chore: bump version to v0.2.9

- Project cards (/projects): 16px radius, pastel background, no border
- Time tracking calendar blocks: pastel opaque background, project color text

Ticket: LST-29

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.env

@@ -1,5 +1,5 @@
 APP_ENV=dev
-APP_SECRET="a64f5614357bf56aecb1d7470e431535"
+APP_SECRET="change_me_in_env_local"
 APP_DEBUG=1
 
 DEFAULT_URI=http://localhost/
@@ -11,7 +11,7 @@ CORS_ALLOW_ORIGIN='^https?://(localhost|127.0.0.1)(:[0-9]+)?$'
 ###> lexik/jwt-authentication-bundle ###
 JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
 JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
-JWT_PASSPHRASE=c2dbeec8fa8255bdab24e88b9fc1e57927740c429ae3b930d03e51b92e13a85f
+JWT_PASSPHRASE=change_me_in_env_local
 JWT_COOKIE_SECURE=0
 JWT_TOKEN_TTL=86400
 JWT_COOKIE_TTL=86400
@@ -20,4 +20,4 @@ JWT_COOKIE_TTL=86400
 
 DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:${POSTGRES_PORT}/${POSTGRES_DB}?serverVersion=16&charset=utf8"
 
-ENCRYPTION_KEY=aaaaaaaaa
+ENCRYPTION_KEY=change_me_in_env_local

.env.example

@@ -0,0 +1,99 @@
+###############################################################################
+# Lesstime — Fichier d'environnement de reference
+#
+# Copiez ce fichier en .env.local et remplissez les valeurs sensibles.
+# Les valeurs par defaut dans .env suffisent pour le developpement ;
+# seuls les secrets (APP_SECRET, JWT_PASSPHRASE, ENCRYPTION_KEY) doivent
+# etre definis dans .env.local.
+#
+# Ne commitez JAMAIS de vrais secrets dans .env ou .env.example.
+###############################################################################
+
+# ===========================================================================
+# App
+# ===========================================================================
+
+# Environnement Symfony : dev, test, prod
+APP_ENV=dev
+
+# Secret applicatif Symfony (32 chars hex) — a generer pour chaque installation
+# Generer avec : php -r "echo bin2hex(random_bytes(16));"
+APP_SECRET="change_me_in_env_local"
+
+# Active/desactive le mode debug (1 = oui, 0 = non)
+APP_DEBUG=1
+
+# URI par defaut de l'application (utilise pour les liens absolus)
+DEFAULT_URI=http://localhost/
+
+# ===========================================================================
+# CORS (nelmio/cors-bundle)
+# ===========================================================================
+
+# Origines autorisees pour les requetes cross-origin (regex)
+CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
+
+# ===========================================================================
+# JWT (lexik/jwt-authentication-bundle)
+# ===========================================================================
+
+# Chemin vers la cle privee RSA pour signer les tokens JWT
+JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
+
+# Chemin vers la cle publique RSA pour verifier les tokens JWT
+JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
+
+# Passphrase de la cle privee JWT — a generer pour chaque installation
+# Generer avec : php -r "echo bin2hex(random_bytes(32));"
+JWT_PASSPHRASE=change_me_in_env_local
+
+# Cookie securise (1 = HTTPS uniquement, 0 = HTTP autorise — dev seulement)
+JWT_COOKIE_SECURE=0
+
+# Duree de vie du token JWT en secondes (86400 = 24h)
+JWT_TOKEN_TTL=86400
+
+# Duree de vie du cookie JWT en secondes (86400 = 24h)
+JWT_COOKIE_TTL=86400
+
+# ===========================================================================
+# Base de donnees (Doctrine / PostgreSQL)
+# ===========================================================================
+
+# Les variables POSTGRES_* sont definies dans docker/.env.docker
+# et injectees automatiquement par Docker Compose.
+# DATABASE_URL est construite a partir de ces variables.
+DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:${POSTGRES_PORT}/${POSTGRES_DB}?serverVersion=16&charset=utf8"
+
+# ===========================================================================
+# Chiffrement
+# ===========================================================================
+
+# Cle de chiffrement pour les donnees sensibles (64 chars hex = 256 bits)
+# Generer avec : php -r "echo bin2hex(random_bytes(32));"
+ENCRYPTION_KEY=change_me_in_env_local
+
+# ===========================================================================
+# Docker (docker/.env.docker)
+#
+# Ces variables sont lues par Docker Compose. Voir docker/.env.docker
+# pour les valeurs par defaut. Creez docker/.env.docker.local pour
+# surcharger localement.
+# ===========================================================================
+
+# DOCKER_APP_NAME=lesstime
+# DOCKER_PHP_VERSION=8.4.6
+# DOCKER_NODE_VERSION=24.12.0
+# APP_USER=www-data
+# POSTGRES_DB=lesstime
+# POSTGRES_USER=root
+# POSTGRES_PASSWORD=root
+# POSTGRES_PORT=5435
+# XDEBUG_CLIENT_HOST=host.docker.internal
+
+# ===========================================================================
+# Frontend (frontend/.env)
+# ===========================================================================
+
+# Base URL de l'API pour le client Nuxt (relative, proxifiee par Nginx)
+# NUXT_PUBLIC_API_BASE=/api

.gitea/workflows/release-artefact.yml

@@ -45,12 +45,12 @@ jobs:
           set -euo pipefail
           mkdir -p release
           tar -czf "release/lesstime-${GITHUB_REF_NAME}.tar.gz" \
+            .env \
             bin \
             config \
             migrations \
             public \
             src \
-            templates \
             vendor \
             composer.json \
             composer.lock \

.gitignore

@@ -22,3 +22,11 @@
 ###> lexik/jwt-authentication-bundle ###
 /config/jwt/*.pem
 ###< lexik/jwt-authentication-bundle ###
+
+###> ide ###
+.idea/
+###< ide ###
+
+###> docker local ###
+docker/.env.docker.local
+###< docker local ###

.idea/.gitignore

@@ -1,10 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Ignored default folder with query files
-/queries/
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
-# Editor-based HTTP Client requests
-/httpRequests/

.idea/Lesstime.iml

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="WEB_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$" />
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-</module>

.idea/db-forest-config.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="db-tree-configuration">
-    <option name="data" value="----------------------------------------&#10;1:0:9cad43df-2147-4989-b7a4-443067034884&#10;2:0:ae622167-c834-4e7b-87a5-c1721036f5dc&#10;3:0:f407a514-c6b4-4b26-9555-445a85892502&#10;4:0:09e221b8-067a-488b-9c1d-4e155a333079&#10;" />
-  </component>
-</project>

.idea/material_theme_project_new.xml

@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="MaterialThemeProjectNewConfig">
-    <option name="metadata">
-      <MTProjectMetadataState>
-        <option name="userId" value="386cba74:19cc24e9181:-799b" />
-      </MTProjectMetadataState>
-    </option>
-  </component>
-</project>

.idea/modules.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/Lesstime.iml" filepath="$PROJECT_DIR$/.idea/Lesstime.iml" />
-    </modules>
-  </component>
-</project>

.idea/php.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="MessDetectorOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PHPCSFixerOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PHPCodeSnifferOptionsConfiguration">
-    <option name="highlightLevel" value="WARNING" />
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PhpProjectSharedConfiguration" php_language_level="8.4" />
-  <component name="PhpStanOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-  <component name="PsalmOptionsConfiguration">
-    <option name="transferred" value="true" />
-  </component>
-</project>

.idea/vcs.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="$PROJECT_DIR$" vcs="Git" />
-  </component>
-</project>

CLAUDE.md

@@ -12,7 +12,7 @@ Application de gestion de projet. Monorepo Symfony 8 (API Platform 4) + Nuxt 4.
 ## Structure
 
 ```
-src/Entity/          # Entités Doctrine (User, Client, Project, Task, TaskStatus, TaskEffort, TaskPriority, TaskTag, TaskGroup, TimeEntry, GiteaConfiguration, ClientTicket, Notification, TaskDocument)
+src/Entity/          # Entités Doctrine (User, Client, Project, Task, TaskStatus, TaskEffort, TaskPriority, TaskTag, TaskGroup, TimeEntry, GiteaConfiguration, ClientTicket, Notification, TaskDocument, BookStackConfiguration, TaskBookStackLink)
 src/ApiResource/     # Ressources API Platform (si découplées des entités)
 src/State/           # Providers et Processors API Platform (MeProvider, AppVersionProvider, ActiveTimeEntryProvider, UserPasswordHasherProcessor, TaskNumberProcessor, ClientTicket*Provider/Processor, NotificationProvider, Gitea*Provider, Gitea*Processor)
 src/Service/         # Services métier (NotificationService)

composer.json

@@ -26,12 +26,13 @@
         "symfony/http-client": "8.0.*",
         "symfony/mcp-bundle": "^0.6.0",
         "symfony/mime": "8.0.*",
+        "symfony/monolog-bundle": "^4.0",
         "symfony/property-access": "8.0.*",
         "symfony/property-info": "8.0.*",
+        "symfony/rate-limiter": "8.0.*",
         "symfony/runtime": "8.0.*",
         "symfony/security-bundle": "8.0.*",
         "symfony/serializer": "8.0.*",
-        "symfony/twig-bundle": "8.0.*",
         "symfony/validator": "8.0.*",
         "symfony/yaml": "8.0.*"
     },
@@ -90,8 +91,6 @@
     "require-dev": {
         "doctrine/doctrine-fixtures-bundle": "^4.3",
         "friendsofphp/php-cs-fixer": "^3.94",
-        "phpunit/phpunit": "^13.0",
-        "symfony/browser-kit": "8.0.*",
-        "symfony/css-selector": "8.0.*"
+        "phpunit/phpunit": "^13.0"
     }
 }

config/bundles.php

@@ -10,12 +10,11 @@ use Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle;
 use Nelmio\CorsBundle\NelmioCorsBundle;
 use Symfony\AI\McpBundle\McpBundle;
 use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
+use Symfony\Bundle\MonologBundle\MonologBundle;
 use Symfony\Bundle\SecurityBundle\SecurityBundle;
-use Symfony\Bundle\TwigBundle\TwigBundle;
 
 return [
     FrameworkBundle::class              => ['all' => true],
-    TwigBundle::class                   => ['all' => true],
     SecurityBundle::class               => ['all' => true],
     DoctrineBundle::class               => ['all' => true],
     DoctrineMigrationsBundle::class     => ['all' => true],
@@ -24,4 +23,5 @@ return [
     DoctrineFixturesBundle::class       => ['dev' => true, 'test' => true],
     LexikJWTAuthenticationBundle::class => ['all' => true],
     McpBundle::class                    => ['all' => true],
+    MonologBundle::class                => ['all' => true],
 ];

config/packages/api_platform.yaml

@@ -1,5 +1,5 @@
 api_platform:
-    title: Hello API Platform
+    title: Lesstime API
     version: 1.0.0
     formats:
         jsonld: ['application/ld+json']

config/packages/mcp.yaml

@@ -19,5 +19,5 @@ mcp:
         path: /_mcp
         session:
             store: file
-            directory: '%kernel.cache_dir%/mcp-sessions'
+            directory: '%kernel.project_dir%/var/mcp-sessions'
             ttl: 3600

config/packages/monolog.yaml

@@ -0,0 +1,56 @@
+monolog:
+    channels:
+        - deprecation
+
+when@dev:
+    monolog:
+        handlers:
+            main:
+                type: rotating_file
+                path: "%kernel.logs_dir%/%kernel.environment%.log"
+                level: debug
+                max_files: 7
+                channels: ["!event"]
+            console:
+                type: console
+                process_psr_3_messages: false
+                channels: ["!event", "!doctrine", "!console"]
+
+when@test:
+    monolog:
+        handlers:
+            main:
+                type: fingers_crossed
+                action_level: error
+                handler: nested
+                excluded_http_codes: [404, 405]
+                channels: ["!event"]
+            nested:
+                type: stream
+                path: "%kernel.logs_dir%/%kernel.environment%.log"
+                level: debug
+
+when@prod:
+    monolog:
+        handlers:
+            main:
+                type: fingers_crossed
+                action_level: error
+                handler: nested
+                excluded_http_codes: [404, 405]
+                channels: ["!deprecation"]
+                buffer_size: 50
+            nested:
+                type: rotating_file
+                path: "%kernel.logs_dir%/%kernel.environment%.log"
+                level: debug
+                max_files: 30
+            console:
+                type: console
+                process_psr_3_messages: false
+                channels: ["!event", "!doctrine"]
+            deprecation:
+                type: rotating_file
+                channels: [deprecation]
+                path: "%kernel.logs_dir%/deprecations.log"
+                max_files: 7

config/packages/security.yaml

@@ -22,6 +22,9 @@ security:
             pattern: ^/login_check
             stateless: true
             provider: app_user_provider
+            login_throttling:
+                max_attempts: 5
+                interval: '1 minute'
             json_login:
                 check_path: /login_check
                 username_path: username
@@ -59,6 +62,7 @@ security:
         - { path: ^/api/docs, roles: PUBLIC_ACCESS }
         # Version de l'application en public
         - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
+        - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
         - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
 

config/packages/twig.yaml

@@ -1,6 +0,0 @@
-twig:
-    file_name_pattern: '*.twig'
-
-when@test:
-    twig:
-        strict_variables: true

config/version.yaml

@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.1.0'
+    app.version: '0.2.9'

deploy/nginx/lesstime.conf

@@ -0,0 +1,50 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name project.malio-dev.fr;
+
+  root /var/www/lesstime/frontend/.output/public;
+  index index.html;
+
+  client_max_body_size 55m;
+
+    location ^~ /api/ {
+        root /var/www/lesstime/public;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ^~ /bundles/ {
+        root /var/www/lesstime/public;
+        try_files $uri =404;
+    }
+
+    location = /api/login_check {
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME /var/www/lesstime/public/index.php;
+        fastcgi_param DOCUMENT_ROOT /var/www/lesstime/public;
+        fastcgi_param SCRIPT_NAME /index.php;
+        fastcgi_param PATH_INFO /login_check;
+        fastcgi_param REQUEST_URI /login_check;
+        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
+    }
+
+    location ^~ /_mcp {
+        root /var/www/lesstime/public;
+        try_files $uri /index.php?$query_string;
+    }
+
+    location ~ ^/index\.php(/|$) {
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME /var/www/lesstime/public/index.php;
+        fastcgi_param DOCUMENT_ROOT /var/www/lesstime/public;
+        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
+    }
+
+  location ~ \.php$ {
+      return 404;
+  }
+
+  location / {
+      try_files $uri $uri/ /index.html;
+  }
+}

docker/.env.docker.local

@@ -1,9 +0,0 @@
-DOCKER_APP_NAME=lesstime
-DOCKER_PHP_VERSION=8.4.6
-DOCKER_NODE_VERSION=24.12.0
-APP_USER=www-data
-POSTGRES_DB=lesstime
-POSTGRES_USER=root
-POSTGRES_PASSWORD=root
-POSTGRES_PORT=5435
-XDEBUG_CLIENT_HOST=192.168.0.124

docs/deploy.md

@@ -0,0 +1,213 @@
+# Deploiement sur serveur Ubuntu (sans Docker)
+
+## Prerequis
+
+- Ubuntu 22.04+ avec PHP 8.4, Node 24, PostgreSQL 16, Nginx
+- Acces root ou sudo sur le serveur
+
+## 1. Preparer la BDD
+
+```bash
+sudo -u postgres createuser lesstime
+sudo -u postgres createdb -O lesstime lesstime
+sudo -u postgres psql -c "ALTER USER lesstime WITH PASSWORD 'ton-mdp';"
+```
+
+## 2. Creer les dossiers
+
+```bash
+sudo mkdir -p /var/www/lesstime/var/log /var/www/lesstime/var/cache /var/www/lesstime/config/jwt
+sudo chown -R www-data:www-data /var/www/lesstime
+```
+
+## 3. Configurer l'environnement
+
+```bash
+sudo nano /var/www/lesstime/.env
+```
+
+Contenu minimal :
+```ini
+APP_ENV=prod
+```
+
+```bash
+sudo nano /var/www/lesstime/.env.local
+```
+
+Contenu :
+```ini
+APP_ENV=prod
+APP_SECRET=<random-hex-32>
+APP_DEBUG=0
+
+DEFAULT_URI=http://project.malio-dev.fr/
+CORS_ALLOW_ORIGIN='^https?://project\.malio-dev\.fr$'
+
+DATABASE_URL="postgresql://lesstime:<mdp>@localhost:5432/lesstime?serverVersion=16&charset=utf8"
+
+JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
+JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
+JWT_PASSPHRASE=<passphrase>
+JWT_COOKIE_SECURE=0
+JWT_TOKEN_TTL=86400
+JWT_COOKIE_TTL=86400
+
+ENCRYPTION_KEY=<random-hex-32>
+```
+
+> `JWT_COOKIE_SECURE=0` car HTTP. Passer a `1` si HTTPS.
+
+## 4. Installer le script de deploy
+
+```bash
+sudo cp script/deploy-release.sh /usr/local/bin/deploy-lesstime
+sudo chmod +x /usr/local/bin/deploy-lesstime
+```
+
+Si le repo Gitea est prive, configurer un token :
+```bash
+echo "ton-token-gitea" | sudo tee /etc/lesstime-release-token
+sudo chmod 600 /etc/lesstime-release-token
+```
+
+## 5. Deployer une release
+
+```bash
+sudo /usr/local/bin/deploy-lesstime v0.2.1
+```
+
+Le script telecharge l'artefact, extrait les fichiers, clear le cache et lance les migrations.
+
+## 6. Generer les cles JWT
+
+```bash
+cd /var/www/lesstime
+sudo -u www-data php bin/console lexik:jwt:generate-keypair --skip-if-exists --env=prod
+```
+
+## 7. Configurer Nginx
+
+```bash
+sudo cp deploy/nginx/lesstime.conf /etc/nginx/sites-available/lesstime
+sudo ln -sf /etc/nginx/sites-available/lesstime /etc/nginx/sites-enabled/
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+## 8. Creer le premier user admin
+
+Hasher un mot de passe :
+```bash
+php /var/www/lesstime/bin/console security:hash-password --env=prod
+```
+
+Choisir `App\Entity\User`, taper le mdp, copier le hash. Puis :
+```bash
+sudo -u postgres psql lesstime -c "INSERT INTO \"user\" (username, roles, password, created_at) VALUES ('admin', '[\"ROLE_ADMIN\"]', '<le-hash>', NOW());"
+```
+
+## 9. Tester
+
+```bash
+curl http://project.malio-dev.fr/api/version
+curl http://project.malio-dev.fr/
+```
+
+---
+
+# Connecter le serveur MCP a Claude Code
+
+Le serveur MCP expose 22 tools (projets, taches, time tracking avec liaison tickets client, metadonnees) via le endpoint HTTP `/_mcp`.
+
+## 1. Generer un token API
+
+Sur le serveur (ou en local via Docker) :
+
+```bash
+# Production (serveur)
+php /var/www/lesstime/bin/console app:generate-api-token admin --env=prod
+
+# Dev (Docker)
+docker exec -it php-lesstime-fpm php bin/console app:generate-api-token admin
+```
+
+La commande affiche un token de 64 caracteres. Ce token est lie a l'utilisateur et stocke en base (champ `apiToken` de l'entite `User`).
+
+## 2. Configurer Claude Code
+
+### Transport HTTP (recommande pour la prod)
+
+Creer ou modifier `.mcp.json` a la racine du projet :
+
+```json
+{
+    "mcpServers": {
+        "lesstime": {
+            "type": "http",
+            "url": "http://project.malio-dev.fr/_mcp",
+            "headers": {
+                "Authorization": "Bearer <ton-token>"
+            }
+        }
+    }
+}
+```
+
+### Transport STDIO (dev local via Docker)
+
+```json
+{
+    "mcpServers": {
+        "lesstime-local": {
+            "command": "docker",
+            "args": [
+                "exec",
+                "-i",
+                "php-lesstime-fpm",
+                "php",
+                "bin/console",
+                "mcp:server"
+            ]
+        }
+    }
+}
+```
+
+### Transport STDIO via SSH (prod sans endpoint HTTP)
+
+```json
+{
+    "mcpServers": {
+        "lesstime": {
+            "command": "ssh",
+            "args": [
+                "user@serveur",
+                "php",
+                "/var/www/lesstime/bin/console",
+                "mcp:server",
+                "--env=prod"
+            ]
+        }
+    }
+}
+```
+
+## 3. Redemarrer Claude Code
+
+Apres modification de `.mcp.json`, relancer Claude Code pour qu'il detecte le serveur.
+
+## 4. Verifier
+
+Demander a Claude d'utiliser un outil MCP, par exemple :
+- "Liste les projets sur Lesstime"
+- "Cree une tache dans le projet LT"
+
+## Tools disponibles
+
+| Domaine | Tools |
+|---------|-------|
+| Projets | list-projects, get-project, create-project, update-project |
+| Taches | list-tasks, get-task, create-task, update-task, delete-task |
+| Metadonnees | list-statuses, list-priorities, list-efforts, list-tags, list-groups, create-group, update-group |
+| Time tracking | list-time-entries, create-time-entry, update-time-entry, delete-time-entry (supporte clientTicketId) |
+| Reference | list-users, list-clients |

frontend/components/admin/AdminClientTicketTab.vue

@@ -274,25 +274,22 @@ const availableStatusTransitions = computed(() => {
 })
 
 function getProjectName(iri: string): string {
-    const match = iri.match(/\/api\/projects\/(\d+)/)
-    if (!match) return ''
-    const id = Number(match[1])
+    const id = extractIdFromIri(iri)
+    if (!id) return ''
     return projects.value.find(p => p.id === id)?.name ?? ''
 }
 
 function getSubmitterName(iri: string | null): string {
     if (!iri) return '-'
-    const match = iri.match(/\/api\/users\/(\d+)/)
-    if (!match) return ''
-    const id = Number(match[1])
+    const id = extractIdFromIri(iri)
+    if (!id) return ''
     return users.value.find(u => u.id === id)?.username ?? ''
 }
 
 function getSubmitterUser(iri: string | null): UserData | undefined {
     if (!iri) return undefined
-    const match = iri.match(/\/api\/users\/(\d+)/)
-    if (!match) return undefined
-    const id = Number(match[1])
+    const id = extractIdFromIri(iri)
+    if (!id) return undefined
     return users.value.find(u => u.id === id)
 }
 

frontend/components/client-ticket/ClientTicketDetailModal.vue

@@ -191,7 +191,7 @@
 </template>
 
 <script setup lang="ts">
-import type { ClientTicket } from '~/services/dto/client-ticket'
+import type { ClientTicket, ClientTicketWrite } from '~/services/dto/client-ticket'
 import type { TaskDocument } from '~/services/dto/task-document'
 import { useTaskDocumentService } from '~/services/task-documents'
 import { useClientTicketService } from '~/services/client-tickets'
@@ -243,7 +243,7 @@ const canEdit = computed(() => {
     if (!sub) return false
     // submittedBy can be an IRI string or an embedded object
     if (typeof sub === 'string') return sub === `/api/users/${userId}`
-    if (typeof sub === 'object' && 'id' in sub) return (sub as any).id === userId
+    if (typeof sub === 'object' && 'id' in sub) return (sub as { id: number }).id === userId
     return false
 })
 
@@ -270,7 +270,7 @@ async function saveEdit() {
         if (props.ticket.type === 'bug') {
             data.url = editForm.url || null
         }
-        await clientTicketService.update(props.ticket.id, data as any)
+        await clientTicketService.update(props.ticket.id, data as Partial<ClientTicketWrite>)
         isEditing.value = false
         emit('refresh')
     } finally {

frontend/components/client/ClientDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un client' : 'Ajouter un client'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('clients.editClient') : $t('clients.addClient')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.name"

frontend/components/project/ProjectDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un projet' : 'Ajouter un projet'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('projects.editProject') : $t('projects.addProject')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.code"

frontend/components/task/TaskDocumentList.vue

@@ -34,6 +34,7 @@
                 <!-- Delete button -->
                 <button
                     v-if="isAdmin"
+                    type="button"
                     class="absolute right-1 top-1 hidden rounded p-0.5 text-neutral-400 transition-colors hover:bg-red-50 hover:text-red-500 group-hover:block"
                     @click.stop="$emit('delete', doc)"
                 >

frontend/components/task/TaskDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un ticket' : 'Ajouter un ticket'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('tasks.editTask') : $t('tasks.addTask')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.title"
@@ -267,7 +267,7 @@ async function handleArchive() {
     if (timerStore.activeEntry?.task) {
         const taskIri = typeof timerStore.activeEntry.task === 'string'
             ? timerStore.activeEntry.task
-            : (timerStore.activeEntry.task as any)?.['@id'] ?? `/api/tasks/${(timerStore.activeEntry.task as any)?.id}`
+            : (timerStore.activeEntry.task as Task)?.['@id'] ?? `/api/tasks/${(timerStore.activeEntry.task as Task)?.id}`
         if (taskIri === `/api/tasks/${props.task.id}`) {
             await timerStore.stop()
         }

frontend/components/task/TaskEffortDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un effort' : 'Ajouter un effort'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('taskEfforts.editEffort') : $t('taskEfforts.addEffort')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.label"

frontend/components/task/TaskGroupDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un groupe' : 'Ajouter un groupe'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('taskGroups.editGroup') : $t('taskGroups.addGroup')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.title"

frontend/components/task/TaskModal.vue

@@ -24,7 +24,7 @@
                                     {{ task.project.code }}-{{ task.number }}
                                 </span>
                                 <h2 class="text-lg font-bold tracking-tight text-neutral-900">
-                                    {{ isEditing ? 'Modifier un ticket' : 'Ajouter un ticket' }}
+                                    {{ isEditing ? $t('tasks.editTask') : $t('tasks.addTask') }}
                                 </h2>
                             </div>
                             <button
@@ -65,6 +65,20 @@
                             @blur="touched.title = true"
                         />
 
+                        <!-- Project select (create mode with project list) -->
+                        <div v-if="showProjectSelect" class="mt-4">
+                            <MalioSelect
+                                v-model="form.projectId"
+                                :options="projectOptions"
+                                label="Projet *"
+                                empty-option-label="Sélectionner un projet"
+                                min-width="w-full"
+                            />
+                            <p v-if="touched.project && !form.projectId" class="mt-1 text-xs text-red-500">
+                                Le projet est requis
+                            </p>
+                        </div>
+
                         <!-- Two-column selects -->
                         <div class="mt-4 grid grid-cols-1 gap-x-6 gap-y-4 sm:grid-cols-2">
                             <MalioSelect
@@ -266,6 +280,8 @@ import type { TaskGroup } from '~/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
 import { useTaskService } from '~/services/tasks'
 
+import type { Project } from '~/services/dto/project'
+
 const props = defineProps<{
     modelValue: boolean
     task: Task | null
@@ -276,6 +292,7 @@ const props = defineProps<{
     tags: TaskTag[]
     groups: TaskGroup[]
     users: UserData[]
+    projects?: Project[]
 }>()
 
 const emit = defineEmits<{
@@ -289,6 +306,7 @@ const isOpen = computed({
 })
 
 function close() {
+    if (confirmDeleteDocOpen.value || confirmDeleteOpen.value) return
     isOpen.value = false
 }
 
@@ -317,10 +335,12 @@ const form = reactive({
     groupId: null as number | null,
     tagIds: [] as number[],
     clientTicketId: null as number | null,
+    projectId: null as number | null,
 })
 
 const touched = reactive({
     title: false,
+    project: false,
 })
 
 const statusOptions = computed(() =>
@@ -339,8 +359,22 @@ const userOptions = computed(() =>
     props.users.map(u => ({ label: u.username, value: u.id }))
 )
 
-const groupOptions = computed(() =>
-    props.groups.map(g => ({ label: g.title, value: g.id }))
+const groupOptions = computed(() => {
+    let filtered = props.groups
+    if (showProjectSelect.value && form.projectId) {
+        filtered = filtered.filter(g => g.project?.id === form.projectId)
+    }
+    return filtered.map(g => ({ label: g.title, value: g.id }))
+})
+
+const showProjectSelect = computed(() => !!props.projects?.length && !isEditing.value)
+
+const projectOptions = computed(() =>
+    (props.projects ?? []).map(p => ({ label: p.name, value: p.id }))
+)
+
+const resolvedProjectId = computed(() =>
+    showProjectSelect.value ? form.projectId : props.projectId
 )
 
 const canArchive = computed(() => {
@@ -384,16 +418,25 @@ function populateForm(task: Task | null) {
         form.groupId = null
         form.tagIds = []
         form.clientTicketId = null
+        form.projectId = null
     }
     touched.title = false
+    touched.project = false
 }
 
 watch(() => props.modelValue, async (open) => {
     if (open) {
+        confirmDeleteDocOpen.value = false
+        documentToDelete.value = null
         populateForm(props.task)
-        try {
-            clientTickets.value = await clientTicketService.getAll({ project: props.projectId })
-        } catch {
+        const pid = resolvedProjectId.value
+        if (pid) {
+            try {
+                clientTickets.value = await clientTicketService.getAll({ project: pid })
+            } catch {
+                clientTickets.value = []
+            }
+        } else {
             clientTickets.value = []
         }
         if (props.task?.project?.giteaOwner && props.task?.project?.giteaRepo && !giteaUrl.value) {
@@ -423,6 +466,22 @@ const clientTicketOptions = computed(() =>
     clientTickets.value.map(ct => ({ label: `CT-${String(ct.number).padStart(3, '0')} — ${ct.title}`, value: ct.id }))
 )
 
+// Reset group and reload client tickets when project changes in create mode
+watch(() => form.projectId, async (pid) => {
+    if (!showProjectSelect.value) return
+    form.groupId = null
+    form.clientTicketId = null
+    if (pid) {
+        try {
+            clientTickets.value = await clientTicketService.getAll({ project: pid })
+        } catch {
+            clientTickets.value = []
+        }
+    } else {
+        clientTickets.value = []
+    }
+})
+
 const authStore = useAuthStore()
 const isAdmin = computed(() => authStore.user?.roles?.includes('ROLE_ADMIN') ?? false)
 
@@ -509,7 +568,7 @@ async function handleArchive() {
     if (timerStore.activeEntry?.task) {
         const taskIri = typeof timerStore.activeEntry.task === 'string'
             ? timerStore.activeEntry.task
-            : (timerStore.activeEntry.task as any)?.['@id'] ?? `/api/tasks/${(timerStore.activeEntry.task as any)?.id}`
+            : (timerStore.activeEntry.task as Task)?.['@id'] ?? `/api/tasks/${(timerStore.activeEntry.task as Task)?.id}`
         if (taskIri === `/api/tasks/${props.task.id}`) {
             await timerStore.stop()
         }
@@ -538,7 +597,9 @@ async function handleUnarchive() {
 
 async function handleSubmit() {
     touched.title = true
+    touched.project = true
     if (!form.title.trim()) return
+    if (showProjectSelect.value && !form.projectId) return
 
     isSubmitting.value = true
     try {
@@ -550,7 +611,7 @@ async function handleSubmit() {
             priority: form.priorityId ? `/api/task_priorities/${form.priorityId}` : null,
             assignee: form.assigneeId ? `/api/users/${form.assigneeId}` : null,
             group: form.groupId ? `/api/task_groups/${form.groupId}` : null,
-            project: `/api/projects/${props.projectId}`,
+            project: `/api/projects/${resolvedProjectId.value}`,
             tags: form.tagIds.map(id => `/api/task_tags/${id}`),
             clientTicket: form.clientTicketId ? `/api/client_tickets/${form.clientTicketId}` : null,
         }

frontend/components/task/TaskPriorityDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier une priorité' : 'Ajouter une priorité'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('taskPriorities.editPriority') : $t('taskPriorities.addPriority')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.label"

frontend/components/task/TaskStatusDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un statut' : 'Ajouter un statut'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('taskStatuses.editStatus') : $t('taskStatuses.addStatus')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.label"

frontend/components/task/TaskTagDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un tag' : 'Ajouter un tag'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('taskTags.editTag') : $t('taskTags.addTag')">
         <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
             <MalioInputText
                 v-model="form.label"

frontend/components/time-tracking/TimeEntryBlock.vue

@@ -1,7 +1,7 @@
 <template>
     <div
         ref="blockEl"
-        class="absolute z-10 cursor-pointer rounded-md text-xs text-white shadow-sm select-none"
+        class="absolute z-10 cursor-pointer rounded-md text-xs shadow-sm select-none"
         :style="blockStyle"
         :class="{ 'opacity-40': isDragSource }"
         @contextmenu.prevent="emit('contextmenu', $event, entry)"
@@ -21,7 +21,7 @@
             <!-- Full display: title + project + type dot + duration -->
             <template v-if="sizeLevel >= 3">
                 <div class="flex items-center gap-1">
-                    <div class="font-semibold truncate">{{ entry.title || 'Sans titre' }}</div>
+                    <div class="font-semibold truncate">{{ entry.title || $t('common.untitled') }}</div>
                     <span class="ml-auto shrink-0 text-[10px] tabular-nums opacity-80">{{ duration }}</span>
                 </div>
                 <div v-if="entry.project" class="truncate text-[10px] opacity-80">{{ entry.project.name }}</div>
@@ -39,13 +39,13 @@
 
             <!-- Medium: title + duration -->
             <template v-else-if="sizeLevel === 2">
-                <div class="font-semibold truncate">{{ entry.title || 'Sans titre' }}</div>
+                <div class="font-semibold truncate">{{ entry.title || $t('common.untitled') }}</div>
                 <div class="text-[10px] tabular-nums opacity-80">{{ duration }}</div>
             </template>
 
             <!-- Small: title only -->
             <template v-else-if="sizeLevel === 1">
-                <div class="font-semibold truncate text-[10px] leading-tight">{{ entry.title || 'Sans titre' }}</div>
+                <div class="font-semibold truncate text-[10px] leading-tight">{{ entry.title || $t('common.untitled') }}</div>
             </template>
 
             <!-- Tiny: just a colored bar, no text -->
@@ -119,7 +119,10 @@ const sizeLevel = computed(() => {
 const blockStyle = computed(() => {
     const startMinutes = startDate.value.getHours() * 60 + startDate.value.getMinutes() + resizeTopDeltaMinutes.value
     const topPx = ((startMinutes - props.dayStartHour * 60) / 60) * props.hourHeight
-    const bgColor = props.entry.project?.color ?? '#94a3b8'
+    const hex = (props.entry.project?.color ?? '#94a3b8').replace('#', '')
+    const r = parseInt(hex.substring(0, 2), 16)
+    const g = parseInt(hex.substring(2, 4), 16)
+    const b = parseInt(hex.substring(4, 6), 16)
 
     const col = props.columnIndex ?? 0
     const total = props.totalColumns ?? 1
@@ -130,7 +133,8 @@ const blockStyle = computed(() => {
     return {
         top: `${topPx}px`,
         height: `${heightPx.value}px`,
-        backgroundColor: bgColor,
+        backgroundColor: `rgb(${Math.round(r + (255 - r) * 0.6)}, ${Math.round(g + (255 - g) * 0.6)}, ${Math.round(b + (255 - b) * 0.6)})`,
+        color: `rgb(${r}, ${g}, ${b})`,
         left: `calc(${leftPercent}% + ${gapPx}px)`,
         width: `calc(${widthPercent}% - ${gapPx * 2}px)`,
     }

frontend/components/time-tracking/TimeEntryDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un temps' : 'Ajouter une Activité'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('timeEntries.editEntry') : $t('timeEntries.addEntry')">
         <form class="space-y-4" @submit.prevent="onSubmit">
             <div>
                 <label class="mb-1 block text-sm font-semibold text-neutral-700">Titre</label>
@@ -117,7 +117,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry, TimeEntryWrite } from '~/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/services/dto/project'
 import type { TaskTag } from '~/services/dto/task-tag'
@@ -257,7 +257,7 @@ async function onSubmit() {
     if (isEditing.value && props.entry) {
         await update(props.entry.id, payload)
     } else {
-        await create(payload as any)
+        await create(payload as TimeEntryWrite)
     }
 
     emit('saved')

frontend/components/time-tracking/TimeEntryList.vue

@@ -1,7 +1,7 @@
 <template>
     <div class="space-y-2">
         <div v-if="entries.length === 0" class="rounded-lg border border-neutral-200 bg-neutral-50 py-12 text-center text-sm text-neutral-400">
-            Aucune activité pour cette période
+            {{ $t('timeEntries.noEntries') }}
         </div>
 
         <div
@@ -20,7 +20,7 @@
             <div class="min-w-0 flex-1">
                 <div class="flex items-center gap-2">
                     <span class="truncate text-sm font-semibold text-neutral-900">
-                        {{ entry.title || 'Sans titre' }}
+                        {{ entry.title || $t('common.untitled') }}
                     </span>
                     <span
                         v-for="tag in entry.tags"
@@ -56,7 +56,7 @@
             <!-- Delete action -->
             <button
                 class="shrink-0 rounded-md p-1.5 text-neutral-300 opacity-0 transition hover:bg-red-50 hover:text-red-500 group-hover:opacity-100"
-                title="Supprimer"
+                :title="$t('common.delete')"
                 @click.stop="emit('deleteEntry', entry)"
             >
                 <Icon name="mdi:delete-outline" size="18" />

frontend/components/time-tracking/TimeTrackingCalendar.vue

@@ -99,7 +99,7 @@
                             :style="{ backgroundColor: entry.project?.color ?? '#94a3b8' }"
                         />
                         <div class="min-w-0">
-                            <div class="truncate text-xs font-medium text-neutral-800">{{ entry.title || 'Sans titre' }}</div>
+                            <div class="truncate text-xs font-medium text-neutral-800">{{ entry.title || $t('common.untitled') }}</div>
                             <div class="text-[10px] text-neutral-500">
                                 {{ formatTime(entry.startedAt) }} – {{ entry.stoppedAt ? formatTime(entry.stoppedAt) : '...' }}
                             </div>
@@ -141,6 +141,8 @@
 <script setup lang="ts">
 import type { TimeEntry } from '~/services/dto/time-entry'
 
+const { t } = useI18n()
+
 const props = defineProps<{
     entries: TimeEntry[]
     startDate: Date
@@ -459,7 +461,7 @@ function onMoveStart(payload: { entry: TimeEntry; offsetY: number }, sourceDayIn
     dragState.value = {
         entryId: entry.id,
         entry,
-        title: entry.title || 'Sans titre',
+        title: entry.title || t('common.untitled'),
         color: entry.project?.color ?? '#94a3b8',
         durationMinutes,
         ghostHeightPx: Math.max((durationMinutes / 60) * hourHeight, 20),

frontend/components/ui/ConfirmDeleteDocumentModal.vue

@@ -2,7 +2,7 @@
     <Teleport v-if="modelValue" to="body">
         <Transition name="modal" appear>
             <div class="fixed inset-0 z-[70] flex items-center justify-center">
-                <div class="absolute inset-0 bg-black/30" @click="cancel" />
+                <div class="absolute inset-0 bg-black/30" @click.stop="cancel" />
                 <div class="relative z-10 w-full max-w-md rounded-lg bg-white p-6 shadow-xl">
                     <h3 class="text-lg font-bold text-neutral-900">{{ $t('taskDocuments.confirmDeleteTitle') }}</h3>
                     <p class="mt-3 text-sm text-neutral-600">

frontend/components/ui/ConfirmDeleteStatusModal.vue

@@ -4,19 +4,18 @@
             <div class="fixed inset-0 z-50 flex items-center justify-center">
                 <div class="absolute inset-0 bg-black/30" @click="cancel" />
                 <div class="relative z-10 w-full max-w-md rounded-lg bg-white p-6 shadow-xl">
-                    <h3 class="text-lg font-bold text-neutral-900">Supprimer le statut « {{ statusLabel }} »</h3>
+                    <h3 class="text-lg font-bold text-neutral-900">{{ $t('taskStatuses.deleteStatus', { label: statusLabel }) }}</h3>
 
                     <p class="mt-3 text-sm text-neutral-600">
-                        {{ taskCount }} tâche{{ taskCount > 1 ? 's sont liées' : ' est liée' }} à ce statut.
-                        Choisissez où les déplacer :
+                        {{ taskCount > 1 ? $t('taskStatuses.linkedTasksPlural', { count: taskCount }) : $t('taskStatuses.linkedTasks', { count: taskCount }) }}
                     </p>
 
                     <div class="mt-4">
                         <MalioSelect
                             v-model="targetStatusId"
                             :options="targetOptions"
-                            label="Déplacer vers"
-                            empty-option-label="Backlog (sans statut)"
+                            :label="$t('taskStatuses.moveTo')"
+                            :empty-option-label="$t('taskStatuses.backlog')"
                             min-width="w-full"
                         />
                     </div>
@@ -27,7 +26,7 @@
                             class="rounded-md border border-neutral-300 px-4 py-2 text-sm font-semibold text-neutral-700 hover:bg-neutral-50"
                             @click="cancel"
                         >
-                            Annuler
+                            {{ $t('common.cancel') }}
                         </button>
                         <button
                             type="button"
@@ -35,7 +34,7 @@
                             :disabled="isProcessing"
                             @click="confirm"
                         >
-                            Supprimer
+                            {{ $t('common.delete') }}
                         </button>
                     </div>
                 </div>

frontend/components/user/UserDrawer.vue

@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un utilisateur' : 'Ajouter un utilisateur'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('users.editUser') : $t('users.addUser')">
         <form class="flex flex-col gap-2" @submit.prevent="handleSubmit">
             <MalioInputText
                 v-model="form.username"
@@ -90,6 +90,8 @@ import { useProjectService } from '~/services/projects'
 import type { Client } from '~/services/dto/client'
 import type { Project } from '~/services/dto/project'
 
+const { t } = useI18n()
+
 const props = defineProps<{
     modelValue: boolean
     item: UserData | null
@@ -114,7 +116,7 @@ const clients = ref<Client[]>([])
 const allProjects = ref<Project[]>([])
 
 const clientOptions = computed(() => [
-    { label: 'Aucun client', value: null as number | null },
+    { label: t('common.noClient'), value: null as number | null },
     ...clients.value.map((c) => ({ label: c.name, value: c.id as number | null })),
 ])
 
@@ -190,7 +192,7 @@ async function handleSubmit() {
             allowedProjects: form.allowedProjectIds.map((id) => `/api/projects/${id}`),
         }
         if (form.password) {
-            payload.password = form.password
+            payload.plainPassword = form.password
         }
 
         if (isEditing.value && props.item) {

frontend/composables/useApi.ts

@@ -177,13 +177,16 @@ export function useApi(): ApiClient {
   ) {
     const needsJsonBody = method === 'POST' || method === 'PUT'
     const needsMergePatch = method === 'PATCH'
+    const isFormData = typeof FormData !== 'undefined' && options.body instanceof FormData
 
     const headers = new Headers(options.headers as HeadersInit | undefined)
 
-    if (needsMergePatch && !headers.has('Content-Type')) {
-      headers.set('Content-Type', 'application/merge-patch+json')
-    } else if (needsJsonBody && !headers.has('Content-Type')) {
-      headers.set('Content-Type', 'application/json')
+    if (!isFormData) {
+      if (needsMergePatch && !headers.has('Content-Type')) {
+        headers.set('Content-Type', 'application/merge-patch+json')
+      } else if (needsJsonBody && !headers.has('Content-Type')) {
+        headers.set('Content-Type', 'application/json')
+      }
     }
 
     return client<T>(url, { ...options, method, headers })

frontend/composables/useAvatarService.ts

@@ -5,11 +5,13 @@ export function useAvatarService() {
         const formData = new FormData()
         formData.append('file', file, 'avatar.png')
 
-        return $fetch(`/api/users/${userId}/avatar`, {
-            method: 'POST',
-            body: formData,
-            credentials: 'include',
-        })
+        return api.post<{ avatarUrl: string }>(
+            `/users/${userId}/avatar`,
+            formData as unknown as Record<string, unknown>,
+            {
+                toastSuccessKey: 'profile.avatarUpdated',
+            }
+        )
     }
 
     async function remove(userId: number): Promise<void> {

frontend/i18n/locales/fr.json

@@ -22,43 +22,66 @@
     "clients": {
         "created": "Client créé avec succès.",
         "updated": "Client mis à jour avec succès.",
-        "deleted": "Client supprimé avec succès."
+        "deleted": "Client supprimé avec succès.",
+        "addClient": "Ajouter un client",
+        "editClient": "Modifier un client"
     },
     "projects": {
+        "title": "Projets",
         "created": "Projet créé avec succès.",
         "updated": "Projet mis à jour avec succès.",
         "deleted": "Projet supprimé avec succès.",
         "archived": "Projet archivé avec succès.",
         "unarchived": "Projet désarchivé avec succès.",
         "showArchived": "Voir les projets archivés",
-        "hideArchived": "Masquer les projets archivés"
+        "hideArchived": "Masquer les projets archivés",
+        "noProjects": "Aucun projet trouvé.",
+        "noArchivedProjects": "Aucun projet archivé.",
+        "addProject": "Ajouter un projet",
+        "addProjectShort": "Projet",
+        "editProject": "Modifier un projet"
     },
     "taskStatuses": {
         "created": "Statut créé avec succès.",
         "updated": "Statut mis à jour avec succès.",
-        "deleted": "Statut supprimé avec succès."
+        "deleted": "Statut supprimé avec succès.",
+        "addStatus": "Ajouter un statut",
+        "editStatus": "Modifier un statut",
+        "deleteStatus": "Supprimer le statut « {label} »",
+        "linkedTasks": "{count} tâche est liée à ce statut. Choisissez où les déplacer :",
+        "linkedTasksPlural": "{count} tâches sont liées à ce statut. Choisissez où les déplacer :",
+        "moveTo": "Déplacer vers",
+        "backlog": "Backlog (sans statut)"
     },
     "taskEfforts": {
         "created": "Effort créé avec succès.",
         "updated": "Effort mis à jour avec succès.",
-        "deleted": "Effort supprimé avec succès."
+        "deleted": "Effort supprimé avec succès.",
+        "addEffort": "Ajouter un effort",
+        "editEffort": "Modifier un effort"
     },
     "taskPriorities": {
         "created": "Priorité créée avec succès.",
         "updated": "Priorité mise à jour avec succès.",
-        "deleted": "Priorité supprimée avec succès."
+        "deleted": "Priorité supprimée avec succès.",
+        "addPriority": "Ajouter une priorité",
+        "editPriority": "Modifier une priorité"
     },
     "taskTags": {
         "created": "Tag créé avec succès.",
         "updated": "Tag mis à jour avec succès.",
-        "deleted": "Tag supprimé avec succès."
+        "deleted": "Tag supprimé avec succès.",
+        "addTag": "Ajouter un tag",
+        "editTag": "Modifier un tag"
     },
     "taskGroups": {
         "created": "Groupe créé avec succès.",
         "updated": "Groupe mis à jour avec succès.",
         "deleted": "Groupe supprimé avec succès.",
         "archived": "Groupe archivé avec succès.",
-        "unarchived": "Groupe désarchivé avec succès."
+        "unarchived": "Groupe désarchivé avec succès.",
+        "addGroup": "Ajouter un groupe",
+        "editGroup": "Modifier un groupe"
     },
     "taskDocuments": {
         "title": "Documents",
@@ -78,17 +101,24 @@
         "archived": "Ticket archivé avec succès.",
         "unarchived": "Ticket désarchivé avec succès.",
         "deleteConfirmTitle": "Supprimer le ticket",
-        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible."
+        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible.",
+        "addTask": "Ajouter un ticket",
+        "editTask": "Modifier un ticket"
     },
     "users": {
         "created": "Utilisateur créé avec succès.",
         "updated": "Utilisateur mis à jour avec succès.",
-        "deleted": "Utilisateur supprimé avec succès."
+        "deleted": "Utilisateur supprimé avec succès.",
+        "addUser": "Ajouter un utilisateur",
+        "editUser": "Modifier un utilisateur"
     },
     "timeEntries": {
         "created": "Temps enregistré",
         "updated": "Temps modifié",
-        "deleted": "Temps supprimé"
+        "deleted": "Temps supprimé",
+        "noEntries": "Aucune activité pour cette période",
+        "addEntry": "Ajouter une Activité",
+        "editEntry": "Modifier un temps"
     },
     "archive": {
         "title": "Archives",
@@ -112,7 +142,8 @@
         "allEfforts": "Tous les efforts",
         "allAssignees": "Tous",
         "noTasks": "Aucune tâche",
-        "backlog": "Backlog"
+        "backlog": "Backlog",
+        "createTask": "Créer une tâche"
     },
     "dashboard": {
         "title": "Tableau de bord",
@@ -168,7 +199,12 @@
         "cancel": "Annuler",
         "save": "Enregistrer",
         "edit": "Modifier",
+        "delete": "Supprimer",
+        "add": "Ajouter",
         "loading": "Chargement...",
+        "archived": "Archivé",
+        "noClient": "Aucun client",
+        "untitled": "Sans titre",
         "dateFilter": "Date",
         "today": "Aujourd'hui",
         "thisWeek": "Cette semaine",

frontend/layouts/default.vue

@@ -123,9 +123,9 @@
                 </div>
             </aside>
 
-            <div class="h-full flex-1 flex flex-col min-h-0">
+            <div class="h-full flex-1 flex flex-col min-h-0 min-w-0">
                 <AppTopNav :user="auth.user" />
-                <main class="flex flex-1 flex-col overflow-y-auto bg-white px-4 pb-24 sm:px-8 lg:px-16">
+                <main class="flex flex-1 flex-col overflow-y-auto overflow-x-hidden bg-white px-4 pb-24 sm:px-8 lg:px-16">
                     <div aria-hidden="true" class="pointer-events-none sticky top-0 z-30 h-8 flex-shrink-0 bg-white sm:h-12" />
                     <slot/>
                 </main>
@@ -148,6 +148,7 @@ import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/services/dto/project'
 import type { TaskTag } from '~/services/dto/task-tag'
 import { useAppVersion } from '~/composables/useAppVersion'
+import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
 
 const auth = useAuthStore()
@@ -211,9 +212,9 @@ async function loadRefData() {
     if (refData.loaded) return
     const api = useApi()
     const [usersData, projectsData, typesData] = await Promise.all([
-        api.get<any>('/users'),
-        api.get<any>('/projects'),
-        api.get<any>('/task_tags'),
+        api.get<HydraCollection<UserData>>('/users'),
+        api.get<HydraCollection<Project>>('/projects'),
+        api.get<HydraCollection<TaskTag>>('/task_tags'),
     ])
     refData.users = extractHydraMembers(usersData)
     refData.projects = extractHydraMembers(projectsData)

frontend/middleware/admin.ts

@@ -0,0 +1,7 @@
+export default defineNuxtRouteMiddleware(() => {
+    const auth = useAuthStore()
+
+    if (!auth.isAuthenticated || !auth.user?.roles?.includes('ROLE_ADMIN')) {
+        return navigateTo('/')
+    }
+})

frontend/nuxt.config.ts

@@ -23,14 +23,6 @@ export default defineNuxtConfig({
     devServer: {
         port: 3002,
     },
-    nitro: {
-        devProxy: {
-            '/api': {
-                target: 'http://nginx',
-                changeOrigin: true,
-            },
-        },
-    },
     components: [
         {path: '~/components', pathPrefix: false},
     ],

frontend/pages/admin.vue

@@ -35,6 +35,7 @@
 </template>
 
 <script setup lang="ts">
+definePageMeta({ middleware: ['admin'] })
 useHead({ title: 'Administration' })
 
 const tabs = [

frontend/pages/index.vue

@@ -471,7 +471,7 @@ const lineOptions = {
         legend: { display: false },
         tooltip: {
             callbacks: {
-                label: (ctx: any) => `${formatHours(ctx.raw)}`,
+                label: (ctx: { raw: unknown }) => `${formatHours(ctx.raw as number)}`,
             },
         },
     },
@@ -480,7 +480,7 @@ const lineOptions = {
             beginAtZero: true,
             grid: { color: '#f3f4f6' },
             ticks: {
-                callback: (value: any) => `${value}h`,
+                callback: (value: number | string) => `${value}h`,
             },
         },
         x: {

frontend/pages/my-tasks.vue

@@ -214,6 +214,11 @@ async function onDropBacklog(event: DragEvent) {
 }
 
 // Modal
+function openTaskCreate() {
+    selectedTask.value = null
+    taskModalOpen.value = true
+}
+
 function openTaskEdit(task: Task) {
     selectedTask.value = task
     taskModalOpen.value = true
@@ -229,28 +234,37 @@ onMounted(() => {
 </script>
 
 <template>
-    <div>
+    <div class="min-w-0">
         <!-- Header + Filters -->
         <div class="sticky top-8 z-20 bg-white pb-4 sm:top-12">
             <div class="flex items-center justify-between gap-3">
                 <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">{{ $t('myTasks.title') }}</h1>
-                <div class="flex gap-1">
+                <div class="flex items-center gap-2">
                     <button
-                        class="rounded-lg p-2 transition-colors"
-                        :class="viewMode === 'kanban' ? 'bg-primary-500 text-white' : 'text-neutral-400 hover:text-primary-500'"
-                        :title="$t('myTasks.viewKanban')"
-                        @click="viewMode = 'kanban'"
+                        class="flex items-center gap-1.5 rounded-lg bg-primary-500 px-3 py-1.5 text-sm font-semibold text-white transition-colors hover:bg-secondary-500"
+                        @click="openTaskCreate"
                     >
-                        <Icon name="mdi:view-column-outline" size="20" />
-                    </button>
-                    <button
-                        class="rounded-lg p-2 transition-colors"
-                        :class="viewMode === 'list' ? 'bg-primary-500 text-white' : 'text-neutral-400 hover:text-primary-500'"
-                        :title="$t('myTasks.viewList')"
-                        @click="viewMode = 'list'"
-                    >
-                        <Icon name="mdi:view-list-outline" size="20" />
+                        <Icon name="mdi:plus" size="18" />
+                        {{ $t('myTasks.createTask') }}
                     </button>
+                    <div class="flex gap-1">
+                        <button
+                            class="flex items-center justify-center rounded-md p-1.5 transition-colors"
+                            :class="viewMode === 'kanban' ? 'bg-primary-500 text-white' : 'text-neutral-400 hover:text-primary-500'"
+                            :title="$t('myTasks.viewKanban')"
+                            @click="viewMode = 'kanban'"
+                        >
+                            <Icon name="mdi:view-column-outline" size="18" />
+                        </button>
+                        <button
+                            class="flex items-center justify-center rounded-md p-1.5 transition-colors"
+                            :class="viewMode === 'list' ? 'bg-primary-500 text-white' : 'text-neutral-400 hover:text-primary-500'"
+                            :title="$t('myTasks.viewList')"
+                            @click="viewMode = 'list'"
+                        >
+                            <Icon name="mdi:view-list-outline" size="18" />
+                        </button>
+                    </div>
                 </div>
             </div>
 
@@ -314,11 +328,11 @@ onMounted(() => {
 
         <!-- Kanban View -->
         <div v-if="viewMode === 'kanban'">
-            <div class="mt-6 flex gap-4 overflow-x-auto pb-4">
+            <div class="mt-6 flex h-[calc(100vh-260px)] gap-3 overflow-x-auto pb-4">
                 <div
                     v-for="status in sortedStatuses"
                     :key="status.id"
-                    class="flex w-72 shrink-0 flex-col rounded-lg transition-colors"
+                    class="flex min-w-36 flex-1 flex-col rounded-lg transition-colors"
                     :class="dragOverStatusId === status.id ? 'bg-neutral-200' : 'bg-neutral-50'"
                     @dragover.prevent
                     @dragenter.prevent="onDragEnter(status.id)"
@@ -326,24 +340,26 @@ onMounted(() => {
                     @drop.prevent="onDropStatus($event, status)"
                 >
                     <div
-                        class="rounded-t-lg px-4 py-3 text-sm font-bold text-white"
+                        class="shrink-0 rounded-t-lg px-4 py-3 text-sm font-bold text-white"
                         :style="{ backgroundColor: status.color }"
                     >
                         {{ status.label }} ({{ tasksByStatus(status.id).length }})
                     </div>
-                    <div class="flex flex-col gap-3 p-3">
-                        <TaskCard
-                            v-for="task in tasksByStatus(status.id)"
-                            :key="task.id"
-                            :task="task"
-                            @click="openTaskEdit(task)"
-                        />
-                        <p
-                            v-if="tasksByStatus(status.id).length === 0"
-                            class="py-4 text-center text-xs text-neutral-400"
-                        >
-                            {{ $t('myTasks.noTasks') }}
-                        </p>
+                    <div class="min-h-0 flex-1 overflow-y-auto p-3">
+                        <div class="flex flex-col gap-3">
+                            <TaskCard
+                                v-for="task in tasksByStatus(status.id)"
+                                :key="task.id"
+                                :task="task"
+                                @click="openTaskEdit(task)"
+                            />
+                            <p
+                                v-if="tasksByStatus(status.id).length === 0"
+                                class="py-4 text-center text-xs text-neutral-400"
+                            >
+                                {{ $t('myTasks.noTasks') }}
+                            </p>
+                        </div>
                     </div>
                 </div>
             </div>
@@ -446,6 +462,7 @@ onMounted(() => {
             :tags="tags"
             :groups="selectedTask?.project?.id ? groups.filter(g => g.project?.id === selectedTask?.project?.id) : groups"
             :users="users"
+            :projects="projects"
             @saved="onSaved"
         />
     </div>

frontend/pages/portal/index.vue

@@ -53,10 +53,8 @@ const ticketCountByProject = computed(() => {
     const counts: Record<number, number> = {}
     for (const ticket of tickets.value) {
         if (ticket.status === 'new' || ticket.status === 'in_progress') {
-            // Extract project ID from IRI
-            const match = ticket.project.match(/\/api\/projects\/(\d+)/)
-            if (match) {
-                const projectId = Number(match[1])
+            const projectId = extractIdFromIri(ticket.project)
+            if (projectId) {
                 counts[projectId] = (counts[projectId] ?? 0) + 1
             }
         }

frontend/pages/portal/projects/[id]/index.vue

@@ -31,13 +31,13 @@
         </div>
 
         <!-- Kanban board -->
-        <div v-else class="mt-4 flex flex-col gap-4 sm:flex-row sm:overflow-x-auto sm:pb-4">
+        <div v-else class="mt-4 flex h-[calc(100vh-200px)] flex-col gap-4 sm:flex-row sm:overflow-x-auto sm:pb-4">
             <div
                 v-for="col in columns"
                 :key="col.status"
-                class="min-w-0 flex-1 sm:min-w-[280px]"
+                class="flex min-w-0 flex-1 flex-col sm:min-w-[280px]"
             >
-                <div class="mb-3 flex items-center gap-2">
+                <div class="mb-3 flex shrink-0 items-center gap-2">
                     <div class="h-2 w-2 rounded-full" :class="col.dotClass" />
                     <h3 class="text-sm font-bold text-neutral-700">{{ col.label }}</h3>
                     <span class="ml-auto rounded-full bg-neutral-100 px-2 py-0.5 text-xs font-semibold text-neutral-500">
@@ -45,7 +45,7 @@
                     </span>
                 </div>
                 <div
-                    class="min-h-[60px] space-y-2 rounded-lg border-2 border-transparent p-1 transition-colors"
+                    class="min-h-0 flex-1 space-y-2 overflow-y-auto rounded-lg border-2 border-transparent p-1 transition-colors"
                     :class="dragOverStatus === col.status ? 'border-primary-300 bg-primary-50/50' : ''"
                     @dragover.prevent="onDragOver(col.status)"
                     @dragleave="onDragLeave"

frontend/pages/projects/[id]/index.vue

@@ -1,5 +1,5 @@
 <template>
-    <div>
+    <div class="min-w-0">
         <div class="sticky top-8 z-20 bg-white pb-4 sm:top-12">
             <div class="flex items-center justify-between gap-3">
                 <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">{{ project?.name ?? '' }}</h1>
@@ -62,11 +62,11 @@
         </div>
 
         <!-- Kanban -->
-        <div class="mt-6 flex gap-4 overflow-x-auto pb-4">
+        <div class="mt-6 flex h-[calc(100vh-200px)] gap-3 overflow-x-auto pb-4">
             <div
                 v-for="status in statuses"
                 :key="status.id"
-                class="flex w-72 shrink-0 flex-col rounded-lg transition-colors"
+                class="flex min-w-36 flex-1 flex-col rounded-lg transition-colors"
                 :class="dragOverStatusId === status.id ? 'bg-neutral-200' : 'bg-neutral-50'"
                 @dragover.prevent
                 @dragenter.prevent="onDragEnter(status.id)"
@@ -74,24 +74,26 @@
                 @drop.prevent="onDropStatus($event, status)"
             >
                 <div
-                    class="rounded-t-lg px-4 py-3 text-sm font-bold text-white"
+                    class="shrink-0 rounded-t-lg px-4 py-3 text-sm font-bold text-white"
                     :style="{ backgroundColor: status.color }"
                 >
                     {{ status.label }} ({{ tasksByStatus(status.id).length }})
                 </div>
-                <div class="flex flex-col gap-3 p-3">
-                    <TaskCard
-                        v-for="task in tasksByStatus(status.id)"
-                        :key="task.id"
-                        :task="task"
-                        @click="openTaskEdit(task)"
-                    />
-                    <p
-                        v-if="tasksByStatus(status.id).length === 0"
-                        class="py-4 text-center text-xs text-neutral-400"
-                    >
-                        Aucun ticket
-                    </p>
+                <div class="min-h-0 flex-1 overflow-y-auto p-3">
+                    <div class="flex flex-col gap-3">
+                        <TaskCard
+                            v-for="task in tasksByStatus(status.id)"
+                            :key="task.id"
+                            :task="task"
+                            @click="openTaskEdit(task)"
+                        />
+                        <p
+                            v-if="tasksByStatus(status.id).length === 0"
+                            class="py-4 text-center text-xs text-neutral-400"
+                        >
+                            Aucun ticket
+                        </p>
+                    </div>
                 </div>
             </div>
         </div>

frontend/pages/projects/index.vue

@@ -2,7 +2,7 @@
     <div>
         <div class="sticky top-8 z-20 bg-white pb-4 sm:top-12">
             <div class="flex flex-wrap items-center justify-between gap-3">
-                <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">Projets</h1>
+                <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">{{ $t('projects.title') }}</h1>
                 <div class="flex items-center gap-2 sm:gap-3">
                     <button
                         class="flex items-center gap-1.5 rounded-md px-2 py-2 text-sm font-medium transition sm:px-3"
@@ -18,8 +18,8 @@
                         class="shrink-0 rounded-md bg-primary-500 px-3 py-2 text-xs font-semibold text-white hover:bg-secondary-500 sm:px-4 sm:text-sm"
                         @click="openCreate"
                     >
-                        <span class="hidden sm:inline">+ Ajouter un projet</span>
-                        <span class="sm:hidden">+ Projet</span>
+                        <span class="hidden sm:inline">+ {{ $t('projects.addProject') }}</span>
+                        <span class="sm:hidden">+ {{ $t('projects.addProjectShort') }}</span>
                     </button>
                 </div>
             </div>
@@ -29,8 +29,9 @@
             <div
                 v-for="project in projects"
                 :key="project.id"
-                class="cursor-pointer rounded-[6px] border border-neutral-200 bg-tertiary-500 p-4 shadow-sm transition hover:shadow-md"
+                class="cursor-pointer p-4 shadow-sm transition hover:shadow-md"
                 :class="{ 'opacity-60': project.archived }"
+                :style="projectCardStyle(project.color)"
                 @click="navigateTo(`/projects/${project.id}`)"
             >
                 <div class="flex items-center justify-between">
@@ -40,7 +41,7 @@
                             v-if="project.archived"
                             class="rounded bg-amber-100 px-1.5 py-0.5 text-xs font-medium text-amber-700"
                         >
-                            Archivé
+                            {{ $t('common.archived') }}
                         </span>
                     </div>
                     <button
@@ -59,7 +60,7 @@
                 v-if="projects.length === 0 && !isLoading"
                 class="col-span-full py-12 text-center text-neutral-400"
             >
-                {{ showArchived ? 'Aucun projet archivé.' : 'Aucun projet trouvé.' }}
+                {{ showArchived ? $t('projects.noArchivedProjects') : $t('projects.noProjects') }}
             </div>
         </div>
 
@@ -80,6 +81,17 @@ import { useClientService } from '~/services/clients'
 
 useHead({ title: 'Projets' })
 
+function projectCardStyle(color: string | null) {
+    const hex = (color || '#222783').replace('#', '')
+    const r = parseInt(hex.substring(0, 2), 16)
+    const g = parseInt(hex.substring(2, 4), 16)
+    const b = parseInt(hex.substring(4, 6), 16)
+    return {
+        borderRadius: '16px',
+        backgroundColor: `rgba(${r}, ${g}, ${b}, 0.08)`,
+    }
+}
+
 const projectService = useProjectService()
 const clientService = useClientService()
 

frontend/pages/time-tracking.vue

@@ -126,6 +126,7 @@ import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/services/dto/project'
 import type { TaskTag } from '~/services/dto/task-tag'
 import { useTimeEntryService } from '~/services/time-entries'
+import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
 
 useHead({ title: 'Suivi des temps' })
@@ -308,9 +309,9 @@ async function loadReferenceData() {
     const api = useApi()
 
     const [usersData, projectsData, typesData] = await Promise.all([
-        api.get<any>('/users'),
-        api.get<any>('/projects'),
-        api.get<any>('/task_tags'),
+        api.get<HydraCollection<UserData>>('/users'),
+        api.get<HydraCollection<Project>>('/projects'),
+        api.get<HydraCollection<TaskTag>>('/task_tags'),
     ])
 
     users.value = extractHydraMembers(usersData)

frontend/services/dto/user-data.ts

@@ -12,7 +12,7 @@ export type UserData = {
 
 export type UserWrite = {
     username: string
-    password?: string
+    plainPassword?: string
     roles: string[]
     client?: string | null
     allowedProjects?: string[]

frontend/utils/iri.ts

@@ -0,0 +1,11 @@
+/**
+ * Extract the numeric ID from an API Platform IRI string.
+ * Example: "/api/projects/5" → 5
+ */
+export function extractIdFromIri(iri: string | null | undefined): number {
+    if (!iri) return 0
+    const lastSlash = iri.lastIndexOf('/')
+    if (lastSlash === -1) return 0
+    const id = Number(iri.substring(lastSlash + 1))
+    return Number.isFinite(id) ? id : 0
+}

migrations/Version20260316124157.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20260316124157 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE time_entry ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD CONSTRAINT FK_6E537C0C9B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_6E537C0C9B2097DD ON time_entry (client_ticket_id)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE time_entry DROP CONSTRAINT FK_6E537C0C9B2097DD');
+        $this->addSql('DROP INDEX IDX_6E537C0C9B2097DD');
+        $this->addSql('ALTER TABLE time_entry DROP client_ticket_id');
+    }
+}

script/deploy-release.sh

@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage: ./script/deploy-release.sh v0.1.0
+# Requires: curl, tar, (optional) rsync
+#
+# Auth token: set RELEASE_TOKEN env var or create /etc/lesstime-release-token
+umask 002
+
+TAG="${1:-}"
+if [ -z "$TAG" ]; then
+  echo "Usage: $0 v0.1.0" >&2
+  exit 1
+fi
+
+REPO_OWNER="MALIO-DEV"
+REPO_NAME="Lesstime"
+GITEA_API="https://gitea.malio.fr/api/v1"
+DEPLOY_DIR="/var/www/lesstime"
+
+if [ -f /etc/lesstime-release-token ] && [ -z "${RELEASE_TOKEN:-}" ]; then
+  RELEASE_TOKEN="$(cat /etc/lesstime-release-token)"
+fi
+
+tmp_dir="$(mktemp -d)"
+cleanup() {
+  rm -rf "$tmp_dir"
+}
+trap cleanup EXIT
+
+release_json="$tmp_dir/release.json"
+curl_opts=(-sS)
+if [ -n "${RELEASE_TOKEN:-}" ]; then
+  curl_opts+=(-H "Authorization: token ${RELEASE_TOKEN}")
+fi
+curl "${curl_opts[@]}" \
+  "${GITEA_API}/repos/${REPO_OWNER}/${REPO_NAME}/releases/tags/${TAG}" \
+  -o "$release_json"
+
+asset_url="$(python3 - "$release_json" <<'PY'
+import json, sys
+data = json.load(open(sys.argv[1], 'r'))
+assets = data.get("assets", [])
+for a in assets:
+    name = a.get("name", "")
+    if name.startswith("lesstime-") and name.endswith(".tar.gz"):
+        print(a.get("browser_download_url", ""))
+        break
+PY
+)"
+
+if [ -z "$asset_url" ]; then
+  echo "Release asset not found for tag ${TAG}" >&2
+  exit 1
+fi
+
+archive="$tmp_dir/artefact.tar.gz"
+curl "${curl_opts[@]}" -L "$asset_url" -o "$archive"
+
+tar -xzf "$archive" -C "$tmp_dir"
+
+if command -v rsync >/dev/null 2>&1; then
+  rsync -a --delete --no-perms --no-owner --no-group \
+    --exclude ".env" \
+    --exclude ".env.local" \
+    --exclude "config/jwt" \
+    --exclude "var" \
+    "$tmp_dir"/ "$DEPLOY_DIR"/
+else
+  cp -a "$tmp_dir"/. "$DEPLOY_DIR"/
+fi
+
+# Ensure Nginx can traverse the deploy path.
+chmod o+rx "$(dirname "$DEPLOY_DIR")" "$DEPLOY_DIR" 2>/dev/null || true
+
+# Create frontend/dist symlink if needed (nginx serves from frontend/dist)
+if [ -d "${DEPLOY_DIR}/frontend/.output/public" ] && [ ! -L "${DEPLOY_DIR}/frontend/dist" ]; then
+  ln -sfn "${DEPLOY_DIR}/frontend/.output/public" "${DEPLOY_DIR}/frontend/dist"
+fi
+
+echo "Release ${TAG} deployed to ${DEPLOY_DIR}"
+
+# Ensure var/log exists and is writable by PHP (www-data)
+mkdir -p "${DEPLOY_DIR}/var/log"
+chown www-data:www-data "${DEPLOY_DIR}/var/log"
+chmod 775 "${DEPLOY_DIR}/var/log"
+
+if [ -f "${DEPLOY_DIR}/.env.local" ]; then
+  echo "Clearing cache..."
+  php "${DEPLOY_DIR}/bin/console" cache:clear --env=prod --no-debug
+
+  echo "Running migrations (if any)..."
+  php "${DEPLOY_DIR}/bin/console" doctrine:migrations:migrate --no-interaction --env=prod
+else
+  echo "Skip post-deploy: ${DEPLOY_DIR}/.env.local not found" >&2
+fi

src/ApiResource/GiteaBranch.php

@@ -17,6 +17,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             uriTemplate: '/tasks/{taskId}/gitea/branches',
             normalizationContext: ['groups' => ['gitea_branch:read']],
             provider: GiteaBranchProvider::class,
+            security: "is_granted('ROLE_USER')",
         ),
         new Post(
             uriTemplate: '/tasks/{taskId}/gitea/branches',
@@ -24,6 +25,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['gitea_branch:read']],
             provider: GiteaBranchProvider::class,
             processor: GiteaBranchProcessor::class,
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]

src/ApiResource/GiteaBranchName.php

@@ -15,6 +15,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             uriTemplate: '/tasks/{taskId}/gitea/branch-name/{type}',
             normalizationContext: ['groups' => ['gitea_branch_name:read']],
             provider: GiteaBranchNameProvider::class,
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]

src/ApiResource/GiteaPullRequest.php

@@ -15,6 +15,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             uriTemplate: '/tasks/{taskId}/gitea/pull-requests',
             normalizationContext: ['groups' => ['gitea_pr:read']],
             provider: GiteaPullRequestProvider::class,
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]

src/Controller/TaskDocumentDownloadController.php

@@ -51,9 +51,12 @@ class TaskDocumentDownloadController extends AbstractController
         $mimeType = $document->getMimeType() ?? 'application/octet-stream';
 
         // Inline for images and PDFs, attachment for everything else
-        $disposition = str_starts_with($mimeType, 'image/') || 'application/pdf' === $mimeType
-            ? ResponseHeaderBag::DISPOSITION_INLINE
-            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+        // SVG files are always served as attachment to prevent XSS via embedded JavaScript
+        $disposition = 'image/svg+xml' === $mimeType
+            ? ResponseHeaderBag::DISPOSITION_ATTACHMENT
+            : (str_starts_with($mimeType, 'image/') || 'application/pdf' === $mimeType
+                ? ResponseHeaderBag::DISPOSITION_INLINE
+                : ResponseHeaderBag::DISPOSITION_ATTACHMENT);
 
         $response->setContentDisposition($disposition, $document->getOriginalName());
         $response->headers->set('Content-Type', $mimeType);

src/Controller/UserAvatarController.php

@@ -91,7 +91,7 @@ class UserAvatarController extends AbstractController
         $extension = pathinfo($user->getAvatarFileName(), PATHINFO_EXTENSION);
         $mimeMap   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'webp' => 'image/webp', 'gif' => 'image/gif'];
         $response->headers->set('Content-Type', $mimeMap[$extension] ?? 'application/octet-stream');
-        $response->headers->set('Cache-Control', 'no-cache, must-revalidate');
+        $response->headers->set('Cache-Control', 'public, max-age=86400');
 
         return $response;
     }

src/Doctrine/ProjectAllowedExtension.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Doctrine;
+
+use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
+use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface;
+use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
+use ApiPlatform\Metadata\Operation;
+use App\Entity\Project;
+use App\Entity\User;
+use Doctrine\ORM\QueryBuilder;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class ProjectAllowedExtension implements QueryCollectionExtensionInterface, QueryItemExtensionInterface
+{
+    public function __construct(
+        private Security $security,
+    ) {}
+
+    public function applyToCollection(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, ?Operation $operation = null, array $context = []): void
+    {
+        $this->addWhere($queryBuilder, $resourceClass);
+    }
+
+    public function applyToItem(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, string $resourceClass, array $identifiers, ?Operation $operation = null, array $context = []): void
+    {
+        $this->addWhere($queryBuilder, $resourceClass);
+    }
+
+    private function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
+    {
+        if (Project::class !== $resourceClass) {
+            return;
+        }
+
+        $user = $this->security->getUser();
+
+        if (!$user instanceof User) {
+            return;
+        }
+
+        // Only restrict for ROLE_CLIENT users who are NOT admins
+        if (!in_array('ROLE_CLIENT', $user->getRoles(), true) || in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            return;
+        }
+
+        $rootAlias = $queryBuilder->getRootAliases()[0];
+
+        $allowedProjectIds = $user->getAllowedProjects()->map(
+            fn (Project $project) => $project->getId(),
+        )->toArray();
+
+        if ([] === $allowedProjectIds) {
+            $queryBuilder->andWhere('1 = 0');
+
+            return;
+        }
+
+        $queryBuilder
+            ->andWhere($rootAlias.'.id IN (:allowed_project_ids)')
+            ->setParameter('allowed_project_ids', $allowedProjectIds)
+        ;
+    }
+}

src/Entity/BookStackConfiguration.php

@@ -6,6 +6,7 @@ namespace App\Entity;
 
 use App\Repository\BookStackConfigurationRepository;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Validator\Constraints as Assert;
 
 #[ORM\Entity(repositoryClass: BookStackConfigurationRepository::class)]
 class BookStackConfiguration
@@ -16,6 +17,7 @@ class BookStackConfiguration
     private ?int $id = null;
 
     #[ORM\Column(length: 255, nullable: true)]
+    #[Assert\Url]
     private ?string $url = null;
 
     #[ORM\Column(type: 'text', nullable: true)]

src/Entity/ClientTicket.php

@@ -19,6 +19,7 @@ use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Validator\Constraints as Assert;
 
 #[ApiResource(
     operations: [
@@ -54,6 +55,27 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 class ClientTicket
 {
+    public const string TYPE_BUG         = 'bug';
+    public const string TYPE_IMPROVEMENT = 'improvement';
+    public const string TYPE_OTHER       = 'other';
+
+    public const array TYPES = [
+        self::TYPE_BUG,
+        self::TYPE_IMPROVEMENT,
+        self::TYPE_OTHER,
+    ];
+
+    public const string STATUS_NEW         = 'new';
+    public const string STATUS_IN_PROGRESS = 'in_progress';
+    public const string STATUS_DONE        = 'done';
+    public const string STATUS_REJECTED    = 'rejected';
+
+    public const array STATUSES = [
+        self::STATUS_NEW,
+        self::STATUS_IN_PROGRESS,
+        self::STATUS_DONE,
+        self::STATUS_REJECTED,
+    ];
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -66,6 +88,7 @@ class ClientTicket
 
     #[ORM\Column(length: 20)]
     #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
+    #[Assert\Choice(choices: self::TYPES)]
     private ?string $type = null;
 
     #[ORM\Column(length: 255)]
@@ -78,10 +101,12 @@ class ClientTicket
 
     #[ORM\Column(length: 255, nullable: true)]
     #[Groups(['client_ticket:read', 'client_ticket:write'])]
+    #[Assert\Url]
     private ?string $url = null;
 
     #[ORM\Column(length: 20)]
     #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
+    #[Assert\Choice(choices: self::STATUSES)]
     private ?string $status = 'new';
 
     #[ORM\Column(type: 'text', nullable: true)]

src/Entity/GiteaConfiguration.php

@@ -6,6 +6,7 @@ namespace App\Entity;
 
 use App\Repository\GiteaConfigurationRepository;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Validator\Constraints as Assert;
 
 #[ORM\Entity(repositoryClass: GiteaConfigurationRepository::class)]
 class GiteaConfiguration
@@ -16,6 +17,7 @@ class GiteaConfiguration
     private ?int $id = null;
 
     #[ORM\Column(length: 255, nullable: true)]
+    #[Assert\Url]
     private ?string $url = null;
 
     #[ORM\Column(type: 'text', nullable: true)]

src/Entity/TaskBookStackLink.php

@@ -7,6 +7,7 @@ namespace App\Entity;
 use App\Repository\TaskBookStackLinkRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Validator\Constraints as Assert;
 
 #[ORM\Entity(repositoryClass: TaskBookStackLinkRepository::class)]
 #[ORM\UniqueConstraint(name: 'UNIQ_task_bookstack_link', columns: ['task_id', 'bookstack_id', 'bookstack_type'])]
@@ -31,6 +32,7 @@ class TaskBookStackLink
     private string $title;
 
     #[ORM\Column(length: 500)]
+    #[Assert\Url]
     private string $url;
 
     #[ORM\Column]

src/Entity/TimeEntry.php

@@ -85,6 +85,11 @@ class TimeEntry
     #[Groups(['time_entry:read', 'time_entry:write'])]
     private ?Task $task = null;
 
+    #[ORM\ManyToOne(targetEntity: ClientTicket::class)]
+    #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['time_entry:read', 'time_entry:write'])]
+    private ?ClientTicket $clientTicket = null;
+
     /** @var Collection<int, TaskTag> */
     #[ORM\ManyToMany(targetEntity: TaskTag::class)]
     #[ORM\JoinTable(
@@ -189,6 +194,18 @@ class TimeEntry
         return $this;
     }
 
+    public function getClientTicket(): ?ClientTicket
+    {
+        return $this->clientTicket;
+    }
+
+    public function setClientTicket(?ClientTicket $clientTicket): static
+    {
+        $this->clientTicket = $clientTicket;
+
+        return $this;
+    }
+
     /** @return Collection<int, TaskTag> */
     public function getTags(): Collection
     {

src/Entity/User.php

@@ -61,9 +61,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private array $roles = [];
 
     #[ORM\Column]
-    #[Groups(['user:write'])]
     private ?string $password = null;
 
+    #[Groups(['user:write'])]
+    private ?string $plainPassword = null;
+
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
     private ?DateTimeImmutable $createdAt = null;
 
@@ -224,5 +226,20 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
         return '/api/users/'.$this->id.'/avatar';
     }
 
-    public function eraseCredentials(): void {}
+    public function getPlainPassword(): ?string
+    {
+        return $this->plainPassword;
+    }
+
+    public function setPlainPassword(?string $plainPassword): static
+    {
+        $this->plainPassword = $plainPassword;
+
+        return $this;
+    }
+
+    public function eraseCredentials(): void
+    {
+        $this->plainPassword = null;
+    }
 }

src/Mcp/Tool/Project/CreateProjectTool.php

@@ -10,6 +10,8 @@ use App\Repository\ClientRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -19,6 +21,7 @@ class CreateProjectTool
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly ClientRepository $clientRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -28,6 +31,10 @@ class CreateProjectTool
         ?string $color = null,
         ?int $clientId = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $project = new Project();
         $project->setName($name);
         $project->setCode($code);

src/Mcp/Tool/Project/GetProjectTool.php

@@ -9,6 +9,8 @@ use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -18,10 +20,15 @@ class GetProjectTool
     public function __construct(
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(int $id): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $project = $this->projectRepository->find($id);
 
         if (null === $project) {

src/Mcp/Tool/Project/ListProjectsTool.php

@@ -7,16 +7,23 @@ namespace App\Mcp\Tool\Project;
 use App\Mcp\Tool\Serializer;
 use App\Repository\ProjectRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-projects', description: 'List all projects with optional archive filter')]
 class ListProjectsTool
 {
     public function __construct(
         private readonly ProjectRepository $projectRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(bool $archived = false): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $projects = $this->projectRepository->findBy(['archived' => $archived], ['name' => 'ASC']);
 
         return json_encode(array_map(Serializer::project(...), $projects));

src/Mcp/Tool/Project/UpdateProjectTool.php

@@ -10,6 +10,8 @@ use App\Repository\ProjectRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -20,6 +22,7 @@ class UpdateProjectTool
         private readonly ProjectRepository $projectRepository,
         private readonly ClientRepository $clientRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -31,6 +34,10 @@ class UpdateProjectTool
         ?int $clientId = null,
         ?bool $archived = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $project = $this->projectRepository->find($id);
 
         if (null === $project) {

src/Mcp/Tool/Reference/ListClientsTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\Reference;
 
 use App\Repository\ClientRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-clients', description: 'List all clients with their IDs, names, and emails. Use this to discover valid client IDs for project parameters.')]
 class ListClientsTool
 {
     public function __construct(
         private readonly ClientRepository $clientRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
         $clients = $this->clientRepository->findBy([], ['name' => 'ASC']);
 
         return json_encode(array_map(fn ($client) => [

src/Mcp/Tool/Reference/ListUsersTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\Reference;
 
 use App\Repository\UserRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-users', description: 'List all users with their IDs and usernames. Use this to discover valid user IDs for assignee or time entry parameters.')]
 class ListUsersTool
 {
     public function __construct(
         private readonly UserRepository $userRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
         $users = $this->userRepository->findBy([], ['username' => 'ASC']);
 
         return json_encode(array_map(fn ($user) => [

src/Mcp/Tool/Serializer.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool;
 
+use App\Entity\ClientTicket;
 use App\Entity\Project;
 use App\Entity\Task;
 use App\Entity\TaskDocument;
@@ -239,22 +240,39 @@ final class Serializer
         ];
     }
 
+    /**
+     * @return null|array{id: ?int, number: ?int, title: ?string}
+     */
+    public static function clientTicketRef(?ClientTicket $ticket): ?array
+    {
+        if (null === $ticket) {
+            return null;
+        }
+
+        return [
+            'id'     => $ticket->getId(),
+            'number' => $ticket->getNumber(),
+            'title'  => $ticket->getTitle(),
+        ];
+    }
+
     /**
      * @return array<string, mixed>
      */
     public static function timeEntry(TimeEntry $entry): array
     {
         return [
-            'id'          => $entry->getId(),
-            'title'       => $entry->getTitle(),
-            'description' => $entry->getDescription(),
-            'startedAt'   => $entry->getStartedAt()?->format('c'),
-            'stoppedAt'   => $entry->getStoppedAt()?->format('c'),
-            'duration'    => self::durationMinutes($entry),
-            'user'        => self::user($entry->getUser()),
-            'project'     => $entry->getProject() ? self::projectRef($entry->getProject()) : null,
-            'task'        => self::taskRef($entry->getTask()),
-            'tags'        => self::tags($entry->getTags()),
+            'id'           => $entry->getId(),
+            'title'        => $entry->getTitle(),
+            'description'  => $entry->getDescription(),
+            'startedAt'    => $entry->getStartedAt()?->format('c'),
+            'stoppedAt'    => $entry->getStoppedAt()?->format('c'),
+            'duration'     => self::durationMinutes($entry),
+            'user'         => self::user($entry->getUser()),
+            'project'      => $entry->getProject() ? self::projectRef($entry->getProject()) : null,
+            'task'         => self::taskRef($entry->getTask()),
+            'clientTicket' => self::clientTicketRef($entry->getClientTicket()),
+            'tags'         => self::tags($entry->getTags()),
         ];
     }
 

src/Mcp/Tool/Task/CreateTaskTool.php

@@ -17,6 +17,8 @@ use App\Repository\UserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -33,6 +35,7 @@ class CreateTaskTool
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
         private readonly UserRepository $userRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -46,6 +49,10 @@ class CreateTaskTool
         ?int $groupId = null,
         ?array $tagIds = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $project = $this->projectRepository->find($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
@@ -54,7 +61,6 @@ class CreateTaskTool
         $task = new Task();
         $task->setProject($project);
         $task->setTitle($title);
-        $task->setNumber($this->taskRepository->findMaxNumberByProject($project) + 1);
 
         if (null !== $description) {
             $task->setDescription($description);
@@ -104,8 +110,11 @@ class CreateTaskTool
             }
         }
 
-        $this->entityManager->persist($task);
-        $this->entityManager->flush();
+        $this->entityManager->wrapInTransaction(function () use ($task, $project): void {
+            $task->setNumber($this->taskRepository->findMaxNumberByProjectForUpdate($project) + 1);
+            $this->entityManager->persist($task);
+            $this->entityManager->flush();
+        });
 
         return json_encode([
             'id'          => $task->getId(),

src/Mcp/Tool/Task/DeleteTaskTool.php

@@ -8,6 +8,8 @@ use App\Repository\TaskRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -17,10 +19,15 @@ class DeleteTaskTool
     public function __construct(
         private readonly TaskRepository $taskRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(int $id): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $task = $this->taskRepository->find($id);
 
         if (null === $task) {

src/Mcp/Tool/Task/GetTaskTool.php

@@ -8,6 +8,8 @@ use App\Mcp\Tool\Serializer;
 use App\Repository\TaskRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -16,10 +18,15 @@ class GetTaskTool
 {
     public function __construct(
         private readonly TaskRepository $taskRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(int $id): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $task = $this->taskRepository->find($id);
 
         if (null === $task) {

src/Mcp/Tool/Task/ListTasksTool.php

@@ -7,12 +7,15 @@ namespace App\Mcp\Tool\Task;
 use App\Mcp\Tool\Serializer;
 use App\Repository\TaskRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-tasks', description: 'List tasks with optional filters by project, status, assignee, priority, group, tags, and archive state. Returns max 100 results by default, use filters to narrow down.')]
 class ListTasksTool
 {
     public function __construct(
         private readonly TaskRepository $taskRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -25,6 +28,10 @@ class ListTasksTool
         bool $archived = false,
         int $limit = 100,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $limit = min($limit, 200);
 
         $qb = $this->taskRepository->createQueryBuilder('t')

src/Mcp/Tool/Task/UpdateTaskTool.php

@@ -15,6 +15,8 @@ use App\Repository\UserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -30,6 +32,7 @@ class UpdateTaskTool
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
         private readonly UserRepository $userRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -44,6 +47,10 @@ class UpdateTaskTool
         ?array $tagIds = null,
         ?bool $archived = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $task = $this->taskRepository->find($id);
 
         if (null === $task) {

src/Mcp/Tool/TaskMeta/CreateGroupTool.php

@@ -10,6 +10,8 @@ use App\Repository\ProjectRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -19,6 +21,7 @@ class CreateGroupTool
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly ProjectRepository $projectRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -27,6 +30,10 @@ class CreateGroupTool
         ?string $description = null,
         ?string $color = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $project = $this->projectRepository->find($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));

src/Mcp/Tool/TaskMeta/ListEffortsTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\TaskMeta;
 
 use App\Repository\TaskEffortRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-efforts', description: 'List all task effort levels. Efforts are global (shared across all projects).')]
 class ListEffortsTool
 {
     public function __construct(
         private readonly TaskEffortRepository $taskEffortRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $efforts = $this->taskEffortRepository->findBy([], ['label' => 'ASC']);
 
         return json_encode(array_map(fn ($e) => [

src/Mcp/Tool/TaskMeta/ListGroupsTool.php

@@ -7,16 +7,23 @@ namespace App\Mcp\Tool\TaskMeta;
 use App\Mcp\Tool\Serializer;
 use App\Repository\TaskGroupRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-groups', description: 'List task groups, optionally filtered by project. Groups are per-project (each group belongs to one project).')]
 class ListGroupsTool
 {
     public function __construct(
         private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(?int $projectId = null, bool $archived = false): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $criteria = ['archived' => $archived];
         if (null !== $projectId) {
             $criteria['project'] = $projectId;

src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\TaskMeta;
 
 use App\Repository\TaskPriorityRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-priorities', description: 'List all task priorities. Priorities are global (shared across all projects).')]
 class ListPrioritiesTool
 {
     public function __construct(
         private readonly TaskPriorityRepository $taskPriorityRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $priorities = $this->taskPriorityRepository->findBy([], ['label' => 'ASC']);
 
         return json_encode(array_map(fn ($p) => [

src/Mcp/Tool/TaskMeta/ListStatusesTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\TaskMeta;
 
 use App\Repository\TaskStatusRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-statuses', description: 'List all task statuses ordered by position. Statuses are global (shared across all projects). Use the returned IDs when creating or updating tasks.')]
 class ListStatusesTool
 {
     public function __construct(
         private readonly TaskStatusRepository $taskStatusRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $statuses = $this->taskStatusRepository->findBy([], ['position' => 'ASC']);
 
         return json_encode(array_map(fn ($s) => [

src/Mcp/Tool/TaskMeta/ListTagsTool.php

@@ -6,16 +6,23 @@ namespace App\Mcp\Tool\TaskMeta;
 
 use App\Repository\TaskTagRepository;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-tags', description: 'List all task tags. Tags are global (shared across all projects).')]
 class ListTagsTool
 {
     public function __construct(
         private readonly TaskTagRepository $taskTagRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $tags = $this->taskTagRepository->findBy([], ['label' => 'ASC']);
 
         return json_encode(array_map(fn ($t) => [

src/Mcp/Tool/TaskMeta/UpdateGroupTool.php

@@ -9,6 +9,8 @@ use App\Repository\TaskGroupRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -18,6 +20,7 @@ class UpdateGroupTool
     public function __construct(
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -27,6 +30,10 @@ class UpdateGroupTool
         ?string $color = null,
         ?bool $archived = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $group = $this->taskGroupRepository->find($id);
 
         if (null === $group) {

src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php

@@ -6,6 +6,7 @@ namespace App\Mcp\Tool\TimeEntry;
 
 use App\Entity\TimeEntry;
 use App\Mcp\Tool\Serializer;
+use App\Repository\ClientTicketRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
@@ -15,6 +16,8 @@ use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -28,6 +31,8 @@ class CreateTimeEntryTool
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,
         private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly ClientTicketRepository $clientTicketRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -39,7 +44,12 @@ class CreateTimeEntryTool
         ?int $taskId = null,
         ?array $tagIds = null,
         ?string $description = null,
+        ?int $clientTicketId = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $user = $this->userRepository->find($userId);
         if (null === $user) {
             throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
@@ -80,6 +90,13 @@ class CreateTimeEntryTool
             }
             $entry->setTask($task);
         }
+        if (null !== $clientTicketId) {
+            $clientTicket = $this->clientTicketRepository->find($clientTicketId);
+            if (null === $clientTicket) {
+                throw new InvalidArgumentException(sprintf('ClientTicket with ID %d not found.', $clientTicketId));
+            }
+            $entry->setClientTicket($clientTicket);
+        }
         if (null !== $tagIds) {
             foreach ($tagIds as $tagId) {
                 $tag = $this->taskTagRepository->find($tagId);

src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php

@@ -8,6 +8,8 @@ use App\Repository\TimeEntryRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -17,10 +19,15 @@ class DeleteTimeEntryTool
     public function __construct(
         private readonly TimeEntryRepository $timeEntryRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(int $id): string
     {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $entry = $this->timeEntryRepository->find($id);
 
         if (null === $entry) {

src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php

@@ -8,22 +8,30 @@ use App\Mcp\Tool\Serializer;
 use App\Repository\TimeEntryRepository;
 use DateTimeImmutable;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 #[McpTool(name: 'list-time-entries', description: 'List time entries with optional filters. Duration is computed in minutes and null for active timers.')]
 class ListTimeEntriesTool
 {
     public function __construct(
         private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
         ?int $userId = null,
         ?int $projectId = null,
         ?int $taskId = null,
+        ?int $clientTicketId = null,
         ?string $startDate = null,
         ?string $endDate = null,
         int $limit = 100,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $limit = min($limit, 200);
 
         $qb = $this->timeEntryRepository->createQueryBuilder('te')
@@ -31,6 +39,7 @@ class ListTimeEntriesTool
             ->leftJoin('te.project', 'p')->addSelect('p')
             ->leftJoin('te.task', 't')->addSelect('t')
             ->leftJoin('te.tags', 'tg')->addSelect('tg')
+            ->leftJoin('te.clientTicket', 'ct')->addSelect('ct')
             ->orderBy('te.startedAt', 'DESC')
             ->setMaxResults($limit)
         ;
@@ -44,6 +53,9 @@ class ListTimeEntriesTool
         if (null !== $taskId) {
             $qb->andWhere('t.id = :taskId')->setParameter('taskId', $taskId);
         }
+        if (null !== $clientTicketId) {
+            $qb->andWhere('ct.id = :clientTicketId')->setParameter('clientTicketId', $clientTicketId);
+        }
         if (null !== $startDate) {
             $qb->andWhere('te.startedAt >= :startDate')
                 ->setParameter('startDate', new DateTimeImmutable($startDate.' 00:00:00'))

src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Mcp\Tool\TimeEntry;
 
 use App\Mcp\Tool\Serializer;
+use App\Repository\ClientTicketRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
@@ -13,6 +14,8 @@ use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 use function sprintf;
 
@@ -24,7 +27,9 @@ class UpdateTimeEntryTool
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,
+        private readonly ClientTicketRepository $clientTicketRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
     ) {}
 
     public function __invoke(
@@ -36,7 +41,12 @@ class UpdateTimeEntryTool
         ?int $taskId = null,
         ?array $tagIds = null,
         ?string $description = null,
+        ?int $clientTicketId = null,
     ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
         $entry = $this->timeEntryRepository->find($id);
 
         if (null === $entry) {
@@ -69,6 +79,13 @@ class UpdateTimeEntryTool
             }
             $entry->setTask($task);
         }
+        if (null !== $clientTicketId) {
+            $clientTicket = $this->clientTicketRepository->find($clientTicketId);
+            if (null === $clientTicket) {
+                throw new InvalidArgumentException(sprintf('ClientTicket with ID %d not found.', $clientTicketId));
+            }
+            $entry->setClientTicket($clientTicket);
+        }
         if (null !== $tagIds) {
             foreach ($entry->getTags()->toArray() as $existingTag) {
                 $entry->removeTag($existingTag);

src/Repository/ClientTicketRepository.php

@@ -20,18 +20,26 @@ class ClientTicketRepository extends ServiceEntityRepository
     }
 
     /**
-     * Returns the next ticket number for a project, using a row-level lock
+     * Returns the max ticket number for a project, using an advisory lock
      * to prevent race conditions when creating tickets concurrently.
      */
-    public function findNextNumberForProjectForUpdate(Project $project): int
+    public function findMaxNumberByProjectForUpdate(Project $project): int
     {
         $conn = $this->getEntityManager()->getConnection();
 
+        // Use PostgreSQL advisory lock instead of FOR UPDATE
+        // because FOR UPDATE is not allowed with aggregate functions in PostgreSQL.
+        // Offset by 1000000 to avoid collision with task locks on the same project ID.
+        $conn->executeStatement(
+            'SELECT pg_advisory_xact_lock(:lockKey)',
+            ['lockKey' => $project->getId() + 1000000],
+        );
+
         $result = $conn->fetchOne(
-            'SELECT COALESCE(MAX(number), 0) FROM client_ticket WHERE project_id = :project FOR UPDATE',
+            'SELECT COALESCE(MAX(number), 0) FROM client_ticket WHERE project_id = :project',
             ['project' => $project->getId()],
         );
 
-        return ((int) $result) + 1;
+        return (int) $result;
     }
 }

src/Repository/TaskRepository.php

@@ -20,15 +20,22 @@ class TaskRepository extends ServiceEntityRepository
     }
 
     /**
-     * Returns the max task number for a project, using a row-level lock
+     * Returns the max task number for a project, using an advisory lock
      * to prevent race conditions when creating tasks concurrently.
      */
     public function findMaxNumberByProjectForUpdate(Project $project): int
     {
         $conn = $this->getEntityManager()->getConnection();
 
+        // Use PostgreSQL advisory lock (project ID as lock key) instead of FOR UPDATE
+        // because FOR UPDATE is not allowed with aggregate functions in PostgreSQL.
+        $conn->executeStatement(
+            'SELECT pg_advisory_xact_lock(:project)',
+            ['project' => $project->getId()],
+        );
+
         $result = $conn->fetchOne(
-            'SELECT COALESCE(MAX(number), 0) FROM task WHERE project_id = :project FOR UPDATE',
+            'SELECT COALESCE(MAX(number), 0) FROM task WHERE project_id = :project',
             ['project' => $project->getId()],
         );
 

src/State/ClientTicketNumberProcessor.php

@@ -53,7 +53,8 @@ final readonly class ClientTicketNumberProcessor implements ProcessorInterface
 
         $now = new DateTimeImmutable();
 
-        $data->setNumber($this->clientTicketRepository->findNextNumberForProjectForUpdate($project));
+        $maxNumber = $this->clientTicketRepository->findMaxNumberByProjectForUpdate($project);
+        $data->setNumber($maxNumber + 1);
         $data->setSubmittedBy($user);
         $data->setStatus('new');
         $data->setCreatedAt($now);

src/State/TaskDocumentProcessor.php

@@ -25,7 +25,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
     private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
 
     private const ALLOWED_MIME_TYPES = [
-        'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/svg+xml',
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
         'application/pdf',
         'application/msword',
         'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
@@ -40,7 +40,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
 
     private const MIME_TO_EXTENSION = [
         'image/jpeg'                                                                => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif',
-        'image/webp'                                                                => 'webp', 'image/svg+xml' => 'svg',
+        'image/webp'                                                                => 'webp',
         'application/pdf'                                                           => 'pdf',
         'application/msword'                                                        => 'doc',
         'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
@@ -92,6 +92,11 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         $clientTicket = null;
 
         if ('' !== $taskIri) {
+            // ROLE_CLIENT (without ROLE_ADMIN) cannot upload documents directly to tasks
+            if ($this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN')) {
+                throw new AccessDeniedHttpException('Clients can only upload documents to client tickets.');
+            }
+
             $task = $this->entityManager->getRepository(Task::class)->find((int) basename($taskIri));
 
             if (null === $task) {