\MailAccessChecker;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Response;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/messages/{id}/link-task/{taskId}', name: 'mail_unlink_task', methods: ['DELETE'], priority: 1, requirements: ['id' => '\d+', 'taskId' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailUnlinkTaskController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly TaskMailLinkRepository $linkRepository,
+          private readonly EntityManagerInterface $em,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(int $id, int $taskId): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $message = $this->messageRepository->find($id);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          $task = $this->em->getRepository(Task::class)->find($taskId);
+          if (null === $task) {
+              throw new NotFoundHttpException('Task not found');
+          }
+
+          $link = $this->linkRepository->findByTaskAndMessage($task, $message);
+          if (null === $link) {
+              throw new NotFoundHttpException('Link not found');
+          }
+
+          $this->em->remove($link);
+          $this->em->flush();
+
+          return $this->json(null, Response::HTTP_NO_CONTENT);
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Créer `src/Controller/Mail/TaskMailsListController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Entity\Task;
+  use App\Repository\TaskMailLinkRepository;
+  use App\Security\MailAccessChecker;
+  use Doctrine\ORM\EntityManagerInterface;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/tasks/{id}/mails', name: 'task_mails_list', methods: ['GET'], priority: 1, requirements: ['id' => '\d+'])]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class TaskMailsListController extends AbstractController
+  {
+      public function __construct(
+          private readonly EntityManagerInterface $em,
+          private readonly TaskMailLinkRepository $linkRepository,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(int $id): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          $task = $this->em->getRepository(Task::class)->find($id);
+          if (null === $task) {
+              throw new NotFoundHttpException('Task not found');
+          }
+
+          $links = $this->linkRepository->findByTask($task);
+
+          $data = array_map(static fn ($link) => [
+              'id'          => $link->getMailMessage()->getId(),
+              'messageId'   => $link->getMailMessage()->getMessageId(),
+              'subject'     => $link->getMailMessage()->getSubject(),
+              'fromAddress' => $link->getMailMessage()->getFromAddress(),
+              'fromName'    => $link->getMailMessage()->getFromName(),
+              'sentAt'      => $link->getMailMessage()->getSentAt()->format(\DateTimeInterface::ATOM),
+              'isRead'      => $link->getMailMessage()->isRead(),
+              'isFlagged'   => $link->getMailMessage()->isFlagged(),
+              'snippet'     => $link->getMailMessage()->getSnippet(),
+              'linkedAt'    => $link->getLinkedAt()->format(\DateTimeInterface::ATOM),
+          ], $links);
+
+          return $this->json($data);
+      }
+  }
+  ```
+
+- [ ] **Step 4 : Créer le test fonctionnel pour l'intégration tâches**
+
+  Créer `tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php` :
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Controller\Mail;
+
+  use App\Entity\User;
+  use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+  class MailTaskIntegrationControllerTest extends WebTestCase
+  {
+      public function testLinkTaskReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('POST', '/api/mail/messages/1/link-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['taskId' => 1]));
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testLinkTaskReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('POST', '/api/mail/messages/1/link-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['taskId' => 1]));
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testUnlinkTaskReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('DELETE', '/api/mail/messages/1/link-task/1');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testTaskMailsListReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('GET', '/api/tasks/1/mails');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testTaskMailsListReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('GET', '/api/tasks/1/mails');
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testCreateTaskReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('POST', '/api/mail/messages/1/create-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['projectId' => 1]));
+
+          self::assertResponseStatusCodeSame(401);
+      }
+  }
+  ```
+
+- [ ] **Step 5 : Vérifier la syntaxe des 3 controllers**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailLinkTaskController.php
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailUnlinkTaskController.php
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/TaskMailsListController.php
+  make cache-clear
+  ```
+
+- [ ] **Step 6 : Relancer les tests**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php 2>&1 | tail -15
+  ```
+
+- [ ] **Step 7 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailLinkTaskController.php src/Controller/Mail/MailUnlinkTaskController.php src/Controller/Mail/TaskMailsListController.php tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
+  git commit -m "feat(mail) : MailLinkTask + MailUnlinkTask + TaskMailsList controllers"
+  ```
+
+---
+
+### Task 11 : Custom controller `MailAttachmentDownloadController`
+
+Endpoint : `GET /api/mail/attachments/{downloadId}` où `downloadId` est un `base64url(messageDbId:partNumber)`. Fetch via `ImapMailProvider::fetchAttachment()`, stream avec `Content-Disposition: attachment` (jamais inline). Force le `Content-Type` exact.
+
+- [ ] **Step 1 : Créer `src/Controller/Mail/MailAttachmentDownloadController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Mail\Exception\MailProviderException;
+  use App\Mail\MailProviderInterface;
+  use App\Repository\MailMessageRepository;
+  use App\Security\MailAccessChecker;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\Response;
+  use Symfony\Component\HttpFoundation\StreamedResponse;
+  use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+  use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/attachments/{downloadId}', name: 'mail_attachment_download', methods: ['GET'], priority: 1)]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailAttachmentDownloadController extends AbstractController
+  {
+      public function __construct(
+          private readonly MailMessageRepository $messageRepository,
+          private readonly MailProviderInterface $mailProvider,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(string $downloadId): Response
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          // Décoder le downloadId : base64url(messageDbId:partNumber)
+          $decoded = base64_decode(strtr($downloadId, '-_', '+/'), true);
+          if (false === $decoded || !str_contains($decoded, ':')) {
+              throw new BadRequestHttpException('Invalid attachment ID format');
+          }
+
+          [$messageDbIdStr, $partNumber] = explode(':', $decoded, 2);
+          $messageDbId = (int) $messageDbIdStr;
+
+          $message = $this->messageRepository->find($messageDbId);
+          if (null === $message) {
+              throw new NotFoundHttpException('Message not found');
+          }
+
+          // Trouver les métadonnées de l'attachment dans le detail (via cache ou live)
+          // Pour l'instant, fetch live (le cache body sera utilisé si disponible)
+          try {
+              $detail = $this->mailProvider->fetchMessage(
+                  $message->getFolder()->getPath(),
+                  $message->getUid()
+              );
+          } catch (MailProviderException) {
+              throw new NotFoundHttpException('Could not fetch message from IMAP server');
+          }
+
+          // Trouver le bon attachment par partNumber
+          $targetAttachment = null;
+          foreach ($detail->attachments as $att) {
+              if ($att->partNumber === $partNumber) {
+                  $targetAttachment = $att;
+                  break;
+              }
+          }
+
+          if (null === $targetAttachment) {
+              throw new NotFoundHttpException(sprintf('Attachment part "%s" not found', $partNumber));
+          }
+
+          // Fetch le contenu binaire
+          try {
+              $content = $this->mailProvider->fetchAttachment(
+                  $message->getFolder()->getPath(),
+                  $message->getUid(),
+                  $partNumber
+              );
+          } catch (MailProviderException) {
+              throw new NotFoundHttpException('Could not fetch attachment content');
+          }
+
+          // Sanitiser le nom de fichier (éviter path traversal)
+          $filename = basename($targetAttachment->filename);
+          if ('' === $filename || '.' === $filename) {
+              $filename = 'attachment';
+          }
+
+          // Toujours Content-Disposition: attachment (jamais inline — risque XSS via HTML attachments)
+          $response = new Response($content);
+          $response->headers->set('Content-Type', $targetAttachment->mimeType);
+          $response->headers->set(
+              'Content-Disposition',
+              sprintf('attachment; filename="%s"', addslashes($filename))
+          );
+          $response->headers->set('Content-Length', (string) strlen($content));
+          $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+          return $response;
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailAttachmentDownloadController.php
+  ```
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailAttachmentDownloadController.php
+  git commit -m "feat(mail) : MailAttachmentDownloadController — GET /api/mail/attachments/{id} (stream, disposition: attachment)"
+  ```
+
+---
+
+### Task 12 : Message + Handler Symfony Messenger `MailSyncRequested`
+
+Crée le message `MailSyncRequested` et son handler, configure `messenger.yaml` (transport async), puis crée le controller trigger.
+
+- [ ] **Step 1 : Créer `src/Message/MailSyncRequested.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Message;
+
+  final readonly class MailSyncRequested
+  {
+      public function __construct(
+          /** Optionnel : si null, sync tous les dossiers. Sinon, sync uniquement ce dossier. */
+          public ?string $folderPath = null,
+      ) {}
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/MessageHandler/MailSyncRequestedHandler.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\MessageHandler;
+
+  use App\Message\MailSyncRequested;
+  use App\Repository\MailFolderRepository;
+  use App\Service\MailSyncService;
+  use Psr\Log\LoggerInterface;
+  use Symfony\Component\Messenger\Attribute\AsMessageHandler;
+  use Throwable;
+
+  #[AsMessageHandler]
+  final readonly class MailSyncRequestedHandler
+  {
+      public function __construct(
+          private MailSyncService $mailSyncService,
+          private MailFolderRepository $folderRepository,
+          private LoggerInterface $logger,
+      ) {}
+
+      public function __invoke(MailSyncRequested $message): void
+      {
+          try {
+              if (null !== $message->folderPath) {
+                  $folder = $this->folderRepository->findByPath($message->folderPath);
+                  if (null !== $folder) {
+                      $report = $this->mailSyncService->syncFolder($folder);
+                      $this->logger->info(sprintf(
+                          'MailSyncRequested handled for folder "%s": %d created, %d updated, %d deleted',
+                          $message->folderPath,
+                          $report->createdCount,
+                          $report->updatedCount,
+                          $report->deletedCount,
+                      ));
+                  } else {
+                      $this->logger->warning(sprintf('MailSyncRequested: folder "%s" not found in DB', $message->folderPath));
+                  }
+              } else {
+                  $report = $this->mailSyncService->syncAll();
+                  $this->logger->info(sprintf(
+                      'MailSyncRequested handled (all folders): %d created, %d updated, %d deleted, %d folders scanned',
+                      $report->createdCount,
+                      $report->updatedCount,
+                      $report->deletedCount,
+                      $report->foldersScanned,
+                  ));
+              }
+          } catch (Throwable $e) {
+              $this->logger->error('MailSyncRequestedHandler failed: '.$e->getMessage());
+              // Ne pas throw — éviter la retry infinie en cas d'erreur IMAP permanente
+          }
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Créer `config/packages/messenger.yaml`**
+
+  ```yaml
+  framework:
+      messenger:
+          # Failure transport : messages en échec stockés pour retry manuel
+          failure_transport: failed
+
+          transports:
+              # Transport synchrone (défaut pour les messages non routés)
+              sync:
+                  dsn: 'sync://'
+
+              # Transport async via Doctrine (DBAL)
+              async:
+                  dsn: 'doctrine://default?auto_setup=0'
+                  options:
+                      queue_name: default
+                  retry_strategy:
+                      max_retries: 3
+                      delay: 1000
+                      multiplier: 2
+                      max_delay: 0
+
+              # Transport pour les messages en échec
+              failed:
+                  dsn: 'doctrine://default?queue_name=failed&auto_setup=0'
+
+          routing:
+              # MailSyncRequested est dispatché en async pour retour 202 immédiat
+              'App\Message\MailSyncRequested': async
+  ```
+
+  > Note : `auto_setup=0` signifie que la table `messenger_messages` doit être créée manuellement (via `php bin/console messenger:setup-transports`). Appeler cette commande en Task suivante. Si le projet n'a pas encore de table Messenger, utiliser `auto_setup=true` pour le développement.
+
+- [ ] **Step 4 : Setup des transports Messenger**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console messenger:setup-transports
+  ```
+
+  Attendu : table `messenger_messages` créée en BDD.
+
+  > Si erreur "table déjà existante" → déjà configuré, ignorer.
+
+- [ ] **Step 5 : Vérifier la syntaxe**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Message/MailSyncRequested.php
+  docker exec php-lesstime-fpm php -l src/MessageHandler/MailSyncRequestedHandler.php
+  make cache-clear
+  ```
+
+- [ ] **Step 6 : Vérifier que le handler est enregistré**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:messenger 2>&1 | grep Mail
+  ```
+
+  Attendu : `App\Message\MailSyncRequested` → `App\MessageHandler\MailSyncRequestedHandler`.
+
+- [ ] **Step 7 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Message/MailSyncRequested.php src/MessageHandler/MailSyncRequestedHandler.php config/packages/messenger.yaml
+  git commit -m "feat(mail) : MailSyncRequested message + handler + messenger.yaml transport async Doctrine"
+  ```
+
+---
+
+### Task 13 : Custom controller `MailSyncTriggerController`
+
+Endpoint : `POST /api/mail/sync`. Dispatch `MailSyncRequested` au bus Messenger, retourne `202 Accepted` immédiat.
+
+- [ ] **Step 1 : Créer `tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Tests\Functional\Controller\Mail;
+
+  use App\Entity\User;
+  use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+  class MailSyncTriggerControllerTest extends WebTestCase
+  {
+      public function testSyncTriggerReturns401WhenNotAuthenticated(): void
+      {
+          $client = static::createClient();
+          $client->request('POST', '/api/mail/sync');
+
+          self::assertResponseStatusCodeSame(401);
+      }
+
+      public function testSyncTriggerReturns403ForRoleClient(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+          $client->loginUser($clientUser);
+          $client->request('POST', '/api/mail/sync');
+
+          self::assertResponseStatusCodeSame(403);
+      }
+
+      public function testSyncTriggerReturns202ForRoleUser(): void
+      {
+          $client    = static::createClient();
+          $container = static::getContainer();
+          $em        = $container->get('doctrine.orm.entity_manager');
+
+          $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+          $client->loginUser($user);
+          $client->request('POST', '/api/mail/sync');
+
+          // 202 Accepted : le message est dispatché, la sync se fait en async
+          self::assertResponseStatusCodeSame(202);
+          $data = json_decode($client->getResponse()->getContent(), true);
+          self::assertArrayHasKey('message', $data);
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Créer `src/Controller/Mail/MailSyncTriggerController.php`**
+
+  ```php
+  <?php
+
+  declare(strict_types=1);
+
+  namespace App\Controller\Mail;
+
+  use App\Message\MailSyncRequested;
+  use App\Security\MailAccessChecker;
+  use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+  use Symfony\Component\HttpFoundation\JsonResponse;
+  use Symfony\Component\HttpFoundation\Request;
+  use Symfony\Component\HttpFoundation\Response;
+  use Symfony\Component\Messenger\MessageBusInterface;
+  use Symfony\Component\Routing\Attribute\Route;
+  use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+  #[Route('/api/mail/sync', name: 'mail_sync_trigger', methods: ['POST'], priority: 1)]
+  #[IsGranted('IS_AUTHENTICATED_FULLY')]
+  class MailSyncTriggerController extends AbstractController
+  {
+      public function __construct(
+          private readonly MessageBusInterface $bus,
+          private readonly MailAccessChecker $accessChecker,
+      ) {}
+
+      public function __invoke(Request $request): JsonResponse
+      {
+          $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+          // Optionnel : folder spécifique via body JSON
+          $body       = json_decode($request->getContent(), true) ?? [];
+          $folderPath = $body['folderPath'] ?? null;
+
+          $this->bus->dispatch(new MailSyncRequested($folderPath));
+
+          return $this->json(
+              ['message' => 'Synchronisation démarrée en arrière-plan'],
+              Response::HTTP_ACCEPTED // 202
+          );
+      }
+  }
+  ```
+
+- [ ] **Step 3 : Vérifier la syntaxe et la route**
+
+  ```bash
+  docker exec php-lesstime-fpm php -l src/Controller/Mail/MailSyncTriggerController.php
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:router | grep mail_sync_trigger
+  ```
+
+- [ ] **Step 4 : Relancer les tests**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/phpunit tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php 2>&1 | tail -15
+  ```
+
+  Attendu : les trois tests passent (401, 403, 202).
+
+  > Note : en environnement de test, Symfony Messenger utilise le transport `sync://` par défaut (via la config `when@test`). Le message sera traité synchronement — c'est attendu et correct pour les tests fonctionnels. Ajouter dans `config/packages/test/messenger.yaml` si nécessaire :
+  >
+  > ```yaml
+  > framework:
+  >     messenger:
+  >         transports:
+  >             async:
+  >                 dsn: 'in-memory://'
+  > ```
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  git add src/Controller/Mail/MailSyncTriggerController.php tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
+  git commit -m "feat(mail) : MailSyncTriggerController — POST /api/mail/sync (202 + Messenger async)"
+  ```
+
+---
+
+### Task 14 : Sécurité globale — `security.yaml` + access_control
+
+Ajouter les règles `access_control` dans `config/packages/security.yaml` pour que `^/api/mail` requiert `IS_AUTHENTICATED_FULLY` au niveau firewall (en plus des checks explicites dans les controllers). La route admin config requiert `ROLE_ADMIN` (géré via API Platform `security: "is_granted('ROLE_ADMIN')"`).
+
+- [ ] **Step 1 : Modifier `config/packages/security.yaml`**
+
+  Ouvrir `config/packages/security.yaml` et localiser le bloc `access_control`. Ajouter les lignes mail **avant** la règle générique `^/api` :
+
+  ```yaml
+      access_control:
+          - { path: ^/login_check, roles: PUBLIC_ACCESS }
+          - { path: ^/api/docs, roles: PUBLIC_ACCESS }
+          # Version de l'application en public
+          - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
+          - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
+          - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
+          # Mail : requiert authentification (les checks ROLE_USER/ROLE_CLIENT sont dans MailAccessChecker)
+          - { path: ^/api/mail, roles: IS_AUTHENTICATED_FULLY }
+          - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
+  ```
+
+  > Note : La règle `^/api/mail` avec `IS_AUTHENTICATED_FULLY` bloque les requêtes non authentifiées avant même d'atteindre les controllers. Les vérifications fines ROLE_USER vs ROLE_CLIENT sont faites dans `MailAccessChecker` injecté dans chaque controller.
+
+- [ ] **Step 2 : Vider le cache et vérifier**
+
+  ```bash
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:config security access_control 2>&1 | head -20
+  ```
+
+  Attendu : règle `^/api/mail` visible.
+
+- [ ] **Step 3 : Test rapide 401 sans auth**
+
+  ```bash
+  curl -s -o /dev/null -w "%{http_code}" http://localhost:8082/api/mail/folders
+  ```
+
+  Attendu : `401`.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  git add config/packages/security.yaml
+  git commit -m "feat(mail) : security.yaml — access_control ^/api/mail (IS_AUTHENTICATED_FULLY)"
+  ```
+
+---
+
+### Task 15 : Validation finale + tests complets
+
+- [ ] **Step 1 : Lancer la suite de tests complète**
+
+  ```bash
+  make test
+  ```
+
+  Attendu : tous les tests passent, y compris :
+  - Phase 1 : `MailConfigurationRepositoryTest` (2 tests)
+  - Phase 2 : `MailSyncReportTest`, `ImapMailProviderTest`, `MailSyncServiceTest`, `MailSyncCommandTest` (10 tests)
+  - Phase 3 : `MailSettingsControllerTest`, `MailFoldersControllerTest`, `MailMessagesControllerTest`, `MailTaskIntegrationControllerTest`, `MailSyncTriggerControllerTest`
+
+- [ ] **Step 2 : PHP CS Fixer sur tous les fichiers modifiés**
+
+  ```bash
+  make php-cs-fixer-allow-risky
+  ```
+
+  Si des fichiers sont modifiés :
+
+  ```bash
+  git add -p
+  git commit -m "style(mail) : php-cs-fixer pass phase 3"
+  ```
+
+- [ ] **Step 3 : Vider le cache et vérifier le container**
+
+  ```bash
+  make cache-clear
+  docker exec php-lesstime-fpm php bin/console debug:container 2>&1 | grep -i "mail" | head -20
+  ```
+
+  Attendu : `MailAccessChecker`, `MailSettingsProvider`, `MailSettingsProcessor`, tous les controllers Mail visibles.
+
+- [ ] **Step 4 : Vérifier les routes enregistrées**
+
+  ```bash
+  docker exec php-lesstime-fpm php bin/console debug:router | grep -E "mail|task_mails"
+  ```
+
+  Attendu (routes minimum) :
+
+  | Route name | Method | Path |
+  |---|---|---|
+  | `mail_configuration_test` | POST | `/api/mail/configuration/test` |
+  | `mail_folders_list` | GET | `/api/mail/folders` |
+  | `mail_messages_list` | GET | `/api/mail/folders/{folderPath}/messages` |
+  | `mail_message_detail` | GET | `/api/mail/messages/{id}` |
+  | `mail_message_read` | POST | `/api/mail/messages/{id}/read` |
+  | `mail_message_flag` | POST | `/api/mail/messages/{id}/flag` |
+  | `mail_create_task` | POST | `/api/mail/messages/{id}/create-task` |
+  | `mail_link_task` | POST | `/api/mail/messages/{id}/link-task` |
+  | `mail_unlink_task` | DELETE | `/api/mail/messages/{id}/link-task/{taskId}` |
+  | `task_mails_list` | GET | `/api/tasks/{id}/mails` |
+  | `mail_attachment_download` | GET | `/api/mail/attachments/{downloadId}` |
+  | `mail_sync_trigger` | POST | `/api/mail/sync` |
+
+  + Les routes API Platform pour `MailSettings` :
+  - `GET /api/mail/configuration`
+  - `PATCH /api/mail/configuration`
+
+- [ ] **Step 5 : Smoke test curl avec token admin**
+
+  ```bash
+  # Test 401 sans auth
+  curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8082/api/mail/folders
+  # Attendu : 401
+
+  # Test avec JWT (récupérer le cookie après login)
+  curl -s -c /tmp/cookies.txt -X POST http://localhost:8082/login_check \
+    -H "Content-Type: application/json" \
+    -d '{"username":"admin","password":"admin"}' | jq .
+
+  curl -s -b /tmp/cookies.txt http://localhost:8082/api/mail/configuration | jq .
+  # Attendu : JSON avec hasPassword, imapHost, etc. — pas de "password" en clair
+
+  curl -s -b /tmp/cookies.txt http://localhost:8082/api/mail/folders | jq .
+  # Attendu : [] (aucun dossier en fixtures — normal)
+
+  curl -s -b /tmp/cookies.txt -X POST http://localhost:8082/api/mail/sync | jq .
+  # Attendu : 202 + { "message": "Synchronisation démarrée en arrière-plan" }
+  ```
+
+- [ ] **Step 6 : Résumé des commits de la phase**
+
+  ```bash
+  git log --oneline feat/mail-integration ^develop | head -30
+  ```
+
+  Commits attendus (en plus de ceux des phases 1 et 2) :
+
+  1. `feat(mail) : MailSettings ApiResource singleton (GET/PATCH /api/mail/configuration)`
+  2. `feat(mail) : MailTestConnectionController — POST /api/mail/configuration/test`
+  3. `feat(mail) : MailAccessChecker — vérification accès mail ROLE_USER/ROLE_ADMIN (refus ROLE_CLIENT pur)`
+  4. `feat(mail) : MailFoldersListController — GET /api/mail/folders (arbre BDD + unreadCount)`
+  5. `feat(mail) : MailMessagesListController — GET /api/mail/folders/{path}/messages (pagination cursor)`
+  6. `feat(mail) : MailMessageDetailController — GET /api/mail/messages/{id} (live IMAP + cache 5 min)`
+  7. `feat(mail) : MailMessageReadController + MailMessageFlagController — POST .../read et .../flag`
+  8. `feat(mail) : MailCreateTaskController — POST /api/mail/messages/{id}/create-task`
+  9. `feat(mail) : MailLinkTask + MailUnlinkTask + TaskMailsList controllers`
+  10. `feat(mail) : MailAttachmentDownloadController — GET /api/mail/attachments/{id} (stream, disposition: attachment)`
+  11. `feat(mail) : MailSyncRequested message + handler + messenger.yaml transport async Doctrine`
+  12. `feat(mail) : MailSyncTriggerController — POST /api/mail/sync (202 + Messenger async)`
+  13. `feat(mail) : security.yaml — access_control ^/api/mail (IS_AUTHENTICATED_FULLY)`
+
+- [ ] **Step 7 : Pousser la branche et notifier le user**
+
+  ```bash
+  git push origin feat/mail-integration
+  ```
+
+  Rapport final au user :
+  - Fichiers créés : 26 nouveaux fichiers
+  - Fichiers modifiés : 3 (`MailMessageRepository`, `TaskRepository`, `security.yaml`)
+  - Endpoints exposés : 14 (2 API Platform + 12 custom controllers)
+  - Tests ajoutés : 5 fichiers de tests fonctionnels
+  - Dépendances ajoutées : aucune (Messenger et Cache déjà dans Symfony 8.0)
+  - Prêt pour Phase 4 : Frontend services + Pinia store
+
+---
+
+### Exigences techniques — Rappels
+
+- **Sécurité** : `#[IsGranted('IS_AUTHENTICATED_FULLY')]` sur tous les controllers + `MailAccessChecker::ensureCanAccessMail()` au début de chaque action ROLE_USER + `ensureIsAdmin()` pour config. Voir spec complète ci-dessous.
+- **Password** : jamais retourné en clair, même pour admin. Réponse GET config : `{ ..., hasPassword: true|false }`. PATCH avec password vide ou null = pas de changement.
+- **Format réponses** : JSON, codes HTTP corrects (200, 201, 202, 204, 401, 403, 404, 422).
+- **Strict types** : `declare(strict_types=1);` en tête de chaque fichier PHP.
+- **Format commit** : `feat(mail) : <message>` (espace avant `:`)
+- **Custom controllers** : `#[Route(path: '/api/mail/...', methods: ['...'], priority: 1)]` — obligatoire pour éviter conflit API Platform.
+- **Cache key** : `mail_body_{md5($messageId)}` — md5 sanitise les caractères spéciaux du Message-ID.
+- **Messenger** : bus `messenger.bus.default` (injectable via `MessageBusInterface`). Transport `async` via `doctrine://default`. Setup : `php bin/console messenger:setup-transports`.
+- **TaskService** : si `TaskNumberProcessor` existe uniquement en tant que `State/Processor` API Platform (non-injectable), créer la Task directement avec persist+flush + `findMaxNumberForProject`. Vérifier les champs obligatoires de `Task` avant de coder.
+- **Tests** : étendre `WebTestCase` + `$client->loginUser($user)` + mocker `MailProviderInterface` via `static::getContainer()->set()` pour les tests qui touchent IMAP en live.
+- **Logs** : OK de logger les actions (user → action → message-id), **JAMAIS** body/password/attachments.
+
+### Spec sécurité explicite `MailAccessChecker`
+
+```php
+// src/Security/MailAccessChecker.php
+public function ensureCanAccessMail(?UserInterface $user): void
+{
+    if (!$user instanceof User) {
+        throw new AccessDeniedException('Authentication required');
+    }
+    $roles = $user->getRoles();
+    if (in_array('ROLE_CLIENT', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+        throw new AccessDeniedException('Mail not accessible to clients');
+    }
+    if (!in_array('ROLE_USER', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+        throw new AccessDeniedException('ROLE_USER required');
+    }
+}
+
+public function ensureIsAdmin(?UserInterface $user): void
+{
+    if (!$user instanceof User || !in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+        throw new AccessDeniedException('Admin only');
+    }
+}
+```
+
+### Spec body cache
+
+```php
+// Dans MailMessageDetailController
+$cacheKey = 'mail_body_' . md5($message->getMessageId());
+$item = $this->cache->getItem($cacheKey);
+if (!$item->isHit()) {
+    $detail = $this->mailProvider->fetchMessage($folderPath, $uid);
+    $item->set($detail);
+    $item->expiresAfter(300); // 5 min
+    $this->cache->save($item);
+}
+$detail = $item->get();
+```
+
+Pool : `cache.app` (injecté via `CacheItemPoolInterface` — Symfony le résout automatiquement).
+
+---
+
+### Self-Review
+
+#### Table de correspondance endpoints / controllers
+
+| Endpoint | Controller / Resource | Sécurité |
+|---|---|---|
+| `GET /api/mail/configuration` | `MailSettings` ApiResource (Provider) | `ROLE_ADMIN` |
+| `PATCH /api/mail/configuration` | `MailSettings` ApiResource (Processor) | `ROLE_ADMIN` |
+| `POST /api/mail/configuration/test` | `MailTestConnectionController` | `ROLE_ADMIN` |
+| `GET /api/mail/folders` | `MailFoldersListController` | `MailAccessChecker` (ROLE_USER/ADMIN, pas CLIENT) |
+| `GET /api/mail/folders/{path}/messages` | `MailMessagesListController` | idem |
+| `GET /api/mail/messages/{id}` | `MailMessageDetailController` | idem |
+| `POST /api/mail/messages/{id}/read` | `MailMessageReadController` | idem |
+| `POST /api/mail/messages/{id}/flag` | `MailMessageFlagController` | idem |
+| `POST /api/mail/messages/{id}/create-task` | `MailCreateTaskController` | idem |
+| `POST /api/mail/messages/{id}/link-task` | `MailLinkTaskController` | idem |
+| `DELETE /api/mail/messages/{id}/link-task/{taskId}` | `MailUnlinkTaskController` | idem |
+| `GET /api/tasks/{id}/mails` | `TaskMailsListController` | idem |
+| `GET /api/mail/attachments/{downloadId}` | `MailAttachmentDownloadController` | idem |
+| `POST /api/mail/sync` | `MailSyncTriggerController` | idem |
+
+#### Checklist finale avant de valider Phase 3
+
+- [ ] `declare(strict_types=1);` présent en tête de chaque fichier PHP créé
+- [ ] Tous les custom controllers ont `priority: 1` sur leur `#[Route]`
+- [ ] `MailAccessChecker` injecté et appelé dans chaque controller "métier" (hors admin)
+- [ ] `password` jamais sérialisé en sortie (groupe `mail_settings:read` ne contient pas `password`)
+- [ ] `hasPassword` retourné en lecture (bool uniquement)
+- [ ] Cache key utilise `md5()` pour sanitiser le `messageId` (peut contenir `<>`, `@`, espaces)
+- [ ] `Content-Disposition: attachment` systématique pour `MailAttachmentDownloadController` (jamais inline)
+- [ ] `X-Content-Type-Options: nosniff` sur les réponses d'attachments
+- [ ] Messenger configuré : transport `async` → `doctrine://default`, `MailSyncRequested` routé vers `async`
+- [ ] `php bin/console messenger:setup-transports` exécuté (table `messenger_messages` créée)
+- [ ] `security.yaml` : règle `^/api/mail` avec `IS_AUTHENTICATED_FULLY` ajoutée AVANT `^/api`
+- [ ] ROLE_CLIENT refusé sur 100% des endpoints mail (test 403 présent dans chaque test file)
+- [ ] Aucun body/password/attachment loggé dans les controllers ou handlers
+- [ ] `make test` vert
+- [ ] Smoke tests curl OK (401 sans auth, JSON correct avec admin, 202 sync trigger)
+- [ ] Phase 3 NE contient PAS de frontend — tout ça = Phase 4+
+- [ ] Branche de travail : `feat/mail-integration` (pas `develop`)
+
+#### Remise à la review humaine
+
+Une fois tous les steps cochés, pousser la branche et notifier le user :
+
+```bash
+git push origin feat/mail-integration
+```
+
+Indiquer au user :
+- Endpoints créés : 14 (2 API Platform singleton + 12 custom controllers)
+- Fichiers créés : 26
+- Fichiers modifiés : 3
+- Tests fonctionnels ajoutés : 5 fichiers (~20 assertions)
+- Dépendances ajoutées : aucune (Messenger + Cache inclus dans Symfony 8.0)
+- Prêt pour Phase 4 : Frontend services + Pinia store + DOMPurify
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase4-frontend-services.md b/docs/superpowers/plans/2026-05-19-mail-phase4-frontend-services.md
new file mode 100644
index 0000000..2537255
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase4-frontend-services.md
@@ -0,0 +1,1107 @@
+# Mail Integration — Phase 4 : Frontend Services + Store
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Mettre en place toute la couche frontend non-visuelle (types TS, service API, store Pinia, helper sanitization HTML) avant d'attaquer les composants UI en Phase 5.
+
+**Architecture:** `services/mail.ts` wrappe `useApi()` (pattern Lesstime), `stores/mail.ts` gère state global + polling unread 30s via `setInterval` natif (pas de VueUse — non installé dans le projet), `utils/sanitizeMailHtml.ts` applique DOMPurify avec config bloquante (scripts/iframes/on*/javascript:) + remplacement images distantes par placeholder anti-tracking.
+
+**Tech Stack:** Nuxt 4, Vue 3 Composition API, Pinia, TypeScript strict, DOMPurify.
+
+**Branche cible :** `feat/mail-integration` (créée en Phase 1 — vérifier qu'elle est active).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `frontend/services/dto/mail.ts` | Créer |
+| `frontend/services/mail.ts` | Créer |
+| `frontend/stores/mail.ts` | Créer |
+| `frontend/utils/sanitizeMailHtml.ts` | Créer |
+| `frontend/package.json` | Modifier (ajout dompurify + @types/dompurify) |
+
+---
+
+### Task 1 : Vérification de l'environnement + install dompurify
+
+- [ ] **Step 1 : Vérifier la branche active**
+
+  ```bash
+  git branch --show-current
+  ```
+
+  Attendu : `feat/mail-integration`. Si non, basculer :
+
+  ```bash
+  git checkout feat/mail-integration
+  ```
+
+- [ ] **Step 2 : Vérifier que dompurify n'est pas déjà installé**
+
+  ```bash
+  grep -i dompurify /home/r-dev/malio-dev/Lesstime/frontend/package.json
+  ```
+
+  Attendu : aucune ligne. Si déjà présent, passer au Step 4.
+
+- [ ] **Step 3 : Installer dompurify et ses types**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npm install dompurify && npm install -D @types/dompurify
+  ```
+
+  Attendu : `package.json` mis à jour avec `"dompurify"` dans `dependencies` et `"@types/dompurify"` dans `devDependencies`.
+
+- [ ] **Step 4 : Vérifier que dompurify est importable (smoke check)**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && node -e "import('dompurify').then(() => console.log('OK'))"
+  ```
+
+  Ou simplement vérifier la présence dans node_modules :
+
+  ```bash
+  ls /home/r-dev/malio-dev/Lesstime/frontend/node_modules/dompurify/dist/ | head -5
+  ```
+
+  Attendu : fichiers `.js` présents.
+
+- [ ] **Step 5 : Commit**
+
+  ```bash
+  git add frontend/package.json frontend/package-lock.json
+  git commit -m "feat(mail) : install dompurify + types"
+  ```
+
+---
+
+### Task 2 : Types TS — `frontend/services/dto/mail.ts`
+
+Tous les types sont alignés sur les formats de réponses des endpoints Phase 3. Le pattern suit `frontend/services/dto/zimbra.ts` (types simples, pas d'héritage complexe) et `frontend/services/dto/task.ts` (champs optionnels explicites, `| null`).
+
+- [ ] **Step 1 : Créer `frontend/services/dto/mail.ts`**
+
+  ```typescript
+  // Lecture de la configuration mail (singleton admin)
+  export type MailConfigurationDto = {
+      protocol: string | null
+      imapHost: string | null
+      imapPort: number | null
+      imapEncryption: string | null
+      smtpHost: string | null
+      smtpPort: number | null
+      smtpEncryption: string | null
+      username: string | null
+      sentFolderPath: string | null
+      enabled: boolean
+      hasPassword: boolean
+      // password JAMAIS présent dans les réponses GET
+  }
+
+  // Input PATCH configuration (password optionnel, write-only)
+  export type MailConfigurationUpdateDto = {
+      protocol?: string | null
+      imapHost?: string | null
+      imapPort?: number | null
+      imapEncryption?: string | null
+      smtpHost?: string | null
+      smtpPort?: number | null
+      smtpEncryption?: string | null
+      username?: string | null
+      sentFolderPath?: string | null
+      enabled?: boolean
+      password?: string       // write-only, jamais retourné
+  }
+
+  // Résultat du test de connexion
+  export type MailTestConnectionResultDto = {
+      ok: boolean
+      foldersCount?: number
+      error?: string
+  }
+
+  // Dossier mail (peut être imbriqué)
+  export type MailFolderDto = {
+      path: string
+      displayName: string
+      parentPath: string | null
+      unreadCount: number
+      totalCount: number
+      children?: MailFolderDto[]
+  }
+
+  // En-tête d'un message (liste)
+  export type MailMessageHeaderDto = {
+      id: number
+      messageId: string       // identifiant IMAP unique
+      folderPath: string
+      subject: string | null
+      fromName: string | null
+      fromEmail: string | null
+      toRecipients: MailAddressDto[]
+      ccRecipients: MailAddressDto[]
+      sentAt: string | null   // ISO 8601
+      receivedAt: string      // ISO 8601
+      isRead: boolean
+      isFlagged: boolean
+      hasAttachments: boolean
+      linkedTaskIds: number[]
+  }
+
+  // Adresse mail (nom + email)
+  export type MailAddressDto = {
+      name: string | null
+      email: string
+  }
+
+  // Pièce jointe (métadonnées uniquement, téléchargement via downloadId)
+  export type MailAttachmentDto = {
+      downloadId: string
+      filename: string
+      mimeType: string
+      size: number            // octets
+  }
+
+  // Détail complet d'un message (enrichi avec body + PJ)
+  export type MailMessageDetailDto = {
+      header: MailMessageHeaderDto
+      bodyHtml: string | null    // HTML brut — TOUJOURS passer par sanitizeMailHtml() avant affichage
+      bodyText: string | null    // Fallback texte plain
+      attachments: MailAttachmentDto[]
+  }
+
+  // Page de messages paginée (cursor-based)
+  export type MailMessagesPageDto = {
+      items: MailMessageHeaderDto[]
+      nextCursor: string | null   // null = plus de page suivante
+      total: number
+  }
+
+  // Input : marquer lu/non-lu
+  export type MailMessageReadInput = {
+      read: boolean
+  }
+
+  // Input : marquer étoilé/non-étoilé
+  export type MailMessageFlagInput = {
+      flagged: boolean
+  }
+
+  // Input : créer une tâche depuis un mail
+  export type MailCreateTaskInput = {
+      projectId: number
+      taskGroupId?: number | null
+      priority?: string | null
+  }
+
+  // Input : lier une tâche existante à un mail
+  export type MailLinkTaskInput = {
+      taskId: number
+  }
+
+  // Résultat de la sync manuelle
+  export type MailSyncResultDto = {
+      dispatched: boolean
+  }
+  ```
+
+- [ ] **Step 2 : Vérifier la syntaxe TypeScript (smoke)**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "dto/mail" | head -20
+  ```
+
+  Attendu : aucune erreur liée à `dto/mail.ts`.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git add frontend/services/dto/mail.ts
+  git commit -m "feat(mail) : types TS DTOs mail (config, folders, messages, attachments)"
+  ```
+
+---
+
+### Task 3 : Helper sanitization — `frontend/utils/sanitizeMailHtml.ts`
+
+Ce helper est critique pour la sécurité : tout corps HTML de mail doit transiter par cette fonction avant affichage dans le DOM. Il bloque les scripts, iframes, attributs événements, et remplace les images externes par un placeholder anti-tracking.
+
+- [ ] **Step 1 : Créer `frontend/utils/sanitizeMailHtml.ts`**
+
+  ```typescript
+  import DOMPurify from 'dompurify'
+
+  /**
+   * Options de sanitization du corps HTML d'un mail.
+   */
+  export type SanitizeMailHtmlOptions = {
+      /**
+       * Si true, les images distantes (http/https) sont affichées directement.
+       * Par défaut false — les images distantes sont remplacées par un placeholder
+       * cliquable pour éviter le tracking par pixel.
+       */
+      allowImages?: boolean
+  }
+
+  /**
+   * Configuration DOMPurify bloquante pour les corps de mail.
+   * - Bloque les balises dangereuses : script, iframe, object, embed, style, link, meta, form, input
+   * - Bloque les attributs événements (on*) et les URI javascript:
+   * - Autorise les URI data: uniquement pour les images (PNG/JPEG/GIF/WEBP) — images inline CID
+   */
+  const DOMPURIFY_CONFIG: DOMPurify.Config = {
+      FORBID_TAGS: [
+          'script',
+          'iframe',
+          'object',
+          'embed',
+          'style',
+          'link',
+          'meta',
+          'form',
+          'input',
+          'button',
+          'textarea',
+          'select',
+          'base',
+          'applet',
+      ],
+      FORBID_ATTR: [
+          'onerror',
+          'onload',
+          'onclick',
+          'onmouseover',
+          'onmouseout',
+          'onmouseenter',
+          'onmouseleave',
+          'onfocus',
+          'onblur',
+          'onchange',
+          'onsubmit',
+          'onreset',
+          'onkeydown',
+          'onkeyup',
+          'onkeypress',
+          'ondblclick',
+          'oncontextmenu',
+          'onwheel',
+          'ondrag',
+          'ondrop',
+          'oncopy',
+          'oncut',
+          'onpaste',
+          'action',
+          'formaction',
+          'xlink:href',
+      ],
+      ALLOWED_URI_REGEXP: /^(?:https?|mailto|tel|cid|data:image\/(?:png|jpeg|gif|webp)(?:;base64,)?)(?::|$)/i,
+      FORCE_BODY: true,
+      WHOLE_DOCUMENT: false,
+  }
+
+  /**
+   * Remplace les balises <img> avec src http(s):// par un bouton placeholder.
+   * Le src original est stocké en data-mail-image-src pour permettre l'affichage
+   * à la demande de l'utilisateur (Phase 5 — MailMessageViewer).
+   */
+  function replaceRemoteImages(html: string): string {
+      // Utiliser un DOMParser côté client uniquement (SSR-safe : le guard process.client
+      // est géré par l'appelant dans un composant Vue — ce helper ne tourne que client-side)
+      const parser = new DOMParser()
+      const doc = parser.parseFromString(html, 'text/html')
+      const images = doc.querySelectorAll('img')
+
+      images.forEach((img) => {
+          const src = img.getAttribute('src') ?? ''
+          const isRemote = /^https?:\/\//i.test(src)
+          if (!isRemote) return
+
+          // Remplacer par un span cliquable (pas de <button> — DOMPurify le forbid)
+          const placeholder = doc.createElement('span')
+          placeholder.setAttribute('data-mail-image-src', src)
+          placeholder.setAttribute('data-mail-image-placeholder', 'true')
+          placeholder.setAttribute('title', src)
+          placeholder.style.cssText = [
+              'display: inline-flex',
+              'align-items: center',
+              'gap: 4px',
+              'padding: 2px 6px',
+              'border: 1px solid #d1d5db',
+              'border-radius: 4px',
+              'background: #f9fafb',
+              'color: #6b7280',
+              'font-size: 12px',
+              'cursor: pointer',
+              'user-select: none',
+          ].join(';')
+          placeholder.textContent = '[Image distante — cliquer pour afficher]'
+
+          img.replaceWith(placeholder)
+      })
+
+      return doc.body.innerHTML
+  }
+
+  /**
+   * Sanitize le HTML brut d'un corps de mail.
+   *
+   * - Bloque tous les vecteurs XSS connus (scripts, événements inline, iframes…)
+   * - Par défaut, remplace les images distantes par un placeholder anti-tracking
+   * - Utiliser allowImages: true uniquement si l'utilisateur a explicitement cliqué
+   *   "Afficher les images" dans le lecteur de mail
+   *
+   * IMPORTANT : Cette fonction requiert un environnement navigateur (DOMParser, DOMPurify).
+   * Ne pas appeler côté SSR — toujours dans un composant Vue avec `onMounted` ou dans
+   * un computed côté client uniquement (`import.meta.client`).
+   *
+   * @param rawHtml - HTML brut tel que reçu de l'API backend
+   * @param options - Options de sanitization
+   * @returns HTML sanitizé, sûr pour injection via v-html
+   */
+  export function sanitizeMailHtml(
+      rawHtml: string,
+      options: SanitizeMailHtmlOptions = {},
+  ): string {
+      if (!rawHtml || rawHtml.trim() === '') return ''
+
+      // Étape 1 : DOMPurify — supprime tous les vecteurs dangereux
+      const sanitized = DOMPurify.sanitize(rawHtml, DOMPURIFY_CONFIG) as string
+
+      // Étape 2 : Remplacement images distantes (anti-tracking)
+      if (!options.allowImages) {
+          return replaceRemoteImages(sanitized)
+      }
+
+      return sanitized
+  }
+
+  /**
+   * Vérifie si un élément HTML est un placeholder d'image généré par sanitizeMailHtml.
+   * Utile dans MailMessageViewer pour gérer le clic "Afficher l'image".
+   */
+  export function isMailImagePlaceholder(el: HTMLElement): boolean {
+      return el.hasAttribute('data-mail-image-placeholder')
+  }
+
+  /**
+   * Récupère le src original d'un placeholder d'image.
+   */
+  export function getMailImageSrc(el: HTMLElement): string | null {
+      return el.getAttribute('data-mail-image-src')
+  }
+  ```
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "sanitizeMailHtml" | head -10
+  ```
+
+  Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git add frontend/utils/sanitizeMailHtml.ts
+  git commit -m "feat(mail) : helper sanitizeMailHtml — DOMPurify + placeholder images distantes"
+  ```
+
+---
+
+### Task 4 : Service API — `frontend/services/mail.ts`
+
+Le service suit exactement le pattern Lesstime : fonction factory `useMailService()` qui instancie `useApi()` en interne, puis expose des méthodes typées. Calqué sur `services/zimbra.ts` (singleton config) et `services/tasks.ts` (CRUD paginé).
+
+Note sur `downloadAttachment` : utiliser `api.getBlob()` qui retourne `{ data: Blob, headers: Headers }` — méthode déjà disponible dans `useApi()` (voir `composables/useApi.ts`, ligne ~200).
+
+- [ ] **Step 1 : Créer `frontend/services/mail.ts`**
+
+  ```typescript
+  import type {
+      MailConfigurationDto,
+      MailConfigurationUpdateDto,
+      MailTestConnectionResultDto,
+      MailFolderDto,
+      MailMessageHeaderDto,
+      MailMessageDetailDto,
+      MailMessagesPageDto,
+      MailMessageReadInput,
+      MailMessageFlagInput,
+      MailCreateTaskInput,
+      MailLinkTaskInput,
+      MailSyncResultDto,
+  } from './dto/mail'
+  import type { Task } from './dto/task'
+
+  export function useMailService() {
+      const api = useApi()
+
+      // ─── Configuration (Admin) ────────────────────────────────────────────────
+
+      /**
+       * Récupère la configuration mail singleton.
+       * Requiert ROLE_ADMIN — 403 sinon.
+       */
+      async function getConfiguration(): Promise<MailConfigurationDto> {
+          return api.get<MailConfigurationDto>('/mail/configuration')
+      }
+
+      /**
+       * Met à jour la configuration mail (PATCH merge).
+       * Si payload.password est fourni, il sera chiffré côté backend.
+       * Jamais retourné en clair dans la réponse.
+       */
+      async function updateConfiguration(
+          payload: MailConfigurationUpdateDto,
+      ): Promise<MailConfigurationDto> {
+          return api.patch<MailConfigurationDto>(
+              '/mail/configuration',
+              payload as Record<string, unknown>,
+              { toastSuccessKey: 'mail.configuration.saved' },
+          )
+      }
+
+      /**
+       * Teste la connexion IMAP avec la configuration actuelle.
+       * Requiert ROLE_ADMIN.
+       */
+      async function testConfiguration(): Promise<MailTestConnectionResultDto> {
+          return api.post<MailTestConnectionResultDto>('/mail/configuration/test', {})
+      }
+
+      // ─── Dossiers ─────────────────────────────────────────────────────────────
+
+      /**
+       * Liste tous les dossiers mail depuis la base (cache BDD, pas live IMAP).
+       * Retourne une liste plate — la construction de l'arbre est faite dans le store
+       * via le getter `folderTree`.
+       */
+      async function listFolders(): Promise<MailFolderDto[]> {
+          return api.get<MailFolderDto[]>('/mail/folders')
+      }
+
+      // ─── Messages ─────────────────────────────────────────────────────────────
+
+      /**
+       * Liste les messages d'un dossier, paginés par cursor.
+       * @param folderPath - Chemin du dossier (ex: "INBOX", "INBOX.Sent")
+       * @param cursor - Opaque cursor retourné par la page précédente (undefined = première page)
+       * @param limit - Nombre de messages par page (défaut backend : 50)
+       */
+      async function listMessages(
+          folderPath: string,
+          cursor?: string,
+          limit?: number,
+      ): Promise<MailMessagesPageDto> {
+          const query: Record<string, unknown> = { folder: folderPath }
+          if (cursor) query.cursor = cursor
+          if (limit) query.limit = limit
+          return api.get<MailMessagesPageDto>('/mail/messages', query)
+      }
+
+      /**
+       * Récupère le détail complet d'un message (body live IMAP, cached 5 min).
+       * @param id - ID BDD du message (MailMessage.id)
+       */
+      async function getMessage(id: number): Promise<MailMessageDetailDto> {
+          return api.get<MailMessageDetailDto>(`/mail/messages/${id}`)
+      }
+
+      // ─── Actions sur les messages ─────────────────────────────────────────────
+
+      /**
+       * Marque un message comme lu ou non-lu.
+       */
+      async function markRead(id: number, read: boolean): Promise<MailMessageHeaderDto> {
+          const payload: MailMessageReadInput = { read }
+          return api.post<MailMessageHeaderDto>(
+              `/mail/messages/${id}/read`,
+              payload as Record<string, unknown>,
+          )
+      }
+
+      /**
+       * Marque un message comme étoilé ou non-étoilé.
+       */
+      async function markFlagged(id: number, flagged: boolean): Promise<MailMessageHeaderDto> {
+          const payload: MailMessageFlagInput = { flagged }
+          return api.post<MailMessageHeaderDto>(
+              `/mail/messages/${id}/flag`,
+              payload as Record<string, unknown>,
+          )
+      }
+
+      // ─── Intégration tâches ───────────────────────────────────────────────────
+
+      /**
+       * Crée une nouvelle tâche à partir d'un mail (subject → titre, body → description).
+       * @param mailId - ID BDD du message
+       * @param input - Paramètres de la tâche à créer
+       */
+      async function createTaskFromMail(
+          mailId: number,
+          input: MailCreateTaskInput,
+      ): Promise<Task> {
+          return api.post<Task>(
+              `/mail/messages/${mailId}/create-task`,
+              input as Record<string, unknown>,
+              { toastSuccessKey: 'mail.task.created' },
+          )
+      }
+
+      /**
+       * Lie un mail à une tâche existante.
+       * @param mailId - ID BDD du message
+       * @param taskId - ID de la tâche existante
+       */
+      async function linkTask(mailId: number, taskId: number): Promise<void> {
+          const payload: MailLinkTaskInput = { taskId }
+          await api.post<void>(
+              `/mail/messages/${mailId}/link-task`,
+              payload as Record<string, unknown>,
+              { toastSuccessKey: 'mail.task.linked' },
+          )
+      }
+
+      /**
+       * Supprime le lien entre un mail et une tâche.
+       * @param mailId - ID BDD du message
+       * @param taskId - ID de la tâche
+       */
+      async function unlinkTask(mailId: number, taskId: number): Promise<void> {
+          await api.delete<void>(`/mail/messages/${mailId}/link-task/${taskId}`, {}, {
+              toastSuccessKey: 'mail.task.unlinked',
+          })
+      }
+
+      /**
+       * Liste les mails liés à une tâche (pour l'onglet "Mails" du TaskDrawer — Phase 6).
+       * @param taskId - ID de la tâche
+       */
+      async function listMailsForTask(taskId: number): Promise<MailMessageHeaderDto[]> {
+          return api.get<MailMessageHeaderDto[]>(`/tasks/${taskId}/mails`)
+      }
+
+      // ─── Pièces jointes ───────────────────────────────────────────────────────
+
+      /**
+       * Télécharge une pièce jointe et retourne le Blob + headers.
+       * Content-Disposition: attachment est géré côté backend (jamais inline).
+       * @param downloadId - Identifiant opaque retourné dans MailAttachmentDto.downloadId
+       */
+      async function downloadAttachment(
+          downloadId: string,
+      ): Promise<{ data: Blob; headers: Headers }> {
+          return api.getBlob(`/mail/attachments/${downloadId}`)
+      }
+
+      // ─── Synchronisation ─────────────────────────────────────────────────────
+
+      /**
+       * Déclenche une synchronisation IMAP asynchrone via Symfony Messenger.
+       * Retourne immédiatement ({ dispatched: true }) — la sync se fait en arrière-plan.
+       */
+      async function triggerSync(): Promise<MailSyncResultDto> {
+          return api.post<MailSyncResultDto>('/mail/sync', {}, {
+              toastSuccessKey: 'mail.sync.dispatched',
+          })
+      }
+
+      return {
+          // Config
+          getConfiguration,
+          updateConfiguration,
+          testConfiguration,
+          // Dossiers
+          listFolders,
+          // Messages
+          listMessages,
+          getMessage,
+          // Actions
+          markRead,
+          markFlagged,
+          // Tâches
+          createTaskFromMail,
+          linkTask,
+          unlinkTask,
+          listMailsForTask,
+          // Pièces jointes
+          downloadAttachment,
+          // Sync
+          triggerSync,
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "services/mail" | head -20
+  ```
+
+  Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git add frontend/services/mail.ts
+  git commit -m "feat(mail) : service API mail — listFolders/messages/getMessage/markRead/markFlagged/createTask/linkTask/downloadAttachment/triggerSync"
+  ```
+
+---
+
+### Task 5 : Store Pinia — `frontend/stores/mail.ts`
+
+Store composition API, pattern `defineStore('mail', () => { ... })` identique à `stores/timer.ts`. Le polling (30s) utilise `setInterval` natif + cleanup `onScopeDispose` — pas de VueUse (non installé). Le getter `folderTree` construit l'arbre depuis la liste plate en utilisant `parentPath`.
+
+- [ ] **Step 1 : Créer `frontend/stores/mail.ts`**
+
+  ```typescript
+  import { defineStore } from 'pinia'
+  import type {
+      MailFolderDto,
+      MailMessageHeaderDto,
+      MailMessageDetailDto,
+  } from '~/services/dto/mail'
+  import { useMailService } from '~/services/mail'
+
+  const POLL_INTERVAL_MS = 30 * 1000 // 30 secondes
+
+  export const useMailStore = defineStore('mail', () => {
+      // ─── State ────────────────────────────────────────────────────────────────
+
+      /** Liste plate des dossiers (reçue de l'API) */
+      const folders = ref<MailFolderDto[]>([])
+
+      /** Chemin du dossier actuellement sélectionné */
+      const selectedFolderPath = ref<string | null>(null)
+
+      /** Messages du dossier sélectionné (accumulés pour infinite scroll) */
+      const messages = ref<MailMessageHeaderDto[]>([])
+
+      /** Cursor de pagination pour la page suivante (null = plus de données) */
+      const messagesCursor = ref<string | null>(null)
+
+      /** Chargement en cours (messages) */
+      const messagesLoading = ref(false)
+
+      /** ID du message sélectionné pour lecture */
+      const selectedMessageId = ref<number | null>(null)
+
+      /** Détail complet du message sélectionné (body + PJ) */
+      const selectedMessageDetail = ref<MailMessageDetailDto | null>(null)
+
+      /** Chargement du détail en cours */
+      const detailLoading = ref(false)
+
+      /** Sync IMAP en cours (déclenchée manuellement) */
+      const syncing = ref(false)
+
+      /** Nombre total de messages non lus (toutes boîtes confondues) */
+      const globalUnreadCount = ref(0)
+
+      /** Erreur courante (null si aucune) */
+      const error = ref<string | null>(null)
+
+      let pollTimer: ReturnType<typeof setInterval> | null = null
+
+      // ─── Getters ──────────────────────────────────────────────────────────────
+
+      /**
+       * Nombre de non-lus dans INBOX uniquement (utilisé dans la sidebar).
+       */
+      const inboxUnread = computed(() => {
+          const inbox = folders.value.find(
+              (f) => f.path === 'INBOX' || f.path.toUpperCase() === 'INBOX',
+          )
+          return inbox?.unreadCount ?? 0
+      })
+
+      /**
+       * Construit l'arbre de dossiers depuis la liste plate.
+       * Les dossiers sans parentPath sont à la racine.
+       * Les enfants sont triés alphabétiquement par displayName.
+       */
+      const folderTree = computed((): MailFolderDto[] => {
+          const map = new Map<string, MailFolderDto>()
+          const roots: MailFolderDto[] = []
+
+          // Initialiser chaque dossier avec children vide
+          folders.value.forEach((folder) => {
+              map.set(folder.path, { ...folder, children: [] })
+          })
+
+          // Construire l'arbre
+          map.forEach((folder) => {
+              if (folder.parentPath && map.has(folder.parentPath)) {
+                  const parent = map.get(folder.parentPath)!
+                  parent.children = parent.children ?? []
+                  parent.children.push(folder)
+              } else {
+                  roots.push(folder)
+              }
+          })
+
+          // Trier les enfants alphabétiquement
+          function sortChildren(nodes: MailFolderDto[]): MailFolderDto[] {
+              return nodes
+                  .map((n) => ({
+                      ...n,
+                      children: n.children ? sortChildren(n.children) : undefined,
+                  }))
+                  .sort((a, b) => a.displayName.localeCompare(b.displayName, 'fr'))
+          }
+
+          return sortChildren(roots)
+      })
+
+      /**
+       * Indique si le cursor de pagination est disponible (plus de messages à charger).
+       */
+      const hasMoreMessages = computed(() => messagesCursor.value !== null)
+
+      // ─── Actions ──────────────────────────────────────────────────────────────
+
+      /**
+       * Charge la liste des dossiers depuis l'API et met à jour globalUnreadCount.
+       */
+      async function fetchFolders(): Promise<void> {
+          const service = useMailService()
+          try {
+              folders.value = await service.listFolders()
+              globalUnreadCount.value = folders.value.reduce(
+                  (sum, f) => sum + f.unreadCount,
+                  0,
+              )
+          } catch {
+              // Silently ignore polling errors (ne pas interrompre l'UX)
+          }
+      }
+
+      /**
+       * Sélectionne un dossier et charge ses messages (reset de la pagination).
+       * @param path - Chemin du dossier (ex: "INBOX")
+       */
+      async function selectFolder(path: string): Promise<void> {
+          if (selectedFolderPath.value === path) return
+          selectedFolderPath.value = path
+          messages.value = []
+          messagesCursor.value = null
+          selectedMessageId.value = null
+          selectedMessageDetail.value = null
+          await fetchMessages()
+      }
+
+      /**
+       * Charge les messages du dossier sélectionné.
+       * @param append - Si true, ajoute à la liste existante (infinite scroll). Si false, remplace.
+       */
+      async function fetchMessages(append = false): Promise<void> {
+          if (!selectedFolderPath.value) return
+          if (messagesLoading.value) return
+
+          messagesLoading.value = true
+          error.value = null
+
+          const service = useMailService()
+          try {
+              const cursor = append ? (messagesCursor.value ?? undefined) : undefined
+              const page = await service.listMessages(selectedFolderPath.value, cursor)
+
+              if (append) {
+                  messages.value = [...messages.value, ...page.items]
+              } else {
+                  messages.value = page.items
+              }
+              messagesCursor.value = page.nextCursor
+          } catch (err) {
+              error.value = err instanceof Error ? err.message : 'Erreur lors du chargement des messages.'
+          } finally {
+              messagesLoading.value = false
+          }
+      }
+
+      /**
+       * Sélectionne un message et charge son détail complet (body + PJ).
+       * Marque automatiquement le message comme lu si ce n'est pas déjà le cas.
+       * @param id - ID BDD du message
+       */
+      async function selectMessage(id: number): Promise<void> {
+          if (selectedMessageId.value === id) return
+          selectedMessageId.value = id
+          selectedMessageDetail.value = null
+          detailLoading.value = true
+
+          const service = useMailService()
+          try {
+              const detail = await service.getMessage(id)
+              selectedMessageDetail.value = detail
+
+              // Auto-mark as read si nécessaire
+              if (!detail.header.isRead) {
+                  await markRead(id, true)
+              }
+          } finally {
+              detailLoading.value = false
+          }
+      }
+
+      /**
+       * Marque un message comme lu ou non-lu.
+       * Met à jour le state local (messages + detail) sans refetch.
+       */
+      async function markRead(id: number, read: boolean): Promise<void> {
+          const service = useMailService()
+          const updated = await service.markRead(id, read)
+
+          // Mise à jour optimiste dans la liste
+          const idx = messages.value.findIndex((m) => m.id === id)
+          if (idx !== -1) {
+              messages.value[idx] = { ...messages.value[idx], isRead: updated.isRead }
+          }
+
+          // Mise à jour dans le détail si ouvert
+          if (selectedMessageDetail.value?.header.id === id) {
+              selectedMessageDetail.value = {
+                  ...selectedMessageDetail.value,
+                  header: { ...selectedMessageDetail.value.header, isRead: updated.isRead },
+              }
+          }
+
+          // Mettre à jour le compteur du dossier
+          await _refreshFolderUnreadCount()
+      }
+
+      /**
+       * Marque un message comme étoilé ou non-étoilé.
+       * Met à jour le state local sans refetch.
+       */
+      async function markFlagged(id: number, flagged: boolean): Promise<void> {
+          const service = useMailService()
+          const updated = await service.markFlagged(id, flagged)
+
+          const idx = messages.value.findIndex((m) => m.id === id)
+          if (idx !== -1) {
+              messages.value[idx] = { ...messages.value[idx], isFlagged: updated.isFlagged }
+          }
+
+          if (selectedMessageDetail.value?.header.id === id) {
+              selectedMessageDetail.value = {
+                  ...selectedMessageDetail.value,
+                  header: { ...selectedMessageDetail.value.header, isFlagged: updated.isFlagged },
+              }
+          }
+      }
+
+      /**
+       * Déclenche une synchronisation IMAP asynchrone.
+       * Recharge les dossiers après 2s pour refléter les nouveaux messages.
+       */
+      async function triggerSync(): Promise<void> {
+          if (syncing.value) return
+          syncing.value = true
+          const service = useMailService()
+          try {
+              await service.triggerSync()
+              // Laisser le temps au handler Messenger de traiter
+              setTimeout(async () => {
+                  await fetchFolders()
+                  if (selectedFolderPath.value) {
+                      await fetchMessages(false)
+                  }
+                  syncing.value = false
+              }, 2000)
+          } catch {
+              syncing.value = false
+          }
+      }
+
+      /**
+       * Démarre le polling toutes les 30s pour mettre à jour globalUnreadCount.
+       * À appeler dans app.vue ou le layout default au login.
+       * Idempotent : un seul timer actif à la fois.
+       */
+      function startPolling(): void {
+          if (pollTimer) return
+          fetchFolders() // Charge immédiatement
+          pollTimer = setInterval(fetchFolders, POLL_INTERVAL_MS)
+
+          // Cleanup automatique si le scope du store est détruit
+          if (getCurrentScope()) {
+              onScopeDispose(stopPolling)
+          }
+      }
+
+      /**
+       * Arrête le polling. À appeler au logout.
+       */
+      function stopPolling(): void {
+          if (pollTimer) {
+              clearInterval(pollTimer)
+              pollTimer = null
+          }
+      }
+
+      /**
+       * Rafraîchit les compteurs non-lus du dossier actuel depuis l'API.
+       * Usage interne — appelé après markRead.
+       */
+      async function _refreshFolderUnreadCount(): Promise<void> {
+          const service = useMailService()
+          try {
+              const updatedFolders = await service.listFolders()
+              folders.value = updatedFolders
+              globalUnreadCount.value = updatedFolders.reduce(
+                  (sum, f) => sum + f.unreadCount,
+                  0,
+              )
+          } catch {
+              // Silently ignore
+          }
+      }
+
+      return {
+          // State (readonly pour les consommateurs)
+          folders: readonly(folders),
+          selectedFolderPath: readonly(selectedFolderPath),
+          messages: readonly(messages),
+          messagesCursor: readonly(messagesCursor),
+          messagesLoading: readonly(messagesLoading),
+          selectedMessageId: readonly(selectedMessageId),
+          selectedMessageDetail: readonly(selectedMessageDetail),
+          detailLoading: readonly(detailLoading),
+          syncing: readonly(syncing),
+          globalUnreadCount: readonly(globalUnreadCount),
+          error: readonly(error),
+          // Getters
+          inboxUnread,
+          folderTree,
+          hasMoreMessages,
+          // Actions
+          fetchFolders,
+          selectFolder,
+          fetchMessages,
+          selectMessage,
+          markRead,
+          markFlagged,
+          triggerSync,
+          startPolling,
+          stopPolling,
+      }
+  })
+  ```
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "stores/mail" | head -20
+  ```
+
+  Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git add frontend/stores/mail.ts
+  git commit -m "feat(mail) : store Pinia useMailStore — folders, messages, polling 30s, markRead/markFlagged"
+  ```
+
+---
+
+### Task 6 : Validation TypeScript globale + smoke test
+
+- [ ] **Step 1 : Vérification TypeScript globale**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1
+  ```
+
+  Attendu : aucune erreur. Si des erreurs apparaissent sur les fichiers créés, les corriger avant de continuer.
+
+  Erreurs fréquentes à anticiper :
+  - `Property 'readonly' does not exist` → vérifier que Vue `readonly()` est bien importé (auto-import Nuxt, normalement transparent)
+  - `Cannot find module 'dompurify'` → vérifier que `@types/dompurify` est bien installé
+  - `Property 'children' does not exist` → vérifier que `MailFolderDto.children` est bien `MailFolderDto[] | undefined` dans le DTO
+
+- [ ] **Step 2 : Smoke test manuel — appel listFolders depuis devtools**
+
+  Ouvrir `http://localhost:3002` dans le navigateur (avec l'utilisateur `alice` connecté), puis dans la console DevTools :
+
+  ```javascript
+  const { useMailService } = await import('/services/mail.ts')
+  const svc = useMailService()
+  const folders = await svc.listFolders()
+  console.log(folders)
+  ```
+
+  Attendu (si Phase 3 backend déployée) : tableau de dossiers.
+  Attendu (si Phase 3 non encore déployée) : erreur 404 — normal à ce stade.
+  Non attendu : erreur TypeScript ou erreur d'import.
+
+  Alternative sans Phase 3 : vérifier que l'import ne crashe pas Nuxt :
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx nuxt dev --port 3099 &
+  # Attendre "Nuxt ready" puis ctrl+C
+  # Si Nuxt démarre sans erreur de module, c'est OK
+  ```
+
+- [ ] **Step 3 : Vérification finale — liste des fichiers créés**
+
+  ```bash
+  ls -la /home/r-dev/malio-dev/Lesstime/frontend/services/dto/mail.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/services/mail.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/stores/mail.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/utils/sanitizeMailHtml.ts
+  ```
+
+  Attendu : 4 fichiers présents.
+
+- [ ] **Step 4 : Commit final si des corrections ont été apportées**
+
+  ```bash
+  git add frontend/services/dto/mail.ts frontend/services/mail.ts frontend/stores/mail.ts frontend/utils/sanitizeMailHtml.ts
+  git commit -m "fix(mail) : corrections TypeScript phase 4 post-typecheck"
+  ```
+
+  Ne commiter que si des corrections ont été nécessaires à l'étape précédente.
+
+---
+
+## Exigences techniques
+
+- **TypeScript strict** — le projet est en mode strict (`tsconfig.json` hérité Nuxt)
+- **4 espaces d'indentation** — convention Lesstime (cf. CLAUDE.md)
+- **Pattern `useApi()`** — wrappe `$fetch`, gère JWT cookie (credentials: include), toasts i18n, erreurs HTTP
+- **PATCH** utilise `Content-Type: application/merge-patch+json` (géré automatiquement par `useApi().patch()`)
+- **`api.getBlob()`** pour `downloadAttachment` — retourne `{ data: Blob, headers: Headers }`, signature disponible dans `composables/useApi.ts`
+- **Store Pinia composition API** — `defineStore('mail', () => { ... })`, jamais options API
+- **Polling** — `setInterval` natif + `clearInterval` dans `stopPolling()` ; `onScopeDispose` pour cleanup automatique
+- **DOMPurify** — `import DOMPurify from 'dompurify'` ; SSR-safe car appelé uniquement côté client dans les composants Vue (Phase 5)
+- **`readonly()`** sur les refs exposés par le store — empêche la mutation directe depuis les composants
+- **Format commits** : `feat(mail) : <message>` ou `fix(mail) : <message>` (espace avant `:`)
+- **Chaque task = un ou plusieurs fichiers cohérents + un commit dédié**
+- **Smoke test final** ne doit PAS modifier l'app en production (test dans devtools ou build temporaire)
+
+---
+
+## Output attendu (résumé pour la review humaine)
+
+À la fin de la Phase 4, les éléments suivants doivent être présents et valides :
+
+| Livrable | Fichier | Statut attendu |
+|---|---|---|
+| Types TS DTOs | `frontend/services/dto/mail.ts` | Créé, 0 erreur TS |
+| Helper sanitization | `frontend/utils/sanitizeMailHtml.ts` | Créé, 0 erreur TS |
+| Service API | `frontend/services/mail.ts` | Créé, 0 erreur TS |
+| Store Pinia | `frontend/stores/mail.ts` | Créé, 0 erreur TS |
+| Dépendance DOMPurify | `frontend/package.json` | `dompurify` dans dependencies, `@types/dompurify` dans devDependencies |
+
+**Critère d'acceptation :**
+
+```bash
+cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit
+# → Sortie vide (0 erreur)
+```
+
+La Phase 5 (UI principale `/mail`) peut commencer dès que cette commande passe sans erreur.
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase5-ui-main.md b/docs/superpowers/plans/2026-05-19-mail-phase5-ui-main.md
new file mode 100644
index 0000000..30efe93
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase5-ui-main.md
@@ -0,0 +1,1203 @@
+# Mail Integration — Phase 5 : UI principale /mail (3 colonnes)
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Construire la page `/mail` en layout 3 colonnes (dossiers / liste / lecteur) avec composants Vue réutilisables, en branchant le store `useMailStore` créé en Phase 4. Sanitize HTML body via DOMPurify. Refus visuel pour ROLE_CLIENT.
+
+**Architecture:** 1 page Nuxt `pages/mail.vue`, 4 composants sous `components/mail/`, 1 composable helper `composables/useSystemFolderLabel.ts`. Mapping noms dossiers système (`INBOX` → "Boîte de réception") côté front. Deep-link `?messageId=X` pour sélectionner un mail à l'ouverture. Pas de mode édition/réponse en MVP.
+
+**Tech Stack:** Nuxt 4, Vue 3 Composition API + `<script setup lang="ts">`, Pinia (useMailStore), @malio/layer-ui (MalioButton, MalioButtonIcon), Tailwind CSS, DOMPurify (via `utils/sanitizeMailHtml`), @nuxt/icon.
+
+**Branche cible :** `feat/mail-integration` (vérifier qu'elle est active avant de commencer).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `frontend/pages/mail.vue` | Créer |
+| `frontend/components/mail/MailFolderTree.vue` | Créer |
+| `frontend/components/mail/MailMessageList.vue` | Créer |
+| `frontend/components/mail/MailMessageViewer.vue` | Créer |
+| `frontend/components/mail/MailRefreshButton.vue` | Créer |
+| `frontend/composables/useSystemFolderLabel.ts` | Créer |
+| `frontend/i18n/locales/fr.json` | Modifier (ajout clés `mail.*`) |
+
+---
+
+### Task 1 : Vérification de l'environnement
+
+- [ ] **Step 1 : Vérifier la branche active**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime branch --show-current
+  ```
+
+  Attendu : `feat/mail-integration`. Si non, basculer :
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime checkout feat/mail-integration
+  ```
+
+- [ ] **Step 2 : Vérifier que les fichiers Phase 4 existent**
+
+  ```bash
+  ls -la /home/r-dev/malio-dev/Lesstime/frontend/services/mail.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/stores/mail.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/utils/sanitizeMailHtml.ts \
+         /home/r-dev/malio-dev/Lesstime/frontend/services/dto/mail.ts
+  ```
+
+  Attendu : les 4 fichiers présents. Si absents, Phase 4 n'a pas été complétée — arrêter et implémenter Phase 4 d'abord.
+
+- [ ] **Step 3 : Vérifier que TypeScript est propre (baseline)**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | head -20
+  ```
+
+  Attendu : aucune erreur sur les fichiers Phase 4. Si des erreurs existent, les noter pour les distinguer des erreurs Phase 5.
+
+---
+
+### Task 2 : Clés i18n `mail.*` — `frontend/i18n/locales/fr.json`
+
+Les clés sont ajoutées dans `fr.json` (et `en.json` si présent — vérifier avec `ls frontend/i18n/locales/`). Le bloc `mail` est inséré après le dernier bloc de premier niveau existant (actuellement après `help` ou le dernier bloc de la spec existante).
+
+Pattern existant observé : blocs de premier niveau avec sous-clés plates ou imbriquées (voir `taskDocuments`, `timeEntries`, `myTasks`).
+
+- [ ] **Step 1 : Ajouter le bloc `mail` dans `frontend/i18n/locales/fr.json`**
+
+  Ajouter avant la fermeture `}` finale du JSON :
+
+  ```json
+  "mail": {
+      "title": "Messagerie",
+      "folders": "Dossiers",
+      "messages": "Messages",
+      "viewer": "Lecture",
+      "empty": {
+          "folder": "Aucun dossier disponible.",
+          "list": "Aucun message dans ce dossier.",
+          "viewer": "Sélectionnez un message pour le lire."
+      },
+      "systemFolder": {
+          "inbox": "Boîte de réception",
+          "sent": "Éléments envoyés",
+          "drafts": "Brouillons",
+          "archive": "Archives",
+          "trash": "Corbeille",
+          "junk": "Indésirables"
+      },
+      "actions": {
+          "refresh": "Actualiser",
+          "createTask": "Créer une tâche",
+          "linkTask": "Lier à une tâche",
+          "markRead": "Marquer comme lu",
+          "markUnread": "Marquer comme non lu",
+          "flag": "Marquer important",
+          "unflag": "Retirer l'importance",
+          "download": "Télécharger",
+          "showImages": "Afficher les images"
+      },
+      "errors": {
+          "syncFailed": "Erreur lors de la synchronisation.",
+          "fetchFailed": "Impossible de charger les messages.",
+          "notAuthorized": "Vous n'avez pas accès à la messagerie."
+      },
+      "configuration": {
+          "saved": "Configuration mail enregistrée."
+      },
+      "task": {
+          "created": "Tâche créée depuis le mail.",
+          "linked": "Mail lié à la tâche.",
+          "unlinked": "Lien supprimé."
+      },
+      "sync": {
+          "dispatched": "Synchronisation lancée en arrière-plan."
+      },
+      "attachments": "Pièces jointes",
+      "noAttachments": "Aucune pièce jointe.",
+      "from": "De",
+      "to": "À",
+      "cc": "Cc",
+      "date": "Date",
+      "subject": "Sujet",
+      "noSubject": "(Sans objet)",
+      "loadMore": "Charger plus",
+      "loading": "Chargement…",
+      "hasAttachments": "Pièces jointes",
+      "unread": "non lu | non lus"
+  }
+  ```
+
+- [ ] **Step 2 : Si `frontend/i18n/locales/en.json` existe, ajouter le bloc traduit**
+
+  ```bash
+  ls /home/r-dev/malio-dev/Lesstime/frontend/i18n/locales/
+  ```
+
+  Si `en.json` existe, ajouter le même bloc avec traductions anglaises :
+
+  ```json
+  "mail": {
+      "title": "Mail",
+      "folders": "Folders",
+      "messages": "Messages",
+      "viewer": "Reader",
+      "empty": {
+          "folder": "No folders available.",
+          "list": "No messages in this folder.",
+          "viewer": "Select a message to read it."
+      },
+      "systemFolder": {
+          "inbox": "Inbox",
+          "sent": "Sent",
+          "drafts": "Drafts",
+          "archive": "Archive",
+          "trash": "Trash",
+          "junk": "Junk"
+      },
+      "actions": {
+          "refresh": "Refresh",
+          "createTask": "Create task",
+          "linkTask": "Link to task",
+          "markRead": "Mark as read",
+          "markUnread": "Mark as unread",
+          "flag": "Mark as important",
+          "unflag": "Remove importance",
+          "download": "Download",
+          "showImages": "Show images"
+      },
+      "errors": {
+          "syncFailed": "Synchronization failed.",
+          "fetchFailed": "Unable to load messages.",
+          "notAuthorized": "You do not have access to mail."
+      },
+      "configuration": {
+          "saved": "Mail configuration saved."
+      },
+      "task": {
+          "created": "Task created from mail.",
+          "linked": "Mail linked to task.",
+          "unlinked": "Link removed."
+      },
+      "sync": {
+          "dispatched": "Sync launched in background."
+      },
+      "attachments": "Attachments",
+      "noAttachments": "No attachments.",
+      "from": "From",
+      "to": "To",
+      "cc": "Cc",
+      "date": "Date",
+      "subject": "Subject",
+      "noSubject": "(No subject)",
+      "loadMore": "Load more",
+      "loading": "Loading…",
+      "hasAttachments": "Attachments",
+      "unread": "unread"
+  }
+  ```
+
+- [ ] **Step 3 : Valider que le JSON est syntaxiquement correct**
+
+  ```bash
+  node -e "JSON.parse(require('fs').readFileSync('/home/r-dev/malio-dev/Lesstime/frontend/i18n/locales/fr.json', 'utf8')); console.log('JSON OK')"
+  ```
+
+  Attendu : `JSON OK`. Si erreur, corriger la virgule manquante ou le brace mal fermé.
+
+- [ ] **Step 4 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/i18n/locales/fr.json frontend/i18n/locales/en.json 2>/dev/null; true
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : clés i18n mail.* (titres, vides, dossiers système, actions, erreurs)"
+  ```
+
+---
+
+### Task 3 : Composable `useSystemFolderLabel.ts`
+
+Ce composable centralise le mapping entre les chemins de dossiers système IMAP (case-sensitive selon serveur) et leurs labels i18n. Il est utilisé par `MailFolderTree.vue`.
+
+- [ ] **Step 1 : Créer `frontend/composables/useSystemFolderLabel.ts`**
+
+  ```typescript
+  /**
+   * Mapping des chemins de dossiers système IMAP vers les clés i18n.
+   * Les clés sont normalisées en minuscules pour la comparaison.
+   * Couvre les variantes OVH courantes (INBOX, INBOX.Sent, Sent, etc.)
+   */
+  const SYSTEM_FOLDER_MAP: Record<string, string> = {
+      'inbox': 'mail.systemFolder.inbox',
+      'sent': 'mail.systemFolder.sent',
+      'inbox.sent': 'mail.systemFolder.sent',
+      'sent messages': 'mail.systemFolder.sent',
+      'drafts': 'mail.systemFolder.drafts',
+      'inbox.drafts': 'mail.systemFolder.drafts',
+      'archive': 'mail.systemFolder.archive',
+      'archives': 'mail.systemFolder.archive',
+      'inbox.archive': 'mail.systemFolder.archive',
+      'trash': 'mail.systemFolder.trash',
+      'deleted': 'mail.systemFolder.trash',
+      'deleted items': 'mail.systemFolder.trash',
+      'inbox.trash': 'mail.systemFolder.trash',
+      'junk': 'mail.systemFolder.junk',
+      'junk e-mail': 'mail.systemFolder.junk',
+      'spam': 'mail.systemFolder.junk',
+      'inbox.junk': 'mail.systemFolder.junk',
+  }
+
+  /**
+   * Icônes Material Symbols associées aux dossiers système.
+   * Pour les dossiers non reconnus : null → utiliser une icône générique.
+   */
+  const SYSTEM_FOLDER_ICONS: Record<string, string> = {
+      'mail.systemFolder.inbox': 'material-symbols:inbox-outline',
+      'mail.systemFolder.sent': 'material-symbols:send-outline',
+      'mail.systemFolder.drafts': 'material-symbols:draft-outline',
+      'mail.systemFolder.archive': 'material-symbols:archive-outline',
+      'mail.systemFolder.trash': 'material-symbols:delete-outline',
+      'mail.systemFolder.junk': 'material-symbols:report-outline',
+  }
+
+  const DEFAULT_FOLDER_ICON = 'material-symbols:folder-outline'
+
+  export function useSystemFolderLabel() {
+      const { t } = useI18n()
+
+      /**
+       * Retourne le label traduit d'un dossier système, ou son displayName si inconnu.
+       * @param path - Chemin IMAP du dossier (ex: "INBOX", "INBOX.Sent")
+       * @param displayName - Nom affiché par défaut si non reconnu
+       */
+      function getFolderLabel(path: string, displayName: string): string {
+          const key = SYSTEM_FOLDER_MAP[path.toLowerCase()]
+          return key ? t(key) : displayName
+      }
+
+      /**
+       * Retourne le nom de l'icône Material Symbols pour un dossier.
+       * @param path - Chemin IMAP du dossier
+       */
+      function getFolderIcon(path: string): string {
+          const key = SYSTEM_FOLDER_MAP[path.toLowerCase()]
+          return key ? (SYSTEM_FOLDER_ICONS[key] ?? DEFAULT_FOLDER_ICON) : DEFAULT_FOLDER_ICON
+      }
+
+      /**
+       * Indique si un dossier est un dossier système reconnu.
+       */
+      function isSystemFolder(path: string): boolean {
+          return path.toLowerCase() in SYSTEM_FOLDER_MAP
+      }
+
+      return {
+          getFolderLabel,
+          getFolderIcon,
+          isSystemFolder,
+      }
+  }
+  ```
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "useSystemFolderLabel" | head -10
+  ```
+
+  Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/composables/useSystemFolderLabel.ts
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : composable useSystemFolderLabel — mapping dossiers système IMAP → i18n + icônes"
+  ```
+
+---
+
+### Task 4 : Composant `MailRefreshButton.vue`
+
+Petit composant indépendant, sans dépendances sur les autres composants mail — à créer en premier pour qu'il soit disponible dans `mail.vue`.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailRefreshButton.vue`**
+
+  ```vue
+  <script setup lang="ts">
+  import { useMailStore } from '~/stores/mail'
+
+  const store = useMailStore()
+  const { syncing } = storeToRefs(store)
+
+  const { t } = useI18n()
+
+  async function handleRefresh(): Promise<void> {
+      await store.triggerSync()
+  }
+  </script>
+
+  <template>
+      <MalioButton
+          :label="t('mail.actions.refresh')"
+          variant="secondary"
+          icon-name="material-symbols:refresh"
+          icon-position="left"
+          :icon-size="16"
+          :disabled="syncing"
+          @click="handleRefresh"
+      />
+  </template>
+  ```
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailRefreshButton.vue
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailRefreshButton — bouton sync manuel, disabled pendant syncing"
+  ```
+
+---
+
+### Task 5 : Composant `MailFolderTree.vue`
+
+Arbre récursif des dossiers mail. Reçoit `folderTree` (computed du store, déjà arborifié). Émet `select` avec le `path` du dossier cliqué.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailFolderTree.vue`**
+
+  ```vue
+  <script setup lang="ts">
+  import type { MailFolderDto } from '~/services/dto/mail'
+
+  const props = defineProps<{
+      /** Arbre de dossiers (getter folderTree du store) */
+      folders: MailFolderDto[]
+      /** Chemin du dossier actuellement sélectionné */
+      selectedPath: string | null
+      /** Niveau de profondeur pour l'indentation (usage récursif interne) */
+      depth?: number
+  }>()
+
+  const emit = defineEmits<{
+      select: [path: string]
+  }>()
+
+  const { getFolderLabel, getFolderIcon } = useSystemFolderLabel()
+  const { t } = useI18n()
+
+  const depth = computed(() => props.depth ?? 0)
+
+  function handleSelect(path: string): void {
+      emit('select', path)
+  }
+  </script>
+
+  <template>
+      <div>
+          <div v-if="folders.length === 0 && depth === 0" class="px-3 py-4 text-sm text-neutral-400 italic">
+              {{ t('mail.empty.folder') }}
+          </div>
+
+          <template v-else>
+              <button
+                  v-for="folder in folders"
+                  :key="folder.path"
+                  type="button"
+                  class="w-full text-left"
+                  @click="handleSelect(folder.path)"
+              >
+                  <!-- Entrée dossier -->
+                  <div
+                      class="flex items-center gap-2 rounded-md px-3 py-1.5 text-sm transition-colors"
+                      :class="[
+                          { 'pl-[calc(0.75rem_+_theme(spacing[3])_*_v-bind(depth))]': depth > 0 },
+                          selectedPath === folder.path
+                              ? 'bg-primary-100 text-primary-700 font-medium'
+                              : 'text-neutral-700 hover:bg-neutral-100',
+                      ]"
+                      :style="depth > 0 ? { paddingLeft: `${0.75 + depth * 0.75}rem` } : {}"
+                  >
+                      <!-- Icône dossier -->
+                      <Icon
+                          :name="getFolderIcon(folder.path)"
+                          size="16"
+                          class="flex-shrink-0"
+                          :class="selectedPath === folder.path ? 'text-primary-600' : 'text-neutral-400'"
+                      />
+
+                      <!-- Label -->
+                      <span class="flex-1 truncate">
+                          {{ getFolderLabel(folder.path, folder.displayName) }}
+                      </span>
+
+                      <!-- Badge non-lus -->
+                      <span
+                          v-if="folder.unreadCount > 0"
+                          class="ml-auto flex-shrink-0 rounded-full bg-primary-500 px-1.5 py-0.5 text-xs font-bold text-white"
+                      >
+                          {{ folder.unreadCount > 99 ? '99+' : folder.unreadCount }}
+                      </span>
+                  </div>
+
+                  <!-- Sous-dossiers récursifs -->
+                  <MailFolderTree
+                      v-if="folder.children && folder.children.length > 0"
+                      :folders="folder.children"
+                      :selected-path="selectedPath"
+                      :depth="depth + 1"
+                      @select="handleSelect"
+                  />
+              </button>
+          </template>
+      </div>
+  </template>
+  ```
+
+  Note technique : l'indentation dynamique par CSS `calc` avec `v-bind(depth)` n'est pas fiable dans Tailwind — utiliser `:style` natif comme ci-dessus (`paddingLeft: depth * 0.75rem`). La récursivité via `<MailFolderTree>` fonctionne car Nuxt auto-importe les composants.
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailFolderTree.vue
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailFolderTree — arbre récursif dossiers, badges unread, icônes système"
+  ```
+
+---
+
+### Task 6 : Composant `MailMessageList.vue`
+
+Liste paginée des messages du dossier sélectionné. Infinite scroll via `IntersectionObserver` sur un sentinel div en bas de liste. Indicateurs visuels : point ● (non lu), étoile ⭐ (flagged), trombone 📎 (hasAttachments), date relative.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailMessageList.vue`**
+
+  ```vue
+  <script setup lang="ts">
+  import type { MailMessageHeaderDto } from '~/services/dto/mail'
+
+  const props = defineProps<{
+      messages: MailMessageHeaderDto[]
+      selectedId: number | null
+      loading: boolean
+      hasMore: boolean
+  }>()
+
+  const emit = defineEmits<{
+      select: [id: number]
+      loadMore: []
+  }>()
+
+  const { t } = useI18n()
+
+  // ─── Infinite scroll via IntersectionObserver ──────────────────────────────
+
+  const sentinelRef = ref<HTMLDivElement | null>(null)
+  let observer: IntersectionObserver | null = null
+
+  onMounted(() => {
+      if (!sentinelRef.value) return
+      observer = new IntersectionObserver(
+          (entries) => {
+              const entry = entries[0]
+              if (entry?.isIntersecting && props.hasMore && !props.loading) {
+                  emit('loadMore')
+              }
+          },
+          { threshold: 0.1 },
+      )
+      observer.observe(sentinelRef.value)
+  })
+
+  onBeforeUnmount(() => {
+      observer?.disconnect()
+      observer = null
+  })
+
+  // ─── Date relative ──────────────────────────────────────────────────────────
+
+  /**
+   * Formate une date ISO en date relative (il y a X minutes/heures/jours).
+   * Utilise Intl.RelativeTimeFormat avec la locale du navigateur.
+   */
+  function formatRelative(isoDate: string | null): string {
+      if (!isoDate) return ''
+      const date = new Date(isoDate)
+      const now = new Date()
+      const diffMs = date.getTime() - now.getTime()
+      const diffSeconds = Math.round(diffMs / 1000)
+      const diffMinutes = Math.round(diffSeconds / 60)
+      const diffHours = Math.round(diffMinutes / 60)
+      const diffDays = Math.round(diffHours / 24)
+
+      const rtf = new Intl.RelativeTimeFormat('fr', { numeric: 'auto' })
+
+      if (Math.abs(diffMinutes) < 1) return rtf.format(diffSeconds, 'second')
+      if (Math.abs(diffHours) < 1) return rtf.format(diffMinutes, 'minute')
+      if (Math.abs(diffDays) < 1) return rtf.format(diffHours, 'hour')
+      if (Math.abs(diffDays) < 30) return rtf.format(diffDays, 'day')
+
+      // Au-delà de 30 jours : date courte
+      return date.toLocaleDateString('fr', { day: '2-digit', month: 'short', year: 'numeric' })
+  }
+
+  /**
+   * Retourne un label court pour l'expéditeur (nom si disponible, sinon email).
+   */
+  function getSenderLabel(msg: MailMessageHeaderDto): string {
+      return msg.fromName ?? msg.fromEmail ?? ''
+  }
+  </script>
+
+  <template>
+      <div class="flex h-full flex-col overflow-hidden">
+          <!-- État vide -->
+          <div
+              v-if="!loading && messages.length === 0"
+              class="flex flex-1 items-center justify-center text-sm text-neutral-400 italic px-4 text-center"
+          >
+              {{ t('mail.empty.list') }}
+          </div>
+
+          <!-- Liste des messages -->
+          <div v-else class="flex-1 overflow-y-auto divide-y divide-neutral-100">
+              <button
+                  v-for="msg in messages"
+                  :key="msg.id"
+                  type="button"
+                  class="flex w-full gap-3 px-3 py-3 text-left transition-colors hover:bg-neutral-50 focus:outline-none"
+                  :class="[
+                      selectedId === msg.id ? 'bg-primary-50 border-l-2 border-primary-500' : '',
+                      !msg.isRead ? 'bg-white' : 'bg-neutral-50/50',
+                  ]"
+                  @click="emit('select', msg.id)"
+              >
+                  <!-- Indicateur non-lu -->
+                  <div class="mt-1.5 flex-shrink-0">
+                      <span
+                          class="block h-2 w-2 rounded-full"
+                          :class="msg.isRead ? 'bg-transparent' : 'bg-primary-500'"
+                      />
+                  </div>
+
+                  <!-- Contenu -->
+                  <div class="min-w-0 flex-1">
+                      <!-- Ligne 1 : expéditeur + date -->
+                      <div class="flex items-center justify-between gap-2">
+                          <span
+                              class="truncate text-sm"
+                              :class="msg.isRead ? 'text-neutral-600 font-normal' : 'text-neutral-900 font-semibold'"
+                          >
+                              {{ getSenderLabel(msg) }}
+                          </span>
+                          <span class="flex-shrink-0 text-xs text-neutral-400">
+                              {{ formatRelative(msg.sentAt ?? msg.receivedAt) }}
+                          </span>
+                      </div>
+
+                      <!-- Ligne 2 : sujet -->
+                      <p
+                          class="truncate text-sm"
+                          :class="msg.isRead ? 'text-neutral-500' : 'text-neutral-800 font-medium'"
+                      >
+                          {{ msg.subject ?? t('mail.noSubject') }}
+                      </p>
+
+                      <!-- Ligne 3 : indicateurs -->
+                      <div class="mt-0.5 flex items-center gap-1.5">
+                          <Icon
+                              v-if="msg.isFlagged"
+                              name="material-symbols:star"
+                              size="14"
+                              class="text-amber-400 flex-shrink-0"
+                          />
+                          <Icon
+                              v-if="msg.hasAttachments"
+                              name="material-symbols:attach-file"
+                              size="14"
+                              class="text-neutral-400 flex-shrink-0"
+                          />
+                          <span v-if="msg.linkedTaskIds.length > 0" class="text-xs text-primary-400">
+                              <Icon name="material-symbols:task-outline" size="14" class="flex-shrink-0" />
+                          </span>
+                      </div>
+                  </div>
+              </button>
+
+              <!-- Sentinel infinite scroll -->
+              <div ref="sentinelRef" class="h-px" />
+
+              <!-- Spinner chargement page suivante -->
+              <div v-if="loading && messages.length > 0" class="flex items-center justify-center py-4">
+                  <Icon name="material-symbols:progress-activity" size="20" class="animate-spin text-neutral-400" />
+              </div>
+          </div>
+
+          <!-- Premier chargement -->
+          <div v-if="loading && messages.length === 0" class="flex flex-1 items-center justify-center">
+              <Icon name="material-symbols:progress-activity" size="24" class="animate-spin text-neutral-400" />
+          </div>
+      </div>
+  </template>
+  ```
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailMessageList.vue
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailMessageList — liste paginée infinite scroll, indicateurs lu/étoilé/PJ/date relative"
+  ```
+
+---
+
+### Task 7 : Composant `MailMessageViewer.vue`
+
+Lecteur de mail complet. Reçoit le détail complet du message sélectionné. Sanitize le HTML body via `sanitizeMailHtml`. Gère le toggle "Afficher les images distantes". Actions : Créer tâche, Lier à tâche, Marquer lu/non-lu, Étoiler. Téléchargement PJ.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailMessageViewer.vue`**
+
+  ```vue
+  <script setup lang="ts">
+  import type { MailMessageDetailDto } from '~/services/dto/mail'
+  import { sanitizeMailHtml } from '~/utils/sanitizeMailHtml'
+  import { useMailService } from '~/services/mail'
+  import { useMailStore } from '~/stores/mail'
+
+  const props = defineProps<{
+      /** Détail complet du message. null = aucun message sélectionné. */
+      detail: MailMessageDetailDto | null
+      loading: boolean
+  }>()
+
+  const emit = defineEmits<{
+      /** Demande d'ouverture du modal "Créer tâche depuis ce mail" */
+      createTask: [mailId: number]
+      /** Demande d'ouverture du modal "Lier à une tâche existante" */
+      linkTask: [mailId: number]
+  }>()
+
+  const { t } = useI18n()
+  const store = useMailStore()
+  const mailService = useMailService()
+
+  // ─── Toggle images distantes ──────────────────────────────────────────────
+
+  const showImages = ref(false)
+
+  // ─── HTML sanitizé (client-side uniquement — projet SPA, pas de SSR) ──────
+
+  const sanitizedBody = computed((): string => {
+      if (!props.detail?.bodyHtml) return ''
+      return sanitizeMailHtml(props.detail.bodyHtml, { allowImages: showImages.value })
+  })
+
+  // Reset toggle images quand on change de message
+  watch(() => props.detail?.header.id, () => {
+      showImages.value = false
+  })
+
+  // ─── Actions ──────────────────────────────────────────────────────────────
+
+  async function handleMarkReadToggle(): Promise<void> {
+      if (!props.detail) return
+      const id = props.detail.header.id
+      const currentlyRead = props.detail.header.isRead
+      await store.markRead(id, !currentlyRead)
+  }
+
+  async function handleFlagToggle(): Promise<void> {
+      if (!props.detail) return
+      const id = props.detail.header.id
+      const currentlyFlagged = props.detail.header.isFlagged
+      await store.markFlagged(id, !currentlyFlagged)
+  }
+
+  async function handleDownload(downloadId: string, filename: string): Promise<void> {
+      try {
+          const { data } = await mailService.downloadAttachment(downloadId)
+          const url = URL.createObjectURL(data)
+          const a = document.createElement('a')
+          a.href = url
+          a.download = filename
+          a.click()
+          URL.revokeObjectURL(url)
+      } catch {
+          // L'erreur est gérée par useApi (toast automatique)
+      }
+  }
+
+  // ─── Formatage ────────────────────────────────────────────────────────────
+
+  function formatDate(iso: string | null): string {
+      if (!iso) return ''
+      return new Date(iso).toLocaleString('fr', {
+          dateStyle: 'long',
+          timeStyle: 'short',
+      })
+  }
+
+  function joinAddresses(
+      addresses: Array<{ name: string | null; email: string }>,
+  ): string {
+      return addresses
+          .map((a) => (a.name ? `${a.name} <${a.email}>` : a.email))
+          .join(', ')
+  }
+  </script>
+
+  <template>
+      <div class="flex h-full flex-col overflow-hidden">
+          <!-- État vide -->
+          <div
+              v-if="!detail && !loading"
+              class="flex flex-1 items-center justify-center text-sm text-neutral-400 italic px-8 text-center"
+          >
+              {{ t('mail.empty.viewer') }}
+          </div>
+
+          <!-- Chargement -->
+          <div v-else-if="loading" class="flex flex-1 items-center justify-center">
+              <Icon name="material-symbols:progress-activity" size="28" class="animate-spin text-neutral-400" />
+          </div>
+
+          <!-- Message chargé -->
+          <template v-else-if="detail">
+              <!-- Header message -->
+              <div class="flex-shrink-0 border-b border-neutral-200 px-4 py-3 space-y-1.5">
+                  <!-- Sujet -->
+                  <h2 class="text-base font-semibold text-neutral-900 break-words">
+                      {{ detail.header.subject ?? t('mail.noSubject') }}
+                  </h2>
+
+                  <!-- Métadonnées expéditeur/destinataires -->
+                  <dl class="text-xs text-neutral-500 space-y-0.5">
+                      <div class="flex gap-1.5">
+                          <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.from') }}</dt>
+                          <dd class="break-all">
+                              {{
+                                  detail.header.fromName
+                                      ? `${detail.header.fromName} <${detail.header.fromEmail}>`
+                                      : (detail.header.fromEmail ?? '')
+                              }}
+                          </dd>
+                      </div>
+                      <div v-if="detail.header.toRecipients.length > 0" class="flex gap-1.5">
+                          <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.to') }}</dt>
+                          <dd class="break-all">{{ joinAddresses(detail.header.toRecipients) }}</dd>
+                      </div>
+                      <div v-if="detail.header.ccRecipients.length > 0" class="flex gap-1.5">
+                          <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.cc') }}</dt>
+                          <dd class="break-all">{{ joinAddresses(detail.header.ccRecipients) }}</dd>
+                      </div>
+                      <div class="flex gap-1.5">
+                          <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.date') }}</dt>
+                          <dd>{{ formatDate(detail.header.sentAt ?? detail.header.receivedAt) }}</dd>
+                      </div>
+                  </dl>
+
+                  <!-- Barre d'actions -->
+                  <div class="flex flex-wrap items-center gap-2 pt-1">
+                      <MalioButton
+                          :label="t('mail.actions.createTask')"
+                          variant="primary"
+                          icon-name="material-symbols:add-task-outline"
+                          icon-position="left"
+                          :icon-size="14"
+                          @click="emit('createTask', detail.header.id)"
+                      />
+                      <MalioButton
+                          :label="t('mail.actions.linkTask')"
+                          variant="secondary"
+                          icon-name="material-symbols:link"
+                          icon-position="left"
+                          :icon-size="14"
+                          @click="emit('linkTask', detail.header.id)"
+                      />
+                      <MalioButton
+                          :label="detail.header.isRead ? t('mail.actions.markUnread') : t('mail.actions.markRead')"
+                          variant="tertiary"
+                          :icon-name="detail.header.isRead ? 'material-symbols:mark-email-unread-outline' : 'material-symbols:mark-email-read-outline'"
+                          icon-position="left"
+                          :icon-size="14"
+                          @click="handleMarkReadToggle"
+                      />
+                      <MalioButton
+                          :label="detail.header.isFlagged ? t('mail.actions.unflag') : t('mail.actions.flag')"
+                          variant="tertiary"
+                          :icon-name="detail.header.isFlagged ? 'material-symbols:star' : 'material-symbols:star-outline'"
+                          icon-position="left"
+                          :icon-size="14"
+                          @click="handleFlagToggle"
+                      />
+                  </div>
+              </div>
+
+              <!-- Corps du message -->
+              <div class="flex-1 overflow-y-auto px-4 py-3">
+                  <!-- Bannière "Afficher les images" -->
+                  <div
+                      v-if="!showImages && detail.bodyHtml"
+                      class="mb-3 flex items-center gap-3 rounded-md border border-amber-200 bg-amber-50 px-3 py-2 text-sm"
+                  >
+                      <Icon name="material-symbols:image-outline" size="16" class="text-amber-500 flex-shrink-0" />
+                      <span class="flex-1 text-amber-700">Les images distantes sont masquées pour votre sécurité.</span>
+                      <button
+                          type="button"
+                          class="text-xs font-medium text-amber-700 underline hover:text-amber-900 transition-colors"
+                          @click="showImages = true"
+                      >
+                          {{ t('mail.actions.showImages') }}
+                      </button>
+                  </div>
+
+                  <!-- Corps HTML sanitizé -->
+                  <div
+                      v-if="detail.bodyHtml"
+                      class="prose prose-sm max-w-none text-neutral-800"
+                      v-html="sanitizedBody"
+                  />
+
+                  <!-- Fallback texte plain -->
+                  <pre
+                      v-else-if="detail.bodyText"
+                      class="whitespace-pre-wrap font-sans text-sm text-neutral-700"
+                  >{{ detail.bodyText }}</pre>
+              </div>
+
+              <!-- Pièces jointes -->
+              <div
+                  v-if="detail.attachments.length > 0"
+                  class="flex-shrink-0 border-t border-neutral-200 px-4 py-3"
+              >
+                  <p class="mb-2 text-xs font-semibold uppercase tracking-wide text-neutral-500">
+                      {{ t('mail.attachments') }} ({{ detail.attachments.length }})
+                  </p>
+                  <div class="flex flex-wrap gap-2">
+                      <button
+                          v-for="att in detail.attachments"
+                          :key="att.downloadId"
+                          type="button"
+                          class="flex items-center gap-1.5 rounded border border-neutral-200 bg-neutral-50 px-2.5 py-1.5 text-xs text-neutral-700 transition-colors hover:bg-neutral-100 hover:border-neutral-300"
+                          :title="att.filename"
+                          @click="handleDownload(att.downloadId, att.filename)"
+                      >
+                          <Icon name="material-symbols:attach-file" size="14" class="flex-shrink-0 text-neutral-400" />
+                          <span class="max-w-[180px] truncate">{{ att.filename }}</span>
+                          <span class="text-neutral-400">({{ Math.round(att.size / 1024) }} Ko)</span>
+                      </button>
+                  </div>
+              </div>
+          </template>
+      </div>
+  </template>
+  ```
+
+  Points clés :
+  - `v-html="sanitizedBody"` est le **seul** `v-html` du composant, et il reçoit toujours la sortie de `sanitizeMailHtml` — jamais le `rawHtml` brut directement.
+  - La bannière "Afficher les images" est visible dès qu'il y a un `bodyHtml` et que `showImages` est false.
+  - `handleDownload` crée un lien `<a>` temporaire pour déclencher le téléchargement du Blob retourné par `mailService.downloadAttachment`.
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailMessageViewer.vue
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailMessageViewer — header, body sanitizé DOMPurify, PJ téléchargeables, 4 actions"
+  ```
+
+---
+
+### Task 8 : Page `pages/mail.vue`
+
+Page principale en layout 3 colonnes. Intègre les 4 composants créés ci-dessus. Gère le deep-link `?messageId=X`. Vérifie le rôle ROLE_CLIENT (redirection `/portal`). Le middleware global `auth.global.ts` gère déjà l'authentification de base — ici on ajoute seulement le check spécifique ROLE_CLIENT dans `onMounted`.
+
+- [ ] **Step 1 : Créer `frontend/pages/mail.vue`**
+
+  ```vue
+  <script setup lang="ts">
+  import { useMailStore } from '~/stores/mail'
+
+  const { t } = useI18n()
+  const router = useRouter()
+  const route = useRoute()
+  const auth = useAuthStore()
+
+  useHead({ title: t('mail.title') })
+
+  // ─── Contrôle d'accès ROLE_CLIENT ─────────────────────────────────────────
+  // Le middleware global gère auth. Ici : ROLE_CLIENT (sans ROLE_ADMIN) → /portal.
+  // Vérifié dans onMounted pour être sûr que auth est initialisé (SPA).
+
+  const isClientOnly = computed(() =>
+      auth.user?.roles?.includes('ROLE_CLIENT') === true
+      && auth.user?.roles?.includes('ROLE_ADMIN') !== true,
+  )
+
+  if (isClientOnly.value) {
+      await navigateTo('/portal')
+  }
+
+  // ─── Store ────────────────────────────────────────────────────────────────
+
+  const store = useMailStore()
+  const {
+      folderTree,
+      selectedFolderPath,
+      messages,
+      messagesLoading,
+      hasMoreMessages,
+      selectedMessageId,
+      selectedMessageDetail,
+      detailLoading,
+  } = storeToRefs(store)
+
+  // ─── Init : charge les dossiers + deep-link ───────────────────────────────
+
+  onMounted(async () => {
+      // Double-check rôle après hydratation (SPA guard)
+      if (isClientOnly.value) {
+          router.replace('/portal')
+          return
+      }
+
+      // Charger les dossiers si pas encore chargés
+      if (folderTree.value.length === 0) {
+          await store.fetchFolders()
+      }
+
+      // Sélectionner INBOX par défaut
+      if (!selectedFolderPath.value && folderTree.value.length > 0) {
+          const inbox = folderTree.value.find((f) => f.path.toUpperCase() === 'INBOX')
+          await store.selectFolder(inbox?.path ?? folderTree.value[0]!.path)
+      }
+
+      // Deep-link : ?messageId=X → sélectionner automatiquement ce message
+      const messageIdParam = route.query.messageId
+      if (messageIdParam) {
+          const id = parseInt(String(messageIdParam), 10)
+          if (!isNaN(id)) {
+              await store.selectMessage(id)
+          }
+      }
+  })
+
+  onBeforeUnmount(() => {
+      // Ne pas arrêter le polling ici — il est géré globalement par le layout (Phase 7)
+      // La page peut être démonter sans couper le compteur de non-lus global
+  })
+
+  // ─── Handlers ─────────────────────────────────────────────────────────────
+
+  async function handleFolderSelect(path: string): Promise<void> {
+      await store.selectFolder(path)
+      // Nettoyer le query param messageId si présent
+      if (route.query.messageId) {
+          router.replace({ query: { ...route.query, messageId: undefined } })
+      }
+  }
+
+  async function handleMessageSelect(id: number): Promise<void> {
+      await store.selectMessage(id)
+  }
+
+  function handleLoadMore(): void {
+      store.fetchMessages(true)
+  }
+
+  // Phase 6 : ces handlers seront branchés sur les modals MailCreateTaskModal / MailLinkTaskModal
+  function handleCreateTask(mailId: number): void {
+      // TODO Phase 6 : ouvrir MailCreateTaskModal
+      console.warn('[mail] handleCreateTask mailId=', mailId, '— modal à implémenter en Phase 6')
+  }
+
+  function handleLinkTask(mailId: number): void {
+      // TODO Phase 6 : ouvrir MailLinkTaskModal
+      console.warn('[mail] handleLinkTask mailId=', mailId, '— modal à implémenter en Phase 6')
+  }
+  </script>
+
+  <template>
+      <div class="flex h-full flex-col overflow-hidden">
+          <!-- Topbar page -->
+          <div class="flex flex-shrink-0 items-center justify-between border-b border-neutral-200 bg-white px-4 py-3">
+              <h1 class="text-lg font-semibold text-neutral-900">
+                  {{ t('mail.title') }}
+              </h1>
+              <MailRefreshButton />
+          </div>
+
+          <!-- Layout 3 colonnes -->
+          <div class="flex flex-1 overflow-hidden">
+              <!-- Colonne 1 : Dossiers (fixe, largeur 220px) -->
+              <aside class="w-[220px] flex-shrink-0 overflow-y-auto border-r border-neutral-200 bg-neutral-50 py-2">
+                  <p class="mb-1 px-3 text-xs font-semibold uppercase tracking-wide text-neutral-400">
+                      {{ t('mail.folders') }}
+                  </p>
+                  <MailFolderTree
+                      :folders="folderTree"
+                      :selected-path="selectedFolderPath"
+                      @select="handleFolderSelect"
+                  />
+              </aside>
+
+              <!-- Colonne 2 : Liste des messages (fixe, largeur 320px) -->
+              <div class="w-[320px] flex-shrink-0 overflow-hidden border-r border-neutral-200 bg-white">
+                  <div class="flex items-center justify-between border-b border-neutral-100 px-3 py-2">
+                      <p class="text-xs font-semibold uppercase tracking-wide text-neutral-400">
+                          {{ t('mail.messages') }}
+                      </p>
+                  </div>
+                  <div class="h-[calc(100%-37px)]">
+                      <MailMessageList
+                          :messages="messages"
+                          :selected-id="selectedMessageId"
+                          :loading="messagesLoading"
+                          :has-more="hasMoreMessages"
+                          @select="handleMessageSelect"
+                          @load-more="handleLoadMore"
+                      />
+                  </div>
+              </div>
+
+              <!-- Colonne 3 : Lecteur (flex, prend le reste) -->
+              <div class="flex-1 overflow-hidden bg-white">
+                  <MailMessageViewer
+                      :detail="selectedMessageDetail"
+                      :loading="detailLoading"
+                      @create-task="handleCreateTask"
+                      @link-task="handleLinkTask"
+                  />
+              </div>
+          </div>
+      </div>
+  </template>
+  ```
+
+  Points clés :
+  - `await navigateTo('/portal')` au niveau du `<script setup>` (avant `onMounted`) pour un redirect immédiat si ROLE_CLIENT détecté à l'hydratation.
+  - Le double-check dans `onMounted` couvre le cas où `auth` n'est pas encore résolu au premier rendu SPA.
+  - Les `console.warn` pour les handlers Phase 6 sont intentionnels (placeholder visible en dev).
+  - `h-[calc(100%-37px)]` : la topbar de la colonne liste fait ~37px (py-2 + texte xs) — ajuster si besoin après inspection visuelle.
+
+- [ ] **Step 2 : Commit**
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/pages/mail.vue
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : page /mail — layout 3 colonnes, deep-link messageId, refus ROLE_CLIENT"
+  ```
+
+---
+
+### Task 9 : Validation TypeScript globale + test manuel
+
+- [ ] **Step 1 : TypeScript strict — zéro erreur sur les fichiers Phase 5**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1
+  ```
+
+  Attendu : sortie vide (0 erreur). Erreurs fréquentes à anticiper et corriger :
+
+  - `Property 'XXX' does not exist on type 'DeepReadonly<...>'` → les refs du store sont `readonly()` — utiliser `.value` directement ou `storeToRefs()` (déjà fait dans `mail.vue`).
+  - `Cannot find name 'useSystemFolderLabel'` → vérifier que le composable est dans `composables/` (auto-importé par Nuxt).
+  - `'MailFolderTree' is not defined` → Nuxt auto-importe les composants de `components/` — vérifier le nom du fichier (PascalCase).
+  - `Property 'depth' does not exist` → dans `MailFolderTree`, `depth` est une prop avec valeur par défaut — s'assurer que le type est `number | undefined` dans `defineProps`.
+
+- [ ] **Step 2 : Démarrer le serveur de développement**
+
+  ```bash
+  cd /home/r-dev/malio-dev/Lesstime && make dev-nuxt
+  ```
+
+  Attendu : `Nuxt ready` sur `http://localhost:3002`.
+
+- [ ] **Step 3 : Tests manuels (checklist)**
+
+  Se connecter avec `alice` / `alice` (ROLE_USER) :
+
+  - [ ] Naviguer vers `http://localhost:3002/mail` → page visible, layout 3 colonnes affiché
+  - [ ] Les 3 colonnes sont présentes (même si vides — backend Phase 3 peut ne pas être déployé)
+  - [ ] Bouton "Actualiser" visible en haut à droite
+  - [ ] Console DevTools : aucune erreur Vue/Nuxt (les `console.warn` Phase 6 sont acceptables)
+  - [ ] TypeScript : aucune erreur rouge dans l'IDE
+
+  Se connecter avec `client-liot` / `client` (ROLE_CLIENT) :
+
+  - [ ] Naviguer vers `http://localhost:3002/mail` → redirect automatique vers `/portal`
+  - [ ] Pas d'affichage momentané de la page mail avant le redirect
+
+  Test anti-XSS (si backend Phase 3 disponible) :
+
+  - [ ] Injecter `<script>alert(1)</script>` dans un corps de mail (via devtools ou fixture)
+  - [ ] Ouvrir le mail dans le lecteur → aucune alerte JS, contenu rendu inoffensif
+  - [ ] Vérifier dans le DOM inspecté que la balise `<script>` est absente
+
+  Test images distantes :
+
+  - [ ] Un mail avec `<img src="https://example.com/pixel.gif">` dans le body
+  - [ ] À l'ouverture : placeholder `[Image distante — cliquer pour afficher]` visible à la place
+  - [ ] Cliquer sur "Afficher les images" → l'image est chargée (si réseau disponible)
+
+- [ ] **Step 4 : Commit de correction si nécessaire**
+
+  Si des bugs TypeScript ou visuels ont été détectés et corrigés :
+
+  ```bash
+  git -C /home/r-dev/malio-dev/Lesstime add frontend/pages/mail.vue frontend/components/mail/ frontend/composables/useSystemFolderLabel.ts
+  git -C /home/r-dev/malio-dev/Lesstime commit -m "fix(mail) : corrections post-test Phase 5 (TypeScript + rendu)"
+  ```
+
+---
+
+## Exigences techniques
+
+- `<script setup lang="ts">` partout — aucun `defineComponent`, aucun Options API
+- **4 espaces d'indentation** — convention Lesstime (cf. CLAUDE.md)
+- **Imports Pinia :** `const store = useMailStore()` puis `const { ... } = storeToRefs(store)` pour la réactivité des refs
+- **`v-html` uniquement** avec sortie de `sanitizeMailHtml()` — jamais avec `rawHtml` brut
+- **Images distantes :** toujours bloquées par défaut via `sanitizeMailHtml({ allowImages: false })` — toggle explicite par l'utilisateur
+- **Tailwind :** classes du design system observé dans les composants existants (`bg-primary-*`, `text-neutral-*`, `border-neutral-*`, `rounded-md`, spacing 3/4)
+- **Icons :** `<Icon name="material-symbols:..." />` — vérifier que les icônes existent sur [icones.js.org](https://icones.js.org/) (collection `material-symbols`)
+- **Date relative :** `Intl.RelativeTimeFormat` natif, locale `fr` — aucune dépendance externe
+- **DOMPurify :** import dans `utils/sanitizeMailHtml.ts` (déjà créé Phase 4) — ne pas reimporter DOMPurify directement dans les composants
+- **SSR :** le projet est SPA (Nuxt 4 SSR off), donc `sanitizeMailHtml` peut être appelé dans `computed` directement sans guard `import.meta.client`
+- **ROLE_CLIENT :** double protection — middleware global (`auth.global.ts`) + check explicite dans `pages/mail.vue`
+- **Format commits :** `feat(mail) : <message>` (espace avant `:`), 1 commit par composant/fichier
+
+---
+
+## Fichiers créés/modifiés — récapitulatif
+
+| Fichier | Type | Action |
+|---|---|---|
+| `frontend/pages/mail.vue` | Page Nuxt | Créer |
+| `frontend/components/mail/MailFolderTree.vue` | Composant Vue | Créer |
+| `frontend/components/mail/MailMessageList.vue` | Composant Vue | Créer |
+| `frontend/components/mail/MailMessageViewer.vue` | Composant Vue | Créer |
+| `frontend/components/mail/MailRefreshButton.vue` | Composant Vue | Créer |
+| `frontend/composables/useSystemFolderLabel.ts` | Composable | Créer |
+| `frontend/i18n/locales/fr.json` | i18n | Modifier (ajout bloc `mail`) |
+| `frontend/i18n/locales/en.json` | i18n | Modifier si fichier existe |
+
+**Fichiers Phase 4 utilisés (ne pas modifier) :**
+
+| Fichier | Utilisation dans Phase 5 |
+|---|---|
+| `frontend/stores/mail.ts` | `useMailStore()` — store central |
+| `frontend/services/mail.ts` | `useMailService().downloadAttachment()` dans `MailMessageViewer` |
+| `frontend/utils/sanitizeMailHtml.ts` | `sanitizeMailHtml()` dans `MailMessageViewer` |
+| `frontend/services/dto/mail.ts` | Types `MailFolderDto`, `MailMessageHeaderDto`, `MailMessageDetailDto` |
+
+---
+
+## Output attendu — critères d'acceptation Phase 5
+
+| Critère | Commande / vérification |
+|---|---|
+| TypeScript strict : 0 erreur | `cd frontend && npx tsc --noEmit` → sortie vide |
+| Page `/mail` accessible ROLE_USER | `http://localhost:3002/mail` avec `alice` → page visible |
+| ROLE_CLIENT redirigé `/portal` | Login avec `client-liot`, naviguer `/mail` → redirect `/portal` |
+| Pas d'XSS via body mail | Injecter `<script>alert(1)</script>` → aucune alerte |
+| Images distantes bloquées par défaut | Body avec `<img src="https://...">` → placeholder visible |
+| Infinite scroll fonctionnel | Scroll jusqu'en bas de la liste → chargement page suivante |
+| Deep-link `?messageId=X` | `http://localhost:3002/mail?messageId=42` → message 42 sélectionné |
+| Pas d'erreur console Vue | DevTools → onglet Console → aucune erreur rouge |
+
+La Phase 6 (Intégration tâches : MailCreateTaskModal, MailLinkTaskModal, onglet "Mails" TaskDrawer) peut commencer dès que tous ces critères sont satisfaits.
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase6-task-integration.md b/docs/superpowers/plans/2026-05-19-mail-phase6-task-integration.md
new file mode 100644
index 0000000..dbc79cc
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase6-task-integration.md
@@ -0,0 +1,1509 @@
+# Mail Integration — Phase 6 : Intégration Tâches
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Brancher l'intégration mail ↔ tâches : modal "Créer tâche depuis mail" (pré-remplie subject+body), modal "Lier mail à tâche existante" (autocomplete), nouvel onglet "Mails" dans `TaskModal.vue` listant les mails liés.
+
+**Architecture:** 3 nouveaux composants modals sous `components/mail/`, modification de `TaskModal.vue` pour ajouter un onglet `mails` à côté des onglets `details` et `planning` existants, branchement des handlers placeholders dans `pages/mail.vue`. Pas de nouveau backend (endpoints Phase 3 déjà en place).
+
+**Contexte codebase important :**
+- Il n'y a pas de `TaskDrawer.vue` — le composant principal est `TaskModal.vue` (`frontend/components/task/TaskModal.vue`), qui contient un système d'onglets `details` / `planning`.
+- `TaskModal.vue` est ouvert via `v-model: boolean` (prop `modelValue`) et reçoit la tâche complète via la prop `task: Task | null`.
+- Le service `useMailService()` expose déjà : `createTaskFromMail(mailId, input)`, `linkTask(mailId, taskId)`, `listMailsForTask(taskId)`.
+- `MailCreateTaskInput` est `{ projectId: number; taskGroupId?: number | null; priority?: string | null }` — le backend dérive titre/description du mail, le frontend passe uniquement les affectations.
+- `useProjectService().getAll()`, `useTaskGroupService().getByProject(projectId)`, `useTaskPriorityService().getAll()` sont les services de sélection.
+- Le projet est SPA (SSR off) — pas de guard `import.meta.client` nécessaire pour DOM.
+- Pattern modal existant : `<Teleport to="body">` + `<Transition>` + backdrop click pour fermer (voir `TaskModal.vue`).
+- `MalioSelect` requiert `{ label: string, value: number | null }` — utiliser `<select>` natif pour les enums string (ex: priority qui est une string).
+
+**Tech Stack:** Nuxt 4, Vue 3 Composition API + `<script setup lang="ts">`, Pinia, @malio/layer-ui (MalioButton, MalioButtonIcon, MalioSelect), Tailwind CSS, @nuxt/icon.
+
+**Branche cible :** `feat/mail-integration` (vérifier qu'elle est active avant de commencer).
+
+**Fichiers créés/modifiés par le codeur :**
+
+| Fichier | Action |
+|---|---|
+| `frontend/components/mail/MailCreateTaskModal.vue` | Créer |
+| `frontend/components/mail/MailLinkTaskModal.vue` | Créer |
+| `frontend/components/mail/MailPickerModal.vue` | Créer |
+| `frontend/components/task/TaskModal.vue` | Modifier (ajout onglet `mails`) |
+| `frontend/pages/mail.vue` | Modifier (brancher handlers placeholders) |
+| `frontend/i18n/locales/fr.json` | Modifier (ajout sous-clés `mail.createTaskModal`, `mail.linkTaskModal`, `mail.pickerModal`, `mail.taskTab`) |
+| `frontend/i18n/locales/en.json` | Modifier si le fichier existe |
+
+---
+
+### Task 1 : Vérification de l'environnement
+
+- [ ] **Step 1 : Vérifier la branche active**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime branch --show-current
+    ```
+
+    Attendu : `feat/mail-integration`. Si non :
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime checkout feat/mail-integration
+    ```
+
+- [ ] **Step 2 : Vérifier que les fichiers Phase 5 existent**
+
+    ```bash
+    ls -la /home/r-dev/malio-dev/Lesstime/frontend/pages/mail.vue \
+           /home/r-dev/malio-dev/Lesstime/frontend/components/mail/MailMessageViewer.vue \
+           /home/r-dev/malio-dev/Lesstime/frontend/services/mail.ts \
+           /home/r-dev/malio-dev/Lesstime/frontend/services/dto/mail.ts
+    ```
+
+    Attendu : les 4 fichiers présents. Si absents, implémenter Phase 5 d'abord.
+
+- [ ] **Step 3 : Vérifier le baseline TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | head -30
+    ```
+
+    Noter les erreurs existantes (si any) pour les distinguer des erreurs Phase 6.
+
+---
+
+### Task 2 : Clés i18n Phase 6 — `frontend/i18n/locales/fr.json`
+
+Ajouter les sous-clés dans le bloc `mail` existant (après la clé `task` déjà présente en Phase 5).
+
+- [ ] **Step 1 : Ajouter les sous-clés dans `fr.json`**
+
+    Dans le bloc `"mail": { ... }`, ajouter après `"task": { ... }` :
+
+    ```json
+    "createTaskModal": {
+        "title": "Créer une tâche depuis ce mail",
+        "submit": "Créer la tâche",
+        "projectLabel": "Projet *",
+        "projectPlaceholder": "Sélectionner un projet",
+        "groupLabel": "Groupe (optionnel)",
+        "groupPlaceholder": "Aucun groupe",
+        "priorityLabel": "Priorité (optionnelle)",
+        "priorityPlaceholder": "Aucune priorité",
+        "titleHint": "Le titre sera rempli depuis le sujet du mail.",
+        "descriptionHint": "La description sera remplie depuis le corps du mail."
+    },
+    "linkTaskModal": {
+        "title": "Lier à une tâche existante",
+        "submit": "Lier la tâche",
+        "searchPlaceholder": "Rechercher une tâche par titre…",
+        "projectFilter": "Filtrer par projet",
+        "projectAll": "Tous les projets",
+        "empty": "Aucune tâche correspondante.",
+        "loading": "Recherche en cours…"
+    },
+    "pickerModal": {
+        "title": "Lier un mail à cette tâche",
+        "searchPlaceholder": "Rechercher un mail (sujet, expéditeur)…",
+        "empty": "Aucun mail correspondant.",
+        "loading": "Chargement des mails…",
+        "submit": "Lier ce mail"
+    },
+    "taskTab": {
+        "title": "Mails",
+        "empty": "Aucun mail lié à cette tâche.",
+        "linkButton": "Lier un mail",
+        "openInMailer": "Ouvrir dans la messagerie",
+        "unlinkConfirm": "Délier ce mail ?"
+    }
+    ```
+
+- [ ] **Step 2 : Si `en.json` existe, ajouter les traductions anglaises**
+
+    ```bash
+    ls /home/r-dev/malio-dev/Lesstime/frontend/i18n/locales/
+    ```
+
+    Si `en.json` existe, ajouter dans le bloc `"mail"` :
+
+    ```json
+    "createTaskModal": {
+        "title": "Create a task from this mail",
+        "submit": "Create task",
+        "projectLabel": "Project *",
+        "projectPlaceholder": "Select a project",
+        "groupLabel": "Group (optional)",
+        "groupPlaceholder": "No group",
+        "priorityLabel": "Priority (optional)",
+        "priorityPlaceholder": "No priority",
+        "titleHint": "Title will be filled from the mail subject.",
+        "descriptionHint": "Description will be filled from the mail body."
+    },
+    "linkTaskModal": {
+        "title": "Link to an existing task",
+        "submit": "Link task",
+        "searchPlaceholder": "Search a task by title…",
+        "projectFilter": "Filter by project",
+        "projectAll": "All projects",
+        "empty": "No matching task.",
+        "loading": "Searching…"
+    },
+    "pickerModal": {
+        "title": "Link a mail to this task",
+        "searchPlaceholder": "Search a mail (subject, sender)…",
+        "empty": "No matching mail.",
+        "loading": "Loading mails…",
+        "submit": "Link this mail"
+    },
+    "taskTab": {
+        "title": "Mails",
+        "empty": "No mail linked to this task.",
+        "linkButton": "Link a mail",
+        "openInMailer": "Open in mailer",
+        "unlinkConfirm": "Unlink this mail?"
+    }
+    ```
+
+- [ ] **Step 3 : Valider la syntaxe JSON**
+
+    ```bash
+    node -e "JSON.parse(require('fs').readFileSync('/home/r-dev/malio-dev/Lesstime/frontend/i18n/locales/fr.json', 'utf8')); console.log('JSON OK')"
+    ```
+
+    Attendu : `JSON OK`. Corriger la virgule manquante si erreur.
+
+- [ ] **Step 4 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/i18n/locales/fr.json frontend/i18n/locales/en.json 2>/dev/null; true
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : clés i18n Phase 6 — createTaskModal, linkTaskModal, pickerModal, taskTab"
+    ```
+
+---
+
+### Task 3 : Composant `MailCreateTaskModal.vue`
+
+Modal pour créer une tâche depuis un mail. Le backend (`POST /api/mail/messages/{id}/create-task`) dérive automatiquement le titre (subject) et la description (body plain text) — le frontend passe uniquement l'affectation (projet, groupe, priorité).
+
+Le composant charge les projets au `onMounted`, puis charge les groupes quand le projet est sélectionné, et les priorités une seule fois. La priorité est une string (en IRI ou slug selon le backend) — utiliser `<select>` natif (pas `MalioSelect`) car les values sont des strings ou null.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailCreateTaskModal.vue`**
+
+    ```vue
+    <script setup lang="ts">
+    import type { MailMessageDetailDto } from '~/services/dto/mail'
+    import type { Task } from '~/services/dto/task'
+    import type { Project } from '~/services/dto/project'
+    import type { TaskGroup } from '~/services/dto/task-group'
+    import type { TaskPriority } from '~/services/dto/task-priority'
+    import { useMailService } from '~/services/mail'
+    import { useProjectService } from '~/services/projects'
+    import { useTaskGroupService } from '~/services/task-groups'
+    import { useTaskPriorityService } from '~/services/task-priorities'
+
+    const props = defineProps<{
+        /** v-model: true = modal ouvert */
+        modelValue: boolean
+        /** ID BDD du message source */
+        messageId: number
+        /** Détail du message (pour afficher sujet/expéditeur en lecture seule) */
+        messageDetail: MailMessageDetailDto | null
+    }>()
+
+    const emit = defineEmits<{
+        'update:modelValue': [value: boolean]
+        /** Émis après création réussie — payload = tâche créée */
+        created: [task: Task]
+    }>()
+
+    const { t } = useI18n()
+    const mailService = useMailService()
+    const projectService = useProjectService()
+    const taskGroupService = useTaskGroupService()
+    const priorityService = useTaskPriorityService()
+
+    // ─── État formulaire ──────────────────────────────────────────────────────
+
+    const projectId = ref<number | null>(null)
+    const taskGroupId = ref<number | null>(null)
+    const priorityId = ref<number | null>(null)
+    const isSubmitting = ref(false)
+    const touchedProject = ref(false)
+
+    // ─── Données de référence ─────────────────────────────────────────────────
+
+    const projects = ref<Project[]>([])
+    const groups = ref<TaskGroup[]>([])
+    const priorities = ref<TaskPriority[]>([])
+    const loadingGroups = ref(false)
+
+    const projectOptions = computed(() =>
+        projects.value.map(p => ({ label: p.name, value: p.id }))
+    )
+
+    const groupOptions = computed(() => [
+        { label: t('mail.createTaskModal.groupPlaceholder'), value: null },
+        ...groups.value.filter(g => !g.archived).map(g => ({ label: g.title, value: g.id })),
+    ])
+
+    // ─── Chargement initial ───────────────────────────────────────────────────
+
+    onMounted(async () => {
+        const [projs, prios] = await Promise.all([
+            projectService.getAll({ archived: false }),
+            priorityService.getAll(),
+        ])
+        projects.value = projs
+        priorities.value = prios
+    })
+
+    // Recharger les groupes quand le projet change
+    watch(projectId, async (pid) => {
+        taskGroupId.value = null
+        groups.value = []
+        if (!pid) return
+        loadingGroups.value = true
+        try {
+            groups.value = await taskGroupService.getByProject(pid)
+        } finally {
+            loadingGroups.value = false
+        }
+    })
+
+    // Reset formulaire à l'ouverture
+    watch(() => props.modelValue, (open) => {
+        if (open) {
+            projectId.value = null
+            taskGroupId.value = null
+            priorityId.value = null
+            touchedProject.value = false
+        }
+    })
+
+    // ─── Actions ──────────────────────────────────────────────────────────────
+
+    function close(): void {
+        emit('update:modelValue', false)
+    }
+
+    async function handleSubmit(): Promise<void> {
+        touchedProject.value = true
+        if (!projectId.value) return
+
+        isSubmitting.value = true
+        try {
+            const task = await mailService.createTaskFromMail(props.messageId, {
+                projectId: projectId.value,
+                taskGroupId: taskGroupId.value ?? undefined,
+                priority: priorityId.value ? `/api/task_priorities/${priorityId.value}` : undefined,
+            })
+            emit('created', task)
+            close()
+        } finally {
+            isSubmitting.value = false
+        }
+    }
+    </script>
+
+    <template>
+        <Teleport v-if="modelValue" to="body">
+            <Transition name="mail-modal" appear>
+                <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                    <!-- Backdrop -->
+                    <div
+                        class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                        @click="close"
+                    />
+
+                    <!-- Modal -->
+                    <div
+                        class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                        style="max-height: min(90vh, 640px)"
+                    >
+                        <!-- Header -->
+                        <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                            <h2 class="text-base font-bold text-neutral-900">
+                                {{ t('mail.createTaskModal.title') }}
+                            </h2>
+                            <MalioButtonIcon
+                                icon="mdi:close"
+                                aria-label="Fermer"
+                                variant="ghost"
+                                icon-size="20"
+                                @click="close"
+                            />
+                        </div>
+
+                        <!-- Corps -->
+                        <div class="overflow-y-auto px-6 py-5 space-y-5">
+                            <!-- Info mail source (lecture seule) -->
+                            <div
+                                v-if="messageDetail"
+                                class="rounded-lg border border-neutral-200 bg-neutral-50 px-4 py-3 text-sm"
+                            >
+                                <p class="font-medium text-neutral-800 truncate">
+                                    {{ messageDetail.header.subject ?? t('mail.noSubject') }}
+                                </p>
+                                <p class="mt-0.5 text-xs text-neutral-500 truncate">
+                                    {{ messageDetail.header.fromName ?? messageDetail.header.fromEmail }}
+                                </p>
+                                <p class="mt-2 text-xs text-neutral-400 italic">
+                                    {{ t('mail.createTaskModal.titleHint') }}
+                                </p>
+                                <p class="text-xs text-neutral-400 italic">
+                                    {{ t('mail.createTaskModal.descriptionHint') }}
+                                </p>
+                            </div>
+
+                            <!-- Sélection projet -->
+                            <div>
+                                <MalioSelect
+                                    v-model="projectId"
+                                    :options="projectOptions"
+                                    :label="t('mail.createTaskModal.projectLabel')"
+                                    :empty-option-label="t('mail.createTaskModal.projectPlaceholder')"
+                                    min-width="w-full"
+                                />
+                                <p
+                                    v-if="touchedProject && !projectId"
+                                    class="mt-1 text-xs text-red-500"
+                                >
+                                    {{ t('mail.createTaskModal.projectLabel').replace(' *', '') }} requis
+                                </p>
+                            </div>
+
+                            <!-- Sélection groupe (optionnel, chargé après projet) -->
+                            <div v-if="projectId">
+                                <MalioSelect
+                                    v-model="taskGroupId"
+                                    :options="groupOptions"
+                                    :label="t('mail.createTaskModal.groupLabel')"
+                                    :empty-option-label="t('mail.createTaskModal.groupPlaceholder')"
+                                    min-width="w-full"
+                                    :disabled="loadingGroups"
+                                />
+                            </div>
+
+                            <!-- Sélection priorité (optionnelle) — MalioSelect car les values sont number | null -->
+                            <div>
+                                <MalioSelect
+                                    v-model="priorityId"
+                                    :options="[
+                                        { label: t('mail.createTaskModal.priorityPlaceholder'), value: null },
+                                        ...priorities.map(p => ({ label: p.label, value: p.id }))
+                                    ]"
+                                    :label="t('mail.createTaskModal.priorityLabel')"
+                                    :empty-option-label="t('mail.createTaskModal.priorityPlaceholder')"
+                                    min-width="w-full"
+                                />
+                            </div>
+                        </div>
+
+                        <!-- Footer -->
+                        <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                            <MalioButton
+                                variant="tertiary"
+                                label="Annuler"
+                                button-class="w-auto px-4"
+                                @click="close"
+                            />
+                            <MalioButton
+                                :label="t('mail.createTaskModal.submit')"
+                                button-class="w-auto px-6"
+                                :disabled="isSubmitting"
+                                @click="handleSubmit"
+                            />
+                        </div>
+                    </div>
+                </div>
+            </Transition>
+        </Teleport>
+    </template>
+
+    <style scoped>
+    .mail-modal-enter-active,
+    .mail-modal-leave-active {
+        transition: opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-active > div:last-child,
+    .mail-modal-leave-active > div:last-child {
+        transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-from,
+    .mail-modal-leave-to {
+        opacity: 0;
+    }
+
+    .mail-modal-enter-from > div:last-child {
+        transform: scale(0.95) translateY(8px);
+        opacity: 0;
+    }
+    </style>
+    ```
+
+    Points clés :
+    - La priorité passe en IRI `/api/task_priorities/{id}` dans le payload — conforme au pattern `TaskModal.vue`.
+    - `taskGroupId: undefined` (pas `null`) si non sélectionné, pour que le backend ignore le champ (le type `MailCreateTaskInput` le déclare optionnel).
+    - Le backdrop click ferme la modal (même pattern que `TaskModal.vue`).
+    - Le composant ne pré-remplit PAS le titre/description : c'est le backend qui le fait depuis le mail, le frontend ne gère que les affectations.
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "MailCreateTaskModal" | head -10
+    ```
+
+    Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailCreateTaskModal.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailCreateTaskModal — picker projet/groupe/priorité, appel createTaskFromMail"
+    ```
+
+---
+
+### Task 4 : Composant `MailLinkTaskModal.vue`
+
+Modal pour lier un mail à une tâche existante. Autocomplete en input + dropdown filtré. Debounce 300ms sur la recherche. Filtre optionnel par projet. Statut archivé exclu (paramètre `archived: false`).
+
+Le service `useTaskService().getFiltered()` accepte des params libres — utiliser `{ title: searchTerm, archived: false }` + éventuellement `project: '/api/projects/{id}'`.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailLinkTaskModal.vue`**
+
+    ```vue
+    <script setup lang="ts">
+    import type { Task } from '~/services/dto/task'
+    import type { Project } from '~/services/dto/project'
+    import { useMailService } from '~/services/mail'
+    import { useTaskService } from '~/services/tasks'
+    import { useProjectService } from '~/services/projects'
+
+    const props = defineProps<{
+        modelValue: boolean
+        /** ID BDD du message à lier */
+        messageId: number
+    }>()
+
+    const emit = defineEmits<{
+        'update:modelValue': [value: boolean]
+        /** Émis après liaison réussie — payload = id de la tâche liée */
+        linked: [taskId: number]
+    }>()
+
+    const { t } = useI18n()
+    const mailService = useMailService()
+    const taskService = useTaskService()
+    const projectService = useProjectService()
+
+    // ─── État recherche ───────────────────────────────────────────────────────
+
+    const searchQuery = ref('')
+    const filterProjectId = ref<number | null>(null)
+    const results = ref<Task[]>([])
+    const selectedTask = ref<Task | null>(null)
+    const isLoading = ref(false)
+    const isSubmitting = ref(false)
+
+    // ─── Projets pour le filtre ───────────────────────────────────────────────
+
+    const projects = ref<Project[]>([])
+
+    const projectFilterOptions = computed(() => [
+        { label: t('mail.linkTaskModal.projectAll'), value: null },
+        ...projects.value.map(p => ({ label: p.name, value: p.id })),
+    ])
+
+    onMounted(async () => {
+        projects.value = await projectService.getAll({ archived: false })
+    })
+
+    // ─── Debounce recherche ───────────────────────────────────────────────────
+
+    let debounceTimer: ReturnType<typeof setTimeout> | null = null
+
+    watch([searchQuery, filterProjectId], () => {
+        selectedTask.value = null
+        if (debounceTimer) clearTimeout(debounceTimer)
+        debounceTimer = setTimeout(() => {
+            void runSearch()
+        }, 300)
+    })
+
+    async function runSearch(): Promise<void> {
+        const q = searchQuery.value.trim()
+        if (!q && !filterProjectId.value) {
+            results.value = []
+            return
+        }
+        isLoading.value = true
+        try {
+            const params: Record<string, string | number | boolean | string[]> = {
+                archived: false,
+            }
+            if (q) params['title'] = q
+            if (filterProjectId.value) params['project'] = `/api/projects/${filterProjectId.value}`
+            results.value = await taskService.getFiltered(params)
+        } finally {
+            isLoading.value = false
+        }
+    }
+
+    // ─── Reset à l'ouverture ──────────────────────────────────────────────────
+
+    watch(() => props.modelValue, (open) => {
+        if (open) {
+            searchQuery.value = ''
+            filterProjectId.value = null
+            results.value = []
+            selectedTask.value = null
+        }
+    })
+
+    onBeforeUnmount(() => {
+        if (debounceTimer) clearTimeout(debounceTimer)
+    })
+
+    // ─── Actions ──────────────────────────────────────────────────────────────
+
+    function close(): void {
+        emit('update:modelValue', false)
+    }
+
+    function selectTask(task: Task): void {
+        selectedTask.value = task
+    }
+
+    async function handleSubmit(): Promise<void> {
+        if (!selectedTask.value) return
+        isSubmitting.value = true
+        try {
+            await mailService.linkTask(props.messageId, selectedTask.value.id)
+            emit('linked', selectedTask.value.id)
+            close()
+        } finally {
+            isSubmitting.value = false
+        }
+    }
+    </script>
+
+    <template>
+        <Teleport v-if="modelValue" to="body">
+            <Transition name="mail-modal" appear>
+                <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                    <div
+                        class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                        @click="close"
+                    />
+
+                    <div
+                        class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                        style="max-height: min(90vh, 640px)"
+                    >
+                        <!-- Header -->
+                        <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                            <h2 class="text-base font-bold text-neutral-900">
+                                {{ t('mail.linkTaskModal.title') }}
+                            </h2>
+                            <MalioButtonIcon
+                                icon="mdi:close"
+                                aria-label="Fermer"
+                                variant="ghost"
+                                icon-size="20"
+                                @click="close"
+                            />
+                        </div>
+
+                        <!-- Corps -->
+                        <div class="overflow-y-auto px-6 py-5 space-y-4">
+                            <!-- Filtre projet -->
+                            <MalioSelect
+                                v-model="filterProjectId"
+                                :options="projectFilterOptions"
+                                :label="t('mail.linkTaskModal.projectFilter')"
+                                :empty-option-label="t('mail.linkTaskModal.projectAll')"
+                                min-width="w-full"
+                            />
+
+                            <!-- Recherche tâche -->
+                            <div>
+                                <label class="mb-1 block text-sm font-medium text-neutral-700">
+                                    {{ t('mail.linkTaskModal.title') }}
+                                </label>
+                                <input
+                                    v-model="searchQuery"
+                                    type="text"
+                                    :placeholder="t('mail.linkTaskModal.searchPlaceholder')"
+                                    class="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                                />
+                            </div>
+
+                            <!-- Résultats -->
+                            <div class="max-h-64 overflow-y-auto rounded-md border border-neutral-200">
+                                <!-- Chargement -->
+                                <div
+                                    v-if="isLoading"
+                                    class="flex items-center justify-center py-6 text-sm text-neutral-400"
+                                >
+                                    <Icon name="material-symbols:progress-activity" size="18" class="mr-2 animate-spin" />
+                                    {{ t('mail.linkTaskModal.loading') }}
+                                </div>
+
+                                <!-- Vide -->
+                                <div
+                                    v-else-if="!isLoading && results.length === 0 && (searchQuery.trim() || filterProjectId)"
+                                    class="py-6 text-center text-sm text-neutral-400 italic"
+                                >
+                                    {{ t('mail.linkTaskModal.empty') }}
+                                </div>
+
+                                <!-- Liste résultats -->
+                                <button
+                                    v-for="task in results"
+                                    :key="task.id"
+                                    type="button"
+                                    class="flex w-full items-start gap-3 px-4 py-3 text-left text-sm transition-colors hover:bg-neutral-50"
+                                    :class="selectedTask?.id === task.id
+                                        ? 'bg-primary-50 border-l-2 border-primary-500'
+                                        : 'border-l-2 border-transparent'"
+                                    @click="selectTask(task)"
+                                >
+                                    <Icon
+                                        name="material-symbols:task-outline"
+                                        size="16"
+                                        class="mt-0.5 flex-shrink-0 text-neutral-400"
+                                    />
+                                    <div class="min-w-0 flex-1">
+                                        <p class="truncate font-medium text-neutral-800">
+                                            {{ task.title }}
+                                        </p>
+                                        <p
+                                            v-if="task.project"
+                                            class="truncate text-xs text-neutral-500"
+                                        >
+                                            {{ task.project.name }}
+                                            <span v-if="task.project.code && task.number">
+                                                — {{ task.project.code }}-{{ task.number }}
+                                            </span>
+                                        </p>
+                                    </div>
+                                    <Icon
+                                        v-if="selectedTask?.id === task.id"
+                                        name="material-symbols:check-circle"
+                                        size="16"
+                                        class="flex-shrink-0 text-primary-500"
+                                    />
+                                </button>
+                            </div>
+                        </div>
+
+                        <!-- Footer -->
+                        <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                            <MalioButton
+                                variant="tertiary"
+                                label="Annuler"
+                                button-class="w-auto px-4"
+                                @click="close"
+                            />
+                            <MalioButton
+                                :label="t('mail.linkTaskModal.submit')"
+                                button-class="w-auto px-6"
+                                :disabled="!selectedTask || isSubmitting"
+                                @click="handleSubmit"
+                            />
+                        </div>
+                    </div>
+                </div>
+            </Transition>
+        </Teleport>
+    </template>
+
+    <style scoped>
+    .mail-modal-enter-active,
+    .mail-modal-leave-active {
+        transition: opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-active > div:last-child,
+    .mail-modal-leave-active > div:last-child {
+        transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-from,
+    .mail-modal-leave-to {
+        opacity: 0;
+    }
+
+    .mail-modal-enter-from > div:last-child {
+        transform: scale(0.95) translateY(8px);
+        opacity: 0;
+    }
+    </style>
+    ```
+
+    Points clés :
+    - Debounce 300ms — le timer est nettoyé dans `onBeforeUnmount` pour éviter les fuites.
+    - Sélection mono-tâche (click toggle sélection visuelle, un seul peut être sélectionné à la fois).
+    - Le bouton "Lier" est désactivé si aucune tâche sélectionnée ou si soumission en cours.
+    - La recherche ne se déclenche PAS si query vide ET pas de filtre projet (évite de charger toutes les tâches au montage).
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "MailLinkTaskModal" | head -10
+    ```
+
+    Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailLinkTaskModal.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailLinkTaskModal — autocomplete tâches, filtre projet, debounce 300ms"
+    ```
+
+---
+
+### Task 5 : Composant `MailPickerModal.vue`
+
+Modal utilisé depuis l'onglet "Mails" de `TaskModal.vue` pour lier un mail existant à la tâche ouverte. Charge les messages récents depuis le dossier INBOX (ou le dernier dossier sélectionné dans le store), affiche une liste filtrable, appelle `mailService.linkTask(messageId, taskId)`.
+
+- [ ] **Step 1 : Créer `frontend/components/mail/MailPickerModal.vue`**
+
+    ```vue
+    <script setup lang="ts">
+    import type { MailMessageHeaderDto } from '~/services/dto/mail'
+    import { useMailService } from '~/services/mail'
+    import { useMailStore } from '~/stores/mail'
+
+    const props = defineProps<{
+        modelValue: boolean
+        /** ID de la tâche cible (destinataire du lien) */
+        taskId: number
+    }>()
+
+    const emit = defineEmits<{
+        'update:modelValue': [value: boolean]
+        /** Émis après liaison réussie — payload = id du message lié */
+        linked: [messageId: number]
+    }>()
+
+    const { t } = useI18n()
+    const mailService = useMailService()
+    const mailStore = useMailStore()
+
+    // ─── État ─────────────────────────────────────────────────────────────────
+
+    const searchQuery = ref('')
+    const allMessages = ref<MailMessageHeaderDto[]>([])
+    const selectedMessage = ref<MailMessageHeaderDto | null>(null)
+    const isLoading = ref(false)
+    const isSubmitting = ref(false)
+
+    // ─── Filtrage local (pas d'appel API par frappe — les messages sont déjà chargés) ──
+
+    const filteredMessages = computed(() => {
+        const q = searchQuery.value.toLowerCase().trim()
+        if (!q) return allMessages.value
+        return allMessages.value.filter(
+            (m) =>
+                (m.subject ?? '').toLowerCase().includes(q) ||
+                (m.fromName ?? '').toLowerCase().includes(q) ||
+                (m.fromEmail ?? '').toLowerCase().includes(q),
+        )
+    })
+
+    // ─── Chargement à l'ouverture ─────────────────────────────────────────────
+
+    watch(() => props.modelValue, async (open) => {
+        if (!open) return
+        searchQuery.value = ''
+        selectedMessage.value = null
+        isLoading.value = true
+        try {
+            // Utiliser les messages déjà dans le store si disponibles (dossier courant)
+            // Sinon charger depuis INBOX
+            const folderPath = mailStore.selectedFolderPath ?? 'INBOX'
+            const page = await mailService.listMessages(folderPath, undefined, 50)
+            allMessages.value = page.items
+        } finally {
+            isLoading.value = false
+        }
+    })
+
+    // ─── Actions ──────────────────────────────────────────────────────────────
+
+    function close(): void {
+        emit('update:modelValue', false)
+    }
+
+    function selectMessage(msg: MailMessageHeaderDto): void {
+        selectedMessage.value = msg
+    }
+
+    async function handleSubmit(): Promise<void> {
+        if (!selectedMessage.value) return
+        isSubmitting.value = true
+        try {
+            await mailService.linkTask(selectedMessage.value.id, props.taskId)
+            emit('linked', selectedMessage.value.id)
+            close()
+        } finally {
+            isSubmitting.value = false
+        }
+    }
+
+    // ─── Formatage ────────────────────────────────────────────────────────────
+
+    function formatDate(iso: string | null): string {
+        if (!iso) return ''
+        return new Date(iso).toLocaleDateString('fr', {
+            day: '2-digit',
+            month: 'short',
+            year: 'numeric',
+        })
+    }
+    </script>
+
+    <template>
+        <Teleport v-if="modelValue" to="body">
+            <Transition name="mail-modal" appear>
+                <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                    <div
+                        class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                        @click="close"
+                    />
+
+                    <div
+                        class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                        style="max-height: min(90vh, 640px)"
+                    >
+                        <!-- Header -->
+                        <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                            <h2 class="text-base font-bold text-neutral-900">
+                                {{ t('mail.pickerModal.title') }}
+                            </h2>
+                            <MalioButtonIcon
+                                icon="mdi:close"
+                                aria-label="Fermer"
+                                variant="ghost"
+                                icon-size="20"
+                                @click="close"
+                            />
+                        </div>
+
+                        <!-- Corps -->
+                        <div class="overflow-y-auto px-6 py-5 space-y-4">
+                            <!-- Recherche locale -->
+                            <input
+                                v-model="searchQuery"
+                                type="text"
+                                :placeholder="t('mail.pickerModal.searchPlaceholder')"
+                                class="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                            />
+
+                            <!-- Résultats -->
+                            <div class="max-h-80 overflow-y-auto rounded-md border border-neutral-200 divide-y divide-neutral-100">
+                                <!-- Chargement -->
+                                <div
+                                    v-if="isLoading"
+                                    class="flex items-center justify-center py-8 text-sm text-neutral-400"
+                                >
+                                    <Icon name="material-symbols:progress-activity" size="18" class="mr-2 animate-spin" />
+                                    {{ t('mail.pickerModal.loading') }}
+                                </div>
+
+                                <!-- Vide -->
+                                <div
+                                    v-else-if="filteredMessages.length === 0"
+                                    class="py-8 text-center text-sm text-neutral-400 italic"
+                                >
+                                    {{ t('mail.pickerModal.empty') }}
+                                </div>
+
+                                <!-- Liste -->
+                                <button
+                                    v-for="msg in filteredMessages"
+                                    :key="msg.id"
+                                    type="button"
+                                    class="flex w-full items-start gap-3 px-4 py-3 text-left text-sm transition-colors hover:bg-neutral-50"
+                                    :class="selectedMessage?.id === msg.id
+                                        ? 'bg-primary-50 border-l-2 border-primary-500'
+                                        : 'border-l-2 border-transparent'"
+                                    @click="selectMessage(msg)"
+                                >
+                                    <Icon
+                                        name="material-symbols:mail-outline"
+                                        size="16"
+                                        class="mt-0.5 flex-shrink-0 text-neutral-400"
+                                    />
+                                    <div class="min-w-0 flex-1">
+                                        <p class="truncate font-medium text-neutral-800">
+                                            {{ msg.subject ?? t('mail.noSubject') }}
+                                        </p>
+                                        <p class="flex items-center gap-2 text-xs text-neutral-500">
+                                            <span class="truncate">{{ msg.fromName ?? msg.fromEmail }}</span>
+                                            <span class="flex-shrink-0">·</span>
+                                            <span class="flex-shrink-0">{{ formatDate(msg.sentAt ?? msg.receivedAt) }}</span>
+                                        </p>
+                                    </div>
+                                    <Icon
+                                        v-if="selectedMessage?.id === msg.id"
+                                        name="material-symbols:check-circle"
+                                        size="16"
+                                        class="flex-shrink-0 text-primary-500"
+                                    />
+                                </button>
+                            </div>
+                        </div>
+
+                        <!-- Footer -->
+                        <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                            <MalioButton
+                                variant="tertiary"
+                                label="Annuler"
+                                button-class="w-auto px-4"
+                                @click="close"
+                            />
+                            <MalioButton
+                                :label="t('mail.pickerModal.submit')"
+                                button-class="w-auto px-6"
+                                :disabled="!selectedMessage || isSubmitting"
+                                @click="handleSubmit"
+                            />
+                        </div>
+                    </div>
+                </div>
+            </Transition>
+        </Teleport>
+    </template>
+
+    <style scoped>
+    .mail-modal-enter-active,
+    .mail-modal-leave-active {
+        transition: opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-active > div:last-child,
+    .mail-modal-leave-active > div:last-child {
+        transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+    }
+
+    .mail-modal-enter-from,
+    .mail-modal-leave-to {
+        opacity: 0;
+    }
+
+    .mail-modal-enter-from > div:last-child {
+        transform: scale(0.95) translateY(8px);
+        opacity: 0;
+    }
+    </style>
+    ```
+
+    Points clés :
+    - Le filtrage est **local** (sur les 50 messages chargés) — pas de debounce nécessaire, réactif instantané.
+    - La note sur `linkTask(messageId, taskId)` : l'ordre des arguments est `(mailId, taskId)` dans `useMailService`. Ici on passe `selectedMessage.value.id` (mailId) et `props.taskId`.
+    - Utilise `mailStore.selectedFolderPath` pour charger depuis le dossier courant (meilleure UX si l'utilisateur vient de la page mail). Fallback sur `INBOX`.
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "MailPickerModal" | head -10
+    ```
+
+    Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/components/mail/MailPickerModal.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : MailPickerModal — sélection mail depuis dossier courant, liaison taskId"
+    ```
+
+---
+
+### Task 6 : Onglet "Mails" dans `TaskModal.vue`
+
+Ajouter un troisième onglet `mails` dans `TaskModal.vue`. Cet onglet est visible uniquement pour les utilisateurs non-ROLE_CLIENT (check `authStore.user?.roles`). Il charge les mails liés via `mailService.listMailsForTask(task.id)` à l'ouverture de l'onglet, affiche une liste compacte cliquable, propose un bouton "Lier un mail" qui ouvre `MailPickerModal`.
+
+**Important :** `TaskModal.vue` est un composant lourd. Modifier avec précision — ne pas altérer les onglets `details` et `planning` existants.
+
+- [ ] **Step 1 : Lire le fichier actuel pour localiser les points de modification**
+
+    Lire `frontend/components/task/TaskModal.vue` pour identifier :
+    1. La ligne `const activeTab = ref<'details' | 'planning'>('details')` — à étendre au type union.
+    2. La nav `<nav class="flex gap-6">` et sa boucle `v-for="tab in ['details', 'planning']"` — à étendre.
+    3. La section `<div v-show="activeTab === 'planning'">` — après laquelle insérer l'onglet mails.
+
+- [ ] **Step 2 : Modifier le type `activeTab` et ajouter les imports**
+
+    Dans la section `<script setup lang="ts">` (après le bloc de la section `<template>`), modifier la ligne :
+
+    ```typescript
+    const activeTab = ref<'details' | 'planning'>('details')
+    ```
+
+    en :
+
+    ```typescript
+    const activeTab = ref<'details' | 'planning' | 'mails'>('details')
+    ```
+
+    Ajouter les imports nécessaires (après les imports existants) :
+
+    ```typescript
+    import { useMailService } from '~/services/mail'
+    import type { MailMessageHeaderDto } from '~/services/dto/mail'
+    ```
+
+    Ajouter les variables d'état pour l'onglet mails (après `const activeTab = ref<...>`) :
+
+    ```typescript
+    const mailService = useMailService()
+    const linkedMails = ref<MailMessageHeaderDto[]>([])
+    const mailsLoading = ref(false)
+    const showMailPickerModal = ref(false)
+
+    const isMailUser = computed(() =>
+        !(authStore.user?.roles?.includes('ROLE_CLIENT') === true
+        && authStore.user?.roles?.includes('ROLE_ADMIN') !== true)
+    )
+    ```
+
+    Ajouter la fonction de chargement des mails :
+
+    ```typescript
+    async function loadLinkedMails(): Promise<void> {
+        if (!props.task || !isMailUser.value) return
+        mailsLoading.value = true
+        try {
+            linkedMails.value = await mailService.listMailsForTask(props.task.id)
+        } catch {
+            linkedMails.value = []
+        } finally {
+            mailsLoading.value = false
+        }
+    }
+    ```
+
+    Étendre le watcher existant `watch(() => props.modelValue, ...)` pour charger les mails quand l'onglet mails est actif, OU ajouter un watcher sur `activeTab` :
+
+    ```typescript
+    watch(activeTab, async (tab) => {
+        if (tab === 'mails' && props.task) {
+            await loadLinkedMails()
+        }
+    })
+    ```
+
+    Ajouter le handler de liaison réussie (appelé par `MailPickerModal`) :
+
+    ```typescript
+    async function handleMailLinked(): Promise<void> {
+        showMailPickerModal.value = false
+        await loadLinkedMails()
+    }
+    ```
+
+    Ajouter la fonction de formatage de date (utilisée dans l'onglet) :
+
+    ```typescript
+    function formatMailDate(iso: string | null): string {
+        if (!iso) return ''
+        return new Date(iso).toLocaleDateString('fr', {
+            day: '2-digit',
+            month: 'short',
+        })
+    }
+    ```
+
+- [ ] **Step 3 : Modifier le template — nav des onglets**
+
+    Remplacer la boucle d'onglets :
+
+    ```html
+    <button
+        v-for="tab in ['details', 'planning']"
+        :key="tab"
+        type="button"
+        class="px-1 pb-3 text-sm font-semibold transition"
+        :class="activeTab === tab
+            ? 'border-b-2 border-primary-500 text-primary-500'
+            : 'text-neutral-500 hover:text-neutral-700'"
+        @click="activeTab = tab as 'details' | 'planning'"
+    >
+        {{ $t(`tasks.${tab}Tab`) }}
+    </button>
+    ```
+
+    par :
+
+    ```html
+    <button
+        v-for="tab in availableTabs"
+        :key="tab"
+        type="button"
+        class="px-1 pb-3 text-sm font-semibold transition"
+        :class="activeTab === tab
+            ? 'border-b-2 border-primary-500 text-primary-500'
+            : 'text-neutral-500 hover:text-neutral-700'"
+        @click="activeTab = tab as 'details' | 'planning' | 'mails'"
+    >
+        {{ tab === 'mails' ? $t('mail.taskTab.title') : $t(`tasks.${tab}Tab`) }}
+    </button>
+    ```
+
+    Et ajouter le computed `availableTabs` dans le script :
+
+    ```typescript
+    const availableTabs = computed(() => {
+        const base: Array<'details' | 'planning' | 'mails'> = ['details', 'planning']
+        if (isEditing.value && isMailUser.value) base.push('mails')
+        return base
+    })
+    ```
+
+    Note : l'onglet "Mails" n'apparaît qu'en mode édition (tâche existante avec ID) et uniquement pour les non-ROLE_CLIENT.
+
+- [ ] **Step 4 : Ajouter le contenu de l'onglet mails dans le template**
+
+    Après la balise fermante `</div>` du `<div v-show="activeTab === 'planning'">`, ajouter :
+
+    ```html
+    <!-- Onglet Mails -->
+    <div v-show="activeTab === 'mails'" class="space-y-4">
+        <!-- Chargement -->
+        <div v-if="mailsLoading" class="flex items-center justify-center py-8">
+            <Icon name="material-symbols:progress-activity" size="24" class="animate-spin text-neutral-400" />
+        </div>
+
+        <!-- Vide -->
+        <div
+            v-else-if="linkedMails.length === 0"
+            class="flex flex-col items-center justify-center gap-3 py-8 text-center"
+        >
+            <Icon name="material-symbols:mail-outline" size="32" class="text-neutral-300" />
+            <p class="text-sm text-neutral-400 italic">{{ $t('mail.taskTab.empty') }}</p>
+        </div>
+
+        <!-- Liste mails liés -->
+        <div v-else class="divide-y divide-neutral-100 rounded-lg border border-neutral-200">
+            <NuxtLink
+                v-for="mail in linkedMails"
+                :key="mail.id"
+                :to="`/mail?messageId=${mail.id}`"
+                class="flex items-start gap-3 px-4 py-3 text-sm transition-colors hover:bg-neutral-50"
+                :title="$t('mail.taskTab.openInMailer')"
+            >
+                <Icon
+                    name="material-symbols:mail-outline"
+                    size="16"
+                    class="mt-0.5 flex-shrink-0 text-neutral-400"
+                />
+                <div class="min-w-0 flex-1">
+                    <p class="truncate font-medium text-neutral-800">
+                        {{ mail.subject ?? $t('mail.noSubject') }}
+                    </p>
+                    <p class="flex items-center gap-2 text-xs text-neutral-500">
+                        <span class="truncate">{{ mail.fromName ?? mail.fromEmail }}</span>
+                        <span>·</span>
+                        <span class="flex-shrink-0">{{ formatMailDate(mail.sentAt ?? mail.receivedAt) }}</span>
+                    </p>
+                </div>
+                <Icon
+                    name="material-symbols:open-in-new"
+                    size="14"
+                    class="flex-shrink-0 text-neutral-300"
+                />
+            </NuxtLink>
+        </div>
+
+        <!-- Bouton lier un mail -->
+        <div class="pt-2">
+            <MalioButton
+                :label="$t('mail.taskTab.linkButton')"
+                variant="secondary"
+                icon-name="material-symbols:link"
+                icon-position="left"
+                :icon-size="14"
+                button-class="w-auto"
+                @click="showMailPickerModal = true"
+            />
+        </div>
+
+        <!-- Modal picker mail -->
+        <MailPickerModal
+            v-if="task"
+            v-model="showMailPickerModal"
+            :task-id="task.id"
+            @linked="handleMailLinked"
+        />
+    </div>
+    ```
+
+- [ ] **Step 5 : Reset de l'onglet actif à l'ouverture**
+
+    Dans le watcher existant `watch(() => props.modelValue, async (open) => { if (open) { activeTab.value = 'details' ... } })`, l'onglet est déjà resetté à `'details'` — vérifier que c'est bien le cas (ne pas modifier cette ligne).
+
+    Ajouter le reset de `linkedMails` :
+
+    ```typescript
+    // À l'intérieur du bloc `if (open) {`, après `activeTab.value = 'details'`
+    linkedMails.value = []
+    ```
+
+- [ ] **Step 6 : Vérification TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep -E "TaskModal|mail" | head -20
+    ```
+
+    Attendu : aucune nouvelle erreur.
+
+- [ ] **Step 7 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/components/task/TaskModal.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : onglet Mails dans TaskModal — liste mails liés, bouton lier, MailPickerModal"
+    ```
+
+---
+
+### Task 7 : Brancher les handlers dans `pages/mail.vue`
+
+Remplacer les placeholders `console.warn` par l'ouverture des modals. Ajouter les refs `showCreateTaskModal` et `showLinkTaskModal` avec les states associés.
+
+- [ ] **Step 1 : Modifier `frontend/pages/mail.vue`**
+
+    Dans la section `<script setup lang="ts">`, ajouter les imports :
+
+    ```typescript
+    import type { Task } from '~/services/dto/task'
+    ```
+
+    Ajouter les refs d'état des modals (après les handlers existants) :
+
+    ```typescript
+    // ─── Modals Phase 6 ────────────────────────────────────────────────────────
+
+    const showCreateTaskModal = ref(false)
+    const showLinkTaskModal = ref(false)
+    const activeMailIdForModal = ref<number | null>(null)
+    ```
+
+    Remplacer les fonctions placeholder :
+
+    ```typescript
+    // Avant (à supprimer) :
+    function handleCreateTask(mailId: number): void {
+        console.warn('[mail] handleCreateTask mailId=', mailId, '— modal à implémenter en Phase 6')
+    }
+
+    function handleLinkTask(mailId: number): void {
+        console.warn('[mail] handleLinkTask mailId=', mailId, '— modal à implémenter en Phase 6')
+    }
+    ```
+
+    ```typescript
+    // Après (à insérer à la place) :
+    function handleCreateTask(mailId: number): void {
+        activeMailIdForModal.value = mailId
+        showCreateTaskModal.value = true
+    }
+
+    function handleLinkTask(mailId: number): void {
+        activeMailIdForModal.value = mailId
+        showLinkTaskModal.value = true
+    }
+
+    function handleTaskCreated(task: Task): void {
+        showCreateTaskModal.value = false
+        // La tâche est créée et liée côté backend — pas d'action supplémentaire côté page mail
+        // Le toast de succès est déjà géré par useMailService.createTaskFromMail (toastSuccessKey)
+    }
+
+    function handleTaskLinked(taskId: number): void {
+        showLinkTaskModal.value = false
+        // Idem — toast géré par useMailService.linkTask
+    }
+    ```
+
+    Dans le `<template>`, ajouter les modals juste avant la balise `</div>` de fermeture principale :
+
+    ```html
+    <!-- Modal créer tâche depuis mail -->
+    <MailCreateTaskModal
+        v-if="activeMailIdForModal !== null"
+        v-model="showCreateTaskModal"
+        :message-id="activeMailIdForModal"
+        :message-detail="selectedMessageDetail"
+        @created="handleTaskCreated"
+    />
+
+    <!-- Modal lier mail à tâche -->
+    <MailLinkTaskModal
+        v-if="activeMailIdForModal !== null"
+        v-model="showLinkTaskModal"
+        :message-id="activeMailIdForModal"
+        @linked="handleTaskLinked"
+    />
+    ```
+
+- [ ] **Step 2 : Vérification TypeScript**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1 | grep "mail.vue" | head -10
+    ```
+
+    Attendu : aucune erreur.
+
+- [ ] **Step 3 : Commit**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add frontend/pages/mail.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "feat(mail) : pages/mail.vue — branche handlers Phase 6 (MailCreateTaskModal + MailLinkTaskModal)"
+    ```
+
+---
+
+### Task 8 : Validation TypeScript globale + tests manuels end-to-end
+
+- [ ] **Step 1 : TypeScript strict — zéro erreur Phase 6**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime/frontend && npx tsc --noEmit 2>&1
+    ```
+
+    Attendu : sortie vide. Erreurs fréquentes à anticiper :
+
+    - `Type '"mails"' is not assignable to type '"details" | "planning"'` → vérifier que le type union du ref est bien `'details' | 'planning' | 'mails'` ET que le cast `as 'details' | 'planning' | 'mails'` est appliqué dans le handler click de la nav.
+    - `Property 'id' does not exist on type 'Task | null'` → le `v-if="task"` dans le template assure que `task` est non-null dans la portée — TypeScript peut ne pas l'inférer dans le script ; utiliser `props.task?.id` ou un guard explicite.
+    - `Cannot find name 'MailPickerModal'` → Nuxt auto-importe les composants de `components/` — vérifier le nom de fichier (PascalCase, chemin `components/mail/MailPickerModal.vue`).
+    - `Module '"~/services/mail"' has no exported member 'useMailService'` → vérifier l'import dans `TaskModal.vue` ; le service est un named export.
+
+- [ ] **Step 2 : Démarrer le serveur dev**
+
+    ```bash
+    cd /home/r-dev/malio-dev/Lesstime && make dev-nuxt
+    ```
+
+    Attendu : `Nuxt ready` sur `http://localhost:3002`. Aucune erreur de compilation Nuxt.
+
+- [ ] **Step 3 : Workflow 1 — Créer une tâche depuis un mail**
+
+    - [ ] Se connecter avec `alice` / `alice` (ROLE_USER)
+    - [ ] Naviguer vers `http://localhost:3002/mail`
+    - [ ] Sélectionner un dossier et un message (si backend Phase 3 dispo) ou forcer via DevTools (injecter `selectedMessageDetail` dans le store Pinia)
+    - [ ] Cliquer "Créer une tâche" dans `MailMessageViewer`
+    - [ ] Vérifier : `MailCreateTaskModal` s'ouvre, affiche le sujet + expéditeur en lecture seule
+    - [ ] Sélectionner un projet (ex : le projet SIRH des fixtures)
+    - [ ] Optionnel : sélectionner un groupe
+    - [ ] Cliquer "Créer la tâche"
+    - [ ] Vérifier : toast succès "Tâche créée depuis le mail." + modal se ferme
+    - [ ] Naviguer vers le projet correspondant → la nouvelle tâche apparaît avec titre = subject du mail
+    - [ ] Ouvrir la tâche → onglet "Mails" → le mail source apparaît dans la liste
+
+- [ ] **Step 4 : Workflow 2 — Lier une tâche existante à un mail**
+
+    - [ ] Sur la page `/mail`, sélectionner un message
+    - [ ] Cliquer "Lier à une tâche" dans `MailMessageViewer`
+    - [ ] Vérifier : `MailLinkTaskModal` s'ouvre
+    - [ ] Taper quelques lettres dans la recherche → les tâches s'affichent avec debounce
+    - [ ] Sélectionner une tâche (ex : "Réunion de suivi hebdomadaire" depuis les fixtures)
+    - [ ] Cliquer "Lier la tâche"
+    - [ ] Vérifier : toast succès "Mail lié à la tâche." + modal se ferme
+    - [ ] Ouvrir la tâche liée → onglet "Mails" → le mail apparaît dans la liste
+
+- [ ] **Step 5 : Workflow 3 — Lier un mail depuis l'onglet Mails du TaskModal**
+
+    - [ ] Naviguer vers un projet, ouvrir une tâche via TaskModal
+    - [ ] Cliquer sur l'onglet "Mails" (visible uniquement si ROLE_USER/ROLE_ADMIN)
+    - [ ] Vérifier : l'onglet charge et affiche "Aucun mail lié" si vide
+    - [ ] Cliquer "Lier un mail"
+    - [ ] Vérifier : `MailPickerModal` s'ouvre, charge les mails du dossier courant (ou INBOX)
+    - [ ] Rechercher/sélectionner un mail, cliquer "Lier ce mail"
+    - [ ] Vérifier : toast + liste rafraîchie dans l'onglet "Mails"
+
+- [ ] **Step 6 : Workflow 4 — Navigation depuis l'onglet Mails vers /mail**
+
+    - [ ] Dans l'onglet "Mails" du TaskModal, cliquer sur un mail lié
+    - [ ] Vérifier : navigation vers `/mail?messageId={id}` + le mail s'ouvre automatiquement (deep-link Phase 5)
+
+- [ ] **Step 7 : Vérification ROLE_CLIENT**
+
+    - [ ] Se connecter avec `client-liot` / `client`
+    - [ ] Naviguer vers `/mail` → redirect `/portal` (Phase 5)
+    - [ ] Via le portal, ouvrir un ticket client → TaskModal ne doit pas afficher l'onglet "Mails" (computed `availableTabs` l'exclut pour ROLE_CLIENT)
+
+- [ ] **Step 8 : Commit de correction si nécessaire**
+
+    ```bash
+    git -C /home/r-dev/malio-dev/Lesstime add \
+        frontend/components/mail/ \
+        frontend/components/task/TaskModal.vue \
+        frontend/pages/mail.vue
+    git -C /home/r-dev/malio-dev/Lesstime commit -m "fix(mail) : corrections post-test Phase 6 (TypeScript + comportement modals)"
+    ```
+
+---
+
+## Exigences techniques
+
+- `<script setup lang="ts">` partout — aucun Options API
+- **4 espaces d'indentation** — convention Lesstime
+- **TypeScript strict** : 0 erreur `npx tsc --noEmit` à la fin de chaque tâche
+- **Modals** : pattern `<Teleport to="body">` + `<Transition name="mail-modal">` + backdrop click (identique à `TaskModal.vue`)
+- **`MailCreateTaskInput`** : `priority` est transmis en IRI `/api/task_priorities/{id}` (string), pas en id numérique — conforme au pattern existant dans `TaskModal.vue`
+- **Autocomplete** : debounce 300ms dans `MailLinkTaskModal` — timer nettoyé dans `onBeforeUnmount`
+- **Filtrage mail** : local dans `MailPickerModal` (liste chargée une fois, filtrée en computed) — pas d'appel API par frappe
+- **ROLE_CLIENT** : l'onglet "Mails" dans `TaskModal` est exclu via `availableTabs` computed — double protection (backend bloque déjà les endpoints mail pour ROLE_CLIENT)
+- **Toast** : géré automatiquement par `useApi` via `toastSuccessKey` dans les méthodes du service — ne pas dupliquer dans les composants
+- **NuxtLink** pour la navigation vers `/mail?messageId=X` depuis l'onglet "Mails" (pas de `router.push`) — meilleure accessibilité
+- **`v-if="task"` dans TaskModal** : utiliser `props.task` (non null en mode édition) avec guard explicite pour les appels service
+- **Format commits** : `feat(mail) : <message>` (espace avant `:`), 1 commit par composant/fichier principal
+- **Pas de `console.warn`** dans le code final — supprimer les placeholders Phase 5
+
+---
+
+## Fichiers créés/modifiés — récapitulatif
+
+| Fichier | Type | Action |
+|---|---|---|
+| `frontend/components/mail/MailCreateTaskModal.vue` | Composant Vue | Créer |
+| `frontend/components/mail/MailLinkTaskModal.vue` | Composant Vue | Créer |
+| `frontend/components/mail/MailPickerModal.vue` | Composant Vue | Créer |
+| `frontend/components/task/TaskModal.vue` | Composant Vue | Modifier (onglet mails, state, watcher) |
+| `frontend/pages/mail.vue` | Page Nuxt | Modifier (handlers + modals dans template) |
+| `frontend/i18n/locales/fr.json` | i18n | Modifier (sous-clés `mail.createTaskModal`, `mail.linkTaskModal`, `mail.pickerModal`, `mail.taskTab`) |
+| `frontend/i18n/locales/en.json` | i18n | Modifier si existant |
+
+**Fichiers Phase 4/5 utilisés (ne pas modifier sauf indication) :**
+
+| Fichier | Utilisation dans Phase 6 |
+|---|---|
+| `frontend/services/mail.ts` | `createTaskFromMail`, `linkTask`, `listMailsForTask` |
+| `frontend/services/dto/mail.ts` | `MailMessageDetailDto`, `MailMessageHeaderDto`, `MailCreateTaskInput` |
+| `frontend/services/tasks.ts` | `getFiltered()` dans `MailLinkTaskModal` |
+| `frontend/services/projects.ts` | `getAll()` dans `MailCreateTaskModal`, `MailLinkTaskModal` |
+| `frontend/services/task-groups.ts` | `getByProject()` dans `MailCreateTaskModal` |
+| `frontend/services/task-priorities.ts` | `getAll()` dans `MailCreateTaskModal` |
+| `frontend/stores/mail.ts` | `selectedFolderPath` dans `MailPickerModal` |
+| `frontend/components/mail/MailMessageViewer.vue` | Émet `createTask` / `linkTask` (déjà câblé en Phase 5) |
+
+---
+
+## Output attendu — critères d'acceptation Phase 6
+
+| Critère | Vérification |
+|---|---|
+| TypeScript strict : 0 erreur | `cd frontend && npx tsc --noEmit` → sortie vide |
+| Workflow 1 complet | Mail → "Créer tâche" → tâche créée avec subject comme titre → visible dans onglet Mails du TaskModal |
+| Workflow 2 complet | Mail → "Lier à une tâche" → sélection + liaison → mail visible dans onglet Mails |
+| Workflow 3 complet | TaskModal onglet Mails → "Lier un mail" → MailPickerModal → liaison → liste rafraîchie |
+| Workflow 4 complet | Onglet Mails → click mail → navigation `/mail?messageId=X` → deep-link fonctionne |
+| ROLE_CLIENT isolé | Onglet "Mails" absent pour ROLE_CLIENT (computed `availableTabs`) |
+| Aucun `console.warn` résiduel | DevTools console → aucun warn `[mail]` Phase 5 |
+| Pas d'erreur Vue/Nuxt | DevTools console → aucune erreur rouge |
+
+La Phase 7 (Admin config + sidebar + polish) peut commencer dès que tous ces critères sont satisfaits.
diff --git a/docs/superpowers/plans/2026-05-19-mail-phase7-admin-polish.md b/docs/superpowers/plans/2026-05-19-mail-phase7-admin-polish.md
new file mode 100644
index 0000000..516bfd7
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-19-mail-phase7-admin-polish.md
@@ -0,0 +1,526 @@
+# Mail Integration — Phase 7 : Admin Config + Sidebar + Polish
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Finaliser l'intégration mail avec l'UI admin de configuration, le lien sidebar avec badge unread temps réel (polling 30s), et la documentation utilisateur/opérationnelle finale.
+
+**Architecture:** Onglet `AdminMailTab.vue` calqué sur `AdminZimbraTab.vue` (form IMAP/SMTP/credentials, bouton test connexion). Lien sidebar dans `layouts/default.vue` (visible ROLE_USER+ROLE_ADMIN seulement, masqué ROLE_CLIENT pur). Polling start au login / stop au logout via layout. Documentation finale dans `docs/` + section README mail.
+
+**Tech Stack:** Nuxt 4, Vue 3 Composition API, @malio/layer-ui, Pinia (useMailStore).
+
+---
+
+## Fichiers créés / modifiés
+
+| Fichier | Action |
+|---------|--------|
+| `frontend/components/admin/AdminMailTab.vue` | **Créer** |
+| `frontend/pages/admin.vue` | **Modifier** (ajout onglet mail) |
+| `frontend/layouts/default.vue` | **Modifier** (lien sidebar + polling lifecycle) |
+| `frontend/i18n/locales/fr.json` | **Modifier** (clés mail.admin.* + mail.sidebar.*) |
+| `frontend/i18n/locales/en.json` | **Modifier si présent** |
+| `docs/mail-cron-setup.md` | **Modifier** (enrichir checklist prod + sécurité) |
+| `docs/mail-integration.md` | **Créer** (doc complète intégration) |
+
+---
+
+## Task 1 : Composant `AdminMailTab.vue`
+
+**Fichier cible :** `frontend/components/admin/AdminMailTab.vue`
+
+**Modèle de référence :** `frontend/components/admin/AdminZimbraTab.vue` — reproduire exactement le même pattern (reactive form, hasPassword, isSaving/isTesting, loadSettings onMounted, handleSave/handleTest).
+
+**Service à utiliser :** `useMailService()` depuis `~/services/mail` — méthodes `getConfiguration`, `updateConfiguration`, `testConfiguration`.
+
+**DTOs :** `MailConfigurationDto`, `MailConfigurationUpdateDto`, `MailTestConnectionResultDto` depuis `~/services/dto/mail`.
+
+### Étapes
+
+- [ ] Créer `frontend/components/admin/AdminMailTab.vue`
+- [ ] Déclarer le reactive form avec tous les champs de `MailConfigurationDto` (sauf `hasPassword`, qui est en lecture seule) :
+  ```
+  protocol: '' (lecture seule "imap" en MVP — champ disabled)
+  imapHost: ''
+  imapPort: 993 (default OVH)
+  imapEncryption: 'ssl' (default OVH)
+  smtpHost: ''
+  smtpPort: 465 (default OVH)
+  smtpEncryption: 'ssl' (default OVH)
+  username: ''
+  password: '' (write-only — jamais pré-rempli)
+  sentFolderPath: '' (ex: "Sent Messages" ou "INBOX.Sent")
+  enabled: false
+  ```
+- [ ] `hasPassword` : `ref<boolean>(false)` — alimenté par `getConfiguration().hasPassword`
+- [ ] `isSaving` : `ref<boolean>(false)`, `isTesting` : `ref<boolean>(false)`
+- [ ] `testResult` : `ref<boolean | null>(null)` — réinitialisé à null au handleSave
+- [ ] `loadSettings()` :
+  ```ts
+  async function loadSettings(): Promise<void> {
+      const config = await getConfiguration()
+      form.protocol = config.protocol ?? 'imap'
+      form.imapHost = config.imapHost ?? ''
+      form.imapPort = config.imapPort ?? 993
+      form.imapEncryption = config.imapEncryption ?? 'ssl'
+      form.smtpHost = config.smtpHost ?? ''
+      form.smtpPort = config.smtpPort ?? 465
+      form.smtpEncryption = config.smtpEncryption ?? 'ssl'
+      form.username = config.username ?? ''
+      form.sentFolderPath = config.sentFolderPath ?? ''
+      form.enabled = config.enabled
+      hasPassword.value = config.hasPassword
+      // password jamais pré-rempli
+  }
+  ```
+- [ ] `handleSave()` : construit un `MailConfigurationUpdateDto` — inclure `password` uniquement si `form.password` est non-vide, sinon omettre le champ. Après save réussi : `hasPassword.value = result.hasPassword`, vider `form.password`, `testResult.value = null`
+- [ ] `handleTest()` : appelle `testConfiguration()`, `testResult.value = result.ok`. Le champ `result.error` est affiché en sous-texte si `testResult.value === false`
+- [ ] Template — sections IMAP et SMTP avec labels traduits :
+  - Titre `h2` : `$t('mail.admin.title')`
+  - Section IMAP (`fieldset` ou `div` avec titre `$t('mail.admin.imapSection')`) :
+    - `MalioInputText` pour `imapHost` + helper text `$t('mail.admin.ovhDefaultsHelp')` sous le champ (texte gris : `ssl0.ovh.net`)
+    - `input[type=number]` natif pour `imapPort` (MalioInputText n'accepte pas les number — voir convention CLAUDE.md)
+    - `select` natif pour `imapEncryption` (options : `ssl`, `tls`, `none`)
+  - Section SMTP (`$t('mail.admin.smtpSection')`) :
+    - `MalioInputText` pour `smtpHost`
+    - `input[type=number]` natif pour `smtpPort`
+    - `select` natif pour `smtpEncryption` (options : `ssl`, `tls`, `none`)
+  - Credentials :
+    - `MalioInputText` pour `username`
+    - `MalioInputPassword` pour `password` + indicateur `hasPassword` (même pattern que `AdminZimbraTab.vue` : `<p v-if="hasPassword && !form.password">{{ $t('mail.admin.passwordSet') }}</p>`)
+  - `MalioInputText` pour `sentFolderPath` (placeholder: `Sent Messages`)
+  - `label` + checkbox natif pour `enabled` : `$t('mail.admin.enabled')`
+  - Boutons côte à côte :
+    - `MalioButton` submit `$t('mail.admin.save')` `:disabled="isSaving"` → `handleSave`
+    - `MalioButton` variant tertiary `$t('mail.admin.test')` `:disabled="isTesting"` → `handleTest`
+  - Résultat test : `<p v-if="testResult !== null">` coloré vert/rouge selon valeur — si false ET `testError`, afficher `testError` sous le résultat
+- [ ] `onMounted(() => { loadSettings() })`
+- [ ] Vérifier indentation 4 espaces, pas d'imports inutilisés, TypeScript strict
+
+---
+
+## Task 2 : Intégration `AdminMailTab` dans `pages/admin.vue`
+
+**Fichier cible :** `frontend/pages/admin.vue`
+
+Le pattern actuel utilise un tableau `tabs as const` + `activeTab` ref + v-if par composant. Il suffit d'ajouter l'entrée mail à la fin.
+
+### Étapes
+
+- [ ] Ouvrir `frontend/pages/admin.vue`
+- [ ] Dans le tableau `tabs`, ajouter à la fin :
+  ```ts
+  { key: 'mail', label: 'Mail' },
+  ```
+  Remarque : les labels dans `tabs` sont des string litéraux inline (cf. autres onglets comme `'Zimbra'`), pas de i18n ici.
+- [ ] Le type `TabKey` est inféré automatiquement via `typeof tabs[number]['key']` — pas de changement nécessaire
+- [ ] Dans le template, après `<AdminZimbraTab v-if="activeTab === 'zimbra'" />`, ajouter :
+  ```html
+  <AdminMailTab v-if="activeTab === 'mail'" />
+  ```
+- [ ] Vérifier que Nuxt auto-importe `AdminMailTab` (fichier dans `components/admin/` → auto-import OK)
+- [ ] Test manuel : naviguer vers `/admin`, cliquer l'onglet "Mail", vérifier que le form se charge sans erreur 403 si connecté ROLE_ADMIN
+
+---
+
+## Task 3 : Lien sidebar dans `layouts/default.vue`
+
+**Fichier cible :** `frontend/layouts/default.vue`
+
+Le composant `SidebarLink` accepte `to`, `icon`, `label`, `collapsed`. Il n'a pas de prop `badge` native — vérifier dans `@malio/layer-ui/COMPONENTS.md` si une prop badge existe. Si non, wrapper manuel avec un `<div class="relative">` + badge absolu.
+
+### Étapes
+
+- [ ] Lire `frontend/node_modules/@malio/layer-ui/COMPONENTS.md` pour vérifier les props de `SidebarLink` (présence prop `badge` ou `badgeCount`)
+- [ ] **Cas A — SidebarLink a une prop badge :**
+  Utiliser directement :
+  ```html
+  <SidebarLink
+      v-if="isMailVisible"
+      to="/mail"
+      icon="material-symbols:mail-outline"
+      label="$t('mail.sidebar.title')"
+      :collapsed="sidebarIsCollapsed"
+      :badge="mailStore.globalUnreadCount > 0 ? mailStore.globalUnreadCount : undefined"
+      aria-label="$t('mail.sidebar.ariaLabel')"
+      @click="ui.closeMobileSidebar()"
+  />
+  ```
+- [ ] **Cas B — SidebarLink n'a pas de prop badge (plus probable) :**
+  Wrapper avec badge manuel :
+  ```html
+  <div v-if="isMailVisible" class="relative">
+      <SidebarLink
+          to="/mail"
+          icon="material-symbols:mail-outline"
+          :label="$t('mail.sidebar.title')"
+          :collapsed="sidebarIsCollapsed"
+          @click="ui.closeMobileSidebar()"
+      />
+      <span
+          v-if="mailStore.globalUnreadCount > 0"
+          class="absolute right-2 top-1/2 -translate-y-1/2 flex h-5 min-w-5 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+          :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+      >
+          {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+      </span>
+  </div>
+  ```
+- [ ] Dans `<script setup>`, ajouter :
+  ```ts
+  const mailStore = useMailStore()
+  ```
+- [ ] Définir le computed `isMailVisible` :
+  ```ts
+  const isMailVisible = computed(() => {
+      const roles: string[] = auth.user?.roles ?? []
+      // Visible si ROLE_USER (ou ROLE_ADMIN) mais pas ROLE_CLIENT exclusif
+      const isClient = roles.includes('ROLE_CLIENT') && !roles.includes('ROLE_ADMIN') && !roles.includes('ROLE_USER')
+      return !isClient && (roles.includes('ROLE_USER') || roles.includes('ROLE_ADMIN'))
+  })
+  ```
+- [ ] Placer le lien sidebar **après** `SidebarLink to="/my-tasks"` et **avant** `SidebarLink to="/projects"` (ordre logique : dashboard → mes tâches → mail → projets → suivi de temps → admin)
+- [ ] Vérifier responsive : en mode collapsed (`sidebarIsCollapsed = true`), le badge doit rester visible et accessible
+- [ ] Test manuel : utilisateur ROLE_CLIENT seul → lien absent. Utilisateur ROLE_USER → lien visible. Badge rouge si `globalUnreadCount > 0`
+
+---
+
+## Task 4 : Lifecycle polling start/stop
+
+**Fichier cible :** `frontend/layouts/default.vue`
+
+Le store `useMailStore` expose `startPolling()` (idempotent — guard `if (pollTimer) return`) et `stopPolling()`. Le polling doit démarrer au montage du layout (si l'utilisateur est autorisé) et s'arrêter au logout.
+
+### Étapes
+
+- [ ] Dans `onMounted` de `layouts/default.vue` (qui contient déjà `timerStore.fetchActive()`), ajouter après :
+  ```ts
+  if (isMailVisible.value) {
+      mailStore.startPolling()
+  }
+  ```
+- [ ] Vérifier que `isMailVisible` est disponible dans le même scope (oui, c'est un computed défini dans `<script setup>`)
+- [ ] Pour le stop au logout : dans `useAuthStore`, le logout vide l'user. Watcher sur `auth.user` dans le layout :
+  ```ts
+  watch(() => auth.user, (user) => {
+      if (!user) {
+          mailStore.stopPolling()
+      } else if (isMailVisible.value) {
+          mailStore.startPolling()
+      }
+  })
+  ```
+- [ ] Vérifier l'idempotence : `startPolling()` dans le store a déjà `if (pollTimer) return` — naviguer entre les pages ne crée pas plusieurs timers
+- [ ] `onUnmounted` dans le layout n'est pas nécessaire car le layout persiste toute la session ; le watch sur `auth.user` suffit
+- [ ] Test manuel : ouvrir devtools → Network → vérifier un seul appel `GET /api/mail/folders` toutes les 30s, pas de rafale
+
+---
+
+## Task 5 : i18n additionnels Phase 7
+
+**Fichiers cibles :** `frontend/i18n/locales/fr.json` (et `en.json` si présent)
+
+### Clés à ajouter (section `mail` — fusionner avec les clés existantes des phases précédentes)
+
+```json
+{
+  "mail": {
+    "sidebar": {
+      "title": "Messagerie",
+      "ariaLabel": "Accès à la messagerie, {count} messages non lus"
+    },
+    "admin": {
+      "title": "Configuration messagerie",
+      "protocol": "Protocole",
+      "imapSection": "Réception (IMAP)",
+      "smtpSection": "Envoi (SMTP)",
+      "host": "Serveur",
+      "port": "Port",
+      "encryption": "Chiffrement",
+      "username": "Adresse e-mail",
+      "password": "Mot de passe",
+      "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
+      "sentFolderPath": "Dossier des envois",
+      "enabled": "Activer la synchronisation mail",
+      "test": "Tester la connexion",
+      "testSuccess": "Connexion IMAP réussie",
+      "testFailed": "Échec de connexion",
+      "save": "Enregistrer",
+      "saveSuccess": "Configuration enregistrée",
+      "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
+    }
+  }
+}
+```
+
+### Étapes
+
+- [ ] Ouvrir `frontend/i18n/locales/fr.json`
+- [ ] Localiser la section `mail` existante (créée en Phase 4/5)
+- [ ] Fusionner les clés `mail.sidebar.*` et `mail.admin.*` sans écraser les clés existantes
+- [ ] Si `en.json` existe : ajouter les équivalents anglais (traduction directe — pas d'approximation)
+- [ ] Vérifier la cohérence JSON (virgules, pas de clés dupliquées)
+- [ ] `make dev-nuxt` → console browser → 0 warning `[vue-i18n] Missing locale message`
+
+---
+
+## Task 6 : Documentation finale
+
+### 6a — Enrichir `docs/mail-cron-setup.md`
+
+**Fichier cible :** `docs/mail-cron-setup.md`
+
+Ce fichier existe déjà (créé Phase 2). Ajouter les sections manquantes :
+
+- [ ] Ajouter section **"Checklist setup production"** après la section "Variables d'environnement" :
+  ```markdown
+  ## Checklist setup production
+
+  1. [ ] Définir `ENCRYPTION_KEY` dans les variables d'environnement production
+  2. [ ] Créer le compte mail dédié (ex: `lesstime@votre-domaine.fr`) chez OVH
+  3. [ ] Accéder à `/admin` → onglet "Mail" → renseigner les credentials IMAP/SMTP
+  4. [ ] Cliquer "Tester la connexion" → vérifier le succès
+  5. [ ] Cocher "Activer la synchronisation" → Enregistrer
+  6. [ ] Installer le cron OS (voir section "Installation du cron")
+  7. [ ] Vérifier les logs après la première sync : `make logs-dev` (chercher `mail.sync`)
+  ```
+- [ ] Ajouter section **"Sécurité"** (si absente ou incomplète) :
+  ```markdown
+  ## Rappels sécurité
+
+  - La page `/mail` et tous les endpoints `/api/mail/*` sont refusés aux `ROLE_CLIENT` exclusifs
+  - Le sidebar "Messagerie" est masqué pour les utilisateurs ROLE_CLIENT sans ROLE_USER
+  - Le password IMAP est chiffré via libsodium secretbox avant stockage (jamais en clair en base)
+  - Les corps de mails sont sanitisés via DOMPurify avant affichage (voir `frontend/utils/sanitizeMailHtml.ts`)
+  - Les pixels tracking distants sont remplacés par un placeholder
+  - Aucun body mail, password ou contenu de pièce jointe n'est loggé
+  ```
+
+### 6b — Créer `docs/mail-integration.md`
+
+**Fichier cible :** `docs/mail-integration.md`
+
+- [ ] Créer le fichier avec les sections suivantes :
+
+```markdown
+# Intégration Mail — Vue d'ensemble
+
+## Fonctionnalités
+
+- Lecture de la boîte mail partagée (IMAP) depuis Lesstime
+- Navigation par dossiers (arbre récursif avec compteurs non-lus)
+- Liste paginée des messages (infinite scroll, cursor-based)
+- Lecture des corps de mail sanitisés (DOMPurify — protection XSS + pixels tracking)
+- Création d'une tâche Lesstime depuis un mail (sujet → titre, texte → description)
+- Lien mail ↔ tâche (bidirectionnel)
+- Onglet "Mails" dans le TaskDrawer pour retrouver les mails liés à une tâche
+- Synchronisation IMAP automatique via cron OS (toutes les 10 min)
+- Déclenchement manuel de sync depuis l'UI (bouton Refresh)
+- Badge non-lus en temps réel dans la sidebar (polling 30s)
+
+## Endpoints API
+
+| Méthode | URL | Rôle | Description |
+|---------|-----|------|-------------|
+| GET | `/api/mail/configuration` | ROLE_ADMIN | Lire la config singleton |
+| PATCH | `/api/mail/configuration` | ROLE_ADMIN | Mettre à jour la config |
+| POST | `/api/mail/configuration/test` | ROLE_ADMIN | Tester la connexion IMAP |
+| GET | `/api/mail/folders` | ROLE_USER | Arbre des dossiers + unread |
+| GET | `/api/mail/messages` | ROLE_USER | Liste paginée (param: folder, cursor, limit) |
+| GET | `/api/mail/messages/{id}` | ROLE_USER | Détail + body (cached 5 min) |
+| POST | `/api/mail/messages/{id}/read` | ROLE_USER | Marquer lu/non-lu |
+| POST | `/api/mail/messages/{id}/flag` | ROLE_USER | Marquer étoilé/non-étoilé |
+| POST | `/api/mail/messages/{id}/create-task` | ROLE_USER | Créer tâche depuis mail |
+| POST | `/api/mail/messages/{id}/link-task` | ROLE_USER | Lier mail à tâche existante |
+| DELETE | `/api/mail/messages/{id}/link-task/{taskId}` | ROLE_USER | Supprimer le lien |
+| GET | `/api/tasks/{id}/mails` | ROLE_USER | Mails liés à une tâche |
+| GET | `/api/mail/attachments/{id}` | ROLE_USER | Télécharger une pièce jointe |
+| POST | `/api/mail/sync` | ROLE_USER | Déclencher sync async (Messenger) |
+
+Tous les endpoints `/api/mail/*` refusent explicitement `ROLE_CLIENT`.
+
+## Sécurité
+
+- ROLE_CLIENT exclusif : accès refusé à tous les endpoints mail et à la page `/mail`
+- Le sidebar "Messagerie" est masqué pour les ROLE_CLIENT
+- Password IMAP chiffré via libsodium secretbox (env `ENCRYPTION_KEY`)
+- Corps de mail sanitisés via DOMPurify (`sanitizeMailHtml.ts`) — script/iframe/object/embed/on*/javascript: bloqués
+- Pixels tracking distants (img src http) remplacés par placeholder
+- Aucun body, password ou contenu de pièce jointe dans les logs
+
+## Dépendances
+
+### Backend
+- `webklex/php-imap` : client IMAP PHP
+- `symfony/lock` : Symfony Lock pour éviter les syncs parallèles
+- `symfony/messenger` : dispatch asynchrone `MailSyncRequested`
+- `libsodium` (ext PHP) : chiffrement du password IMAP
+
+### Frontend
+- `dompurify` + `@types/dompurify` : sanitization HTML des corps de mail
+
+## Fichiers clés
+
+### Backend
+- `src/Entity/MailConfiguration.php` — entité singleton (credentials, enabled)
+- `src/Entity/MailFolder.php` — dossier IMAP synced
+- `src/Entity/MailMessage.php` — message IMAP synced (headers, flags)
+- `src/Entity/TaskMailLink.php` — lien tâche ↔ mail
+- `src/Mail/ImapMailProvider.php` — implémentation IMAP (webklex)
+- `src/Service/MailSyncService.php` — algorithme de sync (UID FETCH, resync flags)
+- `src/Controller/Mail/` — controllers custom (test, folders, messages, sync)
+- `src/State/Mail/` — providers/processors API Platform (configuration)
+
+### Frontend
+- `frontend/pages/mail.vue` — page principale 3 colonnes
+- `frontend/components/mail/` — MailFolderTree, MailMessageList, MailMessageViewer, MailRefreshButton
+- `frontend/components/admin/AdminMailTab.vue` — onglet config admin
+- `frontend/stores/mail.ts` — store Pinia (folders, messages, polling)
+- `frontend/services/mail.ts` — service API (toutes les méthodes)
+- `frontend/services/dto/mail.ts` — types TypeScript
+- `frontend/utils/sanitizeMailHtml.ts` — DOMPurify wrapper
+
+## Synchronisation cron
+
+Voir `docs/mail-cron-setup.md` pour la configuration détaillée.
+
+Résumé :
+```bash
+# Cron OS (toutes les 10 min)
+*/10 * * * * cd /path/to/Lesstime && make mail-sync >> /var/log/lesstime-mail-sync.log 2>&1
+
+# Commandes Makefile
+make mail-sync              # Sync complète
+make mail-sync FOLDER=INBOX # Sync d'un dossier
+make mail-sync DRYRUN=1     # Simulation sans écriture
+```
+
+## Configuration admin
+
+1. Aller sur `/admin` → onglet "Mail"
+2. Renseigner les credentials IMAP/SMTP (OVH : `ssl0.ovh.net`, port 993/465, SSL)
+3. Cliquer "Tester la connexion"
+4. Activer la synchronisation → Enregistrer
+5. Configurer le cron OS
+
+## Variables d'environnement
+
+| Variable | Description | Obligatoire |
+|----------|-------------|-------------|
+| `ENCRYPTION_KEY` | Clé hex 32 bytes libsodium pour chiffrer le password IMAP | Oui |
+| `LOCK_DSN` | DSN Symfony Lock (défaut: `flock`) | Non |
+| `MESSENGER_TRANSPORT_DSN` | Transport Messenger pour sync async | Recommandé (prod) |
+```
+
+### 6c — Vérifier `make mail-sync` dans le README
+
+- [ ] Ouvrir `README.md` à la racine de Lesstime
+- [ ] Vérifier si une section mail ou une mention de `make mail-sync` existe déjà
+- [ ] Si absente : ajouter dans la section des commandes Makefile une ligne documentant `make mail-sync` avec la description courte (cf. le commentaire déjà présent dans le makefile)
+
+---
+
+## Task 7 : Vérifications sécurité finales
+
+### Étapes
+
+- [ ] Ouvrir `frontend/utils/sanitizeMailHtml.ts` — vérifier la config DOMPurify :
+  - `FORBID_TAGS` doit inclure : `script`, `iframe`, `object`, `embed`, `form`, `input`
+  - `FORBID_ATTR` doit inclure tous les handlers `on*` + `javascript:` dans `href`/`src`
+  - Les `<img src="http(s)://...">` distants sont remplacés par un placeholder (pas juste supprimés)
+  - Si manquant, noter la correction mais ne pas modifier (la correction est documentée ici pour le codeur)
+- [ ] Test injection XSS manuel (dans la console browser, sur la page `/mail`) :
+  ```js
+  import('/utils/sanitizeMailHtml').then(m => {
+      console.log(m.sanitizeMailHtml('<script>alert(1)</script><img src=x onerror=alert(2)><iframe src="javascript:alert(3)"></iframe>'))
+  })
+  ```
+  Résultat attendu : chaîne sans `<script>`, sans `onerror`, sans `<iframe>`
+- [ ] Grep logs — confirmer aucun body/password/attachment dans les logs :
+  ```bash
+  grep -rn "bodyHtml\|bodyText\|password\|attachment.*content" src/Mail/ src/Service/MailSyncService.php src/Controller/Mail/ --include="*.php"
+  ```
+  Vérifier que les occurrences trouvées sont uniquement des définitions de propriétés, jamais passées à un logger
+- [ ] Vérifier que `GET /api/mail/configuration` ne retourne jamais de champ `password` dans la réponse JSON (tester avec `curl -s http://localhost:8082/api/mail/configuration -H "Cookie: BEARER=..."` ou équivalent)
+- [ ] Vérifier que `POST /api/mail/folders` avec un cookie ROLE_CLIENT retourne bien 403
+
+---
+
+## Task 8 : QA passe end-to-end
+
+### Étapes
+
+- [ ] `make test` → 0 failure, 0 error
+- [ ] `make php-cs-fixer-allow-risky` → idempotent (0 fichier modifié)
+- [ ] `cd frontend && npx tsc --noEmit` → 0 erreur TypeScript
+- [ ] `make dev-nuxt` → démarrage OK, 0 erreur console browser au load de `/mail`
+- [ ] **Workflow admin :**
+  - Se connecter en admin
+  - Aller sur `/admin` → onglet "Mail"
+  - Renseigner `imapHost = ssl0.ovh.net`, `imapPort = 993`, `imapEncryption = ssl`, `username = test@example.com`, `password = test`
+  - Cliquer "Tester la connexion" → résultat affiché (succès ou échec selon config réelle)
+  - Enregistrer → toast "Configuration enregistrée"
+  - Rechargement de la page → les champs sont pré-remplis, indicateur "Mot de passe déjà configuré" visible
+- [ ] **Workflow sidebar :**
+  - Se connecter en ROLE_USER
+  - Vérifier que le lien "Messagerie" est visible dans la sidebar
+  - Vérifier le badge si `globalUnreadCount > 0`
+  - Se connecter en ROLE_CLIENT → vérifier l'absence du lien sidebar
+- [ ] **Workflow polling :**
+  - Ouvrir les DevTools → Network → filtrer sur `mail/folders`
+  - Rester sur une page 90s → exactement 3 appels (1 immédiat + 2 toutes les 30s)
+  - Naviguer entre `/mail` et `/my-tasks` → pas de rafale, pas de duplication du polling
+- [ ] **Workflow complet mail → tâche (régression Phase 6) :**
+  - Ouvrir un mail dans `/mail`
+  - Cliquer "Créer tâche" → modal → sélectionner projet → créer
+  - Tâche apparaît dans `/my-tasks` avec le mail lié
+  - Depuis le TaskDrawer de la tâche → onglet "Mails" → mail visible → cliquer → redirection `/mail?messageId=X`
+- [ ] **Simulation sync :**
+  - `make mail-sync DRYRUN=1` → commande retourne 0, pas d'erreur Symfony
+
+---
+
+## Task 9 : Cleanup final
+
+### Étapes
+
+- [ ] Grep debug dans tous les fichiers mail frontend :
+  ```bash
+  grep -rn "console\.log\|console\.warn\|console\.error\|debugger" frontend/components/mail/ frontend/components/admin/AdminMailTab.vue frontend/stores/mail.ts frontend/services/mail.ts frontend/utils/sanitizeMailHtml.ts
+  ```
+  Supprimer toute occurrence (sauf `console.error` intentionnel avec commentaire explicatif)
+- [ ] Grep TODO/FIXME/HACK :
+  ```bash
+  grep -rn "TODO\|FIXME\|HACK\|XXX" frontend/components/mail/ frontend/components/admin/AdminMailTab.vue frontend/stores/mail.ts frontend/services/mail.ts
+  ```
+  Résoudre ou supprimer chaque occurrence
+- [ ] Vérifier qu'aucun import inutilisé ne traîne dans `AdminMailTab.vue` et les fichiers modifiés dans `layouts/default.vue`
+- [ ] `cd frontend && npx tsc --noEmit` → toujours 0 erreur après cleanup
+- [ ] Si des modifications ont été faites depuis le dernier commit Phase 6, créer un commit final :
+  ```
+  feat(mail) : Phase 7 — admin config tab, sidebar badge, polling lifecycle
+  docs(mail) : documentation intégration mail complète
+  ```
+  (deux commits séparés si les changements sont distincts)
+
+---
+
+## Critères d'acceptation (Phase 7 complète)
+
+- [ ] Admin peut accéder à `/admin` → onglet "Mail" → configurer IMAP/SMTP → tester → activer
+- [ ] Le sidebar affiche un badge unread actualisé toutes les 30s pour ROLE_USER/ROLE_ADMIN
+- [ ] Le sidebar "Messagerie" est invisible pour ROLE_CLIENT exclusif
+- [ ] `make test` vert
+- [ ] `npx tsc --noEmit` 0 erreur
+- [ ] 0 warning console browser au chargement
+- [ ] 0 ERROR PHP dans `make logs-dev` pendant le workflow normal
+- [ ] `docs/mail-integration.md` complet et accessible
+- [ ] `docs/mail-cron-setup.md` enrichi avec checklist prod et rappels sécurité
+
+---
+
+## Dépendances
+
+- **Phase 5** (store `useMailStore` avec `startPolling`/`stopPolling` + page `/mail`) — DONE
+- **Phase 6** (intégration tâches) — DONE
+- **Phase 3** (endpoints `/api/mail/configuration` GET/PATCH/test, ROLE_CLIENT refusé) — DONE
+- **Phase 4** (services `getConfiguration`, `updateConfiguration`, `testConfiguration`, DTOs) — DONE
diff --git a/frontend/components/admin/AdminMailTab.vue b/frontend/components/admin/AdminMailTab.vue
new file mode 100644
index 0000000..0d54a64
--- /dev/null
+++ b/frontend/components/admin/AdminMailTab.vue
@@ -0,0 +1,231 @@
+<template>
+    <div>
+        <h2 class="text-lg font-bold text-neutral-900">{{ $t('mail.admin.title') }}</h2>
+
+        <form class="mt-6 max-w-lg space-y-6" @submit.prevent="handleSave">
+            <!-- Section IMAP (réception) -->
+            <fieldset class="space-y-4">
+                <legend class="text-sm font-bold text-neutral-700">{{ $t('mail.admin.imapSection') }}</legend>
+
+                <div>
+                    <MalioInputText
+                        v-model="form.imapHost"
+                        :label="$t('mail.admin.host')"
+                        input-class="w-full"
+                    />
+                    <p class="mt-1 text-xs text-neutral-500">{{ $t('mail.admin.ovhDefaultsHelp') }}</p>
+                </div>
+
+                <div>
+                    <label class="block text-sm font-semibold text-neutral-700">{{ $t('mail.admin.port') }}</label>
+                    <input
+                        v-model.number="form.imapPort"
+                        type="number"
+                        min="1"
+                        max="65535"
+                        class="mt-1 w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                    />
+                </div>
+
+                <div>
+                    <label class="block text-sm font-semibold text-neutral-700">{{ $t('mail.admin.encryption') }}</label>
+                    <select
+                        v-model="form.imapEncryption"
+                        class="mt-1 w-full rounded-md border border-neutral-300 bg-white px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                    >
+                        <option value="ssl">SSL</option>
+                        <option value="tls">TLS</option>
+                        <option value="none">Aucun</option>
+                    </select>
+                </div>
+            </fieldset>
+
+            <!-- Section SMTP (envoi) -->
+            <fieldset class="space-y-4">
+                <legend class="text-sm font-bold text-neutral-700">{{ $t('mail.admin.smtpSection') }}</legend>
+
+                <MalioInputText
+                    v-model="form.smtpHost"
+                    :label="$t('mail.admin.host')"
+                    input-class="w-full"
+                />
+
+                <div>
+                    <label class="block text-sm font-semibold text-neutral-700">{{ $t('mail.admin.port') }}</label>
+                    <input
+                        v-model.number="form.smtpPort"
+                        type="number"
+                        min="1"
+                        max="65535"
+                        class="mt-1 w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                    />
+                </div>
+
+                <div>
+                    <label class="block text-sm font-semibold text-neutral-700">{{ $t('mail.admin.encryption') }}</label>
+                    <select
+                        v-model="form.smtpEncryption"
+                        class="mt-1 w-full rounded-md border border-neutral-300 bg-white px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                    >
+                        <option value="ssl">SSL</option>
+                        <option value="tls">TLS</option>
+                        <option value="none">Aucun</option>
+                    </select>
+                </div>
+            </fieldset>
+
+            <!-- Credentials -->
+            <fieldset class="space-y-4">
+                <legend class="text-sm font-bold text-neutral-700">{{ $t('mail.admin.username') }}</legend>
+
+                <MalioInputText
+                    v-model="form.username"
+                    :label="$t('mail.admin.username')"
+                    input-class="w-full"
+                />
+
+                <div>
+                    <MalioInputPassword
+                        v-model="form.password"
+                        :label="$t('mail.admin.password')"
+                        input-class="w-full"
+                    />
+                    <p v-if="hasPassword && !form.password" class="mt-1 text-xs text-green-600">
+                        {{ $t('mail.admin.passwordSet') }}
+                    </p>
+                </div>
+
+                <MalioInputText
+                    v-model="form.sentFolderPath"
+                    :label="$t('mail.admin.sentFolderPath')"
+                    placeholder="Sent Messages"
+                    input-class="w-full"
+                />
+            </fieldset>
+
+            <label class="flex cursor-pointer items-center gap-2">
+                <input v-model="form.enabled" type="checkbox" class="rounded border-neutral-300" />
+                <span class="text-sm">{{ $t('mail.admin.enabled') }}</span>
+            </label>
+
+            <div class="flex gap-3">
+                <MalioButton
+                    :label="$t('mail.admin.save')"
+                    button-class="w-auto px-4"
+                    :disabled="isSaving"
+                    @click="handleSave"
+                />
+                <MalioButton
+                    variant="tertiary"
+                    :label="$t('mail.admin.test')"
+                    button-class="w-auto px-4"
+                    :disabled="isTesting"
+                    @click="handleTest"
+                />
+            </div>
+
+            <div v-if="testResult !== null">
+                <p
+                    class="text-sm font-medium"
+                    :class="testResult ? 'text-green-600' : 'text-red-600'"
+                >
+                    {{ testResult ? $t('mail.admin.testSuccess') : $t('mail.admin.testFailed') }}
+                </p>
+                <p v-if="testResult === false && testError" class="mt-1 text-xs text-neutral-500">
+                    {{ testError }}
+                </p>
+            </div>
+        </form>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useMailService } from '~/services/mail'
+
+const { getConfiguration, updateConfiguration, testConfiguration } = useMailService()
+
+const form = reactive({
+    protocol: 'imap',
+    imapHost: '',
+    imapPort: 993,
+    imapEncryption: 'ssl',
+    smtpHost: '',
+    smtpPort: 465,
+    smtpEncryption: 'ssl',
+    username: '',
+    password: '',
+    sentFolderPath: '',
+    enabled: false,
+})
+
+const hasPassword = ref<boolean>(false)
+const isSaving = ref<boolean>(false)
+const isTesting = ref<boolean>(false)
+const testResult = ref<boolean | null>(null)
+const testError = ref<string | null>(null)
+
+async function loadSettings(): Promise<void> {
+    const config = await getConfiguration()
+    form.protocol = config.protocol ?? 'imap'
+    form.imapHost = config.imapHost ?? ''
+    form.imapPort = config.imapPort ?? 993
+    form.imapEncryption = config.imapEncryption ?? 'ssl'
+    form.smtpHost = config.smtpHost ?? ''
+    form.smtpPort = config.smtpPort ?? 465
+    form.smtpEncryption = config.smtpEncryption ?? 'ssl'
+    form.username = config.username ?? ''
+    form.sentFolderPath = config.sentFolderPath ?? ''
+    form.enabled = config.enabled
+    hasPassword.value = config.hasPassword
+    // password jamais pré-rempli
+}
+
+async function handleSave(): Promise<void> {
+    isSaving.value = true
+    testResult.value = null
+    testError.value = null
+    try {
+        const payload: Record<string, unknown> = {
+            protocol: form.protocol,
+            imapHost: form.imapHost.trim() || null,
+            imapPort: form.imapPort,
+            imapEncryption: form.imapEncryption,
+            smtpHost: form.smtpHost.trim() || null,
+            smtpPort: form.smtpPort,
+            smtpEncryption: form.smtpEncryption,
+            username: form.username.trim() || null,
+            sentFolderPath: form.sentFolderPath.trim() || null,
+            enabled: form.enabled,
+        }
+        if (form.password) {
+            payload.password = form.password
+        }
+        const result = await updateConfiguration(payload)
+        hasPassword.value = result.hasPassword
+        form.password = ''
+    } finally {
+        isSaving.value = false
+    }
+}
+
+async function handleTest(): Promise<void> {
+    isTesting.value = true
+    testResult.value = null
+    testError.value = null
+    try {
+        const result = await testConfiguration()
+        testResult.value = result.ok
+        if (!result.ok && result.error) {
+            testError.value = result.error
+        }
+    } catch {
+        testResult.value = false
+    } finally {
+        isTesting.value = false
+    }
+}
+
+onMounted(() => {
+    loadSettings()
+})
+</script>
diff --git a/frontend/components/mail/MailCreateTaskModal.vue b/frontend/components/mail/MailCreateTaskModal.vue
new file mode 100644
index 0000000..46c96fa
--- /dev/null
+++ b/frontend/components/mail/MailCreateTaskModal.vue
@@ -0,0 +1,251 @@
+<script setup lang="ts">
+import type { MailMessageDetailDto } from '~/services/dto/mail'
+import type { Task } from '~/services/dto/task'
+import type { Project } from '~/services/dto/project'
+import type { TaskGroup } from '~/services/dto/task-group'
+import type { TaskPriority } from '~/services/dto/task-priority'
+import { useMailService } from '~/services/mail'
+import { useProjectService } from '~/services/projects'
+import { useTaskGroupService } from '~/services/task-groups'
+import { useTaskPriorityService } from '~/services/task-priorities'
+
+const props = defineProps<{
+    /** v-model: true = modal ouvert */
+    modelValue: boolean
+    /** ID BDD du message source */
+    messageId: number
+    /** Détail du message (pour afficher sujet/expéditeur en lecture seule) */
+    messageDetail: MailMessageDetailDto | null
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: boolean]
+    /** Émis après création réussie — payload = tâche créée */
+    created: [task: Task]
+}>()
+
+const { t } = useI18n()
+const mailService = useMailService()
+const projectService = useProjectService()
+const taskGroupService = useTaskGroupService()
+const priorityService = useTaskPriorityService()
+
+// ─── État formulaire ──────────────────────────────────────────────────────
+
+const projectId = ref<number | null>(null)
+const taskGroupId = ref<number | null>(null)
+const priorityId = ref<number | null>(null)
+const isSubmitting = ref(false)
+const touchedProject = ref(false)
+
+// ─── Données de référence ─────────────────────────────────────────────────
+
+const projects = ref<Project[]>([])
+const groups = ref<TaskGroup[]>([])
+const priorities = ref<TaskPriority[]>([])
+const loadingGroups = ref(false)
+
+const projectOptions = computed(() =>
+    projects.value.map(p => ({ label: p.name, value: p.id })),
+)
+
+const groupOptions = computed(() =>
+    groups.value.filter(g => !g.archived).map(g => ({ label: g.title, value: g.id })),
+)
+
+const priorityOptions = computed(() =>
+    priorities.value.map(p => ({ label: p.label, value: p.id })),
+)
+
+// ─── Chargement initial ───────────────────────────────────────────────────
+
+onMounted(async () => {
+    const [projs, prios] = await Promise.all([
+        projectService.getAll({ archived: false }),
+        priorityService.getAll(),
+    ])
+    projects.value = projs
+    priorities.value = prios
+})
+
+// Recharger les groupes quand le projet change
+watch(projectId, async (pid) => {
+    taskGroupId.value = null
+    groups.value = []
+    if (!pid) return
+    loadingGroups.value = true
+    try {
+        groups.value = await taskGroupService.getByProject(pid)
+    } finally {
+        loadingGroups.value = false
+    }
+})
+
+// Reset formulaire à l'ouverture
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        projectId.value = null
+        taskGroupId.value = null
+        priorityId.value = null
+        touchedProject.value = false
+    }
+})
+
+// ─── Actions ──────────────────────────────────────────────────────────────
+
+function close(): void {
+    emit('update:modelValue', false)
+}
+
+async function handleSubmit(): Promise<void> {
+    touchedProject.value = true
+    if (!projectId.value) return
+
+    isSubmitting.value = true
+    try {
+        const task = await mailService.createTaskFromMail(props.messageId, {
+            projectId: projectId.value,
+            taskGroupId: taskGroupId.value ?? undefined,
+            priority: priorityId.value ? `/api/task_priorities/${priorityId.value}` : undefined,
+        })
+        emit('created', task)
+        close()
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
+
+<template>
+    <Teleport v-if="modelValue" to="body">
+        <Transition name="mail-modal" appear>
+            <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                <!-- Backdrop -->
+                <div
+                    class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                    @click="close"
+                />
+
+                <!-- Modal -->
+                <div
+                    class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                    style="max-height: min(90vh, 640px)"
+                >
+                    <!-- Header -->
+                    <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                        <h2 class="text-base font-bold text-neutral-900">
+                            {{ t('mail.createTaskModal.title') }}
+                        </h2>
+                        <MalioButtonIcon
+                            icon="mdi:close"
+                            aria-label="Fermer"
+                            variant="ghost"
+                            icon-size="20"
+                            @click="close"
+                        />
+                    </div>
+
+                    <!-- Corps -->
+                    <div class="overflow-y-auto px-6 py-5 space-y-5">
+                        <!-- Info mail source (lecture seule) -->
+                        <div
+                            v-if="messageDetail"
+                            class="rounded-lg border border-neutral-200 bg-neutral-50 px-4 py-3 text-sm"
+                        >
+                            <p class="font-medium text-neutral-800 truncate">
+                                {{ messageDetail.header.subject ?? t('mail.noSubject') }}
+                            </p>
+                            <p class="mt-0.5 text-xs text-neutral-500 truncate">
+                                {{ messageDetail.header.fromName ?? messageDetail.header.fromEmail }}
+                            </p>
+                            <p class="mt-2 text-xs text-neutral-400 italic">
+                                {{ t('mail.createTaskModal.titleHint') }}
+                            </p>
+                            <p class="text-xs text-neutral-400 italic">
+                                {{ t('mail.createTaskModal.descriptionHint') }}
+                            </p>
+                        </div>
+
+                        <!-- Sélection projet -->
+                        <div>
+                            <MalioSelect
+                                v-model="projectId"
+                                :options="projectOptions"
+                                :label="t('mail.createTaskModal.projectLabel')"
+                                :empty-option-label="t('mail.createTaskModal.projectPlaceholder')"
+                                min-width="w-full"
+                            />
+                            <p
+                                v-if="touchedProject && !projectId"
+                                class="mt-1 text-xs text-red-500"
+                            >
+                                {{ t('mail.createTaskModal.projectLabel').replace(' *', '') }} requis
+                            </p>
+                        </div>
+
+                        <!-- Sélection groupe (optionnel, chargé après projet) -->
+                        <div v-if="projectId">
+                            <MalioSelect
+                                v-model="taskGroupId"
+                                :options="groupOptions"
+                                :label="t('mail.createTaskModal.groupLabel')"
+                                :empty-option-label="t('mail.createTaskModal.groupPlaceholder')"
+                                min-width="w-full"
+                                :disabled="loadingGroups"
+                            />
+                        </div>
+
+                        <!-- Sélection priorité (optionnelle) — MalioSelect car les values sont number | null -->
+                        <div>
+                            <MalioSelect
+                                v-model="priorityId"
+                                :options="priorityOptions"
+                                :label="t('mail.createTaskModal.priorityLabel')"
+                                :empty-option-label="t('mail.createTaskModal.priorityPlaceholder')"
+                                min-width="w-full"
+                            />
+                        </div>
+                    </div>
+
+                    <!-- Footer -->
+                    <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                        <MalioButton
+                            variant="tertiary"
+                            label="Annuler"
+                            button-class="w-auto px-4"
+                            @click="close"
+                        />
+                        <MalioButton
+                            :label="t('mail.createTaskModal.submit')"
+                            button-class="w-auto px-6"
+                            :disabled="isSubmitting"
+                            @click="handleSubmit"
+                        />
+                    </div>
+                </div>
+            </div>
+        </Transition>
+    </Teleport>
+</template>
+
+<style scoped>
+.mail-modal-enter-active,
+.mail-modal-leave-active {
+    transition: opacity 0.2s ease;
+}
+
+.mail-modal-enter-active > div:last-child,
+.mail-modal-leave-active > div:last-child {
+    transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+}
+
+.mail-modal-enter-from,
+.mail-modal-leave-to {
+    opacity: 0;
+}
+
+.mail-modal-enter-from > div:last-child {
+    transform: scale(0.95) translateY(8px);
+    opacity: 0;
+}
+</style>
diff --git a/frontend/components/mail/MailFolderTree.vue b/frontend/components/mail/MailFolderTree.vue
new file mode 100644
index 0000000..604aaba
--- /dev/null
+++ b/frontend/components/mail/MailFolderTree.vue
@@ -0,0 +1,123 @@
+<script setup lang="ts">
+import type { MailFolderDto } from '~/services/dto/mail'
+
+const props = defineProps<{
+    /** Arbre de dossiers (getter folderTree du store) */
+    folders: readonly MailFolderDto[]
+    /** Chemin du dossier actuellement sélectionné */
+    selectedPath: string | null
+    /** Niveau de profondeur pour l'indentation (usage récursif interne) */
+    depth?: number
+}>()
+
+const emit = defineEmits<{
+    select: [path: string]
+}>()
+
+const { getFolderLabel, getFolderIcon } = useSystemFolderLabel()
+const { t } = useI18n()
+
+const currentDepth = computed(() => props.depth ?? 0)
+
+// Dossiers dépliés (repliés par défaut → seuls les dossiers racine sont visibles).
+const expanded = ref<Set<string>>(new Set())
+
+function isExpanded(path: string): boolean {
+    return expanded.value.has(path)
+}
+
+function toggleExpanded(path: string): void {
+    const next = new Set(expanded.value)
+    if (next.has(path)) {
+        next.delete(path)
+    } else {
+        next.add(path)
+    }
+    expanded.value = next
+}
+
+function hasChildren(folder: MailFolderDto): boolean {
+    return !!folder.children && folder.children.length > 0
+}
+
+function handleSelect(path: string): void {
+    emit('select', path)
+}
+
+function paddingStyle(): Record<string, string> {
+    const depth = currentDepth.value
+    return { paddingLeft: `${0.5 + depth * 0.75}rem` }
+}
+</script>
+
+<template>
+    <div>
+        <div
+            v-if="folders.length === 0 && currentDepth === 0"
+            class="px-3 py-4 text-sm text-neutral-400 italic"
+        >
+            {{ t('mail.empty.folder') }}
+        </div>
+
+        <template v-else>
+            <div v-for="folder in folders" :key="folder.path">
+                <div
+                    class="flex items-center gap-1 rounded-md pr-2 py-1.5 text-sm transition-colors"
+                    :class="
+                        selectedPath === folder.path
+                            ? 'bg-primary-100 text-primary-700 font-medium'
+                            : 'text-neutral-700 hover:bg-neutral-100'
+                    "
+                    :style="paddingStyle()"
+                >
+                    <button
+                        v-if="hasChildren(folder)"
+                        type="button"
+                        class="flex-shrink-0 rounded p-0.5 hover:bg-neutral-200"
+                        :aria-label="isExpanded(folder.path) ? t('mail.folderTree.collapse') : t('mail.folderTree.expand')"
+                        @click.stop="toggleExpanded(folder.path)"
+                    >
+                        <Icon
+                            :name="isExpanded(folder.path) ? 'material-symbols:keyboard-arrow-down' : 'material-symbols:chevron-right'"
+                            size="16"
+                            class="text-neutral-400"
+                        />
+                    </button>
+                    <span v-else class="inline-block w-[22px] flex-shrink-0" />
+
+                    <button
+                        type="button"
+                        class="flex flex-1 items-center gap-2 text-left min-w-0"
+                        @click="handleSelect(folder.path)"
+                    >
+                        <Icon
+                            :name="getFolderIcon(folder.path)"
+                            size="16"
+                            class="flex-shrink-0"
+                            :class="selectedPath === folder.path ? 'text-primary-600' : 'text-neutral-400'"
+                        />
+
+                        <span class="flex-1 truncate">
+                            {{ getFolderLabel(folder.path, folder.displayName) }}
+                        </span>
+
+                        <span
+                            v-if="folder.unreadCount > 0"
+                            class="ml-auto flex-shrink-0 rounded-full bg-primary-500 px-1.5 py-0.5 text-xs font-bold text-white"
+                        >
+                            {{ folder.unreadCount > 99 ? '99+' : folder.unreadCount }}
+                        </span>
+                    </button>
+                </div>
+
+                <MailFolderTree
+                    v-if="hasChildren(folder) && isExpanded(folder.path)"
+                    :folders="folder.children"
+                    :selected-path="selectedPath"
+                    :depth="currentDepth + 1"
+                    @select="handleSelect"
+                />
+            </div>
+        </template>
+    </div>
+</template>
diff --git a/frontend/components/mail/MailLinkTaskModal.vue b/frontend/components/mail/MailLinkTaskModal.vue
new file mode 100644
index 0000000..78c2180
--- /dev/null
+++ b/frontend/components/mail/MailLinkTaskModal.vue
@@ -0,0 +1,266 @@
+<script setup lang="ts">
+import type { Task } from '~/services/dto/task'
+import type { Project } from '~/services/dto/project'
+import { useMailService } from '~/services/mail'
+import { useTaskService } from '~/services/tasks'
+import { useProjectService } from '~/services/projects'
+
+const props = defineProps<{
+    modelValue: boolean
+    /** ID BDD du message à lier */
+    messageId: number
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: boolean]
+    /** Émis après liaison réussie — payload = id de la tâche liée */
+    linked: [taskId: number]
+}>()
+
+const { t } = useI18n()
+const mailService = useMailService()
+const taskService = useTaskService()
+const projectService = useProjectService()
+
+// ─── État recherche ───────────────────────────────────────────────────────
+
+const searchQuery = ref('')
+const filterProjectId = ref<number | null>(null)
+const results = ref<Task[]>([])
+const selectedTask = ref<Task | null>(null)
+const isLoading = ref(false)
+const isSubmitting = ref(false)
+
+// ─── Projets pour le filtre ───────────────────────────────────────────────
+
+const projects = ref<Project[]>([])
+
+const projectFilterOptions = computed(() =>
+    projects.value.map(p => ({ label: p.name, value: p.id })),
+)
+
+onMounted(async () => {
+    projects.value = await projectService.getAll({ archived: false })
+})
+
+// ─── Debounce recherche ───────────────────────────────────────────────────
+
+let debounceTimer: ReturnType<typeof setTimeout> | null = null
+
+watch([searchQuery, filterProjectId], () => {
+    selectedTask.value = null
+    if (debounceTimer) clearTimeout(debounceTimer)
+    debounceTimer = setTimeout(() => {
+        void runSearch()
+    }, 300)
+})
+
+async function runSearch(): Promise<void> {
+    const q = searchQuery.value.trim()
+    if (!q && !filterProjectId.value) {
+        results.value = []
+        return
+    }
+    isLoading.value = true
+    try {
+        const params: Record<string, string | number | boolean | string[]> = {
+            archived: false,
+        }
+        if (q) params['title'] = q
+        if (filterProjectId.value) params['project'] = `/api/projects/${filterProjectId.value}`
+        results.value = await taskService.getFiltered(params)
+    } finally {
+        isLoading.value = false
+    }
+}
+
+// ─── Reset à l'ouverture ──────────────────────────────────────────────────
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        searchQuery.value = ''
+        filterProjectId.value = null
+        results.value = []
+        selectedTask.value = null
+    }
+})
+
+onBeforeUnmount(() => {
+    if (debounceTimer) clearTimeout(debounceTimer)
+})
+
+// ─── Actions ──────────────────────────────────────────────────────────────
+
+function close(): void {
+    emit('update:modelValue', false)
+}
+
+function selectTask(task: Task): void {
+    selectedTask.value = task
+}
+
+async function handleSubmit(): Promise<void> {
+    if (!selectedTask.value) return
+    isSubmitting.value = true
+    try {
+        await mailService.linkTask(props.messageId, selectedTask.value.id)
+        emit('linked', selectedTask.value.id)
+        close()
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
+
+<template>
+    <Teleport v-if="modelValue" to="body">
+        <Transition name="mail-modal" appear>
+            <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                <div
+                    class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                    @click="close"
+                />
+
+                <div
+                    class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                    style="max-height: min(90vh, 640px)"
+                >
+                    <!-- Header -->
+                    <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                        <h2 class="text-base font-bold text-neutral-900">
+                            {{ t('mail.linkTaskModal.title') }}
+                        </h2>
+                        <MalioButtonIcon
+                            icon="mdi:close"
+                            aria-label="Fermer"
+                            variant="ghost"
+                            icon-size="20"
+                            @click="close"
+                        />
+                    </div>
+
+                    <!-- Corps -->
+                    <div class="overflow-y-auto px-6 py-5 space-y-4">
+                        <!-- Filtre projet -->
+                        <MalioSelect
+                            v-model="filterProjectId"
+                            :options="projectFilterOptions"
+                            :label="t('mail.linkTaskModal.projectFilter')"
+                            :empty-option-label="t('mail.linkTaskModal.projectAll')"
+                            min-width="w-full"
+                        />
+
+                        <!-- Recherche tâche -->
+                        <div>
+                            <label class="mb-1 block text-sm font-medium text-neutral-700">
+                                {{ t('mail.linkTaskModal.title') }}
+                            </label>
+                            <input
+                                v-model="searchQuery"
+                                type="text"
+                                :placeholder="t('mail.linkTaskModal.searchPlaceholder')"
+                                class="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                            />
+                        </div>
+
+                        <!-- Résultats -->
+                        <div class="max-h-64 overflow-y-auto rounded-md border border-neutral-200">
+                            <!-- Chargement -->
+                            <div
+                                v-if="isLoading"
+                                class="flex items-center justify-center py-6 text-sm text-neutral-400"
+                            >
+                                <Icon name="material-symbols:progress-activity" size="18" class="mr-2 animate-spin" />
+                                {{ t('mail.linkTaskModal.loading') }}
+                            </div>
+
+                            <!-- Vide -->
+                            <div
+                                v-else-if="!isLoading && results.length === 0 && (searchQuery.trim() || filterProjectId)"
+                                class="py-6 text-center text-sm text-neutral-400 italic"
+                            >
+                                {{ t('mail.linkTaskModal.empty') }}
+                            </div>
+
+                            <!-- Liste résultats -->
+                            <button
+                                v-for="task in results"
+                                :key="task.id"
+                                type="button"
+                                class="flex w-full items-start gap-3 px-4 py-3 text-left text-sm transition-colors hover:bg-neutral-50"
+                                :class="selectedTask?.id === task.id
+                                    ? 'bg-primary-50 border-l-2 border-primary-500'
+                                    : 'border-l-2 border-transparent'"
+                                @click="selectTask(task)"
+                            >
+                                <Icon
+                                    name="material-symbols:task-outline"
+                                    size="16"
+                                    class="mt-0.5 flex-shrink-0 text-neutral-400"
+                                />
+                                <div class="min-w-0 flex-1">
+                                    <p class="truncate font-medium text-neutral-800">
+                                        {{ task.title }}
+                                    </p>
+                                    <p
+                                        v-if="task.project"
+                                        class="truncate text-xs text-neutral-500"
+                                    >
+                                        {{ task.project.name }}
+                                        <span v-if="task.project.code && task.number">
+                                            — {{ task.project.code }}-{{ task.number }}
+                                        </span>
+                                    </p>
+                                </div>
+                                <Icon
+                                    v-if="selectedTask?.id === task.id"
+                                    name="material-symbols:check-circle"
+                                    size="16"
+                                    class="flex-shrink-0 text-primary-500"
+                                />
+                            </button>
+                        </div>
+                    </div>
+
+                    <!-- Footer -->
+                    <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                        <MalioButton
+                            variant="tertiary"
+                            label="Annuler"
+                            button-class="w-auto px-4"
+                            @click="close"
+                        />
+                        <MalioButton
+                            :label="t('mail.linkTaskModal.submit')"
+                            button-class="w-auto px-6"
+                            :disabled="!selectedTask || isSubmitting"
+                            @click="handleSubmit"
+                        />
+                    </div>
+                </div>
+            </div>
+        </Transition>
+    </Teleport>
+</template>
+
+<style scoped>
+.mail-modal-enter-active,
+.mail-modal-leave-active {
+    transition: opacity 0.2s ease;
+}
+
+.mail-modal-enter-active > div:last-child,
+.mail-modal-leave-active > div:last-child {
+    transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+}
+
+.mail-modal-enter-from,
+.mail-modal-leave-to {
+    opacity: 0;
+}
+
+.mail-modal-enter-from > div:last-child {
+    transform: scale(0.95) translateY(8px);
+    opacity: 0;
+}
+</style>
diff --git a/frontend/components/mail/MailMessageList.vue b/frontend/components/mail/MailMessageList.vue
new file mode 100644
index 0000000..1367ff1
--- /dev/null
+++ b/frontend/components/mail/MailMessageList.vue
@@ -0,0 +1,151 @@
+<script setup lang="ts">
+import type { MailMessageHeaderDto } from '~/services/dto/mail'
+
+const props = defineProps<{
+    messages: readonly MailMessageHeaderDto[]
+    selectedId: number | null
+    loading: boolean
+    hasMore: boolean
+}>()
+
+const emit = defineEmits<{
+    select: [id: number]
+    loadMore: []
+}>()
+
+const { t } = useI18n()
+
+const sentinelRef = ref<HTMLDivElement | null>(null)
+let observer: IntersectionObserver | null = null
+
+onMounted(() => {
+    if (!sentinelRef.value) return
+    observer = new IntersectionObserver(
+        (entries) => {
+            const entry = entries[0]
+            if (entry?.isIntersecting && props.hasMore && !props.loading) {
+                emit('loadMore')
+            }
+        },
+        { threshold: 0.1 },
+    )
+    observer.observe(sentinelRef.value)
+})
+
+onBeforeUnmount(() => {
+    observer?.disconnect()
+    observer = null
+})
+
+/**
+ * Formate une date ISO en date relative (il y a X minutes/heures/jours).
+ * Utilise Intl.RelativeTimeFormat avec la locale fr.
+ */
+function formatRelative(isoDate: string | null): string {
+    if (!isoDate) return ''
+    const date = new Date(isoDate)
+    const now = new Date()
+    const diffMs = date.getTime() - now.getTime()
+    const diffSeconds = Math.round(diffMs / 1000)
+    const diffMinutes = Math.round(diffSeconds / 60)
+    const diffHours = Math.round(diffMinutes / 60)
+    const diffDays = Math.round(diffHours / 24)
+
+    const rtf = new Intl.RelativeTimeFormat('fr', { numeric: 'auto' })
+
+    if (Math.abs(diffMinutes) < 1) return rtf.format(diffSeconds, 'second')
+    if (Math.abs(diffHours) < 1) return rtf.format(diffMinutes, 'minute')
+    if (Math.abs(diffDays) < 1) return rtf.format(diffHours, 'hour')
+    if (Math.abs(diffDays) < 30) return rtf.format(diffDays, 'day')
+
+    return date.toLocaleDateString('fr', { day: '2-digit', month: 'short', year: 'numeric' })
+}
+
+function getSenderLabel(msg: MailMessageHeaderDto): string {
+    return msg.fromName ?? msg.fromEmail ?? ''
+}
+</script>
+
+<template>
+    <div class="flex h-full flex-col overflow-hidden">
+        <div
+            v-if="!loading && messages.length === 0"
+            class="flex flex-1 items-center justify-center text-sm text-neutral-400 italic px-4 text-center"
+        >
+            {{ t('mail.empty.list') }}
+        </div>
+
+        <div v-else class="flex-1 overflow-y-auto divide-y divide-neutral-100">
+            <button
+                v-for="msg in messages"
+                :key="msg.id"
+                type="button"
+                class="flex w-full gap-3 px-3 py-3 text-left transition-colors hover:bg-neutral-50 focus:outline-none"
+                :class="[
+                    selectedId === msg.id ? 'bg-primary-50 border-l-2 border-primary-500' : '',
+                    !msg.isRead ? 'bg-white' : 'bg-neutral-50/50',
+                ]"
+                @click="emit('select', msg.id)"
+            >
+                <div class="mt-1.5 flex-shrink-0">
+                    <span
+                        class="block h-2 w-2 rounded-full"
+                        :class="msg.isRead ? 'bg-transparent' : 'bg-primary-500'"
+                    />
+                </div>
+
+                <div class="min-w-0 flex-1">
+                    <div class="flex items-center justify-between gap-2">
+                        <span
+                            class="truncate text-sm"
+                            :class="msg.isRead ? 'text-neutral-600 font-normal' : 'text-neutral-900 font-semibold'"
+                        >
+                            {{ getSenderLabel(msg) }}
+                        </span>
+                        <span class="flex-shrink-0 text-xs text-neutral-400">
+                            {{ formatRelative(msg.sentAt ?? msg.receivedAt) }}
+                        </span>
+                    </div>
+
+                    <p
+                        class="truncate text-sm"
+                        :class="msg.isRead ? 'text-neutral-500' : 'text-neutral-800 font-medium'"
+                    >
+                        {{ msg.subject ?? t('mail.noSubject') }}
+                    </p>
+
+                    <div class="mt-0.5 flex items-center gap-1.5">
+                        <Icon
+                            v-if="msg.isFlagged"
+                            name="material-symbols:star"
+                            size="14"
+                            class="text-amber-400 flex-shrink-0"
+                        />
+                        <Icon
+                            v-if="msg.hasAttachments"
+                            name="material-symbols:attach-file"
+                            size="14"
+                            class="text-neutral-400 flex-shrink-0"
+                        />
+                        <Icon
+                            v-if="msg.linkedTaskIds.length > 0"
+                            name="material-symbols:task-outline"
+                            size="14"
+                            class="text-primary-400 flex-shrink-0"
+                        />
+                    </div>
+                </div>
+            </button>
+
+            <div ref="sentinelRef" class="h-px" />
+
+            <div v-if="loading && messages.length > 0" class="flex items-center justify-center py-4">
+                <Icon name="material-symbols:progress-activity" size="20" class="animate-spin text-neutral-400" />
+            </div>
+        </div>
+
+        <div v-if="loading && messages.length === 0" class="flex flex-1 items-center justify-center">
+            <Icon name="material-symbols:progress-activity" size="24" class="animate-spin text-neutral-400" />
+        </div>
+    </div>
+</template>
diff --git a/frontend/components/mail/MailMessageViewer.vue b/frontend/components/mail/MailMessageViewer.vue
new file mode 100644
index 0000000..4f2c1cf
--- /dev/null
+++ b/frontend/components/mail/MailMessageViewer.vue
@@ -0,0 +1,183 @@
+<script setup lang="ts">
+import type { MailMessageDetailDto, MailAddressDto } from '~/services/dto/mail'
+import { sanitizeMailHtml } from '~/utils/sanitizeMailHtml'
+import { useMailService } from '~/services/mail'
+
+const props = defineProps<{
+    /** Détail complet du message. null = aucun message sélectionné. */
+    detail: MailMessageDetailDto | null
+    loading: boolean
+}>()
+
+const emit = defineEmits<{
+    createTask: [mailId: number]
+    linkTask: [mailId: number]
+}>()
+
+const { t } = useI18n()
+const mailService = useMailService()
+
+const showImages = ref(false)
+
+const sanitizedBody = computed((): string => {
+    if (!props.detail?.bodyHtml) return ''
+    return sanitizeMailHtml(props.detail.bodyHtml, { allowImages: showImages.value })
+})
+
+watch(
+    () => props.detail?.header.id,
+    () => {
+        showImages.value = false
+    },
+)
+
+async function handleDownload(downloadId: string, filename: string): Promise<void> {
+    try {
+        const { data } = await mailService.downloadAttachment(downloadId)
+        const url = URL.createObjectURL(data)
+        const a = document.createElement('a')
+        a.href = url
+        a.download = filename
+        a.click()
+        URL.revokeObjectURL(url)
+    } catch {
+        // L'erreur est gérée par useApi (toast automatique)
+    }
+}
+
+function formatDate(iso: string | null): string {
+    if (!iso) return ''
+    return new Date(iso).toLocaleString('fr', {
+        dateStyle: 'long',
+        timeStyle: 'short',
+    })
+}
+
+function joinAddresses(addresses: MailAddressDto[]): string {
+    return addresses
+        .map((a) => (a.name ? `${a.name} <${a.email}>` : a.email))
+        .join(', ')
+}
+</script>
+
+<template>
+    <div class="flex h-full flex-col overflow-hidden">
+        <div
+            v-if="!detail && !loading"
+            class="flex flex-1 items-center justify-center text-sm text-neutral-400 italic px-8 text-center"
+        >
+            {{ t('mail.empty.viewer') }}
+        </div>
+
+        <div v-else-if="loading" class="flex flex-1 items-center justify-center">
+            <Icon name="material-symbols:progress-activity" size="28" class="animate-spin text-neutral-400" />
+        </div>
+
+        <template v-else-if="detail">
+            <div class="flex-shrink-0 border-b border-neutral-200 px-4 py-3 space-y-1.5">
+                <h2 class="text-base font-semibold text-neutral-900 break-words">
+                    {{ detail.header.subject ?? t('mail.noSubject') }}
+                </h2>
+
+                <dl class="text-xs text-neutral-500 space-y-0.5">
+                    <div class="flex gap-1.5">
+                        <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.from') }}</dt>
+                        <dd class="break-all">
+                            {{
+                                detail.header.fromName
+                                    ? `${detail.header.fromName} <${detail.header.fromEmail}>`
+                                    : (detail.header.fromEmail ?? '')
+                            }}
+                        </dd>
+                    </div>
+                    <div v-if="detail.header.toRecipients.length > 0" class="flex gap-1.5">
+                        <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.to') }}</dt>
+                        <dd class="break-all">{{ joinAddresses(detail.header.toRecipients) }}</dd>
+                    </div>
+                    <div v-if="detail.header.ccRecipients.length > 0" class="flex gap-1.5">
+                        <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.cc') }}</dt>
+                        <dd class="break-all">{{ joinAddresses(detail.header.ccRecipients) }}</dd>
+                    </div>
+                    <div class="flex gap-1.5">
+                        <dt class="font-medium text-neutral-600 w-5 flex-shrink-0">{{ t('mail.date') }}</dt>
+                        <dd>{{ formatDate(detail.header.sentAt ?? detail.header.receivedAt) }}</dd>
+                    </div>
+                </dl>
+
+                <div class="flex flex-wrap items-center gap-2 pt-1">
+                    <MalioButton
+                        :label="t('mail.actions.createTask')"
+                        variant="primary"
+                        icon-name="material-symbols:add-task-outline"
+                        icon-position="left"
+                        :icon-size="13"
+                        button-class="text-xs px-2.5 py-1"
+                        @click="emit('createTask', detail.header.id)"
+                    />
+                    <MalioButton
+                        :label="t('mail.actions.linkTask')"
+                        variant="secondary"
+                        icon-name="material-symbols:link"
+                        icon-position="left"
+                        :icon-size="13"
+                        button-class="text-xs px-2.5 py-1"
+                        @click="emit('linkTask', detail.header.id)"
+                    />
+                </div>
+            </div>
+
+            <div class="flex-1 overflow-y-auto px-4 py-3">
+                <div
+                    v-if="!showImages && detail.bodyHtml"
+                    class="mb-3 flex items-center gap-3 rounded-md border border-amber-200 bg-amber-50 px-3 py-2 text-sm"
+                >
+                    <Icon name="material-symbols:image-outline" size="16" class="text-amber-500 flex-shrink-0" />
+                    <span class="flex-1 text-amber-700">
+                        {{ t('mail.remoteImagesBlocked') }}
+                    </span>
+                    <button
+                        type="button"
+                        class="text-xs font-medium text-amber-700 underline hover:text-amber-900 transition-colors"
+                        @click="showImages = true"
+                    >
+                        {{ t('mail.actions.showImages') }}
+                    </button>
+                </div>
+
+                <div
+                    v-if="detail.bodyHtml"
+                    class="prose prose-sm max-w-none text-neutral-800"
+                    v-html="sanitizedBody"
+                />
+
+                <pre
+                    v-else-if="detail.bodyText"
+                    class="whitespace-pre-wrap font-sans text-sm text-neutral-700"
+                >{{ detail.bodyText }}</pre>
+            </div>
+
+            <div
+                v-if="detail.attachments.length > 0"
+                class="flex-shrink-0 border-t border-neutral-200 px-4 py-3"
+            >
+                <p class="mb-2 text-xs font-semibold uppercase tracking-wide text-neutral-500">
+                    {{ t('mail.attachments') }} ({{ detail.attachments.length }})
+                </p>
+                <div class="flex flex-wrap gap-2">
+                    <button
+                        v-for="att in detail.attachments"
+                        :key="att.downloadId"
+                        type="button"
+                        class="flex items-center gap-1.5 rounded border border-neutral-200 bg-neutral-50 px-2.5 py-1.5 text-xs text-neutral-700 transition-colors hover:bg-neutral-100 hover:border-neutral-300"
+                        :title="att.filename"
+                        @click="handleDownload(att.downloadId, att.filename)"
+                    >
+                        <Icon name="material-symbols:attach-file" size="14" class="flex-shrink-0 text-neutral-400" />
+                        <span class="max-w-[180px] truncate">{{ att.filename }}</span>
+                        <span class="text-neutral-400">({{ Math.round(att.size / 1024) }} Ko)</span>
+                    </button>
+                </div>
+            </div>
+        </template>
+    </div>
+</template>
diff --git a/frontend/components/mail/MailPickerModal.vue b/frontend/components/mail/MailPickerModal.vue
new file mode 100644
index 0000000..7b893c8
--- /dev/null
+++ b/frontend/components/mail/MailPickerModal.vue
@@ -0,0 +1,228 @@
+<script setup lang="ts">
+import type { MailMessageHeaderDto } from '~/services/dto/mail'
+import { useMailService } from '~/services/mail'
+import { useMailStore } from '~/stores/mail'
+
+const props = defineProps<{
+    modelValue: boolean
+    /** ID de la tâche cible (destinataire du lien) */
+    taskId: number
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: boolean]
+    /** Émis après liaison réussie — payload = id du message lié */
+    linked: [messageId: number]
+}>()
+
+const { t } = useI18n()
+const mailService = useMailService()
+const mailStore = useMailStore()
+
+// ─── État ─────────────────────────────────────────────────────────────────
+
+const searchQuery = ref('')
+const allMessages = ref<MailMessageHeaderDto[]>([])
+const selectedMessage = ref<MailMessageHeaderDto | null>(null)
+const isLoading = ref(false)
+const isSubmitting = ref(false)
+
+// ─── Filtrage local (pas d'appel API par frappe — les messages sont déjà chargés) ──
+
+const filteredMessages = computed(() => {
+    const q = searchQuery.value.toLowerCase().trim()
+    if (!q) return allMessages.value
+    return allMessages.value.filter(
+        (m) =>
+            (m.subject ?? '').toLowerCase().includes(q)
+            || (m.fromName ?? '').toLowerCase().includes(q)
+            || (m.fromEmail ?? '').toLowerCase().includes(q),
+    )
+})
+
+// ─── Chargement à l'ouverture ─────────────────────────────────────────────
+
+watch(() => props.modelValue, async (open) => {
+    if (!open) return
+    searchQuery.value = ''
+    selectedMessage.value = null
+    isLoading.value = true
+    try {
+        // Utiliser le dossier actuellement sélectionné dans le store si disponible,
+        // sinon fallback sur INBOX.
+        const folderPath = mailStore.selectedFolderPath ?? 'INBOX'
+        const page = await mailService.listMessages(folderPath, undefined, 50)
+        allMessages.value = page.items
+    } finally {
+        isLoading.value = false
+    }
+})
+
+// ─── Actions ──────────────────────────────────────────────────────────────
+
+function close(): void {
+    emit('update:modelValue', false)
+}
+
+function selectMessage(msg: MailMessageHeaderDto): void {
+    selectedMessage.value = msg
+}
+
+async function handleSubmit(): Promise<void> {
+    if (!selectedMessage.value) return
+    isSubmitting.value = true
+    try {
+        await mailService.linkTask(selectedMessage.value.id, props.taskId)
+        emit('linked', selectedMessage.value.id)
+        close()
+    } finally {
+        isSubmitting.value = false
+    }
+}
+
+// ─── Formatage ────────────────────────────────────────────────────────────
+
+function formatDate(iso: string | null): string {
+    if (!iso) return ''
+    return new Date(iso).toLocaleDateString('fr', {
+        day: '2-digit',
+        month: 'short',
+        year: 'numeric',
+    })
+}
+</script>
+
+<template>
+    <Teleport v-if="modelValue" to="body">
+        <Transition name="mail-modal" appear>
+            <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+                <div
+                    class="absolute inset-0 bg-slate-900/40 backdrop-blur-sm"
+                    @click="close"
+                />
+
+                <div
+                    class="relative z-10 w-full max-w-lg rounded-2xl bg-white shadow-2xl ring-1 ring-black/5 overflow-hidden"
+                    style="max-height: min(90vh, 640px)"
+                >
+                    <!-- Header -->
+                    <div class="flex items-center justify-between border-b border-neutral-100 bg-neutral-50/80 px-6 py-4">
+                        <h2 class="text-base font-bold text-neutral-900">
+                            {{ t('mail.pickerModal.title') }}
+                        </h2>
+                        <MalioButtonIcon
+                            icon="mdi:close"
+                            aria-label="Fermer"
+                            variant="ghost"
+                            icon-size="20"
+                            @click="close"
+                        />
+                    </div>
+
+                    <!-- Corps -->
+                    <div class="overflow-y-auto px-6 py-5 space-y-4">
+                        <!-- Recherche locale -->
+                        <input
+                            v-model="searchQuery"
+                            type="text"
+                            :placeholder="t('mail.pickerModal.searchPlaceholder')"
+                            class="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500"
+                        />
+
+                        <!-- Résultats -->
+                        <div class="max-h-80 overflow-y-auto rounded-md border border-neutral-200 divide-y divide-neutral-100">
+                            <!-- Chargement -->
+                            <div
+                                v-if="isLoading"
+                                class="flex items-center justify-center py-8 text-sm text-neutral-400"
+                            >
+                                <Icon name="material-symbols:progress-activity" size="18" class="mr-2 animate-spin" />
+                                {{ t('mail.pickerModal.loading') }}
+                            </div>
+
+                            <!-- Vide -->
+                            <div
+                                v-else-if="filteredMessages.length === 0"
+                                class="py-8 text-center text-sm text-neutral-400 italic"
+                            >
+                                {{ t('mail.pickerModal.empty') }}
+                            </div>
+
+                            <!-- Liste -->
+                            <button
+                                v-for="msg in filteredMessages"
+                                :key="msg.id"
+                                type="button"
+                                class="flex w-full items-start gap-3 px-4 py-3 text-left text-sm transition-colors hover:bg-neutral-50"
+                                :class="selectedMessage?.id === msg.id
+                                    ? 'bg-primary-50 border-l-2 border-primary-500'
+                                    : 'border-l-2 border-transparent'"
+                                @click="selectMessage(msg)"
+                            >
+                                <Icon
+                                    name="material-symbols:mail-outline"
+                                    size="16"
+                                    class="mt-0.5 flex-shrink-0 text-neutral-400"
+                                />
+                                <div class="min-w-0 flex-1">
+                                    <p class="truncate font-medium text-neutral-800">
+                                        {{ msg.subject ?? t('mail.noSubject') }}
+                                    </p>
+                                    <p class="flex items-center gap-2 text-xs text-neutral-500">
+                                        <span class="truncate">{{ msg.fromName ?? msg.fromEmail }}</span>
+                                        <span class="flex-shrink-0">·</span>
+                                        <span class="flex-shrink-0">{{ formatDate(msg.sentAt ?? msg.receivedAt) }}</span>
+                                    </p>
+                                </div>
+                                <Icon
+                                    v-if="selectedMessage?.id === msg.id"
+                                    name="material-symbols:check-circle"
+                                    size="16"
+                                    class="flex-shrink-0 text-primary-500"
+                                />
+                            </button>
+                        </div>
+                    </div>
+
+                    <!-- Footer -->
+                    <div class="flex justify-end gap-3 border-t border-neutral-100 px-6 py-4">
+                        <MalioButton
+                            variant="tertiary"
+                            label="Annuler"
+                            button-class="w-auto px-4"
+                            @click="close"
+                        />
+                        <MalioButton
+                            :label="t('mail.pickerModal.submit')"
+                            button-class="w-auto px-6"
+                            :disabled="!selectedMessage || isSubmitting"
+                            @click="handleSubmit"
+                        />
+                    </div>
+                </div>
+            </div>
+        </Transition>
+    </Teleport>
+</template>
+
+<style scoped>
+.mail-modal-enter-active,
+.mail-modal-leave-active {
+    transition: opacity 0.2s ease;
+}
+
+.mail-modal-enter-active > div:last-child,
+.mail-modal-leave-active > div:last-child {
+    transition: transform 0.2s cubic-bezier(0.16, 1, 0.3, 1), opacity 0.2s ease;
+}
+
+.mail-modal-enter-from,
+.mail-modal-leave-to {
+    opacity: 0;
+}
+
+.mail-modal-enter-from > div:last-child {
+    transform: scale(0.95) translateY(8px);
+    opacity: 0;
+}
+</style>
diff --git a/frontend/components/mail/MailRefreshButton.vue b/frontend/components/mail/MailRefreshButton.vue
new file mode 100644
index 0000000..2d29e26
--- /dev/null
+++ b/frontend/components/mail/MailRefreshButton.vue
@@ -0,0 +1,24 @@
+<script setup lang="ts">
+import { useMailStore } from '~/stores/mail'
+
+const store = useMailStore()
+const { syncing } = storeToRefs(store)
+
+const { t } = useI18n()
+
+async function handleRefresh(): Promise<void> {
+    await store.triggerSync()
+}
+</script>
+
+<template>
+    <MalioButton
+        :label="t('mail.actions.refresh')"
+        variant="secondary"
+        icon-name="material-symbols:refresh"
+        icon-position="left"
+        :icon-size="16"
+        :disabled="syncing"
+        @click="handleRefresh"
+    />
+</template>
diff --git a/frontend/components/task/TaskModal.vue b/frontend/components/task/TaskModal.vue
index 579d0d9..ab7155d 100644
--- a/frontend/components/task/TaskModal.vue
+++ b/frontend/components/task/TaskModal.vue
@@ -60,16 +60,16 @@
                         <div class="border-b border-neutral-100 -mx-4 px-4 sm:-mx-8 sm:px-8 mb-4">
                             <nav class="flex gap-6">
                                 <button
-                                    v-for="tab in ['details', 'planning']"
+                                    v-for="tab in availableTabs"
                                     :key="tab"
                                     type="button"
                                     class="px-1 pb-3 text-sm font-semibold transition"
                                     :class="activeTab === tab
                                         ? 'border-b-2 border-primary-500 text-primary-500'
                                         : 'text-neutral-500 hover:text-neutral-700'"
-                                    @click="activeTab = tab as 'details' | 'planning'"
+                                    @click="activeTab = tab as 'details' | 'planning' | 'mails'"
                                 >
-                                    {{ $t(`tasks.${tab}Tab`) }}
+                                    {{ tab === 'mails' ? $t('mail.taskTab.title') : $t(`tasks.${tab}Tab`) }}
                                 </button>
                             </nav>
                         </div>
@@ -433,6 +433,76 @@
                             </div>
                         </div>
 
+                        <!-- Onglet Mails -->
+                        <div v-show="activeTab === 'mails'" class="space-y-4">
+                            <!-- Chargement -->
+                            <div v-if="mailsLoading" class="flex items-center justify-center py-8">
+                                <Icon name="material-symbols:progress-activity" size="24" class="animate-spin text-neutral-400" />
+                            </div>
+
+                            <!-- Vide -->
+                            <div
+                                v-else-if="linkedMails.length === 0"
+                                class="flex flex-col items-center justify-center gap-3 py-8 text-center"
+                            >
+                                <Icon name="material-symbols:mail-outline" size="32" class="text-neutral-300" />
+                                <p class="text-sm text-neutral-400 italic">{{ $t('mail.taskTab.empty') }}</p>
+                            </div>
+
+                            <!-- Liste mails liés -->
+                            <div v-else class="divide-y divide-neutral-100 rounded-lg border border-neutral-200">
+                                <NuxtLink
+                                    v-for="mail in linkedMails"
+                                    :key="mail.id"
+                                    :to="`/mail?messageId=${mail.id}`"
+                                    class="flex items-start gap-3 px-4 py-3 text-sm transition-colors hover:bg-neutral-50"
+                                    :title="$t('mail.taskTab.openInMailer')"
+                                >
+                                    <Icon
+                                        name="material-symbols:mail-outline"
+                                        size="16"
+                                        class="mt-0.5 flex-shrink-0 text-neutral-400"
+                                    />
+                                    <div class="min-w-0 flex-1">
+                                        <p class="truncate font-medium text-neutral-800">
+                                            {{ mail.subject ?? $t('mail.noSubject') }}
+                                        </p>
+                                        <p class="flex items-center gap-2 text-xs text-neutral-500">
+                                            <span class="truncate">{{ mail.fromName ?? mail.fromEmail }}</span>
+                                            <span>·</span>
+                                            <span class="flex-shrink-0">{{ formatMailDate(mail.sentAt ?? mail.receivedAt) }}</span>
+                                        </p>
+                                    </div>
+                                    <Icon
+                                        name="material-symbols:open-in-new"
+                                        size="14"
+                                        class="flex-shrink-0 text-neutral-300"
+                                    />
+                                </NuxtLink>
+                            </div>
+
+                            <!-- Bouton lier un mail -->
+                            <div class="pt-2">
+                                <MalioButton
+                                    :label="$t('mail.taskTab.linkButton')"
+                                    variant="secondary"
+                                    icon-name="material-symbols:link"
+                                    icon-position="left"
+                                    :icon-size="14"
+                                    button-class="w-auto"
+                                    @click="showMailPickerModal = true"
+                                />
+                            </div>
+
+                            <!-- Modal picker mail -->
+                            <MailPickerModal
+                                v-if="task"
+                                v-model="showMailPickerModal"
+                                :task-id="task.id"
+                                @linked="handleMailLinked"
+                            />
+                        </div>
+
                         <!-- Footer -->
                         <div
                             class="mt-6 flex items-center border-t border-neutral-100 pt-5"
@@ -513,6 +583,8 @@ import { useTaskService } from '~/services/tasks'
 import { useTaskRecurrenceService } from '~/services/task-recurrences'
 
 import type { Project } from '~/services/dto/project'
+import { useMailService } from '~/services/mail'
+import type { MailMessageHeaderDto } from '~/services/dto/mail'
 
 const props = defineProps<{
     modelValue: boolean
@@ -545,7 +617,14 @@ function close() {
 const isEditing = computed(() => !!props.task)
 const isSubmitting = ref(false)
 const confirmDeleteOpen = ref(false)
-const activeTab = ref<'details' | 'planning'>('details')
+const activeTab = ref<'details' | 'planning' | 'mails'>('details')
+
+// ─── Onglet Mails ─────────────────────────────────────────────────────────
+
+const mailService = useMailService()
+const linkedMails = ref<MailMessageHeaderDto[]>([])
+const mailsLoading = ref(false)
+const showMailPickerModal = ref(false)
 
 const giteaUrl = ref('')
 const { getSettings: getGiteaSettings } = useGiteaService()
@@ -765,6 +844,7 @@ watch(() => props.modelValue, async (open) => {
         activeTab.value = 'details'
         confirmDeleteDocOpen.value = false
         documentToDelete.value = null
+        linkedMails.value = []
         populateForm(props.task)
         const pid = resolvedProjectId.value
         if (pid) {
@@ -823,6 +903,49 @@ watch(() => form.projectId, async (pid) => {
 const authStore = useAuthStore()
 const isAdmin = computed(() => authStore.user?.roles?.includes('ROLE_ADMIN') ?? false)
 
+const isClientOnly = computed(() =>
+    authStore.user?.roles?.includes('ROLE_CLIENT') === true
+    && authStore.user?.roles?.includes('ROLE_ADMIN') !== true,
+)
+const isMailUser = computed(() => !isClientOnly.value)
+
+const availableTabs = computed(() => {
+    const base: Array<'details' | 'planning' | 'mails'> = ['details', 'planning']
+    if (isEditing.value && isMailUser.value) base.push('mails')
+    return base
+})
+
+async function loadLinkedMails(): Promise<void> {
+    if (!props.task || !isMailUser.value) return
+    mailsLoading.value = true
+    try {
+        linkedMails.value = await mailService.listMailsForTask(props.task.id)
+    } catch {
+        linkedMails.value = []
+    } finally {
+        mailsLoading.value = false
+    }
+}
+
+watch(activeTab, async (tab) => {
+    if (tab === 'mails' && props.task) {
+        await loadLinkedMails()
+    }
+})
+
+async function handleMailLinked(): Promise<void> {
+    showMailPickerModal.value = false
+    await loadLinkedMails()
+}
+
+function formatMailDate(iso: string | null): string {
+    if (!iso) return ''
+    return new Date(iso).toLocaleDateString('fr', {
+        day: '2-digit',
+        month: 'short',
+    })
+}
+
 function ticketStatusClass(status: string): string {
     switch (status) {
         case 'new': return 'bg-blue-100 text-blue-700'
diff --git a/frontend/composables/useSystemFolderLabel.ts b/frontend/composables/useSystemFolderLabel.ts
new file mode 100644
index 0000000..8958e0a
--- /dev/null
+++ b/frontend/composables/useSystemFolderLabel.ts
@@ -0,0 +1,75 @@
+/**
+ * Mapping des chemins de dossiers système IMAP vers les clés i18n.
+ * Les clés sont normalisées en minuscules pour la comparaison.
+ * Couvre les variantes OVH courantes (INBOX, INBOX.Sent, Sent, etc.)
+ */
+const SYSTEM_FOLDER_MAP: Record<string, string> = {
+    'inbox': 'mail.systemFolder.inbox',
+    'sent': 'mail.systemFolder.sent',
+    'inbox.sent': 'mail.systemFolder.sent',
+    'sent messages': 'mail.systemFolder.sent',
+    'drafts': 'mail.systemFolder.drafts',
+    'inbox.drafts': 'mail.systemFolder.drafts',
+    'archive': 'mail.systemFolder.archive',
+    'archives': 'mail.systemFolder.archive',
+    'inbox.archive': 'mail.systemFolder.archive',
+    'trash': 'mail.systemFolder.trash',
+    'deleted': 'mail.systemFolder.trash',
+    'deleted items': 'mail.systemFolder.trash',
+    'inbox.trash': 'mail.systemFolder.trash',
+    'junk': 'mail.systemFolder.junk',
+    'junk e-mail': 'mail.systemFolder.junk',
+    'spam': 'mail.systemFolder.junk',
+    'inbox.junk': 'mail.systemFolder.junk',
+}
+
+/**
+ * Icônes Material Symbols associées aux dossiers système.
+ * Pour les dossiers non reconnus : utiliser une icône générique.
+ */
+const SYSTEM_FOLDER_ICONS: Record<string, string> = {
+    'mail.systemFolder.inbox': 'material-symbols:inbox-outline',
+    'mail.systemFolder.sent': 'material-symbols:send-outline',
+    'mail.systemFolder.drafts': 'material-symbols:draft-outline',
+    'mail.systemFolder.archive': 'material-symbols:archive-outline',
+    'mail.systemFolder.trash': 'material-symbols:delete-outline',
+    'mail.systemFolder.junk': 'material-symbols:report-outline',
+}
+
+const DEFAULT_FOLDER_ICON = 'material-symbols:folder-outline'
+
+export function useSystemFolderLabel() {
+    const { t } = useI18n()
+
+    /**
+     * Retourne le label traduit d'un dossier système, ou son displayName si inconnu.
+     * @param path - Chemin IMAP du dossier (ex: "INBOX", "INBOX.Sent")
+     * @param displayName - Nom affiché par défaut si non reconnu
+     */
+    function getFolderLabel(path: string, displayName: string): string {
+        const key = SYSTEM_FOLDER_MAP[path.toLowerCase()]
+        return key ? t(key) : displayName
+    }
+
+    /**
+     * Retourne le nom de l'icône Material Symbols pour un dossier.
+     * @param path - Chemin IMAP du dossier
+     */
+    function getFolderIcon(path: string): string {
+        const key = SYSTEM_FOLDER_MAP[path.toLowerCase()]
+        return key ? (SYSTEM_FOLDER_ICONS[key] ?? DEFAULT_FOLDER_ICON) : DEFAULT_FOLDER_ICON
+    }
+
+    /**
+     * Indique si un dossier est un dossier système reconnu.
+     */
+    function isSystemFolder(path: string): boolean {
+        return path.toLowerCase() in SYSTEM_FOLDER_MAP
+    }
+
+    return {
+        getFolderLabel,
+        getFolderIcon,
+        isSystemFolder,
+    }
+}
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index df24394..7bd9f6c 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -492,5 +492,127 @@
         "weekly": "Hebdomadaire",
         "monthly": "Mensuel",
         "yearly": "Annuel"
+    },
+    "mail": {
+        "title": "Messagerie",
+        "sidebar": {
+            "title": "Messagerie",
+            "ariaLabel": "Accès à la messagerie, {count} messages non lus"
+        },
+        "admin": {
+            "title": "Configuration messagerie",
+            "protocol": "Protocole",
+            "imapSection": "Réception (IMAP)",
+            "smtpSection": "Envoi (SMTP)",
+            "host": "Serveur",
+            "port": "Port",
+            "encryption": "Chiffrement",
+            "username": "Adresse e-mail",
+            "password": "Mot de passe",
+            "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
+            "sentFolderPath": "Dossier des envois",
+            "enabled": "Activer la synchronisation mail",
+            "test": "Tester la connexion",
+            "testSuccess": "Connexion IMAP réussie",
+            "testFailed": "Échec de connexion",
+            "save": "Enregistrer",
+            "saveSuccess": "Configuration enregistrée",
+            "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
+        },
+        "folders": "Dossiers",
+        "messages": "Messages",
+        "viewer": "Lecture",
+        "empty": {
+            "folder": "Aucun dossier disponible.",
+            "list": "Aucun message dans ce dossier.",
+            "viewer": "Sélectionnez un message pour le lire."
+        },
+        "folderTree": {
+            "expand": "Déplier le dossier",
+            "collapse": "Replier le dossier"
+        },
+        "systemFolder": {
+            "inbox": "Boîte de réception",
+            "sent": "Éléments envoyés",
+            "drafts": "Brouillons",
+            "archive": "Archives",
+            "trash": "Corbeille",
+            "junk": "Indésirables"
+        },
+        "actions": {
+            "refresh": "Actualiser",
+            "createTask": "Créer une tâche",
+            "linkTask": "Lier à une tâche",
+            "markRead": "Marquer comme lu",
+            "markUnread": "Marquer comme non lu",
+            "flag": "Marquer important",
+            "unflag": "Retirer l'importance",
+            "download": "Télécharger",
+            "showImages": "Afficher les images"
+        },
+        "errors": {
+            "syncFailed": "Erreur lors de la synchronisation.",
+            "fetchFailed": "Impossible de charger les messages.",
+            "notAuthorized": "Vous n'avez pas accès à la messagerie."
+        },
+        "configuration": {
+            "saved": "Configuration mail enregistrée."
+        },
+        "task": {
+            "created": "Tâche créée depuis le mail.",
+            "linked": "Mail lié à la tâche.",
+            "unlinked": "Lien supprimé."
+        },
+        "createTaskModal": {
+            "title": "Créer une tâche depuis ce mail",
+            "submit": "Créer la tâche",
+            "projectLabel": "Projet *",
+            "projectPlaceholder": "Sélectionner un projet",
+            "groupLabel": "Groupe (optionnel)",
+            "groupPlaceholder": "Aucun groupe",
+            "priorityLabel": "Priorité (optionnelle)",
+            "priorityPlaceholder": "Aucune priorité",
+            "titleHint": "Le titre sera rempli depuis le sujet du mail.",
+            "descriptionHint": "La description sera remplie depuis le corps du mail."
+        },
+        "linkTaskModal": {
+            "title": "Lier à une tâche existante",
+            "submit": "Lier la tâche",
+            "searchPlaceholder": "Rechercher une tâche par titre…",
+            "projectFilter": "Filtrer par projet",
+            "projectAll": "Tous les projets",
+            "empty": "Aucune tâche correspondante.",
+            "loading": "Recherche en cours…"
+        },
+        "pickerModal": {
+            "title": "Lier un mail à cette tâche",
+            "searchPlaceholder": "Rechercher un mail (sujet, expéditeur)…",
+            "empty": "Aucun mail correspondant.",
+            "loading": "Chargement des mails…",
+            "submit": "Lier ce mail"
+        },
+        "taskTab": {
+            "title": "Mails",
+            "empty": "Aucun mail lié à cette tâche.",
+            "linkButton": "Lier un mail",
+            "openInMailer": "Ouvrir dans la messagerie",
+            "unlinkConfirm": "Délier ce mail ?"
+        },
+        "sync": {
+            "dispatched": "Synchronisation lancée en arrière-plan."
+        },
+        "attachments": "Pièces jointes",
+        "noAttachments": "Aucune pièce jointe.",
+        "from": "De",
+        "to": "À",
+        "cc": "Cc",
+        "date": "Date",
+        "subject": "Sujet",
+        "noSubject": "(Sans objet)",
+        "loadMore": "Charger plus",
+        "loading": "Chargement…",
+        "hasAttachments": "Pièces jointes",
+        "unread": "non lu | non lus",
+        "remoteImagesBlocked": "Les images distantes sont masquées pour votre sécurité."
     }
 }
diff --git a/frontend/layouts/default.vue b/frontend/layouts/default.vue
index 4894ea4..f3e6b53 100644
--- a/frontend/layouts/default.vue
+++ b/frontend/layouts/default.vue
@@ -53,6 +53,23 @@
                         :collapsed="sidebarIsCollapsed"
                         @click="ui.closeMobileSidebar()"
                     />
+                    <div v-if="isMailVisible" class="relative">
+                        <SidebarLink
+                            to="/mail"
+                            icon="mdi:email-outline"
+                            :label="$t('mail.sidebar.title')"
+                            :collapsed="sidebarIsCollapsed"
+                            @click="ui.closeMobileSidebar()"
+                        />
+                        <span
+                            v-if="mailStore.globalUnreadCount > 0"
+                            class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+                            :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
+                            :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+                        >
+                            {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+                        </span>
+                    </div>
                     <SidebarLink
                         to="/projects"
                         icon="mdi:folder-outline"
@@ -162,9 +179,18 @@ import { extractHydraMembers } from '~/utils/api'
 
 const auth = useAuthStore()
 const ui = useUiStore()
+const mailStore = useMailStore()
 const {version} = useAppVersion()
 const route = useRoute()
 
+const isMailVisible = computed(() => {
+    const roles: string[] = auth.user?.roles ?? []
+    const isClientOnly = roles.includes('ROLE_CLIENT')
+        && !roles.includes('ROLE_ADMIN')
+        && !roles.includes('ROLE_USER')
+    return !isClientOnly && (roles.includes('ROLE_USER') || roles.includes('ROLE_ADMIN'))
+})
+
 // On mobile, sidebar is always expanded (not collapsed icon mode)
 const sidebarIsCollapsed = computed(() => {
     if (ui.sidebarOpen) return false
@@ -207,6 +233,17 @@ watch(
 
 onMounted(() => {
     timerStore.fetchActive()
+    if (isMailVisible.value) {
+        mailStore.startPolling()
+    }
+})
+
+watch(() => auth.user, (user) => {
+    if (!user) {
+        mailStore.stopPolling()
+    } else if (isMailVisible.value) {
+        mailStore.startPolling()
+    }
 })
 
 const completeDrawerOpen = ref(false)
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index ce394c2..5ef248b 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -15,6 +15,7 @@
                 "@tailwindcss/typography": "^0.5.19",
                 "@vuepic/vue-datepicker": "^12.1.0",
                 "chart.js": "^4.5.1",
+                "dompurify": "^3.4.5",
                 "marked": "^18.0.0",
                 "nuxt": "^4.3.1",
                 "nuxt-toast": "^1.4.0",
@@ -23,6 +24,9 @@
                 "vue-advanced-cropper": "^2.8.9",
                 "vue-chartjs": "^5.3.3",
                 "vue-router": "^4.6.4"
+            },
+            "devDependencies": {
+                "@types/dompurify": "^3.0.5"
             }
         },
         "node_modules/@alloc/quick-lru": {
@@ -5859,6 +5863,16 @@
                 "tslib": "^2.4.0"
             }
         },
+        "node_modules/@types/dompurify": {
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-3.0.5.tgz",
+            "integrity": "sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@types/trusted-types": "*"
+            }
+        },
         "node_modules/@types/esrecurse": {
             "version": "4.3.1",
             "resolved": "https://registry.npmjs.org/@types/esrecurse/-/esrecurse-4.3.1.tgz",
@@ -5905,6 +5919,13 @@
             "integrity": "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==",
             "license": "MIT"
         },
+        "node_modules/@types/trusted-types": {
+            "version": "2.0.7",
+            "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+            "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+            "devOptional": true,
+            "license": "MIT"
+        },
         "node_modules/@types/web-bluetooth": {
             "version": "0.0.21",
             "resolved": "https://registry.npmjs.org/@types/web-bluetooth/-/web-bluetooth-0.0.21.tgz",
@@ -8100,6 +8121,15 @@
                 "url": "https://github.com/fb55/domhandler?sponsor=1"
             }
         },
+        "node_modules/dompurify": {
+            "version": "3.4.5",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.5.tgz",
+            "integrity": "sha512-OrwIBKsdNSVEeubdJ1HBv/wNENRM9ytAVCv7YXt//A3vPdVMNuACRqK9mXCGCBW2ln7BT/A4X0jXHo2Gu89miA==",
+            "license": "(MPL-2.0 OR Apache-2.0)",
+            "optionalDependencies": {
+                "@types/trusted-types": "^2.0.7"
+            }
+        },
         "node_modules/domutils": {
             "version": "3.2.2",
             "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
@@ -12223,7 +12253,6 @@
             "resolved": "https://registry.npmjs.org/prosemirror-model/-/prosemirror-model-1.25.4.tgz",
             "integrity": "sha512-PIM7E43PBxKce8OQeezAs9j4TP+5yDpZVbuurd1h5phUxEKIu+G2a+EUZzIC5nS1mJktDJWzbqS23n1tsAf5QA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "orderedmap": "^2.0.0"
             }
@@ -12244,7 +12273,6 @@
             "resolved": "https://registry.npmjs.org/prosemirror-state/-/prosemirror-state-1.4.4.tgz",
             "integrity": "sha512-6jiYHH2CIGbCfnxdHbXZ12gySFY/fz/ulZE333G6bPqIZ4F+TXo9ifiR86nAHpWnfoNjOb3o5ESi7J8Uz1jXHw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "prosemirror-model": "^1.0.0",
                 "prosemirror-transform": "^1.0.0",
@@ -12278,7 +12306,6 @@
             "resolved": "https://registry.npmjs.org/prosemirror-view/-/prosemirror-view-1.41.8.tgz",
             "integrity": "sha512-TnKDdohEatgyZNGCDWIdccOHXhYloJwbwU+phw/a23KBvJIR9lWQWW7WHHK3vBdOLDNuF7TaX98GObUZOWkOnA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "prosemirror-model": "^1.20.0",
                 "prosemirror-state": "^1.0.0",
diff --git a/frontend/package.json b/frontend/package.json
index 3ffd52c..b8cc7e2 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -19,6 +19,7 @@
         "@tailwindcss/typography": "^0.5.19",
         "@vuepic/vue-datepicker": "^12.1.0",
         "chart.js": "^4.5.1",
+        "dompurify": "^3.4.5",
         "marked": "^18.0.0",
         "nuxt": "^4.3.1",
         "nuxt-toast": "^1.4.0",
@@ -27,5 +28,8 @@
         "vue-advanced-cropper": "^2.8.9",
         "vue-chartjs": "^5.3.3",
         "vue-router": "^4.6.4"
+    },
+    "devDependencies": {
+        "@types/dompurify": "^3.0.5"
     }
 }
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index 0743847..7ad5831 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -30,6 +30,7 @@
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
+            <AdminMailTab v-if="activeTab === 'mail'" />
         </div>
     </div>
 </template>
@@ -48,6 +49,7 @@ const tabs = [
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },
+    { key: 'mail', label: 'Mail' },
 ] as const
 
 type TabKey = typeof tabs[number]['key']
diff --git a/frontend/pages/mail.vue b/frontend/pages/mail.vue
new file mode 100644
index 0000000..bc3ddf6
--- /dev/null
+++ b/frontend/pages/mail.vue
@@ -0,0 +1,182 @@
+<script setup lang="ts">
+import type { Task } from '~/services/dto/task'
+import { useMailStore } from '~/stores/mail'
+import { useAuthStore } from '~/stores/auth'
+
+const { t } = useI18n()
+const router = useRouter()
+const route = useRoute()
+const auth = useAuthStore()
+
+useHead({ title: t('mail.title') })
+
+// ─── Contrôle d'accès ROLE_CLIENT ─────────────────────────────────────────
+// Le middleware global gère auth + ROLE_CLIENT → /portal. Ici : double check
+// en SPA car la session peut être hydratée après le rendu initial.
+
+const isClientOnly = computed(() =>
+    auth.user?.roles?.includes('ROLE_CLIENT') === true
+    && auth.user?.roles?.includes('ROLE_ADMIN') !== true,
+)
+
+if (isClientOnly.value) {
+    await navigateTo('/portal')
+}
+
+// ─── Store ────────────────────────────────────────────────────────────────
+
+const store = useMailStore()
+const {
+    folderTree,
+    selectedFolderPath,
+    messages,
+    messagesLoading,
+    hasMoreMessages,
+    selectedMessageId,
+    selectedMessageDetail,
+    detailLoading,
+} = storeToRefs(store)
+
+// ─── Init : charge les dossiers + deep-link ───────────────────────────────
+
+onMounted(async () => {
+    if (isClientOnly.value) {
+        router.replace('/portal')
+        return
+    }
+
+    if (folderTree.value.length === 0) {
+        await store.fetchFolders()
+    }
+
+    if (!selectedFolderPath.value && folderTree.value.length > 0) {
+        const inbox = folderTree.value.find((f) => f.path.toUpperCase() === 'INBOX')
+        const first = folderTree.value[0]
+        const target = inbox?.path ?? first?.path
+        if (target) {
+            await store.selectFolder(target)
+        }
+    }
+
+    const messageIdParam = route.query.messageId
+    if (messageIdParam) {
+        const id = parseInt(String(messageIdParam), 10)
+        if (!isNaN(id)) {
+            await store.selectMessage(id)
+        }
+    }
+})
+
+// ─── Handlers ─────────────────────────────────────────────────────────────
+
+async function handleFolderSelect(path: string): Promise<void> {
+    await store.selectFolder(path)
+    if (route.query.messageId) {
+        const nextQuery = { ...route.query }
+        delete nextQuery.messageId
+        router.replace({ query: nextQuery })
+    }
+}
+
+async function handleMessageSelect(id: number): Promise<void> {
+    await store.selectMessage(id)
+}
+
+function handleLoadMore(): void {
+    store.fetchMessages(true)
+}
+
+// ─── Modals Phase 6 ────────────────────────────────────────────────────────
+
+const showCreateTaskModal = ref(false)
+const showLinkTaskModal = ref(false)
+const activeMailIdForModal = ref<number | null>(null)
+
+function handleCreateTask(mailId: number): void {
+    activeMailIdForModal.value = mailId
+    showCreateTaskModal.value = true
+}
+
+function handleLinkTask(mailId: number): void {
+    activeMailIdForModal.value = mailId
+    showLinkTaskModal.value = true
+}
+
+function handleTaskCreated(_task: Task): void {
+    showCreateTaskModal.value = false
+    // La tâche est créée et liée côté backend — toast géré par useMailService.createTaskFromMail
+}
+
+function handleTaskLinked(_taskId: number): void {
+    showLinkTaskModal.value = false
+    // Toast géré par useMailService.linkTask
+}
+</script>
+
+<template>
+    <div class="flex h-full flex-col overflow-hidden">
+        <div class="flex flex-shrink-0 items-center justify-between border-b border-neutral-200 bg-white px-4 py-3">
+            <h1 class="text-lg font-semibold text-neutral-900">
+                {{ t('mail.title') }}
+            </h1>
+            <MailRefreshButton />
+        </div>
+
+        <div class="flex flex-1 overflow-hidden">
+            <aside class="w-[220px] flex-shrink-0 overflow-y-auto border-r border-neutral-200 bg-neutral-50 py-2">
+                <p class="mb-1 px-3 text-xs font-semibold uppercase tracking-wide text-neutral-400">
+                    {{ t('mail.folders') }}
+                </p>
+                <MailFolderTree
+                    :folders="folderTree"
+                    :selected-path="selectedFolderPath"
+                    @select="handleFolderSelect"
+                />
+            </aside>
+
+            <div class="flex w-[320px] flex-shrink-0 flex-col overflow-hidden border-r border-neutral-200 bg-white">
+                <div class="flex flex-shrink-0 items-center justify-between border-b border-neutral-100 px-3 py-2">
+                    <p class="text-xs font-semibold uppercase tracking-wide text-neutral-400">
+                        {{ t('mail.messages') }}
+                    </p>
+                </div>
+                <div class="flex-1 overflow-hidden">
+                    <MailMessageList
+                        :messages="messages"
+                        :selected-id="selectedMessageId"
+                        :loading="messagesLoading"
+                        :has-more="hasMoreMessages"
+                        @select="handleMessageSelect"
+                        @load-more="handleLoadMore"
+                    />
+                </div>
+            </div>
+
+            <div class="flex-1 overflow-hidden bg-white">
+                <MailMessageViewer
+                    :detail="selectedMessageDetail"
+                    :loading="detailLoading"
+                    @create-task="handleCreateTask"
+                    @link-task="handleLinkTask"
+                />
+            </div>
+        </div>
+
+        <!-- Modal créer tâche depuis mail -->
+        <MailCreateTaskModal
+            v-if="activeMailIdForModal !== null"
+            v-model="showCreateTaskModal"
+            :message-id="activeMailIdForModal"
+            :message-detail="selectedMessageDetail"
+            @created="handleTaskCreated"
+        />
+
+        <!-- Modal lier mail à tâche -->
+        <MailLinkTaskModal
+            v-if="activeMailIdForModal !== null"
+            v-model="showLinkTaskModal"
+            :message-id="activeMailIdForModal"
+            @linked="handleTaskLinked"
+        />
+    </div>
+</template>
diff --git a/frontend/services/dto/mail.ts b/frontend/services/dto/mail.ts
new file mode 100644
index 0000000..818b138
--- /dev/null
+++ b/frontend/services/dto/mail.ts
@@ -0,0 +1,121 @@
+// Lecture de la configuration mail (singleton admin)
+export type MailConfigurationDto = {
+    protocol: string | null
+    imapHost: string | null
+    imapPort: number | null
+    imapEncryption: string | null
+    smtpHost: string | null
+    smtpPort: number | null
+    smtpEncryption: string | null
+    username: string | null
+    sentFolderPath: string | null
+    enabled: boolean
+    hasPassword: boolean
+    // password JAMAIS présent dans les réponses GET
+}
+
+// Input PATCH configuration (password optionnel, write-only)
+export type MailConfigurationUpdateDto = {
+    protocol?: string | null
+    imapHost?: string | null
+    imapPort?: number | null
+    imapEncryption?: string | null
+    smtpHost?: string | null
+    smtpPort?: number | null
+    smtpEncryption?: string | null
+    username?: string | null
+    sentFolderPath?: string | null
+    enabled?: boolean
+    password?: string       // write-only, jamais retourné
+}
+
+// Résultat du test de connexion
+export type MailTestConnectionResultDto = {
+    ok: boolean
+    foldersCount?: number
+    error?: string
+}
+
+// Dossier mail (peut être imbriqué)
+export type MailFolderDto = {
+    path: string
+    displayName: string
+    parentPath: string | null
+    unreadCount: number
+    totalCount: number
+    children?: MailFolderDto[]
+}
+
+// Adresse mail (nom + email)
+export type MailAddressDto = {
+    name: string | null
+    email: string
+}
+
+// En-tête d'un message (liste)
+export type MailMessageHeaderDto = {
+    id: number
+    messageId: string       // identifiant IMAP unique
+    folderPath: string
+    subject: string | null
+    fromName: string | null
+    fromEmail: string | null
+    toRecipients: MailAddressDto[]
+    ccRecipients: MailAddressDto[]
+    sentAt: string | null   // ISO 8601
+    receivedAt: string      // ISO 8601
+    isRead: boolean
+    isFlagged: boolean
+    hasAttachments: boolean
+    linkedTaskIds: number[]
+}
+
+// Pièce jointe (métadonnées uniquement, téléchargement via downloadId)
+export type MailAttachmentDto = {
+    downloadId: string
+    filename: string
+    mimeType: string
+    size: number            // octets
+}
+
+// Détail complet d'un message (enrichi avec body + PJ)
+export type MailMessageDetailDto = {
+    header: MailMessageHeaderDto
+    bodyHtml: string | null    // HTML brut — TOUJOURS passer par sanitizeMailHtml() avant affichage
+    bodyText: string | null    // Fallback texte plain
+    attachments: MailAttachmentDto[]
+}
+
+// Page de messages paginée (cursor-based)
+export type MailMessagesPageDto = {
+    items: MailMessageHeaderDto[]
+    nextCursor: string | null   // null = plus de page suivante
+    total: number
+}
+
+// Input : marquer lu/non-lu
+export type MailMessageReadInput = {
+    read: boolean
+}
+
+// Input : marquer étoilé/non-étoilé
+export type MailMessageFlagInput = {
+    flagged: boolean
+}
+
+// Input : créer une tâche depuis un mail
+export type MailCreateTaskInput = {
+    projectId: number
+    taskGroupId?: number | null
+    priority?: string | null
+}
+
+// Input : lier une tâche existante à un mail
+export type MailLinkTaskInput = {
+    taskId: number
+}
+
+// Résultat de la sync manuelle
+export type MailSyncResultDto = {
+    dispatched: boolean
+}
diff --git a/frontend/services/mail.ts b/frontend/services/mail.ts
new file mode 100644
index 0000000..2f44422
--- /dev/null
+++ b/frontend/services/mail.ts
@@ -0,0 +1,276 @@
+import type {
+    MailConfigurationDto,
+    MailConfigurationUpdateDto,
+    MailTestConnectionResultDto,
+    MailFolderDto,
+    MailMessageHeaderDto,
+    MailMessageDetailDto,
+    MailMessagesPageDto,
+    MailMessageReadInput,
+    MailMessageFlagInput,
+    MailCreateTaskInput,
+    MailLinkTaskInput,
+    MailSyncResultDto,
+} from './dto/mail'
+import type { Task } from './dto/task'
+
+type BackendMailMessage = {
+    id: number
+    messageId: string
+    uid: number
+    folderPath?: string
+    subject: string | null
+    fromAddress: string | null
+    fromName: string | null
+    toAddresses: string[] | null
+    ccAddresses: string[] | null
+    sentAt: string | null
+    isRead: boolean
+    isFlagged: boolean
+    hasAttachments: boolean
+    snippet?: string | null
+    linkedTaskIds?: number[]
+}
+
+function toAddressList(values: string[] | null | undefined): { email: string; name: string | null }[] {
+    return (values ?? []).map((email) => ({ email, name: null }))
+}
+
+function mapHeader(m: BackendMailMessage, fallbackFolderPath = ''): MailMessageHeaderDto {
+    return {
+        id: m.id,
+        messageId: m.messageId,
+        folderPath: m.folderPath ?? fallbackFolderPath,
+        subject: m.subject,
+        fromName: m.fromName,
+        fromEmail: m.fromAddress,
+        toRecipients: toAddressList(m.toAddresses),
+        ccRecipients: toAddressList(m.ccAddresses),
+        sentAt: m.sentAt,
+        receivedAt: m.sentAt ?? '',
+        isRead: m.isRead,
+        isFlagged: m.isFlagged,
+        hasAttachments: m.hasAttachments,
+        linkedTaskIds: m.linkedTaskIds ?? [],
+    }
+}
+
+export function useMailService() {
+    const api = useApi()
+
+    // ─── Configuration (Admin) ────────────────────────────────────────────────
+
+    /**
+     * Récupère la configuration mail singleton.
+     * Requiert ROLE_ADMIN — 403 sinon.
+     */
+    async function getConfiguration(): Promise<MailConfigurationDto> {
+        return api.get<MailConfigurationDto>('/mail/configuration')
+    }
+
+    /**
+     * Met à jour la configuration mail (PATCH merge).
+     * Si payload.password est fourni, il sera chiffré côté backend.
+     * Jamais retourné en clair dans la réponse.
+     */
+    async function updateConfiguration(
+        payload: MailConfigurationUpdateDto,
+    ): Promise<MailConfigurationDto> {
+        return api.patch<MailConfigurationDto>(
+            '/mail/configuration',
+            payload as Record<string, unknown>,
+            { toastSuccessKey: 'mail.configuration.saved' },
+        )
+    }
+
+    /**
+     * Teste la connexion IMAP avec la configuration actuelle.
+     * Requiert ROLE_ADMIN.
+     */
+    async function testConfiguration(): Promise<MailTestConnectionResultDto> {
+        return api.post<MailTestConnectionResultDto>('/mail/configuration/test', {})
+    }
+
+    // ─── Dossiers ─────────────────────────────────────────────────────────────
+
+    /**
+     * Liste tous les dossiers mail depuis la base (cache BDD, pas live IMAP).
+     * Retourne une liste plate — la construction de l'arbre est faite dans le store
+     * via le getter `folderTree`.
+     */
+    async function listFolders(): Promise<MailFolderDto[]> {
+        return api.get<MailFolderDto[]>('/mail/folders')
+    }
+
+    // ─── Messages ─────────────────────────────────────────────────────────────
+
+    /**
+     * Liste les messages d'un dossier, paginés par cursor.
+     * @param folderPath - Chemin du dossier (ex: "INBOX", "INBOX.Sent")
+     * @param cursor - Opaque cursor retourné par la page précédente (undefined = première page)
+     * @param limit - Nombre de messages par page (défaut backend : 50)
+     */
+    async function listMessages(
+        folderPath: string,
+        cursor?: string,
+        limit?: number,
+    ): Promise<MailMessagesPageDto> {
+        const query: Record<string, unknown> = {}
+        if (cursor) query.cursor = cursor
+        if (limit) query.limit = limit
+        const path = `/mail/folders/${encodeURIComponent(folderPath)}/messages`
+        const response = await api.get<{ messages: BackendMailMessage[]; nextCursor: string | null }>(
+            path,
+            query,
+        )
+        return {
+            items: response.messages.map((m) => mapHeader(m, folderPath)),
+            nextCursor: response.nextCursor,
+            total: response.messages.length,
+        }
+    }
+
+    /**
+     * Récupère le détail complet d'un message (body live IMAP, cached 5 min).
+     * @param id - ID BDD du message (MailMessage.id)
+     */
+    async function getMessage(id: number): Promise<MailMessageDetailDto> {
+        const response = await api.get<
+            BackendMailMessage & {
+                bodyHtml: string | null
+                bodyText: string | null
+                attachments: MailMessageDetailDto['attachments']
+            }
+        >(`/mail/messages/${id}`)
+        return {
+            header: mapHeader(response),
+            bodyHtml: response.bodyHtml,
+            bodyText: response.bodyText,
+            attachments: response.attachments,
+        }
+    }
+
+    // ─── Actions sur les messages ─────────────────────────────────────────────
+
+    /**
+     * Marque un message comme lu ou non-lu.
+     */
+    async function markRead(id: number, read: boolean): Promise<MailMessageHeaderDto> {
+        const payload: MailMessageReadInput = { read }
+        return api.post<MailMessageHeaderDto>(
+            `/mail/messages/${id}/read`,
+            payload as unknown as Record<string, unknown>,
+        )
+    }
+
+    /**
+     * Marque un message comme étoilé ou non-étoilé.
+     */
+    async function markFlagged(id: number, flagged: boolean): Promise<MailMessageHeaderDto> {
+        const payload: MailMessageFlagInput = { flagged }
+        return api.post<MailMessageHeaderDto>(
+            `/mail/messages/${id}/flag`,
+            payload as unknown as Record<string, unknown>,
+        )
+    }
+
+    // ─── Intégration tâches ───────────────────────────────────────────────────
+
+    /**
+     * Crée une nouvelle tâche à partir d'un mail (subject → titre, body → description).
+     * @param mailId - ID BDD du message
+     * @param input - Paramètres de la tâche à créer
+     */
+    async function createTaskFromMail(
+        mailId: number,
+        input: MailCreateTaskInput,
+    ): Promise<Task> {
+        return api.post<Task>(
+            `/mail/messages/${mailId}/create-task`,
+            input as unknown as Record<string, unknown>,
+            { toastSuccessKey: 'mail.task.created' },
+        )
+    }
+
+    /**
+     * Lie un mail à une tâche existante.
+     * @param mailId - ID BDD du message
+     * @param taskId - ID de la tâche existante
+     */
+    async function linkTask(mailId: number, taskId: number): Promise<void> {
+        const payload: MailLinkTaskInput = { taskId }
+        await api.post<void>(
+            `/mail/messages/${mailId}/link-task`,
+            payload as unknown as Record<string, unknown>,
+            { toastSuccessKey: 'mail.task.linked' },
+        )
+    }
+
+    /**
+     * Supprime le lien entre un mail et une tâche.
+     * @param mailId - ID BDD du message
+     * @param taskId - ID de la tâche
+     */
+    async function unlinkTask(mailId: number, taskId: number): Promise<void> {
+        await api.delete<void>(`/mail/messages/${mailId}/link-task/${taskId}`, {}, {
+            toastSuccessKey: 'mail.task.unlinked',
+        })
+    }
+
+    /**
+     * Liste les mails liés à une tâche (pour l'onglet "Mails" du TaskDrawer — Phase 6).
+     * @param taskId - ID de la tâche
+     */
+    async function listMailsForTask(taskId: number): Promise<MailMessageHeaderDto[]> {
+        return api.get<MailMessageHeaderDto[]>(`/tasks/${taskId}/mails`)
+    }
+
+    // ─── Pièces jointes ───────────────────────────────────────────────────────
+
+    /**
+     * Télécharge une pièce jointe et retourne le Blob + headers.
+     * Content-Disposition: attachment est géré côté backend (jamais inline).
+     * @param downloadId - Identifiant opaque retourné dans MailAttachmentDto.downloadId
+     */
+    async function downloadAttachment(
+        downloadId: string,
+    ): Promise<{ data: Blob; headers: Headers }> {
+        return api.getBlob(`/mail/attachments/${downloadId}`)
+    }
+
+    // ─── Synchronisation ─────────────────────────────────────────────────────
+
+    /**
+     * Déclenche une synchronisation IMAP asynchrone via Symfony Messenger.
+     * Retourne immédiatement ({ dispatched: true }) — la sync se fait en arrière-plan.
+     */
+    async function triggerSync(): Promise<MailSyncResultDto> {
+        return api.post<MailSyncResultDto>('/mail/sync', {}, {
+            toastSuccessKey: 'mail.sync.dispatched',
+        })
+    }
+
+    return {
+        // Config
+        getConfiguration,
+        updateConfiguration,
+        testConfiguration,
+        // Dossiers
+        listFolders,
+        // Messages
+        listMessages,
+        getMessage,
+        // Actions
+        markRead,
+        markFlagged,
+        // Tâches
+        createTaskFromMail,
+        linkTask,
+        unlinkTask,
+        listMailsForTask,
+        // Pièces jointes
+        downloadAttachment,
+        // Sync
+        triggerSync,
+    }
+}
diff --git a/frontend/stores/mail.ts b/frontend/stores/mail.ts
new file mode 100644
index 0000000..05d89e0
--- /dev/null
+++ b/frontend/stores/mail.ts
@@ -0,0 +1,332 @@
+import { defineStore } from 'pinia'
+import type {
+    MailFolderDto,
+    MailMessageHeaderDto,
+    MailMessageDetailDto,
+} from '~/services/dto/mail'
+import { useMailService } from '~/services/mail'
+
+const POLL_INTERVAL_MS = 30 * 1000 // 30 secondes
+
+export const useMailStore = defineStore('mail', () => {
+    // ─── State ────────────────────────────────────────────────────────────────
+
+    /** Liste plate des dossiers (reçue de l'API) */
+    const folders = ref<MailFolderDto[]>([])
+
+    /** Chemin du dossier actuellement sélectionné */
+    const selectedFolderPath = ref<string | null>(null)
+
+    /** Messages du dossier sélectionné (accumulés pour infinite scroll) */
+    const messages = ref<MailMessageHeaderDto[]>([])
+
+    /** Cursor de pagination pour la page suivante (null = plus de données) */
+    const messagesCursor = ref<string | null>(null)
+
+    /** Chargement en cours (messages) */
+    const messagesLoading = ref(false)
+
+    /** ID du message sélectionné pour lecture */
+    const selectedMessageId = ref<number | null>(null)
+
+    /** Détail complet du message sélectionné (body + PJ) */
+    const selectedMessageDetail = ref<MailMessageDetailDto | null>(null)
+
+    /** Chargement du détail en cours */
+    const detailLoading = ref(false)
+
+    /** Sync IMAP en cours (déclenchée manuellement) */
+    const syncing = ref(false)
+
+    /** Nombre total de messages non lus (toutes boîtes confondues) */
+    const globalUnreadCount = ref(0)
+
+    /** Erreur courante (null si aucune) */
+    const error = ref<string | null>(null)
+
+    let pollTimer: ReturnType<typeof setInterval> | null = null
+
+    // ─── Getters ──────────────────────────────────────────────────────────────
+
+    /**
+     * Nombre de non-lus dans INBOX uniquement (utilisé dans la sidebar).
+     */
+    const inboxUnread = computed(() => {
+        const inbox = folders.value.find(
+            (f) => f.path === 'INBOX' || f.path.toUpperCase() === 'INBOX',
+        )
+        return inbox?.unreadCount ?? 0
+    })
+
+    /**
+     * Construit l'arbre de dossiers depuis la liste plate.
+     * Les dossiers sans parentPath sont à la racine.
+     * Les enfants sont triés alphabétiquement par displayName.
+     */
+    const folderTree = computed((): MailFolderDto[] => {
+        const map = new Map<string, MailFolderDto>()
+        const roots: MailFolderDto[] = []
+
+        // Initialiser chaque dossier avec children vide
+        folders.value.forEach((folder) => {
+            map.set(folder.path, { ...folder, children: [] })
+        })
+
+        // Construire l'arbre
+        map.forEach((folder) => {
+            if (folder.parentPath && map.has(folder.parentPath)) {
+                const parent = map.get(folder.parentPath)!
+                parent.children = parent.children ?? []
+                parent.children.push(folder)
+            } else {
+                roots.push(folder)
+            }
+        })
+
+        // Trier les enfants alphabétiquement
+        function sortChildren(nodes: MailFolderDto[]): MailFolderDto[] {
+            return nodes
+                .map((n) => ({
+                    ...n,
+                    children: n.children ? sortChildren(n.children) : undefined,
+                }))
+                .sort((a, b) => a.displayName.localeCompare(b.displayName, 'fr'))
+        }
+
+        return sortChildren(roots)
+    })
+
+    /**
+     * Indique si le cursor de pagination est disponible (plus de messages à charger).
+     */
+    const hasMoreMessages = computed(() => messagesCursor.value !== null)
+
+    // ─── Actions ──────────────────────────────────────────────────────────────
+
+    /**
+     * Charge la liste des dossiers depuis l'API et met à jour globalUnreadCount.
+     */
+    async function fetchFolders(): Promise<void> {
+        const service = useMailService()
+        try {
+            folders.value = await service.listFolders()
+            globalUnreadCount.value = folders.value.reduce(
+                (sum, f) => sum + f.unreadCount,
+                0,
+            )
+        } catch {
+            // Silently ignore polling errors (ne pas interrompre l'UX)
+        }
+    }
+
+    /**
+     * Charge les messages du dossier sélectionné.
+     * @param append - Si true, ajoute à la liste existante (infinite scroll). Si false, remplace.
+     */
+    async function fetchMessages(append = false): Promise<void> {
+        if (!selectedFolderPath.value) return
+        if (messagesLoading.value) return
+
+        messagesLoading.value = true
+        error.value = null
+
+        const service = useMailService()
+        try {
+            const cursor = append ? (messagesCursor.value ?? undefined) : undefined
+            const page = await service.listMessages(selectedFolderPath.value, cursor)
+
+            if (append) {
+                messages.value = [...messages.value, ...page.items]
+            } else {
+                messages.value = page.items
+            }
+            messagesCursor.value = page.nextCursor
+        } catch (err) {
+            error.value = err instanceof Error ? err.message : 'Erreur lors du chargement des messages.'
+        } finally {
+            messagesLoading.value = false
+        }
+    }
+
+    /**
+     * Sélectionne un dossier et charge ses messages (reset de la pagination).
+     * @param path - Chemin du dossier (ex: "INBOX")
+     */
+    async function selectFolder(path: string): Promise<void> {
+        if (selectedFolderPath.value === path) return
+        selectedFolderPath.value = path
+        messages.value = []
+        messagesCursor.value = null
+        selectedMessageId.value = null
+        selectedMessageDetail.value = null
+        await fetchMessages()
+    }
+
+    /**
+     * Marque un message comme lu ou non-lu.
+     * Met à jour le state local (messages + detail) sans refetch.
+     */
+    async function markRead(id: number, read: boolean): Promise<void> {
+        const service = useMailService()
+        const updated = await service.markRead(id, read)
+
+        // Mise à jour optimiste dans la liste
+        const idx = messages.value.findIndex((m) => m.id === id)
+        if (idx !== -1) {
+            messages.value[idx] = { ...messages.value[idx], isRead: updated.isRead }
+        }
+
+        // Mise à jour dans le détail si ouvert
+        if (selectedMessageDetail.value?.header.id === id) {
+            selectedMessageDetail.value = {
+                ...selectedMessageDetail.value,
+                header: { ...selectedMessageDetail.value.header, isRead: updated.isRead },
+            }
+        }
+
+        // Mettre à jour le compteur du dossier
+        await _refreshFolderUnreadCount()
+    }
+
+    /**
+     * Sélectionne un message et charge son détail complet (body + PJ).
+     * Marque automatiquement le message comme lu si ce n'est pas déjà le cas.
+     * @param id - ID BDD du message
+     */
+    async function selectMessage(id: number): Promise<void> {
+        if (selectedMessageId.value === id) return
+        selectedMessageId.value = id
+        selectedMessageDetail.value = null
+        detailLoading.value = true
+
+        const service = useMailService()
+        try {
+            const detail = await service.getMessage(id)
+            selectedMessageDetail.value = detail
+
+            // Auto-mark as read si nécessaire
+            if (!detail.header.isRead) {
+                await markRead(id, true)
+            }
+        } finally {
+            detailLoading.value = false
+        }
+    }
+
+    /**
+     * Marque un message comme étoilé ou non-étoilé.
+     * Met à jour le state local sans refetch.
+     */
+    async function markFlagged(id: number, flagged: boolean): Promise<void> {
+        const service = useMailService()
+        const updated = await service.markFlagged(id, flagged)
+
+        const idx = messages.value.findIndex((m) => m.id === id)
+        if (idx !== -1) {
+            messages.value[idx] = { ...messages.value[idx], isFlagged: updated.isFlagged }
+        }
+
+        if (selectedMessageDetail.value?.header.id === id) {
+            selectedMessageDetail.value = {
+                ...selectedMessageDetail.value,
+                header: { ...selectedMessageDetail.value.header, isFlagged: updated.isFlagged },
+            }
+        }
+    }
+
+    /**
+     * Déclenche une synchronisation IMAP asynchrone.
+     * Recharge les dossiers après 2s pour refléter les nouveaux messages.
+     */
+    async function triggerSync(): Promise<void> {
+        if (syncing.value) return
+        syncing.value = true
+        const service = useMailService()
+        try {
+            await service.triggerSync()
+            // Laisser le temps au handler Messenger de traiter
+            setTimeout(async () => {
+                await fetchFolders()
+                if (selectedFolderPath.value) {
+                    await fetchMessages(false)
+                }
+                syncing.value = false
+            }, 2000)
+        } catch {
+            syncing.value = false
+        }
+    }
+
+    /**
+     * Arrête le polling. À appeler au logout.
+     */
+    function stopPolling(): void {
+        if (pollTimer) {
+            clearInterval(pollTimer)
+            pollTimer = null
+        }
+    }
+
+    /**
+     * Démarre le polling toutes les 30s pour mettre à jour globalUnreadCount.
+     * À appeler dans app.vue ou le layout default au login.
+     * Idempotent : un seul timer actif à la fois.
+     */
+    function startPolling(): void {
+        if (pollTimer) return
+        fetchFolders() // Charge immédiatement
+        pollTimer = setInterval(fetchFolders, POLL_INTERVAL_MS)
+
+        // Cleanup automatique si le scope du store est détruit
+        if (getCurrentScope()) {
+            onScopeDispose(stopPolling)
+        }
+    }
+
+    /**
+     * Rafraîchit les compteurs non-lus du dossier actuel depuis l'API.
+     * Usage interne — appelé après markRead.
+     */
+    async function _refreshFolderUnreadCount(): Promise<void> {
+        const service = useMailService()
+        try {
+            const updatedFolders = await service.listFolders()
+            folders.value = updatedFolders
+            globalUnreadCount.value = updatedFolders.reduce(
+                (sum, f) => sum + f.unreadCount,
+                0,
+            )
+        } catch {
+            // Silently ignore
+        }
+    }
+
+    return {
+        // State (readonly pour les consommateurs)
+        folders: readonly(folders),
+        selectedFolderPath: readonly(selectedFolderPath),
+        messages: readonly(messages),
+        messagesCursor: readonly(messagesCursor),
+        messagesLoading: readonly(messagesLoading),
+        selectedMessageId: readonly(selectedMessageId),
+        selectedMessageDetail: readonly(selectedMessageDetail),
+        detailLoading: readonly(detailLoading),
+        syncing: readonly(syncing),
+        globalUnreadCount: readonly(globalUnreadCount),
+        error: readonly(error),
+        // Getters
+        inboxUnread,
+        folderTree,
+        hasMoreMessages,
+        // Actions
+        fetchFolders,
+        selectFolder,
+        fetchMessages,
+        selectMessage,
+        markRead,
+        markFlagged,
+        triggerSync,
+        startPolling,
+        stopPolling,
+    }
+})
diff --git a/frontend/utils/sanitizeMailHtml.ts b/frontend/utils/sanitizeMailHtml.ts
new file mode 100644
index 0000000..53de52b
--- /dev/null
+++ b/frontend/utils/sanitizeMailHtml.ts
@@ -0,0 +1,160 @@
+import DOMPurify, { type Config as DOMPurifyConfig } from 'dompurify'
+
+/**
+ * Options de sanitization du corps HTML d'un mail.
+ */
+export type SanitizeMailHtmlOptions = {
+    /**
+     * Si true, les images distantes (http/https) sont affichées directement.
+     * Par défaut false — les images distantes sont remplacées par un placeholder
+     * cliquable pour éviter le tracking par pixel.
+     */
+    allowImages?: boolean
+}
+
+/**
+ * Configuration DOMPurify bloquante pour les corps de mail.
+ * - Bloque les balises dangereuses : script, iframe, object, embed, style, link, meta, form, input
+ * - Bloque les attributs événements (on*) et les URI javascript:
+ * - Autorise les URI data: uniquement pour les images (PNG/JPEG/GIF/WEBP) — images inline CID
+ */
+const DOMPURIFY_CONFIG: DOMPurifyConfig = {
+    FORBID_TAGS: [
+        'script',
+        'iframe',
+        'object',
+        'embed',
+        'style',
+        'link',
+        'meta',
+        'form',
+        'input',
+        'button',
+        'textarea',
+        'select',
+        'base',
+        'applet',
+    ],
+    FORBID_ATTR: [
+        'onerror',
+        'onload',
+        'onclick',
+        'onmouseover',
+        'onmouseout',
+        'onmouseenter',
+        'onmouseleave',
+        'onfocus',
+        'onblur',
+        'onchange',
+        'onsubmit',
+        'onreset',
+        'onkeydown',
+        'onkeyup',
+        'onkeypress',
+        'ondblclick',
+        'oncontextmenu',
+        'onwheel',
+        'ondrag',
+        'ondrop',
+        'oncopy',
+        'oncut',
+        'onpaste',
+        'action',
+        'formaction',
+        'xlink:href',
+    ],
+    ALLOWED_URI_REGEXP: /^(?:https?|mailto|tel|cid|data:image\/(?:png|jpeg|gif|webp)(?:;base64,)?)(?::|$)/i,
+    FORCE_BODY: true,
+    WHOLE_DOCUMENT: false,
+}
+
+/**
+ * Remplace les balises <img> avec src http(s):// par un bouton placeholder.
+ * Le src original est stocké en data-mail-image-src pour permettre l'affichage
+ * à la demande de l'utilisateur (Phase 5 — MailMessageViewer).
+ */
+function replaceRemoteImages(html: string): string {
+    // Utiliser un DOMParser côté client uniquement (SSR-safe : le guard process.client
+    // est géré par l'appelant dans un composant Vue — ce helper ne tourne que client-side)
+    const parser = new DOMParser()
+    const doc = parser.parseFromString(html, 'text/html')
+    const images = doc.querySelectorAll('img')
+
+    images.forEach((img) => {
+        const src = img.getAttribute('src') ?? ''
+        const isRemote = /^https?:\/\//i.test(src)
+        if (!isRemote) return
+
+        // Remplacer par un span cliquable (pas de <button> — DOMPurify le forbid)
+        const placeholder = doc.createElement('span')
+        placeholder.setAttribute('data-mail-image-src', src)
+        placeholder.setAttribute('data-mail-image-placeholder', 'true')
+        placeholder.setAttribute('title', src)
+        placeholder.style.cssText = [
+            'display: inline-flex',
+            'align-items: center',
+            'gap: 4px',
+            'padding: 2px 6px',
+            'border: 1px solid #d1d5db',
+            'border-radius: 4px',
+            'background: #f9fafb',
+            'color: #6b7280',
+            'font-size: 12px',
+            'cursor: pointer',
+            'user-select: none',
+        ].join(';')
+        placeholder.textContent = '[Image distante — cliquer pour afficher]'
+
+        img.replaceWith(placeholder)
+    })
+
+    return doc.body.innerHTML
+}
+
+/**
+ * Sanitize le HTML brut d'un corps de mail.
+ *
+ * - Bloque tous les vecteurs XSS connus (scripts, événements inline, iframes…)
+ * - Par défaut, remplace les images distantes par un placeholder anti-tracking
+ * - Utiliser allowImages: true uniquement si l'utilisateur a explicitement cliqué
+ *   "Afficher les images" dans le lecteur de mail
+ *
+ * IMPORTANT : Cette fonction requiert un environnement navigateur (DOMParser, DOMPurify).
+ * Ne pas appeler côté SSR — toujours dans un composant Vue avec `onMounted` ou dans
+ * un computed côté client uniquement (`import.meta.client`).
+ *
+ * @param rawHtml - HTML brut tel que reçu de l'API backend
+ * @param options - Options de sanitization
+ * @returns HTML sanitizé, sûr pour injection via v-html
+ */
+export function sanitizeMailHtml(
+    rawHtml: string,
+    options: SanitizeMailHtmlOptions = {},
+): string {
+    if (!rawHtml || rawHtml.trim() === '') return ''
+
+    // Étape 1 : DOMPurify — supprime tous les vecteurs dangereux
+    const sanitized = DOMPurify.sanitize(rawHtml, DOMPURIFY_CONFIG) as string
+
+    // Étape 2 : Remplacement images distantes (anti-tracking)
+    if (!options.allowImages) {
+        return replaceRemoteImages(sanitized)
+    }
+
+    return sanitized
+}
+
+/**
+ * Vérifie si un élément HTML est un placeholder d'image généré par sanitizeMailHtml.
+ * Utile dans MailMessageViewer pour gérer le clic "Afficher l'image".
+ */
+export function isMailImagePlaceholder(el: HTMLElement): boolean {
+    return el.hasAttribute('data-mail-image-placeholder')
+}
+
+/**
+ * Récupère le src original d'un placeholder d'image.
+ */
+export function getMailImageSrc(el: HTMLElement): string | null {
+    return el.getAttribute('data-mail-image-src')
+}
diff --git a/makefile b/makefile
index 16c8944..af6184b 100644
--- a/makefile
+++ b/makefile
@@ -122,5 +122,11 @@ php-cs-fixer-allow-risky:
 test:
 	$(EXEC_PHP) php -d memory_limit="512M" vendor/bin/phpunit $(FILES)
 
+## Synchronise la boîte mail IMAP vers la base locale (cron OS toutes les 10 min)
+## Passer FOLDER=INBOX pour cibler un seul dossier. Ex: make mail-sync FOLDER=INBOX
+## Passer DRYRUN=1 pour simuler sans écrire. Ex: make mail-sync DRYRUN=1
+mail-sync:
+	$(SYMFONY_CONSOLE) app:mail:sync $(if $(FOLDER),--folder=$(FOLDER),) $(if $(DRYRUN),--dry-run,)
+
 wait:
 	sleep 10
diff --git a/migrations/Version20260519211723.php b/migrations/Version20260519211723.php
new file mode 100644
index 0000000..90fec2e
--- /dev/null
+++ b/migrations/Version20260519211723.php
@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260519211723 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Mail integration: create mail_configuration, mail_folder, mail_message, task_mail_link tables';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+                CREATE TABLE mail_configuration (
+                    id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL,
+                    protocol VARCHAR(10) NOT NULL,
+                    imap_host VARCHAR(255) DEFAULT NULL,
+                    imap_port INT NOT NULL,
+                    imap_encryption VARCHAR(10) NOT NULL,
+                    smtp_host VARCHAR(255) DEFAULT NULL,
+                    smtp_port INT NOT NULL,
+                    smtp_encryption VARCHAR(10) NOT NULL,
+                    username VARCHAR(255) DEFAULT NULL,
+                    encrypted_password TEXT DEFAULT NULL,
+                    sent_folder_path VARCHAR(255) NOT NULL,
+                    enabled BOOLEAN NOT NULL,
+                    PRIMARY KEY (id)
+                )
+            SQL);
+
+        $this->addSql(<<<'SQL'
+                CREATE TABLE mail_folder (
+                    id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL,
+                    path VARCHAR(500) NOT NULL,
+                    display_name VARCHAR(255) NOT NULL,
+                    parent_path VARCHAR(500) DEFAULT NULL,
+                    unread_count INT NOT NULL,
+                    total_count INT NOT NULL,
+                    last_synced_at TIMESTAMP(0) WITH TIME ZONE DEFAULT NULL,
+                    PRIMARY KEY (id)
+                )
+            SQL);
+
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_319BB6A6B548B0F ON mail_folder (path)');
+        $this->addSql('CREATE INDEX idx_mail_folder_parent_path ON mail_folder (parent_path)');
+
+        $this->addSql(<<<'SQL'
+                CREATE TABLE mail_message (
+                    id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL,
+                    message_id VARCHAR(500) NOT NULL,
+                    folder_id INT NOT NULL,
+                    uid INT NOT NULL,
+                    subject VARCHAR(500) DEFAULT NULL,
+                    from_address VARCHAR(255) NOT NULL,
+                    from_name VARCHAR(255) DEFAULT NULL,
+                    to_addresses JSON NOT NULL,
+                    cc_addresses JSON DEFAULT NULL,
+                    sent_at TIMESTAMP(0) WITH TIME ZONE NOT NULL,
+                    is_read BOOLEAN NOT NULL,
+                    is_flagged BOOLEAN NOT NULL,
+                    has_attachments BOOLEAN NOT NULL,
+                    snippet TEXT DEFAULT NULL,
+                    synced_at TIMESTAMP(0) WITH TIME ZONE NOT NULL,
+                    PRIMARY KEY (id)
+                )
+            SQL);
+
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_6C00B110537A1329 ON mail_message (message_id)');
+        $this->addSql('CREATE UNIQUE INDEX uq_mail_message_folder_uid ON mail_message (folder_id, uid)');
+        $this->addSql('CREATE INDEX IDX_6C00B110162CB942 ON mail_message (folder_id)');
+        $this->addSql('CREATE INDEX idx_mail_message_sent_at ON mail_message (sent_at)');
+        $this->addSql('CREATE INDEX idx_mail_message_is_read ON mail_message (is_read)');
+        $this->addSql('ALTER TABLE mail_message ADD CONSTRAINT FK_6C00B110162CB942 FOREIGN KEY (folder_id) REFERENCES mail_folder (id) ON DELETE CASCADE NOT DEFERRABLE');
+
+        $this->addSql(<<<'SQL'
+                CREATE TABLE task_mail_link (
+                    id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL,
+                    task_id INT NOT NULL,
+                    mail_message_id INT NOT NULL,
+                    linked_at TIMESTAMP(0) WITH TIME ZONE NOT NULL,
+                    linked_by_id INT DEFAULT NULL,
+                    PRIMARY KEY (id)
+                )
+            SQL);
+
+        $this->addSql('CREATE UNIQUE INDEX uq_task_mail_link ON task_mail_link (task_id, mail_message_id)');
+        $this->addSql('CREATE INDEX IDX_E4FDC7C98DB60186 ON task_mail_link (task_id)');
+        $this->addSql('CREATE INDEX IDX_E4FDC7C987B9F9D5 ON task_mail_link (mail_message_id)');
+        $this->addSql('CREATE INDEX IDX_E4FDC7C91AE3CFF3 ON task_mail_link (linked_by_id)');
+        $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT FK_E4FDC7C98DB60186 FOREIGN KEY (task_id) REFERENCES task (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT FK_E4FDC7C987B9F9D5 FOREIGN KEY (mail_message_id) REFERENCES mail_message (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE task_mail_link ADD CONSTRAINT FK_E4FDC7C91AE3CFF3 FOREIGN KEY (linked_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT FK_E4FDC7C98DB60186');
+        $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT FK_E4FDC7C987B9F9D5');
+        $this->addSql('ALTER TABLE task_mail_link DROP CONSTRAINT FK_E4FDC7C91AE3CFF3');
+        $this->addSql('DROP TABLE task_mail_link');
+
+        $this->addSql('ALTER TABLE mail_message DROP CONSTRAINT FK_6C00B110162CB942');
+        $this->addSql('DROP TABLE mail_message');
+
+        $this->addSql('DROP TABLE mail_folder');
+
+        $this->addSql('DROP TABLE mail_configuration');
+    }
+}
diff --git a/migrations/Version20260519220000.php b/migrations/Version20260519220000.php
new file mode 100644
index 0000000..a8a7feb
--- /dev/null
+++ b/migrations/Version20260519220000.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Cree la table messenger_messages pour le transport async Symfony Messenger.
+ */
+final class Version20260519220000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Cree la table messenger_messages pour le transport async Doctrine de Symfony Messenger.';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE IF NOT EXISTS messenger_messages (
+                id BIGSERIAL PRIMARY KEY,
+                body TEXT NOT NULL,
+                headers TEXT NOT NULL,
+                queue_name VARCHAR(190) NOT NULL,
+                created_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL,
+                available_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL,
+                delivered_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL
+            )
+            SQL);
+
+        $this->addSql('CREATE INDEX IF NOT EXISTS IDX_75EA56E0FB7336F0 ON messenger_messages (queue_name)');
+        $this->addSql('CREATE INDEX IF NOT EXISTS IDX_75EA56E0E3BD61CE ON messenger_messages (available_at)');
+        $this->addSql('CREATE INDEX IF NOT EXISTS IDX_75EA56E016BA31DB ON messenger_messages (delivered_at)');
+
+        $this->addSql(<<<'SQL'
+            CREATE OR REPLACE FUNCTION notify_messenger_messages() RETURNS TRIGGER AS $$
+            BEGIN
+                PERFORM pg_notify('messenger_messages', NEW.queue_name::text);
+                RETURN NEW;
+            END;
+            $$ LANGUAGE plpgsql;
+            SQL);
+
+        $this->addSql('DROP TRIGGER IF EXISTS notify_trigger ON messenger_messages;');
+        $this->addSql('CREATE TRIGGER notify_trigger AFTER INSERT OR UPDATE ON messenger_messages FOR EACH ROW EXECUTE PROCEDURE notify_messenger_messages();');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE IF EXISTS messenger_messages');
+        $this->addSql('DROP FUNCTION IF EXISTS notify_messenger_messages()');
+    }
+}
diff --git a/migrations/Version20260520061736.php b/migrations/Version20260520061736.php
new file mode 100644
index 0000000..ebc57ee
--- /dev/null
+++ b/migrations/Version20260520061736.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20260520061736 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'mail_message.message_id: drop global UNIQUE (un même Message-ID existe dans plusieurs dossiers IMAP), conserver un index simple';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('DROP INDEX uniq_6c00b110537a1329');
+        $this->addSql('CREATE INDEX idx_mail_message_message_id ON mail_message (message_id)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP INDEX idx_mail_message_message_id');
+        $this->addSql('CREATE UNIQUE INDEX uniq_6c00b110537a1329 ON mail_message (message_id)');
+    }
+}
diff --git a/phpunit.dist.xml b/phpunit.dist.xml
index 22bd879..817239b 100644
--- a/phpunit.dist.xml
+++ b/phpunit.dist.xml
@@ -15,6 +15,19 @@
         <ini name="error_reporting" value="-1" />
         <server name="APP_ENV" value="test" force="true" />
         <server name="SHELL_VERBOSITY" value="-1" />
+        <server name="KERNEL_CLASS" value="App\Kernel" />
+
+        <!-- ###+ symfony/lock ### -->
+        <!-- Choose one of the stores below -->
+        <!-- postgresql+advisory://db_user:db_password@localhost/db_name -->
+        <env name="LOCK_DSN" value="flock"/>
+        <!-- ###- symfony/lock ### -->
+
+        <!-- ###+ symfony/messenger ### -->
+        <env name="MESSENGER_TRANSPORT_DSN" value="doctrine://default?auto_setup=0"/>
+        <!-- ###- symfony/messenger ### -->
+
+        <env name="ENCRYPTION_KEY" value="ccd250183ea853179562d458e645585f3d46ddebb0701743236196f60fc1a0b8"/>
     </php>
 
     <testsuites>
diff --git a/src/ApiResource/MailSettings.php b/src/ApiResource/MailSettings.php
new file mode 100644
index 0000000..615b9d1
--- /dev/null
+++ b/src/ApiResource/MailSettings.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\ApiResource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\Patch;
+use App\State\Mail\MailSettingsProcessor;
+use App\State\Mail\MailSettingsProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/mail/configuration',
+            normalizationContext: ['groups' => ['mail_settings:read']],
+            provider: MailSettingsProvider::class,
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Patch(
+            uriTemplate: '/mail/configuration',
+            denormalizationContext: ['groups' => ['mail_settings:write']],
+            normalizationContext: ['groups' => ['mail_settings:read']],
+            provider: MailSettingsProvider::class,
+            processor: MailSettingsProcessor::class,
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+)]
+final class MailSettings
+{
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $protocol = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $imapHost = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?int $imapPort = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $imapEncryption = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $smtpHost = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?int $smtpPort = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $smtpEncryption = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $username = null;
+
+    #[Groups(['mail_settings:write'])]
+    public ?string $password = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public ?string $sentFolderPath = null;
+
+    #[Groups(['mail_settings:read', 'mail_settings:write'])]
+    public bool $enabled = false;
+
+    #[Groups(['mail_settings:read'])]
+    public bool $hasPassword = false;
+}
diff --git a/src/Command/MailSyncCommand.php b/src/Command/MailSyncCommand.php
new file mode 100644
index 0000000..1f787af
--- /dev/null
+++ b/src/Command/MailSyncCommand.php
@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Command;
+
+use App\Repository\MailConfigurationRepository;
+use App\Repository\MailFolderRepository;
+use App\Service\MailSyncService;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+#[AsCommand(
+    name: 'app:mail:sync',
+    description: 'Synchronise la boîte mail partagée OVH (IMAP) vers la base locale',
+)]
+final class MailSyncCommand extends Command
+{
+    public function __construct(
+        private readonly MailSyncService $mailSyncService,
+        private readonly MailConfigurationRepository $configRepository,
+        private readonly MailFolderRepository $folderRepository,
+    ) {
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->addOption(
+                'folder',
+                null,
+                InputOption::VALUE_OPTIONAL,
+                'Synchronise uniquement le dossier spécifié (ex: INBOX)',
+            )
+            ->addOption(
+                'dry-run',
+                null,
+                InputOption::VALUE_NONE,
+                'Simule la synchronisation sans écrire en base (lecture IMAP uniquement)',
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        $config = $this->configRepository->findSingleton();
+
+        if (null === $config || !$config->isEnabled()) {
+            $io->info('Mail config disabled, skipping.');
+
+            return Command::SUCCESS;
+        }
+
+        $isDryRun   = (bool) $input->getOption('dry-run');
+        $folderPath = $input->getOption('folder');
+
+        if ($isDryRun) {
+            $io->note('Mode --dry-run activé : aucune écriture en base.');
+            $io->success('Dry-run terminé — config IMAP active, aucune sync exécutée.');
+
+            return Command::SUCCESS;
+        }
+
+        $io->text('Démarrage de la synchronisation mail...');
+        $startTime = microtime(true);
+
+        if (null !== $folderPath) {
+            $folder = $this->folderRepository->findByPath((string) $folderPath);
+
+            if (null === $folder) {
+                $io->error(sprintf('Dossier "%s" introuvable en base — lance une sync complète au moins une fois.', $folderPath));
+
+                return Command::FAILURE;
+            }
+
+            $io->text(sprintf('Synchronisation du dossier : %s', $folderPath));
+            $report = $this->mailSyncService->syncFolder($folder);
+        } else {
+            $report = $this->mailSyncService->syncAll();
+        }
+
+        $elapsed = round(microtime(true) - $startTime, 2);
+
+        $io->success(sprintf(
+            'Sync terminée en %.1fs : %d créés, %d mis à jour, %d supprimés, %d dossiers scannés.',
+            $elapsed,
+            $report->createdCount,
+            $report->updatedCount,
+            $report->deletedCount,
+            $report->foldersScanned,
+        ));
+
+        if ([] !== $report->errors) {
+            $io->warning(sprintf('%d erreur(s) :', count($report->errors)));
+
+            foreach ($report->errors as $error) {
+                $io->text(' - '.$error);
+            }
+        }
+
+        return [] === $report->errors ? Command::SUCCESS : Command::FAILURE;
+    }
+}
diff --git a/src/Controller/Mail/MailAttachmentDownloadController.php b/src/Controller/Mail/MailAttachmentDownloadController.php
new file mode 100644
index 0000000..f2be423
--- /dev/null
+++ b/src/Controller/Mail/MailAttachmentDownloadController.php
@@ -0,0 +1,93 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailMessageRepository;
+use App\Security\MailAccessChecker;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/attachments/{downloadId}', name: 'mail_attachment_download', methods: ['GET'], priority: 1)]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailAttachmentDownloadController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly MailProviderInterface $mailProvider,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(string $downloadId): Response
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $decoded = base64_decode(strtr($downloadId, '-_', '+/'), true);
+        if (false === $decoded || !str_contains($decoded, ':')) {
+            throw new BadRequestHttpException('Invalid attachment ID format');
+        }
+
+        [$messageDbIdStr, $partNumber] = explode(':', $decoded, 2);
+        $messageDbId                   = (int) $messageDbIdStr;
+
+        $message = $this->messageRepository->find($messageDbId);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        try {
+            $detail = $this->mailProvider->fetchMessage(
+                $message->getFolder()->getPath(),
+                $message->getUid()
+            );
+        } catch (MailProviderException) {
+            throw new NotFoundHttpException('Could not fetch message from IMAP server');
+        }
+
+        $targetAttachment = null;
+        foreach ($detail->attachments as $att) {
+            if ($att->partNumber === $partNumber) {
+                $targetAttachment = $att;
+
+                break;
+            }
+        }
+
+        if (null === $targetAttachment) {
+            throw new NotFoundHttpException(sprintf('Attachment part "%s" not found', $partNumber));
+        }
+
+        try {
+            $content = $this->mailProvider->fetchAttachment(
+                $message->getFolder()->getPath(),
+                $message->getUid(),
+                $partNumber
+            );
+        } catch (MailProviderException) {
+            throw new NotFoundHttpException('Could not fetch attachment content');
+        }
+
+        $filename = basename($targetAttachment->filename);
+        if ('' === $filename || '.' === $filename) {
+            $filename = 'attachment';
+        }
+
+        $response = new Response($content);
+        $response->headers->set('Content-Type', $targetAttachment->mimeType);
+        $response->headers->set(
+            'Content-Disposition',
+            sprintf('attachment; filename="%s"', addslashes($filename))
+        );
+        $response->headers->set('Content-Length', (string) strlen($content));
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}
diff --git a/src/Controller/Mail/MailCreateTaskController.php b/src/Controller/Mail/MailCreateTaskController.php
new file mode 100644
index 0000000..651c661
--- /dev/null
+++ b/src/Controller/Mail/MailCreateTaskController.php
@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Entity\Project;
+use App\Entity\Task;
+use App\Entity\TaskGroup;
+use App\Entity\TaskMailLink;
+use App\Entity\TaskPriority;
+use App\Repository\MailMessageRepository;
+use App\Repository\TaskRepository;
+use App\Security\MailAccessChecker;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}/create-task', name: 'mail_create_task', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailCreateTaskController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly EntityManagerInterface $em,
+        private readonly MailAccessChecker $accessChecker,
+        private readonly TaskRepository $taskRepository,
+    ) {}
+
+    public function __invoke(Request $request, int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $body      = json_decode($request->getContent(), true);
+        $projectId = $body['projectId'] ?? null;
+
+        if (null === $projectId) {
+            throw new UnprocessableEntityHttpException('projectId is required');
+        }
+
+        $project = $this->em->getRepository(Project::class)->find($projectId);
+        if (null === $project) {
+            throw new NotFoundHttpException('Project not found');
+        }
+
+        $title = $message->getSubject() ?? 'Mail sans sujet';
+        if (mb_strlen($title) > 255) {
+            $title = mb_substr($title, 0, 252).'...';
+        }
+
+        $result = $this->em->wrapInTransaction(function () use ($project, $title, $body, $message) {
+            $maxNumber = $this->taskRepository->findMaxNumberByProjectForUpdate($project);
+
+            $task = new Task();
+            $task->setProject($project);
+            $task->setTitle($title);
+            $task->setNumber($maxNumber + 1);
+
+            if (isset($body['taskGroupId']) && null !== $body['taskGroupId']) {
+                $taskGroup = $this->em->getRepository(TaskGroup::class)->find($body['taskGroupId']);
+                if (null !== $taskGroup) {
+                    $task->setGroup($taskGroup);
+                }
+            }
+
+            if (isset($body['priorityId']) && null !== $body['priorityId']) {
+                $priority = $this->em->getRepository(TaskPriority::class)->find($body['priorityId']);
+                if (null !== $priority) {
+                    $task->setPriority($priority);
+                }
+            }
+
+            $this->em->persist($task);
+
+            $link = new TaskMailLink();
+            $link->setTask($task);
+            $link->setMailMessage($message);
+            $link->setLinkedAt(new DateTimeImmutable());
+            $link->setLinkedBy($this->getUser());
+            $this->em->persist($link);
+
+            $this->em->flush();
+
+            return $task;
+        });
+
+        return $this->json([
+            'taskId'     => $result->getId(),
+            'taskNumber' => $result->getNumber(),
+            'taskTitle'  => $result->getTitle(),
+            'messageId'  => $message->getId(),
+        ], 201);
+    }
+}
diff --git a/src/Controller/Mail/MailFoldersListController.php b/src/Controller/Mail/MailFoldersListController.php
new file mode 100644
index 0000000..879ac19
--- /dev/null
+++ b/src/Controller/Mail/MailFoldersListController.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Repository\MailFolderRepository;
+use App\Security\MailAccessChecker;
+use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/folders', name: 'mail_folders_list', methods: ['GET'], priority: 1)]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailFoldersListController extends AbstractController
+{
+    public function __construct(
+        private readonly MailFolderRepository $folderRepository,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $folders = $this->folderRepository->findAllOrderedByPath();
+
+        $data = array_map(static fn ($folder) => [
+            'id'           => $folder->getId(),
+            'path'         => $folder->getPath(),
+            'displayName'  => $folder->getDisplayName(),
+            'parentPath'   => $folder->getParentPath(),
+            'unreadCount'  => $folder->getUnreadCount(),
+            'totalCount'   => $folder->getTotalCount(),
+            'lastSyncedAt' => $folder->getLastSyncedAt()?->format(DateTimeInterface::ATOM),
+        ], $folders);
+
+        return $this->json($data);
+    }
+}
diff --git a/src/Controller/Mail/MailLinkTaskController.php b/src/Controller/Mail/MailLinkTaskController.php
new file mode 100644
index 0000000..86d96b8
--- /dev/null
+++ b/src/Controller/Mail/MailLinkTaskController.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Entity\Task;
+use App\Entity\TaskMailLink;
+use App\Repository\MailMessageRepository;
+use App\Repository\TaskMailLinkRepository;
+use App\Security\MailAccessChecker;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}/link-task', name: 'mail_link_task', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailLinkTaskController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly EntityManagerInterface $em,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(Request $request, int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $body   = json_decode($request->getContent(), true);
+        $taskId = $body['taskId'] ?? null;
+
+        if (null === $taskId) {
+            throw new UnprocessableEntityHttpException('taskId is required');
+        }
+
+        $task = $this->em->getRepository(Task::class)->find($taskId);
+        if (null === $task) {
+            throw new NotFoundHttpException('Task not found');
+        }
+
+        $existing = $this->linkRepository->findByTaskAndMessage($task, $message);
+        if (null !== $existing) {
+            return $this->json(['message' => 'Already linked']);
+        }
+
+        $link = new TaskMailLink();
+        $link->setTask($task);
+        $link->setMailMessage($message);
+        $link->setLinkedAt(new DateTimeImmutable());
+        $link->setLinkedBy($this->getUser());
+        $this->em->persist($link);
+        $this->em->flush();
+
+        return $this->json(['linkId' => $link->getId(), 'taskId' => $task->getId(), 'messageId' => $message->getId()], 201);
+    }
+}
diff --git a/src/Controller/Mail/MailMessageDetailController.php b/src/Controller/Mail/MailMessageDetailController.php
new file mode 100644
index 0000000..c6a7e29
--- /dev/null
+++ b/src/Controller/Mail/MailMessageDetailController.php
@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailMessageRepository;
+use App\Security\MailAccessChecker;
+use DateTimeInterface;
+use Psr\Cache\CacheItemPoolInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}', name: 'mail_message_detail', methods: ['GET'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailMessageDetailController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly MailProviderInterface $mailProvider,
+        private readonly MailAccessChecker $accessChecker,
+        private readonly CacheItemPoolInterface $cache,
+    ) {}
+
+    public function __invoke(int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $cacheKey = 'mail_body_'.md5($message->getMessageId());
+        $item     = $this->cache->getItem($cacheKey);
+
+        if (!$item->isHit()) {
+            try {
+                $detail = $this->mailProvider->fetchMessage(
+                    $message->getFolder()->getPath(),
+                    $message->getUid()
+                );
+                $item->set($detail);
+                $item->expiresAfter(300);
+                $this->cache->save($item);
+            } catch (MailProviderException) {
+                throw new ServiceUnavailableHttpException(null, 'IMAP unavailable: could not fetch message body');
+            }
+        }
+
+        $detail = $item->get();
+
+        $messageId   = $message->getId();
+        $attachments = array_map(static fn ($att) => [
+            'partNumber' => $att->partNumber,
+            'filename'   => $att->filename,
+            'mimeType'   => $att->mimeType,
+            'size'       => $att->size,
+            'downloadId' => rtrim(strtr(base64_encode($messageId.':'.$att->partNumber), '+/', '-_'), '='),
+        ], $detail->attachments);
+
+        return $this->json([
+            'id'             => $message->getId(),
+            'messageId'      => $message->getMessageId(),
+            'uid'            => $message->getUid(),
+            'folderPath'     => $message->getFolder()->getPath(),
+            'subject'        => $detail->header->subject,
+            'fromAddress'    => $detail->header->fromAddress,
+            'fromName'       => $detail->header->fromName,
+            'toAddresses'    => $detail->header->toAddresses,
+            'ccAddresses'    => $detail->header->ccAddresses,
+            'sentAt'         => $detail->header->sentAt->format(DateTimeInterface::ATOM),
+            'isRead'         => $message->isRead(),
+            'isFlagged'      => $message->isFlagged(),
+            'hasAttachments' => $message->hasAttachments(),
+            'bodyHtml'       => $detail->bodyHtml,
+            'bodyText'       => $detail->bodyText,
+            'attachments'    => $attachments,
+        ]);
+    }
+}
diff --git a/src/Controller/Mail/MailMessageFlagController.php b/src/Controller/Mail/MailMessageFlagController.php
new file mode 100644
index 0000000..262b13a
--- /dev/null
+++ b/src/Controller/Mail/MailMessageFlagController.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailMessageRepository;
+use App\Security\MailAccessChecker;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}/flag', name: 'mail_message_flag', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailMessageFlagController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly MailProviderInterface $mailProvider,
+        private readonly EntityManagerInterface $em,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(Request $request, int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $body    = json_decode($request->getContent(), true);
+        $flagged = (bool) ($body['flagged'] ?? true);
+
+        try {
+            $this->mailProvider->markFlagged($message->getFolder()->getPath(), $message->getUid(), $flagged);
+        } catch (MailProviderException) {
+            // Non bloquant
+        }
+
+        $message->setIsFlagged($flagged);
+        $this->em->flush();
+
+        return $this->json(['id' => $message->getId(), 'isFlagged' => $message->isFlagged()]);
+    }
+}
diff --git a/src/Controller/Mail/MailMessageReadController.php b/src/Controller/Mail/MailMessageReadController.php
new file mode 100644
index 0000000..3ec9504
--- /dev/null
+++ b/src/Controller/Mail/MailMessageReadController.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailMessageRepository;
+use App\Security\MailAccessChecker;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}/read', name: 'mail_message_read', methods: ['POST'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailMessageReadController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly MailProviderInterface $mailProvider,
+        private readonly EntityManagerInterface $em,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(Request $request, int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $body = json_decode($request->getContent(), true);
+        $read = (bool) ($body['read'] ?? true);
+
+        try {
+            $this->mailProvider->markRead($message->getFolder()->getPath(), $message->getUid(), $read);
+        } catch (MailProviderException) {
+            // Non bloquant : on met quand meme a jour la BDD (sync IMAP au prochain cycle)
+        }
+
+        $message->setIsRead($read);
+        $this->em->flush();
+
+        return $this->json(['id' => $message->getId(), 'isRead' => $message->isRead()]);
+    }
+}
diff --git a/src/Controller/Mail/MailMessagesListController.php b/src/Controller/Mail/MailMessagesListController.php
new file mode 100644
index 0000000..ccb4e02
--- /dev/null
+++ b/src/Controller/Mail/MailMessagesListController.php
@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Repository\MailFolderRepository;
+use App\Repository\MailMessageRepository;
+use App\Security\MailAccessChecker;
+use DateTimeInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/folders/{folderPath}/messages', name: 'mail_messages_list', methods: ['GET'], priority: 1, requirements: ['folderPath' => '.+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailMessagesListController extends AbstractController
+{
+    public function __construct(
+        private readonly MailFolderRepository $folderRepository,
+        private readonly MailMessageRepository $messageRepository,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(Request $request, string $folderPath): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $decodedPath = urldecode($folderPath);
+
+        $folder = $this->folderRepository->findByPath($decodedPath);
+        if (null === $folder) {
+            throw new NotFoundHttpException(sprintf('Folder "%s" not found', $decodedPath));
+        }
+
+        $limit  = min((int) $request->query->get('limit', 50), 100);
+        $cursor = $request->query->get('cursor');
+
+        $result = $this->messageRepository->findByFolderCursor($folder, $limit, $cursor ?: null);
+
+        $messages = array_map(static fn ($m) => [
+            'id'             => $m->getId(),
+            'messageId'      => $m->getMessageId(),
+            'uid'            => $m->getUid(),
+            'subject'        => $m->getSubject(),
+            'fromAddress'    => $m->getFromAddress(),
+            'fromName'       => $m->getFromName(),
+            'toAddresses'    => $m->getToAddresses(),
+            'ccAddresses'    => $m->getCcAddresses(),
+            'sentAt'         => $m->getSentAt()->format(DateTimeInterface::ATOM),
+            'isRead'         => $m->isRead(),
+            'isFlagged'      => $m->isFlagged(),
+            'hasAttachments' => $m->hasAttachments(),
+            'snippet'        => $m->getSnippet(),
+        ], $result['messages']);
+
+        return $this->json([
+            'messages'   => $messages,
+            'nextCursor' => $result['nextCursor'],
+        ]);
+    }
+}
diff --git a/src/Controller/Mail/MailSyncTriggerController.php b/src/Controller/Mail/MailSyncTriggerController.php
new file mode 100644
index 0000000..165293b
--- /dev/null
+++ b/src/Controller/Mail/MailSyncTriggerController.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Message\MailSyncRequested;
+use App\Security\MailAccessChecker;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Messenger\MessageBusInterface;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/sync', name: 'mail_sync_trigger', methods: ['POST'], priority: 1)]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailSyncTriggerController extends AbstractController
+{
+    public function __construct(
+        private readonly MessageBusInterface $bus,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(Request $request): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $body       = json_decode($request->getContent(), true) ?? [];
+        $folderPath = $body['folderPath'] ?? null;
+
+        $this->bus->dispatch(new MailSyncRequested($folderPath));
+
+        return $this->json(
+            ['message' => 'Synchronisation démarrée en arrière-plan'],
+            Response::HTTP_ACCEPTED
+        );
+    }
+}
diff --git a/src/Controller/Mail/MailTestConnectionController.php b/src/Controller/Mail/MailTestConnectionController.php
new file mode 100644
index 0000000..6d25518
--- /dev/null
+++ b/src/Controller/Mail/MailTestConnectionController.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+use Throwable;
+
+#[Route('/api/mail/configuration/test', name: 'mail_configuration_test', methods: ['POST'], priority: 1)]
+#[IsGranted('ROLE_ADMIN')]
+class MailTestConnectionController extends AbstractController
+{
+    public function __construct(
+        private readonly MailProviderInterface $mailProvider,
+    ) {}
+
+    public function __invoke(): JsonResponse
+    {
+        try {
+            $foldersCount = $this->mailProvider->testConnection();
+
+            return $this->json([
+                'ok'           => true,
+                'foldersCount' => $foldersCount,
+            ]);
+        } catch (MailProviderException $e) {
+            return $this->json([
+                'ok'     => false,
+                'error'  => 'Connexion IMAP impossible. Vérifiez la configuration.',
+                'detail' => $e->getMessage(),
+            ]);
+        } catch (Throwable $e) {
+            return $this->json([
+                'ok'     => false,
+                'error'  => 'Erreur inattendue lors du test de connexion.',
+                'detail' => $e->getMessage(),
+            ]);
+        }
+    }
+}
diff --git a/src/Controller/Mail/MailUnlinkTaskController.php b/src/Controller/Mail/MailUnlinkTaskController.php
new file mode 100644
index 0000000..399959e
--- /dev/null
+++ b/src/Controller/Mail/MailUnlinkTaskController.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Entity\Task;
+use App\Repository\MailMessageRepository;
+use App\Repository\TaskMailLinkRepository;
+use App\Security\MailAccessChecker;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/mail/messages/{id}/link-task/{taskId}', name: 'mail_unlink_task', methods: ['DELETE'], priority: 1, requirements: ['id' => '\d+', 'taskId' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class MailUnlinkTaskController extends AbstractController
+{
+    public function __construct(
+        private readonly MailMessageRepository $messageRepository,
+        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly EntityManagerInterface $em,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(int $id, int $taskId): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $message = $this->messageRepository->find($id);
+        if (null === $message) {
+            throw new NotFoundHttpException('Message not found');
+        }
+
+        $task = $this->em->getRepository(Task::class)->find($taskId);
+        if (null === $task) {
+            throw new NotFoundHttpException('Task not found');
+        }
+
+        $link = $this->linkRepository->findByTaskAndMessage($task, $message);
+        if (null === $link) {
+            throw new NotFoundHttpException('Link not found');
+        }
+
+        $this->em->remove($link);
+        $this->em->flush();
+
+        return $this->json(null, Response::HTTP_NO_CONTENT);
+    }
+}
diff --git a/src/Controller/Mail/TaskMailsListController.php b/src/Controller/Mail/TaskMailsListController.php
new file mode 100644
index 0000000..6b2180e
--- /dev/null
+++ b/src/Controller/Mail/TaskMailsListController.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Mail;
+
+use App\Entity\Task;
+use App\Repository\TaskMailLinkRepository;
+use App\Security\MailAccessChecker;
+use DateTimeInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[Route('/api/tasks/{id}/mails', name: 'task_mails_list', methods: ['GET'], priority: 1, requirements: ['id' => '\d+'])]
+#[IsGranted('IS_AUTHENTICATED_FULLY')]
+class TaskMailsListController extends AbstractController
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly MailAccessChecker $accessChecker,
+    ) {}
+
+    public function __invoke(int $id): JsonResponse
+    {
+        $this->accessChecker->ensureCanAccessMail($this->getUser());
+
+        $task = $this->em->getRepository(Task::class)->find($id);
+        if (null === $task) {
+            throw new NotFoundHttpException('Task not found');
+        }
+
+        $links = $this->linkRepository->findByTask($task);
+
+        $data = array_map(static fn ($link) => [
+            'id'          => $link->getMailMessage()->getId(),
+            'messageId'   => $link->getMailMessage()->getMessageId(),
+            'subject'     => $link->getMailMessage()->getSubject(),
+            'fromAddress' => $link->getMailMessage()->getFromAddress(),
+            'fromName'    => $link->getMailMessage()->getFromName(),
+            'sentAt'      => $link->getMailMessage()->getSentAt()->format(DateTimeInterface::ATOM),
+            'isRead'      => $link->getMailMessage()->isRead(),
+            'isFlagged'   => $link->getMailMessage()->isFlagged(),
+            'snippet'     => $link->getMailMessage()->getSnippet(),
+            'linkedAt'    => $link->getLinkedAt()->format(DateTimeInterface::ATOM),
+        ], $links);
+
+        return $this->json($data);
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index bf8e9a1..a6a1c03 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -6,6 +6,7 @@ namespace App\DataFixtures;
 
 use App\Entity\Client;
 use App\Entity\ClientTicket;
+use App\Entity\MailConfiguration;
 use App\Entity\Project;
 use App\Entity\Task;
 use App\Entity\TaskEffort;
@@ -706,6 +707,21 @@ class AppFixtures extends Fixture
         $taskRecurring->setRecurrence($recurrence);
         $manager->persist($taskRecurring);
 
+        // =============================================
+        // Mail Configuration
+        // =============================================
+        $mailConfig = new MailConfiguration();
+        $mailConfig->setImapHost('ssl0.ovh.net');
+        $mailConfig->setImapPort(993);
+        $mailConfig->setImapEncryption('ssl');
+        $mailConfig->setSmtpHost('ssl0.ovh.net');
+        $mailConfig->setSmtpPort(465);
+        $mailConfig->setSmtpEncryption('ssl');
+        $mailConfig->setUsername('lesstime@ovh.fr');
+        $mailConfig->setSentFolderPath('Sent');
+        $mailConfig->setEnabled(false);
+        $manager->persist($mailConfig);
+
         $manager->flush();
     }
 }
diff --git a/src/Entity/ClientTicket.php b/src/Entity/ClientTicket.php
index 54a4d7e..b825c2f 100644
--- a/src/Entity/ClientTicket.php
+++ b/src/Entity/ClientTicket.php
@@ -47,12 +47,8 @@ use Symfony\Component\Validator\Constraints as Assert;
     order: ['createdAt' => 'DESC'],
 )]
 #[ORM\Entity(repositoryClass: ClientTicketRepository::class)]
-#[ORM\Table(
-    name: 'client_ticket',
-    uniqueConstraints: [
-        new ORM\UniqueConstraint(name: 'uniq_client_ticket_project_number', columns: ['project_id', 'number']),
-    ],
-)]
+#[ORM\Table(name: 'client_ticket')]
+#[ORM\UniqueConstraint(name: 'uniq_client_ticket_project_number', columns: ['project_id', 'number'])]
 class ClientTicket
 {
     public const string TYPE_BUG         = 'bug';
diff --git a/src/Entity/MailConfiguration.php b/src/Entity/MailConfiguration.php
new file mode 100644
index 0000000..b1af5b1
--- /dev/null
+++ b/src/Entity/MailConfiguration.php
@@ -0,0 +1,193 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use App\Repository\MailConfigurationRepository;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity(repositoryClass: MailConfigurationRepository::class)]
+#[ORM\Table(name: 'mail_configuration')]
+class MailConfiguration
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 10)]
+    private string $protocol = 'imap';
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $imapHost = null;
+
+    #[ORM\Column]
+    private int $imapPort = 993;
+
+    #[ORM\Column(length: 10)]
+    private string $imapEncryption = 'ssl';
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $smtpHost = null;
+
+    #[ORM\Column]
+    private int $smtpPort = 465;
+
+    #[ORM\Column(length: 10)]
+    private string $smtpEncryption = 'ssl';
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $username = null;
+
+    #[ORM\Column(type: 'text', nullable: true)]
+    private ?string $encryptedPassword = null;
+
+    #[ORM\Column(length: 255)]
+    private string $sentFolderPath = 'Sent';
+
+    #[ORM\Column(type: 'boolean')]
+    private bool $enabled = false;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getProtocol(): string
+    {
+        return $this->protocol;
+    }
+
+    public function setProtocol(string $protocol): static
+    {
+        $this->protocol = $protocol;
+
+        return $this;
+    }
+
+    public function getImapHost(): ?string
+    {
+        return $this->imapHost;
+    }
+
+    public function setImapHost(?string $imapHost): static
+    {
+        $this->imapHost = $imapHost;
+
+        return $this;
+    }
+
+    public function getImapPort(): int
+    {
+        return $this->imapPort;
+    }
+
+    public function setImapPort(int $imapPort): static
+    {
+        $this->imapPort = $imapPort;
+
+        return $this;
+    }
+
+    public function getImapEncryption(): string
+    {
+        return $this->imapEncryption;
+    }
+
+    public function setImapEncryption(string $imapEncryption): static
+    {
+        $this->imapEncryption = $imapEncryption;
+
+        return $this;
+    }
+
+    public function getSmtpHost(): ?string
+    {
+        return $this->smtpHost;
+    }
+
+    public function setSmtpHost(?string $smtpHost): static
+    {
+        $this->smtpHost = $smtpHost;
+
+        return $this;
+    }
+
+    public function getSmtpPort(): int
+    {
+        return $this->smtpPort;
+    }
+
+    public function setSmtpPort(int $smtpPort): static
+    {
+        $this->smtpPort = $smtpPort;
+
+        return $this;
+    }
+
+    public function getSmtpEncryption(): string
+    {
+        return $this->smtpEncryption;
+    }
+
+    public function setSmtpEncryption(string $smtpEncryption): static
+    {
+        $this->smtpEncryption = $smtpEncryption;
+
+        return $this;
+    }
+
+    public function getUsername(): ?string
+    {
+        return $this->username;
+    }
+
+    public function setUsername(?string $username): static
+    {
+        $this->username = $username;
+
+        return $this;
+    }
+
+    public function getEncryptedPassword(): ?string
+    {
+        return $this->encryptedPassword;
+    }
+
+    public function setEncryptedPassword(?string $encryptedPassword): static
+    {
+        $this->encryptedPassword = $encryptedPassword;
+
+        return $this;
+    }
+
+    public function getSentFolderPath(): string
+    {
+        return $this->sentFolderPath;
+    }
+
+    public function setSentFolderPath(string $sentFolderPath): static
+    {
+        $this->sentFolderPath = $sentFolderPath;
+
+        return $this;
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->enabled;
+    }
+
+    public function setEnabled(bool $enabled): static
+    {
+        $this->enabled = $enabled;
+
+        return $this;
+    }
+
+    public function hasPassword(): bool
+    {
+        return null !== $this->encryptedPassword;
+    }
+}
diff --git a/src/Entity/MailFolder.php b/src/Entity/MailFolder.php
new file mode 100644
index 0000000..0b2462d
--- /dev/null
+++ b/src/Entity/MailFolder.php
@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use App\Repository\MailFolderRepository;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity(repositoryClass: MailFolderRepository::class)]
+#[ORM\Table(name: 'mail_folder')]
+#[ORM\Index(columns: ['parent_path'], name: 'idx_mail_folder_parent_path')]
+class MailFolder
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 500, unique: true)]
+    private string $path;
+
+    #[ORM\Column(length: 255)]
+    private string $displayName;
+
+    #[ORM\Column(length: 500, nullable: true)]
+    private ?string $parentPath = null;
+
+    #[ORM\Column]
+    private int $unreadCount = 0;
+
+    #[ORM\Column]
+    private int $totalCount = 0;
+
+    #[ORM\Column(type: 'datetimetz_immutable', nullable: true)]
+    private ?DateTimeImmutable $lastSyncedAt = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getPath(): string
+    {
+        return $this->path;
+    }
+
+    public function setPath(string $path): static
+    {
+        $this->path = $path;
+
+        return $this;
+    }
+
+    public function getDisplayName(): string
+    {
+        return $this->displayName;
+    }
+
+    public function setDisplayName(string $displayName): static
+    {
+        $this->displayName = $displayName;
+
+        return $this;
+    }
+
+    public function getParentPath(): ?string
+    {
+        return $this->parentPath;
+    }
+
+    public function setParentPath(?string $parentPath): static
+    {
+        $this->parentPath = $parentPath;
+
+        return $this;
+    }
+
+    public function getUnreadCount(): int
+    {
+        return $this->unreadCount;
+    }
+
+    public function setUnreadCount(int $unreadCount): static
+    {
+        $this->unreadCount = $unreadCount;
+
+        return $this;
+    }
+
+    public function getTotalCount(): int
+    {
+        return $this->totalCount;
+    }
+
+    public function setTotalCount(int $totalCount): static
+    {
+        $this->totalCount = $totalCount;
+
+        return $this;
+    }
+
+    public function getLastSyncedAt(): ?DateTimeImmutable
+    {
+        return $this->lastSyncedAt;
+    }
+
+    public function setLastSyncedAt(?DateTimeImmutable $lastSyncedAt): static
+    {
+        $this->lastSyncedAt = $lastSyncedAt;
+
+        return $this;
+    }
+}
diff --git a/src/Entity/MailMessage.php b/src/Entity/MailMessage.php
new file mode 100644
index 0000000..8efee5f
--- /dev/null
+++ b/src/Entity/MailMessage.php
@@ -0,0 +1,239 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use App\Repository\MailMessageRepository;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity(repositoryClass: MailMessageRepository::class)]
+#[ORM\Table(name: 'mail_message')]
+#[ORM\UniqueConstraint(name: 'uq_mail_message_folder_uid', columns: ['folder_id', 'uid'])]
+#[ORM\Index(columns: ['sent_at'], name: 'idx_mail_message_sent_at')]
+#[ORM\Index(columns: ['is_read'], name: 'idx_mail_message_is_read')]
+#[ORM\Index(columns: ['message_id'], name: 'idx_mail_message_message_id')]
+class MailMessage
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 500)]
+    private string $messageId;
+
+    #[ORM\ManyToOne(targetEntity: MailFolder::class)]
+    #[ORM\JoinColumn(name: 'folder_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    private MailFolder $folder;
+
+    #[ORM\Column]
+    private int $uid;
+
+    #[ORM\Column(length: 500, nullable: true)]
+    private ?string $subject = null;
+
+    #[ORM\Column(length: 255)]
+    private string $fromAddress;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $fromName = null;
+
+    #[ORM\Column(type: 'json')]
+    private array $toAddresses = [];
+
+    #[ORM\Column(type: 'json', nullable: true)]
+    private ?array $ccAddresses = null;
+
+    #[ORM\Column(type: 'datetimetz_immutable')]
+    private DateTimeImmutable $sentAt;
+
+    #[ORM\Column(type: 'boolean')]
+    private bool $isRead = false;
+
+    #[ORM\Column(type: 'boolean')]
+    private bool $isFlagged = false;
+
+    #[ORM\Column(type: 'boolean')]
+    private bool $hasAttachments = false;
+
+    #[ORM\Column(type: 'text', nullable: true)]
+    private ?string $snippet = null;
+
+    #[ORM\Column(type: 'datetimetz_immutable')]
+    private DateTimeImmutable $syncedAt;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getMessageId(): string
+    {
+        return $this->messageId;
+    }
+
+    public function setMessageId(string $messageId): static
+    {
+        $this->messageId = $messageId;
+
+        return $this;
+    }
+
+    public function getFolder(): MailFolder
+    {
+        return $this->folder;
+    }
+
+    public function setFolder(MailFolder $folder): static
+    {
+        $this->folder = $folder;
+
+        return $this;
+    }
+
+    public function getUid(): int
+    {
+        return $this->uid;
+    }
+
+    public function setUid(int $uid): static
+    {
+        $this->uid = $uid;
+
+        return $this;
+    }
+
+    public function getSubject(): ?string
+    {
+        return $this->subject;
+    }
+
+    public function setSubject(?string $subject): static
+    {
+        $this->subject = $subject;
+
+        return $this;
+    }
+
+    public function getFromAddress(): string
+    {
+        return $this->fromAddress;
+    }
+
+    public function setFromAddress(string $fromAddress): static
+    {
+        $this->fromAddress = $fromAddress;
+
+        return $this;
+    }
+
+    public function getFromName(): ?string
+    {
+        return $this->fromName;
+    }
+
+    public function setFromName(?string $fromName): static
+    {
+        $this->fromName = $fromName;
+
+        return $this;
+    }
+
+    public function getToAddresses(): array
+    {
+        return $this->toAddresses;
+    }
+
+    public function setToAddresses(array $toAddresses): static
+    {
+        $this->toAddresses = $toAddresses;
+
+        return $this;
+    }
+
+    public function getCcAddresses(): ?array
+    {
+        return $this->ccAddresses;
+    }
+
+    public function setCcAddresses(?array $ccAddresses): static
+    {
+        $this->ccAddresses = $ccAddresses;
+
+        return $this;
+    }
+
+    public function getSentAt(): DateTimeImmutable
+    {
+        return $this->sentAt;
+    }
+
+    public function setSentAt(DateTimeImmutable $sentAt): static
+    {
+        $this->sentAt = $sentAt;
+
+        return $this;
+    }
+
+    public function isRead(): bool
+    {
+        return $this->isRead;
+    }
+
+    public function setIsRead(bool $isRead): static
+    {
+        $this->isRead = $isRead;
+
+        return $this;
+    }
+
+    public function isFlagged(): bool
+    {
+        return $this->isFlagged;
+    }
+
+    public function setIsFlagged(bool $isFlagged): static
+    {
+        $this->isFlagged = $isFlagged;
+
+        return $this;
+    }
+
+    public function hasAttachments(): bool
+    {
+        return $this->hasAttachments;
+    }
+
+    public function setHasAttachments(bool $hasAttachments): static
+    {
+        $this->hasAttachments = $hasAttachments;
+
+        return $this;
+    }
+
+    public function getSnippet(): ?string
+    {
+        return $this->snippet;
+    }
+
+    public function setSnippet(?string $snippet): static
+    {
+        $this->snippet = $snippet;
+
+        return $this;
+    }
+
+    public function getSyncedAt(): DateTimeImmutable
+    {
+        return $this->syncedAt;
+    }
+
+    public function setSyncedAt(DateTimeImmutable $syncedAt): static
+    {
+        $this->syncedAt = $syncedAt;
+
+        return $this;
+    }
+}
diff --git a/src/Entity/TaskMailLink.php b/src/Entity/TaskMailLink.php
new file mode 100644
index 0000000..652fc22
--- /dev/null
+++ b/src/Entity/TaskMailLink.php
@@ -0,0 +1,88 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use App\Repository\TaskMailLinkRepository;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity(repositoryClass: TaskMailLinkRepository::class)]
+#[ORM\Table(name: 'task_mail_link')]
+#[ORM\UniqueConstraint(name: 'uq_task_mail_link', columns: ['task_id', 'mail_message_id'])]
+class TaskMailLink
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    private ?int $id = null;
+
+    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    private Task $task;
+
+    #[ORM\ManyToOne(targetEntity: MailMessage::class)]
+    #[ORM\JoinColumn(name: 'mail_message_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    private MailMessage $mailMessage;
+
+    #[ORM\Column(type: 'datetimetz_immutable')]
+    private DateTimeImmutable $linkedAt;
+
+    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\JoinColumn(name: 'linked_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    private ?User $linkedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getTask(): Task
+    {
+        return $this->task;
+    }
+
+    public function setTask(Task $task): static
+    {
+        $this->task = $task;
+
+        return $this;
+    }
+
+    public function getMailMessage(): MailMessage
+    {
+        return $this->mailMessage;
+    }
+
+    public function setMailMessage(MailMessage $mailMessage): static
+    {
+        $this->mailMessage = $mailMessage;
+
+        return $this;
+    }
+
+    public function getLinkedAt(): DateTimeImmutable
+    {
+        return $this->linkedAt;
+    }
+
+    public function setLinkedAt(DateTimeImmutable $linkedAt): static
+    {
+        $this->linkedAt = $linkedAt;
+
+        return $this;
+    }
+
+    public function getLinkedBy(): ?User
+    {
+        return $this->linkedBy;
+    }
+
+    public function setLinkedBy(?User $linkedBy): static
+    {
+        $this->linkedBy = $linkedBy;
+
+        return $this;
+    }
+}
diff --git a/src/Mail/Dto/MailAttachmentDto.php b/src/Mail/Dto/MailAttachmentDto.php
new file mode 100644
index 0000000..cb6362a
--- /dev/null
+++ b/src/Mail/Dto/MailAttachmentDto.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Dto;
+
+final readonly class MailAttachmentDto
+{
+    public function __construct(
+        public string $partNumber,
+        public string $filename,
+        public string $mimeType,
+        public int $size,
+    ) {}
+}
diff --git a/src/Mail/Dto/MailFolderDto.php b/src/Mail/Dto/MailFolderDto.php
new file mode 100644
index 0000000..d6ff8ff
--- /dev/null
+++ b/src/Mail/Dto/MailFolderDto.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Dto;
+
+final readonly class MailFolderDto
+{
+    public function __construct(
+        public string $path,
+        public string $displayName,
+        public ?string $parentPath,
+        public int $unreadCount,
+        public int $totalCount,
+    ) {}
+}
diff --git a/src/Mail/Dto/MailMessageDetailDto.php b/src/Mail/Dto/MailMessageDetailDto.php
new file mode 100644
index 0000000..76462e7
--- /dev/null
+++ b/src/Mail/Dto/MailMessageDetailDto.php
@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Dto;
+
+final readonly class MailMessageDetailDto
+{
+    /**
+     * @param list<MailAttachmentDto> $attachments
+     */
+    public function __construct(
+        public MailMessageHeaderDto $header,
+        public ?string $bodyHtml,
+        public ?string $bodyText,
+        public array $attachments,
+    ) {}
+}
diff --git a/src/Mail/Dto/MailMessageHeaderDto.php b/src/Mail/Dto/MailMessageHeaderDto.php
new file mode 100644
index 0000000..fe9d022
--- /dev/null
+++ b/src/Mail/Dto/MailMessageHeaderDto.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Dto;
+
+use DateTimeImmutable;
+
+final readonly class MailMessageHeaderDto
+{
+    public function __construct(
+        public int $uid,
+        public string $messageId,
+        public ?string $subject,
+        public string $fromAddress,
+        public ?string $fromName,
+        public array $toAddresses,
+        public ?array $ccAddresses,
+        public DateTimeImmutable $sentAt,
+        public bool $isRead,
+        public bool $isFlagged,
+        public bool $hasAttachments,
+        public ?string $snippet,
+    ) {}
+}
diff --git a/src/Mail/Dto/MailSyncReport.php b/src/Mail/Dto/MailSyncReport.php
new file mode 100644
index 0000000..cee124b
--- /dev/null
+++ b/src/Mail/Dto/MailSyncReport.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Dto;
+
+use DateTimeImmutable;
+
+final readonly class MailSyncReport
+{
+    /**
+     * @param list<string> $errors
+     */
+    public function __construct(
+        public int $createdCount,
+        public int $updatedCount,
+        public int $deletedCount,
+        public int $foldersScanned,
+        public array $errors,
+        public float $durationSeconds,
+        public DateTimeImmutable $startedAt,
+        public DateTimeImmutable $finishedAt,
+    ) {}
+}
diff --git a/src/Mail/Exception/MailProviderException.php b/src/Mail/Exception/MailProviderException.php
new file mode 100644
index 0000000..af4e6da
--- /dev/null
+++ b/src/Mail/Exception/MailProviderException.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail\Exception;
+
+use RuntimeException;
+
+final class MailProviderException extends RuntimeException
+{
+    public static function connectionFailed(string $reason): self
+    {
+        return new self(sprintf('Mail provider connection failed: %s', $reason));
+    }
+
+    public static function operationFailed(string $operation, string $reason): self
+    {
+        return new self(sprintf('Mail provider operation "%s" failed: %s', $operation, $reason));
+    }
+}
diff --git a/src/Mail/ImapMailProvider.php b/src/Mail/ImapMailProvider.php
new file mode 100644
index 0000000..9ef7c45
--- /dev/null
+++ b/src/Mail/ImapMailProvider.php
@@ -0,0 +1,403 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Mail\Dto\MailAttachmentDto;
+use App\Mail\Dto\MailFolderDto;
+use App\Mail\Dto\MailMessageDetailDto;
+use App\Mail\Dto\MailMessageHeaderDto;
+use App\Mail\Exception\MailProviderException;
+use App\Repository\MailConfigurationRepository;
+use App\Service\TokenEncryptor;
+use DateTimeImmutable;
+use Psr\Log\LoggerInterface;
+use SodiumException;
+use Throwable;
+use Webklex\PHPIMAP\Client;
+use Webklex\PHPIMAP\ClientManager;
+use Webklex\PHPIMAP\IMAP;
+
+final class ImapMailProvider implements MailProviderInterface
+{
+    private ?Client $client = null;
+
+    public function __construct(
+        private readonly MailConfigurationRepository $configRepository,
+        private readonly TokenEncryptor $tokenEncryptor,
+        private readonly LoggerInterface $logger,
+    ) {}
+
+    /**
+     * Closes the reused IMAP connection. Call once at the end of a batch
+     * synchronisation to release the socket; HTTP requests can ignore it
+     * (the connection dies with the process).
+     */
+    public function closeConnection(): void
+    {
+        if (null !== $this->client && $this->client->isConnected()) {
+            try {
+                $this->client->disconnect();
+            } catch (Throwable) {
+                // best effort
+            }
+        }
+        $this->client = null;
+    }
+
+    public function testConnection(): int
+    {
+        $client = $this->getClient(requireEnabled: false);
+
+        try {
+            $folders = $client->getFolders(false);
+
+            return count($folders);
+        } catch (Throwable $e) {
+            $this->logger->error('ImapMailProvider::testConnection failed: '.$e->getMessage());
+
+            throw MailProviderException::connectionFailed($e->getMessage());
+        }
+    }
+
+    public function listFolders(): array
+    {
+        $client = $this->getClient();
+
+        try {
+            $folders = $client->getFolders(false);
+            $result  = [];
+
+            foreach ($folders as $folder) {
+                $path       = $folder->path;
+                $parentPath = null;
+                $delimiter  = $folder->delimiter ?? '.';
+                $lastDelim  = strrpos($path, $delimiter);
+                if (false !== $lastDelim && $lastDelim > 0) {
+                    $parentPath = substr($path, 0, $lastDelim);
+                }
+
+                $result[] = new MailFolderDto(
+                    path: $path,
+                    displayName: $folder->name,
+                    parentPath: $parentPath,
+                    unreadCount: (int) ($folder->status['unseen'] ?? 0),
+                    totalCount: (int) ($folder->status['messages'] ?? 0),
+                );
+            }
+
+            return $result;
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error('ImapMailProvider::listFolders failed: '.$e->getMessage());
+
+            throw MailProviderException::operationFailed('listFolders', $e->getMessage());
+        }
+    }
+
+    public function listMessages(string $folderPath, int $limit, int $offset): array
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('listMessages', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $messages = $folder->query()
+                ->whereAll()
+                ->setFetchBody(false)
+                ->leaveUnread()
+                ->setSequence(IMAP::ST_UID)
+                ->get()
+            ;
+
+            $result = [];
+            $items  = array_slice($messages->toArray(), $offset, $limit);
+
+            foreach ($items as $message) {
+                $result[] = $this->buildHeaderDto($message, withSnippet: false);
+            }
+
+            return $result;
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::listMessages failed for folder %s: %s', $folderPath, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('listMessages', $e->getMessage());
+        }
+    }
+
+    public function fetchMessage(string $folderPath, int $uid): MailMessageDetailDto
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('fetchMessage', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $message = $folder->query()->uid($uid)->leaveUnread()->setSequence(IMAP::ST_UID)->get()->first();
+
+            if (null === $message) {
+                throw MailProviderException::operationFailed('fetchMessage', sprintf('UID %d not found in folder %s', $uid, $folderPath));
+            }
+
+            $header      = $this->buildHeaderDto($message);
+            $bodyHtml    = $message->getHTMLBody(false) ?: null;
+            $bodyText    = $message->getTextBody() ?: null;
+            $attachments = [];
+
+            foreach ($message->getAttachments() as $att) {
+                $attachments[] = new MailAttachmentDto(
+                    partNumber: (string) ($att->part_number ?? '1'),
+                    filename: $att->getName() ?? 'attachment',
+                    mimeType: $att->getMimeType() ?? 'application/octet-stream',
+                    size: $att->getSize() ?? 0,
+                );
+            }
+
+            return new MailMessageDetailDto(
+                header: $header,
+                bodyHtml: $bodyHtml,
+                bodyText: $bodyText,
+                attachments: $attachments,
+            );
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::fetchMessage failed uid=%d folder=%s: %s', $uid, $folderPath, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('fetchMessage', $e->getMessage());
+        }
+    }
+
+    public function markRead(string $folderPath, int $uid, bool $read): void
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('markRead', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $message = $folder->query()->uid($uid)->leaveUnread()->setSequence(IMAP::ST_UID)->get()->first();
+
+            if (null === $message) {
+                throw MailProviderException::operationFailed('markRead', sprintf('UID %d not found', $uid));
+            }
+
+            if ($read) {
+                $message->setFlag('Seen');
+            } else {
+                $message->unsetFlag('Seen');
+            }
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::markRead failed uid=%d: %s', $uid, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('markRead', $e->getMessage());
+        }
+    }
+
+    public function markFlagged(string $folderPath, int $uid, bool $flagged): void
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('markFlagged', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $message = $folder->query()->uid($uid)->leaveUnread()->setSequence(IMAP::ST_UID)->get()->first();
+
+            if (null === $message) {
+                throw MailProviderException::operationFailed('markFlagged', sprintf('UID %d not found', $uid));
+            }
+
+            if ($flagged) {
+                $message->setFlag('Flagged');
+            } else {
+                $message->unsetFlag('Flagged');
+            }
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::markFlagged failed uid=%d: %s', $uid, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('markFlagged', $e->getMessage());
+        }
+    }
+
+    public function moveMessage(string $folderPath, int $uid, string $targetFolder): void
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('moveMessage', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $message = $folder->query()->uid($uid)->leaveUnread()->setSequence(IMAP::ST_UID)->get()->first();
+
+            if (null === $message) {
+                throw MailProviderException::operationFailed('moveMessage', sprintf('UID %d not found', $uid));
+            }
+
+            $message->moveToFolder($targetFolder);
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::moveMessage failed uid=%d: %s', $uid, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('moveMessage', $e->getMessage());
+        }
+    }
+
+    public function fetchAttachment(string $folderPath, int $uid, string $partNumber): string
+    {
+        $client = $this->getClient();
+
+        try {
+            $folder = $client->getFolder($folderPath);
+            if (null === $folder) {
+                throw MailProviderException::operationFailed('fetchAttachment', sprintf('Folder %s not found', $folderPath));
+            }
+
+            $message = $folder->query()->uid($uid)->leaveUnread()->setSequence(IMAP::ST_UID)->get()->first();
+
+            if (null === $message) {
+                throw MailProviderException::operationFailed('fetchAttachment', sprintf('UID %d not found', $uid));
+            }
+
+            foreach ($message->getAttachments() as $att) {
+                if ((string) ($att->part_number ?? '1') === $partNumber) {
+                    return (string) $att->getContent();
+                }
+            }
+
+            throw MailProviderException::operationFailed('fetchAttachment', sprintf('Part %s not found in UID %d', $partNumber, $uid));
+        } catch (MailProviderException $e) {
+            throw $e;
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('ImapMailProvider::fetchAttachment failed uid=%d part=%s: %s', $uid, $partNumber, $e->getMessage()));
+
+            throw MailProviderException::operationFailed('fetchAttachment', $e->getMessage());
+        }
+    }
+
+    private function getClient(bool $requireEnabled = true): Client
+    {
+        if (null !== $this->client && $this->client->isConnected()) {
+            return $this->client;
+        }
+
+        $config = $this->configRepository->findSingleton();
+
+        if (null === $config) {
+            throw MailProviderException::connectionFailed('Mail configuration is missing');
+        }
+
+        if ($requireEnabled && !$config->isEnabled()) {
+            throw MailProviderException::connectionFailed('Mail configuration is disabled');
+        }
+
+        if (null === $config->getEncryptedPassword()) {
+            throw MailProviderException::connectionFailed('No password configured');
+        }
+
+        $password = $this->tokenEncryptor->decrypt($config->getEncryptedPassword());
+
+        try {
+            $manager = new ClientManager();
+            $client  = $manager->make([
+                'host'          => $config->getImapHost(),
+                'port'          => $config->getImapPort(),
+                'encryption'    => $config->getImapEncryption(),
+                'validate_cert' => true,
+                'username'      => $config->getUsername(),
+                'password'      => $password,
+                'protocol'      => 'imap',
+            ]);
+
+            $client->connect();
+        } catch (Throwable $e) {
+            $this->logger->error('IMAP connection failed: '.$e->getMessage());
+
+            throw MailProviderException::connectionFailed($e->getMessage());
+        } finally {
+            try {
+                sodium_memzero($password);
+            } catch (SodiumException) {
+                // ignore: interned strings can't be zeroed
+            }
+        }
+
+        $this->client = $client;
+
+        return $client;
+    }
+
+    private function buildHeaderDto(mixed $message, bool $withSnippet = true): MailMessageHeaderDto
+    {
+        $from        = $message->getFrom()->first();
+        $fromAddress = null !== $from ? (string) $from->mail : '';
+        $fromName    = null !== $from && null !== $from->personal ? (string) $from->personal : null;
+
+        $toAddresses = [];
+        foreach ($message->getTo() as $addr) {
+            $toAddresses[] = (string) $addr->mail;
+        }
+
+        $ccAddresses = null;
+        $cc          = $message->getCc();
+        if (null !== $cc && $cc->count() > 0) {
+            $ccAddresses = [];
+            foreach ($cc as $addr) {
+                $ccAddresses[] = (string) $addr->mail;
+            }
+        }
+
+        $sentAt   = new DateTimeImmutable();
+        $dateAttr = $message->getDate();
+        if (null !== $dateAttr) {
+            try {
+                $sentAt = DateTimeImmutable::createFromInterface($dateAttr->toDate());
+            } catch (Throwable) {
+                // keep default when the header date is missing or unparsable
+            }
+        }
+
+        $snippet = null;
+        if ($withSnippet) {
+            $text = $message->getTextBody();
+            if (null !== $text && '' !== $text) {
+                $snippet = mb_substr(strip_tags($text), 0, 200);
+            }
+        }
+
+        return new MailMessageHeaderDto(
+            uid: (int) $message->getUid(),
+            messageId: (string) $message->getMessageId(),
+            subject: '' !== (string) $message->getSubject() ? (string) $message->getSubject() : null,
+            fromAddress: $fromAddress,
+            fromName: $fromName,
+            toAddresses: $toAddresses,
+            ccAddresses: $ccAddresses,
+            sentAt: $sentAt,
+            isRead: $message->hasFlag('Seen'),
+            isFlagged: $message->hasFlag('Flagged'),
+            hasAttachments: $message->hasAttachments(),
+            snippet: $snippet,
+        );
+    }
+}
diff --git a/src/Mail/MailProviderInterface.php b/src/Mail/MailProviderInterface.php
new file mode 100644
index 0000000..c233846
--- /dev/null
+++ b/src/Mail/MailProviderInterface.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Mail\Dto\MailFolderDto;
+use App\Mail\Dto\MailMessageDetailDto;
+use App\Mail\Dto\MailMessageHeaderDto;
+use App\Mail\Exception\MailProviderException;
+
+interface MailProviderInterface
+{
+    /**
+     * Opens a connection using the stored configuration and returns the number
+     * of folders found. Used by the admin "test connection" endpoint, so it
+     * MUST work even when the configuration is not yet enabled.
+     *
+     * @throws MailProviderException
+     */
+    public function testConnection(): int;
+
+    /**
+     * Releases any reused network connection held by the provider.
+     * Safe to call multiple times; a no-op if nothing is open.
+     */
+    public function closeConnection(): void;
+
+    /**
+     * Returns the full folder tree of the configured mailbox.
+     *
+     * @return list<MailFolderDto>
+     *
+     * @throws MailProviderException
+     */
+    public function listFolders(): array;
+
+    /**
+     * Returns a paginated list of message headers for the given folder.
+     *
+     * @return list<MailMessageHeaderDto>
+     *
+     * @throws MailProviderException
+     */
+    public function listMessages(string $folderPath, int $limit, int $offset): array;
+
+    /**
+     * Fetches the full message (headers + body + attachments list) by UID.
+     *
+     * @throws MailProviderException
+     */
+    public function fetchMessage(string $folderPath, int $uid): MailMessageDetailDto;
+
+    /**
+     * Marks a message as read or unread on the IMAP server.
+     *
+     * @throws MailProviderException
+     */
+    public function markRead(string $folderPath, int $uid, bool $read): void;
+
+    /**
+     * Marks a message as flagged (starred) or unflagged on the IMAP server.
+     *
+     * @throws MailProviderException
+     */
+    public function markFlagged(string $folderPath, int $uid, bool $flagged): void;
+
+    /**
+     * Moves a message from one folder to another on the IMAP server.
+     *
+     * @throws MailProviderException
+     */
+    public function moveMessage(string $folderPath, int $uid, string $targetFolder): void;
+
+    /**
+     * Fetches the raw binary content of an attachment by its MIME part number.
+     *
+     * @throws MailProviderException
+     */
+    public function fetchAttachment(string $folderPath, int $uid, string $partNumber): string;
+}
diff --git a/src/Message/MailSyncRequested.php b/src/Message/MailSyncRequested.php
new file mode 100644
index 0000000..01ecb52
--- /dev/null
+++ b/src/Message/MailSyncRequested.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Message;
+
+final readonly class MailSyncRequested
+{
+    public function __construct(
+        public ?string $folderPath = null,
+    ) {}
+}
diff --git a/src/MessageHandler/MailSyncRequestedHandler.php b/src/MessageHandler/MailSyncRequestedHandler.php
new file mode 100644
index 0000000..d76e32b
--- /dev/null
+++ b/src/MessageHandler/MailSyncRequestedHandler.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\MessageHandler;
+
+use App\Message\MailSyncRequested;
+use App\Repository\MailFolderRepository;
+use App\Service\MailSyncService;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Messenger\Attribute\AsMessageHandler;
+use Throwable;
+
+#[AsMessageHandler]
+final readonly class MailSyncRequestedHandler
+{
+    public function __construct(
+        private MailSyncService $mailSyncService,
+        private MailFolderRepository $folderRepository,
+        private LoggerInterface $logger,
+    ) {}
+
+    public function __invoke(MailSyncRequested $message): void
+    {
+        try {
+            if (null !== $message->folderPath) {
+                $folder = $this->folderRepository->findByPath($message->folderPath);
+                if (null !== $folder) {
+                    $report = $this->mailSyncService->syncFolder($folder);
+                    $this->logger->info(sprintf(
+                        'MailSyncRequested handled for folder "%s": %d created, %d updated, %d deleted',
+                        $message->folderPath,
+                        $report->createdCount,
+                        $report->updatedCount,
+                        $report->deletedCount,
+                    ));
+                } else {
+                    $this->logger->warning(sprintf('MailSyncRequested: folder "%s" not found in DB', $message->folderPath));
+                }
+            } else {
+                $report = $this->mailSyncService->syncAll();
+                $this->logger->info(sprintf(
+                    'MailSyncRequested handled (all folders): %d created, %d updated, %d deleted, %d folders scanned',
+                    $report->createdCount,
+                    $report->updatedCount,
+                    $report->deletedCount,
+                    $report->foldersScanned,
+                ));
+            }
+        } catch (Throwable $e) {
+            $this->logger->error('MailSyncRequestedHandler failed: '.$e->getMessage());
+        }
+    }
+}
diff --git a/src/Repository/MailConfigurationRepository.php b/src/Repository/MailConfigurationRepository.php
new file mode 100644
index 0000000..9be3993
--- /dev/null
+++ b/src/Repository/MailConfigurationRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\MailConfiguration;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+class MailConfigurationRepository extends ServiceEntityRepository
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, MailConfiguration::class);
+    }
+
+    public function findSingleton(): ?MailConfiguration
+    {
+        return $this->createQueryBuilder('m')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getOneOrNullResult()
+        ;
+    }
+}
diff --git a/src/Repository/MailFolderRepository.php b/src/Repository/MailFolderRepository.php
new file mode 100644
index 0000000..d228d35
--- /dev/null
+++ b/src/Repository/MailFolderRepository.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\MailFolder;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+class MailFolderRepository extends ServiceEntityRepository
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, MailFolder::class);
+    }
+
+    /**
+     * @return list<MailFolder>
+     */
+    public function findAllOrderedByPath(): array
+    {
+        return $this->createQueryBuilder('f')
+            ->orderBy('f.path', 'ASC')
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
+    public function findByPath(string $path): ?MailFolder
+    {
+        return $this->findOneBy(['path' => $path]);
+    }
+}
diff --git a/src/Repository/MailMessageRepository.php b/src/Repository/MailMessageRepository.php
new file mode 100644
index 0000000..78e07cd
--- /dev/null
+++ b/src/Repository/MailMessageRepository.php
@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\MailFolder;
+use App\Entity\MailMessage;
+use DateTimeImmutable;
+use DateTimeInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+class MailMessageRepository extends ServiceEntityRepository
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, MailMessage::class);
+    }
+
+    public function findByMessageId(string $messageId): ?MailMessage
+    {
+        return $this->findOneBy(['messageId' => $messageId]);
+    }
+
+    public function findByFolderAndUid(MailFolder $folder, int $uid): ?MailMessage
+    {
+        return $this->findOneBy(['folder' => $folder, 'uid' => $uid]);
+    }
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findByFolderPaginated(MailFolder $folder, int $limit, int $offset): array
+    {
+        return $this->createQueryBuilder('m')
+            ->andWhere('m.folder = :folder')
+            ->setParameter('folder', $folder)
+            ->orderBy('m.sentAt', 'DESC')
+            ->addOrderBy('m.id', 'DESC')
+            ->setMaxResults($limit)
+            ->setFirstResult($offset)
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
+    public function countUnreadByFolder(MailFolder $folder): int
+    {
+        return (int) $this->createQueryBuilder('m')
+            ->select('COUNT(m.id)')
+            ->andWhere('m.folder = :folder')
+            ->andWhere('m.isRead = false')
+            ->setParameter('folder', $folder)
+            ->getQuery()
+            ->getSingleScalarResult()
+        ;
+    }
+
+    public function findMaxUidInFolder(MailFolder $folder): int
+    {
+        $result = $this->createQueryBuilder('m')
+            ->select('MAX(m.uid)')
+            ->andWhere('m.folder = :folder')
+            ->setParameter('folder', $folder)
+            ->getQuery()
+            ->getSingleScalarResult()
+        ;
+
+        return (int) ($result ?? 0);
+    }
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findLastNByFolder(MailFolder $folder, int $limit): array
+    {
+        return $this->createQueryBuilder('m')
+            ->andWhere('m.folder = :folder')
+            ->setParameter('folder', $folder)
+            ->orderBy('m.sentAt', 'DESC')
+            ->addOrderBy('m.id', 'DESC')
+            ->setMaxResults($limit)
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
+    /**
+     * @return list<int>
+     */
+    public function findAllUidsByFolder(MailFolder $folder): array
+    {
+        $rows = $this->createQueryBuilder('m')
+            ->select('m.uid')
+            ->andWhere('m.folder = :folder')
+            ->setParameter('folder', $folder)
+            ->getQuery()
+            ->getArrayResult()
+        ;
+
+        return array_column($rows, 'uid');
+    }
+
+    /**
+     * Pagination cursor : retourne $limit messages apres le cursor (sentAt DESC, id DESC).
+     * Cursor format : base64url(sentAt_iso8601:id) - null pour la premiere page.
+     *
+     * @return array{messages: list<MailMessage>, nextCursor: ?string}
+     */
+    public function findByFolderCursor(MailFolder $folder, int $limit, ?string $cursor): array
+    {
+        $qb = $this->createQueryBuilder('m')
+            ->andWhere('m.folder = :folder')
+            ->setParameter('folder', $folder)
+            ->orderBy('m.sentAt', 'DESC')
+            ->addOrderBy('m.id', 'DESC')
+            ->setMaxResults($limit + 1)
+        ;
+
+        if (null !== $cursor) {
+            $decoded = base64_decode(strtr($cursor, '-_', '+/'), true);
+            if (false !== $decoded && str_contains($decoded, ':')) {
+                [$sentAtStr, $idStr] = explode(':', $decoded, 2);
+                $cursorSentAt        = DateTimeImmutable::createFromFormat(DateTimeInterface::ATOM, $sentAtStr);
+                $cursorId            = (int) $idStr;
+
+                if ($cursorSentAt instanceof DateTimeImmutable) {
+                    $qb
+                        ->andWhere('m.sentAt < :cursorSentAt OR (m.sentAt = :cursorSentAt AND m.id < :cursorId)')
+                        ->setParameter('cursorSentAt', $cursorSentAt)
+                        ->setParameter('cursorId', $cursorId)
+                    ;
+                }
+            }
+        }
+
+        /** @var list<MailMessage> $results */
+        $results    = $qb->getQuery()->getResult();
+        $hasMore    = count($results) > $limit;
+        $messages   = $hasMore ? array_slice($results, 0, $limit) : $results;
+        $nextCursor = null;
+
+        if ($hasMore && [] !== $messages) {
+            $last       = end($messages);
+            $raw        = $last->getSentAt()->format(DateTimeInterface::ATOM).':'.$last->getId();
+            $nextCursor = rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
+        }
+
+        return ['messages' => $messages, 'nextCursor' => $nextCursor];
+    }
+}
diff --git a/src/Repository/TaskMailLinkRepository.php b/src/Repository/TaskMailLinkRepository.php
new file mode 100644
index 0000000..565e71d
--- /dev/null
+++ b/src/Repository/TaskMailLinkRepository.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\MailMessage;
+use App\Entity\Task;
+use App\Entity\TaskMailLink;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+class TaskMailLinkRepository extends ServiceEntityRepository
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskMailLink::class);
+    }
+
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByTask(Task $task): array
+    {
+        return $this->createQueryBuilder('l')
+            ->andWhere('l.task = :task')
+            ->setParameter('task', $task)
+            ->orderBy('l.linkedAt', 'DESC')
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
+    public function findByTaskAndMessage(Task $task, MailMessage $message): ?TaskMailLink
+    {
+        return $this->findOneBy(['task' => $task, 'mailMessage' => $message]);
+    }
+
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByMessage(MailMessage $message): array
+    {
+        return $this->findBy(['mailMessage' => $message]);
+    }
+}
diff --git a/src/Security/MailAccessChecker.php b/src/Security/MailAccessChecker.php
new file mode 100644
index 0000000..aa5073a
--- /dev/null
+++ b/src/Security/MailAccessChecker.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\Entity\User;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final readonly class MailAccessChecker
+{
+    public function __construct(
+        private AuthorizationCheckerInterface $authorizationChecker,
+    ) {}
+
+    /**
+     * Verifie que l'utilisateur courant peut acceder aux endpoints mail.
+     * Autorise : ROLE_USER, ROLE_ADMIN.
+     * Refuse : ROLE_CLIENT pur (sans ROLE_ADMIN), non authentifie.
+     *
+     * @throws AccessDeniedException
+     */
+    public function ensureCanAccessMail(?UserInterface $user): void
+    {
+        if (!$user instanceof User) {
+            throw new AccessDeniedException('Authentication required');
+        }
+
+        $roles = $user->getRoles();
+
+        if (in_array('ROLE_CLIENT', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+            throw new AccessDeniedException('Mail not accessible to clients');
+        }
+
+        if (!in_array('ROLE_USER', $roles, true) && !in_array('ROLE_ADMIN', $roles, true)) {
+            throw new AccessDeniedException('ROLE_USER required');
+        }
+    }
+
+    /**
+     * Verifie que l'utilisateur est ROLE_ADMIN.
+     *
+     * @throws AccessDeniedException
+     */
+    public function ensureIsAdmin(?UserInterface $user): void
+    {
+        if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Admin only');
+        }
+    }
+}
diff --git a/src/Service/MailSyncService.php b/src/Service/MailSyncService.php
new file mode 100644
index 0000000..2d0e329
--- /dev/null
+++ b/src/Service/MailSyncService.php
@@ -0,0 +1,347 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service;
+
+use App\Entity\MailFolder;
+use App\Entity\MailMessage;
+use App\Mail\Dto\MailSyncReport;
+use App\Mail\Exception\MailProviderException;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailConfigurationRepository;
+use App\Repository\MailFolderRepository;
+use App\Repository\MailMessageRepository;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\Persistence\ManagerRegistry;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Lock\LockFactory;
+use Throwable;
+
+final class MailSyncService
+{
+    private const int FLAGS_RESYNC_LIMIT = 200;
+    private const string LOCK_NAME       = 'mail.sync';
+    private const float LOCK_TTL         = 600.0;
+
+    public function __construct(
+        private readonly MailProviderInterface $provider,
+        private readonly MailConfigurationRepository $configRepository,
+        private readonly MailFolderRepository $folderRepository,
+        private readonly MailMessageRepository $messageRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly LockFactory $lockFactory,
+        private readonly LoggerInterface $logger,
+        private readonly ManagerRegistry $managerRegistry,
+    ) {}
+
+    public function syncAll(): MailSyncReport
+    {
+        $startedAt = new DateTimeImmutable();
+
+        $config = $this->configRepository->findSingleton();
+
+        if (null === $config || !$config->isEnabled()) {
+            $this->logger->info('mail.sync skipped: mail config is disabled or missing');
+
+            return $this->emptyReport($startedAt, []);
+        }
+
+        $lock = $this->lockFactory->createLock(self::LOCK_NAME, ttl: self::LOCK_TTL, autoRelease: true);
+
+        if (!$lock->acquire()) {
+            $this->logger->info('mail.sync skipped: another sync in progress');
+
+            return $this->emptyReport($startedAt, ['lock_not_acquired']);
+        }
+
+        try {
+            return $this->doSyncAll($startedAt);
+        } finally {
+            $this->provider->closeConnection();
+            $lock->release();
+        }
+    }
+
+    public function syncFolderStructure(): void
+    {
+        try {
+            $remoteFolders = $this->provider->listFolders();
+        } catch (MailProviderException $e) {
+            $this->logger->error('syncFolderStructure: listFolders failed: '.$e->getMessage());
+
+            return;
+        }
+
+        $remotePathSet = [];
+
+        foreach ($remoteFolders as $dto) {
+            $remotePathSet[$dto->path] = true;
+            $folder                    = $this->folderRepository->findByPath($dto->path);
+
+            if (null === $folder) {
+                $folder = new MailFolder();
+                $folder->setPath($dto->path);
+            }
+
+            $folder->setDisplayName($dto->displayName);
+            $folder->setParentPath($dto->parentPath);
+            $folder->setUnreadCount($dto->unreadCount);
+            $folder->setTotalCount($dto->totalCount);
+
+            $this->entityManager->persist($folder);
+        }
+
+        $this->entityManager->flush();
+
+        $allDbFolders = $this->folderRepository->findAllOrderedByPath();
+
+        foreach ($allDbFolders as $dbFolder) {
+            if (!isset($remotePathSet[$dbFolder->getPath()])) {
+                $this->logger->warning(sprintf(
+                    'syncFolderStructure: folder "%s" no longer exists on server — keeping in DB for safety',
+                    $dbFolder->getPath()
+                ));
+            }
+        }
+    }
+
+    public function syncFolder(MailFolder $folder): MailSyncReport
+    {
+        $startedAt     = new DateTimeImmutable();
+        $createdCount  = 0;
+        $updatedCount  = 0;
+        $deletedCount  = 0;
+        $errors        = [];
+        $remoteHeaders = null;
+
+        try {
+            $lastUid       = $this->messageRepository->findMaxUidInFolder($folder);
+            $remoteHeaders = $this->provider->listMessages($folder->getPath(), limit: 5000, offset: 0);
+
+            foreach ($remoteHeaders as $header) {
+                if ($header->uid <= $lastUid) {
+                    continue;
+                }
+
+                $existing = $this->messageRepository->findByFolderAndUid($folder, $header->uid);
+                if (null !== $existing) {
+                    continue;
+                }
+
+                $message = new MailMessage();
+                $message->setFolder($folder);
+                $message->setUid($header->uid);
+                $message->setMessageId($header->messageId);
+                $message->setSubject($header->subject);
+                $message->setFromAddress($header->fromAddress);
+                $message->setFromName($header->fromName);
+                $message->setToAddresses($header->toAddresses);
+                $message->setCcAddresses($header->ccAddresses);
+                $message->setSentAt($header->sentAt);
+                $message->setIsRead($header->isRead);
+                $message->setIsFlagged($header->isFlagged);
+                $message->setHasAttachments($header->hasAttachments);
+                $message->setSnippet($header->snippet);
+                $message->setSyncedAt(new DateTimeImmutable());
+
+                $this->entityManager->persist($message);
+                ++$createdCount;
+            }
+
+            $this->entityManager->flush();
+        } catch (MailProviderException $e) {
+            $this->logger->error(sprintf('syncFolder[%s] listMessages failed: %s', $folder->getPath(), $e->getMessage()));
+            $errors[] = $e->getMessage();
+        } catch (Throwable $e) {
+            $this->logger->error(sprintf('syncFolder[%s] unexpected error: %s', $folder->getPath(), $e->getMessage()));
+            $errors[] = $e->getMessage();
+        }
+
+        try {
+            $recentMessages = $this->messageRepository->findLastNByFolder($folder, self::FLAGS_RESYNC_LIMIT);
+
+            if (null !== $recentMessages && [] !== $recentMessages) {
+                $remoteByUid = [];
+                if (null !== $remoteHeaders) {
+                    foreach ($remoteHeaders as $h) {
+                        $remoteByUid[$h->uid] = $h;
+                    }
+                }
+
+                foreach ($recentMessages as $dbMessage) {
+                    $remote = $remoteByUid[$dbMessage->getUid()] ?? null;
+                    if (null === $remote) {
+                        continue;
+                    }
+
+                    $changed = false;
+
+                    if ($dbMessage->isRead() !== $remote->isRead) {
+                        $dbMessage->setIsRead($remote->isRead);
+                        $changed = true;
+                    }
+
+                    if ($dbMessage->isFlagged() !== $remote->isFlagged) {
+                        $dbMessage->setIsFlagged($remote->isFlagged);
+                        $changed = true;
+                    }
+
+                    if ($changed) {
+                        ++$updatedCount;
+                    }
+                }
+
+                $this->entityManager->flush();
+            }
+        } catch (Throwable $e) {
+            $this->logger->warning(sprintf('syncFolder[%s] flag resync failed: %s', $folder->getPath(), $e->getMessage()));
+        }
+
+        try {
+            $dbUids = $this->messageRepository->findAllUidsByFolder($folder);
+
+            if ([] !== $dbUids) {
+                if (null === $remoteHeaders) {
+                    $remoteHeaders = $this->provider->listMessages($folder->getPath(), limit: 5000, offset: 0);
+                }
+
+                $remoteUidSet = [];
+                foreach ($remoteHeaders as $h) {
+                    $remoteUidSet[$h->uid] = true;
+                }
+
+                $toDelete      = array_filter($dbUids, static fn (int $uid) => !isset($remoteUidSet[$uid]));
+                $toDeleteCount = count($toDelete);
+                $dbTotal       = count($dbUids);
+
+                if ($toDeleteCount > (int) ($dbTotal * 0.5)) {
+                    $warningMsg = sprintf(
+                        'syncFolder[%s] suppression guard triggered: %d/%d would be deleted (>50%%) — aborting deletions',
+                        $folder->getPath(),
+                        $toDeleteCount,
+                        $dbTotal
+                    );
+                    $this->logger->warning($warningMsg);
+                    $errors[] = $warningMsg;
+                } else {
+                    foreach ($toDelete as $uid) {
+                        $dbMessage = $this->messageRepository->findByFolderAndUid($folder, $uid);
+
+                        if (null !== $dbMessage) {
+                            $this->entityManager->remove($dbMessage);
+                            ++$deletedCount;
+                        }
+                    }
+
+                    $this->entityManager->flush();
+                }
+            }
+        } catch (MailProviderException $e) {
+            $this->logger->error(sprintf('syncFolder[%s] deletion detection failed: %s', $folder->getPath(), $e->getMessage()));
+            $errors[] = $e->getMessage();
+        }
+
+        $finishedAt = new DateTimeImmutable();
+
+        return new MailSyncReport(
+            createdCount: $createdCount,
+            updatedCount: $updatedCount,
+            deletedCount: $deletedCount,
+            foldersScanned: 1,
+            errors: $errors,
+            durationSeconds: (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp()),
+            startedAt: $startedAt,
+            finishedAt: $finishedAt,
+        );
+    }
+
+    private function doSyncAll(DateTimeImmutable $startedAt): MailSyncReport
+    {
+        $this->syncFolderStructure();
+
+        $totalCreated = 0;
+        $totalUpdated = 0;
+        $totalDeleted = 0;
+        $totalFolders = 0;
+        $allErrors    = [];
+
+        $folders = $this->folderRepository->findAllOrderedByPath();
+
+        foreach ($folders as $folder) {
+            try {
+                $report = $this->syncFolder($folder);
+                $totalCreated += $report->createdCount;
+                $totalUpdated += $report->updatedCount;
+                $totalDeleted += $report->deletedCount;
+                ++$totalFolders;
+                $allErrors = array_merge($allErrors, $report->errors);
+                // A folder error can leave the reused IMAP connection in a bad
+                // selection state ("must be in SELECTED state", "empty response").
+                // Drop it so the next folder reconnects on a clean session.
+                if ([] !== $report->errors) {
+                    $this->provider->closeConnection();
+                }
+            } catch (Throwable $e) {
+                $this->logger->error(sprintf('doSyncAll: syncFolder[%s] threw: %s', $folder->getPath(), $e->getMessage()));
+                $allErrors[] = $e->getMessage();
+                $this->provider->closeConnection();
+            }
+
+            // A failed flush closes the Doctrine EntityManager; without a reset
+            // every subsequent folder would fail with "EntityManager is closed".
+            // Reset it via the registry and stop the run cleanly — the next cron
+            // cycle resumes incrementally from where we left off.
+            if (!$this->entityManager->isOpen()) {
+                $this->logger->error('doSyncAll: EntityManager was closed mid-sync, resetting and aborting this run');
+                $this->managerRegistry->resetManager();
+                $allErrors[] = 'EntityManager closed mid-sync — run aborted, will resume next cycle';
+
+                break;
+            }
+        }
+
+        $finishedAt = new DateTimeImmutable();
+
+        $this->logger->info(sprintf(
+            'mail.sync done: %d created, %d updated, %d deleted, %d folders, %d errors, %.1fs',
+            $totalCreated,
+            $totalUpdated,
+            $totalDeleted,
+            $totalFolders,
+            count($allErrors),
+            (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp())
+        ));
+
+        return new MailSyncReport(
+            createdCount: $totalCreated,
+            updatedCount: $totalUpdated,
+            deletedCount: $totalDeleted,
+            foldersScanned: $totalFolders,
+            errors: $allErrors,
+            durationSeconds: (float) ($finishedAt->getTimestamp() - $startedAt->getTimestamp()),
+            startedAt: $startedAt,
+            finishedAt: $finishedAt,
+        );
+    }
+
+    /**
+     * @param list<string> $errors
+     */
+    private function emptyReport(DateTimeImmutable $startedAt, array $errors): MailSyncReport
+    {
+        $now = new DateTimeImmutable();
+
+        return new MailSyncReport(
+            createdCount: 0,
+            updatedCount: 0,
+            deletedCount: 0,
+            foldersScanned: 0,
+            errors: $errors,
+            durationSeconds: 0.0,
+            startedAt: $startedAt,
+            finishedAt: $now,
+        );
+    }
+}
diff --git a/src/State/Mail/MailSettingsProcessor.php b/src/State/Mail/MailSettingsProcessor.php
new file mode 100644
index 0000000..9b7a7df
--- /dev/null
+++ b/src/State/Mail/MailSettingsProcessor.php
@@ -0,0 +1,83 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State\Mail;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\ApiResource\MailSettings;
+use App\Entity\MailConfiguration;
+use App\Repository\MailConfigurationRepository;
+use App\Service\TokenEncryptor;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class MailSettingsProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private MailConfigurationRepository $configRepository,
+        private TokenEncryptor $tokenEncryptor,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): MailSettings
+    {
+        assert($data instanceof MailSettings);
+
+        $config = $this->configRepository->findSingleton();
+        if (null === $config) {
+            $config = new MailConfiguration();
+        }
+
+        if (null !== $data->protocol) {
+            $config->setProtocol($data->protocol);
+        }
+        if (null !== $data->imapHost) {
+            $config->setImapHost($data->imapHost);
+        }
+        if (null !== $data->imapPort) {
+            $config->setImapPort($data->imapPort);
+        }
+        if (null !== $data->imapEncryption) {
+            $config->setImapEncryption($data->imapEncryption);
+        }
+        if (null !== $data->smtpHost) {
+            $config->setSmtpHost($data->smtpHost);
+        }
+        if (null !== $data->smtpPort) {
+            $config->setSmtpPort($data->smtpPort);
+        }
+        if (null !== $data->smtpEncryption) {
+            $config->setSmtpEncryption($data->smtpEncryption);
+        }
+        if (null !== $data->username) {
+            $config->setUsername($data->username);
+        }
+        if (null !== $data->sentFolderPath) {
+            $config->setSentFolderPath($data->sentFolderPath);
+        }
+        $config->setEnabled($data->enabled);
+
+        if (null !== $data->password && '' !== $data->password) {
+            $config->setEncryptedPassword($this->tokenEncryptor->encrypt($data->password));
+        }
+
+        $this->em->persist($config);
+        $this->em->flush();
+
+        $result                 = new MailSettings();
+        $result->protocol       = $config->getProtocol();
+        $result->imapHost       = $config->getImapHost();
+        $result->imapPort       = $config->getImapPort();
+        $result->imapEncryption = $config->getImapEncryption();
+        $result->smtpHost       = $config->getSmtpHost();
+        $result->smtpPort       = $config->getSmtpPort();
+        $result->smtpEncryption = $config->getSmtpEncryption();
+        $result->username       = $config->getUsername();
+        $result->sentFolderPath = $config->getSentFolderPath();
+        $result->enabled        = $config->isEnabled();
+        $result->hasPassword    = $config->hasPassword();
+
+        return $result;
+    }
+}
diff --git a/src/State/Mail/MailSettingsProvider.php b/src/State/Mail/MailSettingsProvider.php
new file mode 100644
index 0000000..9a60292
--- /dev/null
+++ b/src/State/Mail/MailSettingsProvider.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State\Mail;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\ApiResource\MailSettings;
+use App\Repository\MailConfigurationRepository;
+
+final readonly class MailSettingsProvider implements ProviderInterface
+{
+    public function __construct(
+        private MailConfigurationRepository $configRepository,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): MailSettings
+    {
+        $config = $this->configRepository->findSingleton();
+        $dto    = new MailSettings();
+
+        if (null !== $config) {
+            $dto->protocol       = $config->getProtocol();
+            $dto->imapHost       = $config->getImapHost();
+            $dto->imapPort       = $config->getImapPort();
+            $dto->imapEncryption = $config->getImapEncryption();
+            $dto->smtpHost       = $config->getSmtpHost();
+            $dto->smtpPort       = $config->getSmtpPort();
+            $dto->smtpEncryption = $config->getSmtpEncryption();
+            $dto->username       = $config->getUsername();
+            $dto->sentFolderPath = $config->getSentFolderPath();
+            $dto->enabled        = $config->isEnabled();
+            $dto->hasPassword    = $config->hasPassword();
+        }
+
+        return $dto;
+    }
+}
diff --git a/symfony.lock b/symfony.lock
index 3eee6c4..d748755 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -169,6 +169,18 @@
             ".editorconfig"
         ]
     },
+    "symfony/lock": {
+        "version": "8.0",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "5.2",
+            "ref": "8e937ff2b4735d110af1770f242c1107fdab4c8e"
+        },
+        "files": [
+            "config/packages/lock.yaml"
+        ]
+    },
     "symfony/mcp-bundle": {
         "version": "v0.6.0"
     },
@@ -222,6 +234,19 @@
             "config/routes/security.yaml"
         ]
     },
+    "symfony/translation": {
+        "version": "8.0",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "6.3",
+            "ref": "620a1b84865ceb2ba304c8f8bf2a185fbf32a843"
+        },
+        "files": [
+            "config/packages/translation.yaml",
+            "translations/.gitignore"
+        ]
+    },
     "symfony/uid": {
         "version": "8.0",
         "recipe": {
diff --git a/tests/Functional/Command/MailSyncCommandTest.php b/tests/Functional/Command/MailSyncCommandTest.php
new file mode 100644
index 0000000..9ad3a5e
--- /dev/null
+++ b/tests/Functional/Command/MailSyncCommandTest.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Command;
+
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+class MailSyncCommandTest extends KernelTestCase
+{
+    public function testCommandExitsSuccessWhenMailDisabled(): void
+    {
+        self::bootKernel();
+        $application = new Application(self::$kernel);
+        $command     = $application->find('app:mail:sync');
+        $tester      = new CommandTester($command);
+
+        $exitCode = $tester->execute([]);
+
+        self::assertSame(0, $exitCode);
+        self::assertStringContainsString('disabled', strtolower($tester->getDisplay()));
+    }
+
+    public function testCommandDryRunExitsSuccess(): void
+    {
+        self::bootKernel();
+        $application = new Application(self::$kernel);
+        $command     = $application->find('app:mail:sync');
+        $tester      = new CommandTester($command);
+
+        $exitCode = $tester->execute(['--dry-run' => true]);
+
+        self::assertSame(0, $exitCode);
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailFoldersControllerTest.php b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
new file mode 100644
index 0000000..520942c
--- /dev/null
+++ b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller\Mail;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class MailFoldersControllerTest extends WebTestCase
+{
+    public function testListFoldersReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/mail/folders');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testListFoldersReturns403ForRoleClient(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        $client->loginUser($clientUser);
+        $client->request('GET', '/api/mail/folders');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testListFoldersReturns200ForRoleUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+        $client->request('GET', '/api/mail/folders');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertIsArray($data);
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailMessagesControllerTest.php b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
new file mode 100644
index 0000000..f82e4f1
--- /dev/null
+++ b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller\Mail;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class MailMessagesControllerTest extends WebTestCase
+{
+    public function testGetMessageDetailReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/mail/messages/999');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testGetMessageDetailReturns403ForRoleClient(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        $client->loginUser($clientUser);
+        $client->request('GET', '/api/mail/messages/999');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testGetMessageDetailReturns404WhenMessageNotFound(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+        $client->request('GET', '/api/mail/messages/99999');
+
+        self::assertResponseStatusCodeSame(404);
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailSettingsControllerTest.php b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
new file mode 100644
index 0000000..63c1d0c
--- /dev/null
+++ b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
@@ -0,0 +1,121 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller\Mail;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class MailSettingsControllerTest extends WebTestCase
+{
+    public function testGetConfigurationReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/mail/configuration');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testGetConfigurationReturns403ForRoleUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+        $client->request('GET', '/api/mail/configuration');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testGetConfigurationReturns200ForAdmin(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        $client->loginUser($admin);
+        $client->request('GET', '/api/mail/configuration');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+
+        self::assertArrayNotHasKey('password', $data);
+        self::assertArrayNotHasKey('encryptedPassword', $data);
+        self::assertArrayHasKey('hasPassword', $data);
+        self::assertArrayHasKey('imapHost', $data);
+        self::assertArrayHasKey('enabled', $data);
+    }
+
+    public function testPatchConfigurationReturns403ForRoleUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+        $client->request(
+            'PATCH',
+            '/api/mail/configuration',
+            [],
+            [],
+            ['CONTENT_TYPE' => 'application/merge-patch+json'],
+            json_encode(['enabled' => false])
+        );
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testPatchConfigurationUpdatesFieldsForAdmin(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        $client->loginUser($admin);
+        $client->request(
+            'PATCH',
+            '/api/mail/configuration',
+            [],
+            [],
+            ['CONTENT_TYPE' => 'application/merge-patch+json'],
+            json_encode(['imapHost' => 'imap.example.com', 'enabled' => false])
+        );
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertSame('imap.example.com', $data['imapHost']);
+        self::assertArrayNotHasKey('password', $data);
+    }
+
+    public function testPatchConfigurationWithPasswordEncryptsIt(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        $client->loginUser($admin);
+        $client->request(
+            'PATCH',
+            '/api/mail/configuration',
+            [],
+            [],
+            ['CONTENT_TYPE' => 'application/merge-patch+json'],
+            json_encode(['password' => 'secret123'])
+        );
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertTrue($data['hasPassword']);
+        self::assertArrayNotHasKey('password', $data);
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
new file mode 100644
index 0000000..54dbbc1
--- /dev/null
+++ b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller\Mail;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class MailSyncTriggerControllerTest extends WebTestCase
+{
+    public function testSyncTriggerReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('POST', '/api/mail/sync');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSyncTriggerReturns403ForRoleClient(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        $client->loginUser($clientUser);
+        $client->request('POST', '/api/mail/sync');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testSyncTriggerReturns202ForRoleUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+        $client->request('POST', '/api/mail/sync');
+
+        self::assertResponseStatusCodeSame(202);
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('message', $data);
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
new file mode 100644
index 0000000..83feeb5
--- /dev/null
+++ b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller\Mail;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class MailTaskIntegrationControllerTest extends WebTestCase
+{
+    public function testLinkTaskReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('POST', '/api/mail/messages/1/link-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['taskId' => 1]));
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testLinkTaskReturns403ForRoleClient(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        $client->loginUser($clientUser);
+        $client->request('POST', '/api/mail/messages/1/link-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['taskId' => 1]));
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testUnlinkTaskReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('DELETE', '/api/mail/messages/1/link-task/1');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testTaskMailsListReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/tasks/1/mails');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testTaskMailsListReturns403ForRoleClient(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $clientUser = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        $client->loginUser($clientUser);
+        $client->request('GET', '/api/tasks/1/mails');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testCreateTaskReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('POST', '/api/mail/messages/1/create-task', [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['projectId' => 1]));
+
+        self::assertResponseStatusCodeSame(401);
+    }
+}
diff --git a/tests/Unit/Mail/ImapMailProviderTest.php b/tests/Unit/Mail/ImapMailProviderTest.php
new file mode 100644
index 0000000..3720d35
--- /dev/null
+++ b/tests/Unit/Mail/ImapMailProviderTest.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Mail;
+
+use App\Entity\MailConfiguration;
+use App\Mail\Exception\MailProviderException;
+use App\Mail\ImapMailProvider;
+use App\Repository\MailConfigurationRepository;
+use App\Service\TokenEncryptor;
+use PHPUnit\Framework\TestCase;
+use Psr\Log\NullLogger;
+
+/**
+ * @internal
+ */
+class ImapMailProviderTest extends TestCase
+{
+    public function testThrowsWhenConfigDisabled(): void
+    {
+        $config = new MailConfiguration();
+        $config->setEnabled(false);
+
+        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo->method('findSingleton')->willReturn($config);
+
+        $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
+
+        $this->expectException(MailProviderException::class);
+        $provider->listFolders();
+    }
+
+    public function testThrowsWhenConfigMissing(): void
+    {
+        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo->method('findSingleton')->willReturn(null);
+
+        $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
+
+        $this->expectException(MailProviderException::class);
+        $provider->listFolders();
+    }
+
+    private function makeEncryptor(): TokenEncryptor
+    {
+        return new TokenEncryptor(sodium_bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
+    }
+}
diff --git a/tests/Unit/Mail/MailSyncReportTest.php b/tests/Unit/Mail/MailSyncReportTest.php
new file mode 100644
index 0000000..bea5283
--- /dev/null
+++ b/tests/Unit/Mail/MailSyncReportTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Mail;
+
+use App\Mail\Dto\MailSyncReport;
+use DateTimeImmutable;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+class MailSyncReportTest extends TestCase
+{
+    public function testInstantiationWithDefaults(): void
+    {
+        $start  = new DateTimeImmutable('2026-01-01 10:00:00');
+        $finish = new DateTimeImmutable('2026-01-01 10:00:05');
+
+        $report = new MailSyncReport(
+            createdCount: 3,
+            updatedCount: 1,
+            deletedCount: 0,
+            foldersScanned: 2,
+            errors: [],
+            durationSeconds: 5.0,
+            startedAt: $start,
+            finishedAt: $finish,
+        );
+
+        self::assertSame(3, $report->createdCount);
+        self::assertSame(1, $report->updatedCount);
+        self::assertSame(0, $report->deletedCount);
+        self::assertSame(2, $report->foldersScanned);
+        self::assertSame([], $report->errors);
+        self::assertSame(5.0, $report->durationSeconds);
+        self::assertSame($start, $report->startedAt);
+        self::assertSame($finish, $report->finishedAt);
+    }
+
+    public function testWithErrors(): void
+    {
+        $report = new MailSyncReport(
+            createdCount: 0,
+            updatedCount: 0,
+            deletedCount: 0,
+            foldersScanned: 1,
+            errors: ['IMAP connection timeout'],
+            durationSeconds: 0.5,
+            startedAt: new DateTimeImmutable(),
+            finishedAt: new DateTimeImmutable(),
+        );
+
+        self::assertCount(1, $report->errors);
+        self::assertSame('IMAP connection timeout', $report->errors[0]);
+    }
+}
diff --git a/tests/Unit/Repository/MailConfigurationRepositoryTest.php b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
new file mode 100644
index 0000000..f903ee6
--- /dev/null
+++ b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Repository;
+
+use App\Entity\MailConfiguration;
+use App\Repository\MailConfigurationRepository;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+class MailConfigurationRepositoryTest extends KernelTestCase
+{
+    private MailConfigurationRepository $repository;
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container        = static::getContainer();
+        $this->repository = $container->get(MailConfigurationRepository::class);
+        $this->em         = $container->get('doctrine.orm.entity_manager');
+        $this->em->getConnection()->executeStatement('TRUNCATE TABLE mail_configuration RESTART IDENTITY CASCADE');
+    }
+
+    public function testFindSingletonReturnsNullWhenEmpty(): void
+    {
+        $result = $this->repository->findSingleton();
+
+        self::assertNull($result);
+    }
+
+    public function testFindSingletonReturnsFirstRecord(): void
+    {
+        $config = new MailConfiguration();
+        $config->setImapHost('ssl0.ovh.net');
+        $config->setEnabled(false);
+        $this->em->persist($config);
+        $this->em->flush();
+
+        $result = $this->repository->findSingleton();
+
+        self::assertInstanceOf(MailConfiguration::class, $result);
+        self::assertSame('ssl0.ovh.net', $result->getImapHost());
+        self::assertFalse($result->isEnabled());
+    }
+}
diff --git a/tests/Unit/Service/MailSyncServiceTest.php b/tests/Unit/Service/MailSyncServiceTest.php
new file mode 100644
index 0000000..76abdf4
--- /dev/null
+++ b/tests/Unit/Service/MailSyncServiceTest.php
@@ -0,0 +1,187 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Service;
+
+use App\Entity\MailConfiguration;
+use App\Entity\MailFolder;
+use App\Mail\Dto\MailFolderDto;
+use App\Mail\MailProviderInterface;
+use App\Repository\MailConfigurationRepository;
+use App\Repository\MailFolderRepository;
+use App\Repository\MailMessageRepository;
+use App\Service\MailSyncService;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\Persistence\ManagerRegistry;
+use PHPUnit\Framework\TestCase;
+use Psr\Log\NullLogger;
+use Symfony\Component\Lock\LockFactory;
+use Symfony\Component\Lock\SharedLockInterface;
+
+/**
+ * @internal
+ */
+class MailSyncServiceTest extends TestCase
+{
+    public function testSyncAllReturnsEmptyReportWhenConfigDisabled(): void
+    {
+        $config = new MailConfiguration();
+        $config->setEnabled(false);
+
+        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo->method('findSingleton')->willReturn($config);
+
+        $provider    = $this->createMock(MailProviderInterface::class);
+        $folderRepo  = $this->createMock(MailFolderRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $em          = $this->createMock(EntityManagerInterface::class);
+        $lockFactory = $this->makeLockFactory();
+
+        $service = new MailSyncService(
+            provider: $provider,
+            configRepository: $configRepo,
+            folderRepository: $folderRepo,
+            messageRepository: $messageRepo,
+            entityManager: $em,
+            lockFactory: $lockFactory,
+            logger: new NullLogger(),
+            managerRegistry: $this->createMock(ManagerRegistry::class),
+        );
+
+        $report = $service->syncAll();
+
+        self::assertSame(0, $report->createdCount);
+        self::assertSame(0, $report->updatedCount);
+        self::assertSame(0, $report->deletedCount);
+        self::assertSame(0, $report->foldersScanned);
+    }
+
+    public function testSyncAllReturnsEmptyReportWhenLockNotAcquired(): void
+    {
+        $config = new MailConfiguration();
+        $config->setEnabled(true);
+
+        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo->method('findSingleton')->willReturn($config);
+
+        $provider    = $this->createMock(MailProviderInterface::class);
+        $folderRepo  = $this->createMock(MailFolderRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $em          = $this->createMock(EntityManagerInterface::class);
+        $lockFactory = $this->makeLockFactory(false);
+
+        $service = new MailSyncService(
+            provider: $provider,
+            configRepository: $configRepo,
+            folderRepository: $folderRepo,
+            messageRepository: $messageRepo,
+            entityManager: $em,
+            lockFactory: $lockFactory,
+            logger: new NullLogger(),
+            managerRegistry: $this->createMock(ManagerRegistry::class),
+        );
+
+        $report = $service->syncAll();
+
+        self::assertSame(0, $report->createdCount);
+        self::assertContains('lock_not_acquired', $report->errors);
+    }
+
+    public function testSyncFolderStructureCreatesNewFolders(): void
+    {
+        $config = new MailConfiguration();
+        $config->setEnabled(true);
+
+        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo->method('findSingleton')->willReturn($config);
+
+        $folderDto = new MailFolderDto(
+            path: 'INBOX',
+            displayName: 'Inbox',
+            parentPath: null,
+            unreadCount: 5,
+            totalCount: 42,
+        );
+
+        $provider = $this->createMock(MailProviderInterface::class);
+        $provider->method('listFolders')->willReturn([$folderDto]);
+
+        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $folderRepo->method('findByPath')->willReturn(null);
+        $folderRepo->method('findAllOrderedByPath')->willReturn([]);
+
+        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $em          = $this->createMock(EntityManagerInterface::class);
+        $em->expects(self::once())->method('persist');
+        $em->expects(self::once())->method('flush');
+
+        $lockFactory = $this->makeLockFactory();
+
+        $service = new MailSyncService(
+            provider: $provider,
+            configRepository: $configRepo,
+            folderRepository: $folderRepo,
+            messageRepository: $messageRepo,
+            entityManager: $em,
+            lockFactory: $lockFactory,
+            logger: new NullLogger(),
+            managerRegistry: $this->createMock(ManagerRegistry::class),
+        );
+
+        $service->syncFolderStructure();
+    }
+
+    public function testSyncFolderAbortsSuppressionWhenOver50Percent(): void
+    {
+        $config = new MailConfiguration();
+        $config->setEnabled(true);
+
+        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo->method('findSingleton')->willReturn($config);
+
+        $folder = new MailFolder();
+        $folder->setPath('INBOX');
+
+        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $messageRepo->method('findMaxUidInFolder')->willReturn(10);
+        $messageRepo->method('findAllUidsByFolder')->willReturn([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
+        $messageRepo->method('findLastNByFolder')->willReturn([]);
+
+        $provider = $this->createMock(MailProviderInterface::class);
+        $provider->method('listMessages')->willReturn([]);
+
+        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $em         = $this->createMock(EntityManagerInterface::class);
+        $em->expects(self::never())->method('remove');
+
+        $lockFactory = $this->makeLockFactory();
+
+        $service = new MailSyncService(
+            provider: $provider,
+            configRepository: $configRepo,
+            folderRepository: $folderRepo,
+            messageRepository: $messageRepo,
+            entityManager: $em,
+            lockFactory: $lockFactory,
+            logger: new NullLogger(),
+            managerRegistry: $this->createMock(ManagerRegistry::class),
+        );
+
+        $report = $service->syncFolder($folder);
+
+        self::assertSame(0, $report->deletedCount);
+        self::assertNotEmpty($report->errors);
+    }
+
+    private function makeLockFactory(bool $acquired = true): LockFactory
+    {
+        $lock = $this->createMock(SharedLockInterface::class);
+        $lock->method('acquire')->willReturn($acquired);
+
+        $factory = $this->createMock(LockFactory::class);
+        $factory->method('createLock')->willReturn($lock);
+
+        return $factory;
+    }
+}
diff --git a/translations/.gitignore b/translations/.gitignore
new file mode 100644
index 0000000..e69de29