fix(core) : harden review findings (me-provider null guard, audit-ignore plainpassword, rbac self-edit guard, module id dedup, audit pagination guard)

.claude/skills/ticket-executor/LEARNINGS.md

@@ -145,3 +145,25 @@
 - **MCP status**: Toujours mettre "En cours" AVANT de commencer, "Terminé" APRÈS validation
 - **PostgreSQL gotchas**: Tester les queries SQL avec agrégation + locking sur PostgreSQL, pas MySQL
 - **Agents**: Les agents simples (1-3 fichiers) terminent en ~30s, les complexes (22 fichiers) en ~8min
+
+## Session 2026-06-19 (LST-61 / 1.3 — Audit log : #[Auditable], audit_log, AuditListener, resource)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-61-audit-log.md`, Tasks A→F). Exécution : 1 sous-agent par task (A, B, C, D, E) en séquence, vérif + smoke par la session principale entre chaque ; Task F (validation finale + correctif front + learnings + push + statut) en direct.
+- Infra portée VERBATIM depuis Starseed (réf canonique `/home/matthieu/dev_malio/Starseed`) : `AuditListener` byte-identique (`diff -q` OK), + 6 fichiers API (DTO/paginator/providers/resources) copiés tels quels — namespaces `App\Module\Core\...` et `App\Shared\Domain\Attribute\...` DÉJÀ alignés entre les deux projets, zéro adaptation.
+- 6 commits impl (`934cf08` A, `d8553f0` B, `8c3699a` C, `90b8ca1` D, `e7af415` E, `9b26b43` fix front) + plan `fda03bd`. Tests : 147→157 verts. Branche `feat/lst-61-audit-log` empilée sur `feat/lst-57-rbac-fin`.
+
+### Patterns
+- **Audit en 4 couches additives** : (1) marquage déclaratif `#[Auditable]`(TARGET_CLASS) / `#[AuditIgnore]`(TARGET_PROPERTY) dans `src/Shared/Domain/Attribute/` (Shared, pas Core → aucun module n'a de dépendance circulaire) ; (2) capture `AuditListener` Doctrine sur `onFlush` (lit `UnitOfWork` : insertions/updates/deletions + `getScheduledCollectionUpdates/Deletions` pour le M2M) puis `postFlush` (écrit, swap-and-clear anti-réentrance) ; (3) écriture `AuditLogWriter` sur connexion DBAL dédiée `audit` (hors transaction ORM → survit aux rollbacks) ; (4) lecture `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator implements PaginatorInterface` (API Platform génère `hydra:view` seul).
+- **Connexion DBAL dédiée + `schema_filter`** : restructurer `doctrine.yaml` de connexion unique → `connections: {default, audit}` (même DSN), `default_connection: default`, `schema_filter: '~^(?!audit_log$).+~'` sur `default` (la table n'a PAS d'entité → exclue de `migrations:diff`/`schema:validate`). Le bloc `orm` reste INCHANGÉ (l'EM par défaut se lie à `default_connection`). En `when@test`, propager `dbname_suffix` aux DEUX connexions (sinon `audit` écrit en base dev pendant que l'ORM écrit en test).
+- **Table append-only hors ORM** : créée par migration manuelle (squelette via `doctrine:migrations:generate` puis contenu écrit à la main — JAMAIS `migrations:diff`, qui ne voit pas la table). `id uuid` natif PG, `changes JSONB`, `performed_at TIMESTAMP(6) WITH TIME ZONE`. UUID v7 (writer, tri monotone) / v4 (requestId par requête HTTP). `entity_type` au format `module.Entity` (regex `App\Module\<module>\...\<Entity>` → `core.User`).
+- **Marquage scope = entités migrées** : `#[Auditable]` posé sur User/Role/Permission (Core) uniquement ; `#[AuditIgnore]` sur `User.password` ET `User.apiToken` (Lesstime n'a pas de `plainPassword`). Défense en profondeur : `AuditLogWriter::SENSITIVE_KEYS` strippe aussi `password/plainPassword/apiToken/token/secret`. Les entités métier legacy (`src/Entity/*`) seront marquées à leur migration en modules (2.x).
+
+### Gotchas
+- **Tests fonctionnels Lesstime SANS rollback transactionnel** (pas de DAMADoctrineTestBundle) : les entités persistées survivent d'un run à l'autre → violation d'unicité `username`. Convention projet : `uniqid()` OU nettoyage explicite en `setUp()` (`DELETE FROM "user" WHERE username LIKE 'audit\_%'`). Les données d'audit de test se seedent directement via `doctrine.dbal.audit_connection` (DELETE + inserts UUID v7) pour du déterministe.
+- **`migrations:diff` génère un fichier jetable** même quand on ne veut que vérifier : toujours supprimer le `Version<ts>.php` non suivi créé après un diff de contrôle (`git ls-files --others migrations/`). Une dérive préexistante `messenger_messages` (DROP) pollue le diff — sans rapport, ne pas committer.
+- **`/audit-log-entity-types` = ressource item unique, pas une collection** : `Get` API Platform avec `uriTemplate` fixe sans `{id}` → renvoie `{ entityTypes: string[] }` (PAS d'enveloppe hydra `member`). Le service front ne doit PAS passer par `extractHydraMembers` ici (bug livré par le sous-agent E, corrigé en `9b26b43`). `/audit-logs` en revanche est bien une collection paginée hydra.
+- **Login en curl = `/login_check` (POST), pas `/api/login`** ; le JWT json_login est capricieux en curl pur (405/cookie). La preuve d'auth faisant autorité reste le test fonctionnel (client `loginUser()`), pas un smoke curl.
+
+### Time-tracking / orchestration
+- **Interdire explicitement aux sous-agents de toucher au MCP lesstime** (timer + statut ticket) : un sous-agent a spontanément créé/stoppé une time entry (1016) alors que le chrono est piloté par la session principale. Ajouter la consigne « NE TOUCHE PAS au time-tracking » dans chaque prompt de sous-agent. Pas de conflit ici (il avait stoppé l'actif avant), mais découpage involontaire.

config/packages/doctrine.yaml

@@ -1,12 +1,19 @@
 doctrine:
     dbal:
-        url: '%env(resolve:DATABASE_URL)%'
-
-        # IMPORTANT: You MUST configure your server version,
-        # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '16'
-
-        profiling_collect_backtrace: '%kernel.debug%'
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
     orm:
         validate_xml_mapping: true
         naming_strategy: doctrine.orm.naming_strategy.underscore_number_aware
@@ -33,8 +40,13 @@ doctrine:
 when@test:
     doctrine:
         dbal:
-            # "TEST_TOKEN" is typically set by ParaTest
-            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
 
 when@prod:
     doctrine:

docs/superpowers/plans/2026-06-19-lst-61-audit-log.md

@@ -0,0 +1,706 @@
+# LST-61 (1.3) · Audit log — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Porter l'infrastructure d'audit de Starseed dans Lesstime : tracer create/update/delete des entités `#[Auditable]` dans une table append-only `audit_log`, exposée en lecture seule via `GET /api/audit-logs` (paginé + filtrable), avec une page de consultation front gated RBAC.
+
+**Architecture:** 4 couches indépendantes, additives (strangler) — (1) **marquage** déclaratif `#[Auditable]`/`#[AuditIgnore]` dans `src/Shared/Domain/Attribute/` ; (2) **capture** par un `AuditListener` Doctrine sur `onFlush`/`postFlush` (capture en mémoire puis écriture déphasée) ; (3) **écriture** via `AuditLogWriter` sur une connexion DBAL dédiée `audit` (hors transaction ORM, survit aux rollbacks) ; (4) **lecture API** via `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator`. Front Nuxt : service + page consultation gated `core.audit_log.view`.
+
+**Tech Stack:** Symfony 8, API Platform 4, Doctrine ORM/DBAL, PostgreSQL 16, PHP 8.4, PHPUnit, symfony/uid (vendoré), Nuxt 4 / Vue 3 / Pinia / @nuxtjs/i18n.
+
+## Global Constraints
+
+- **Aucune mention de Claude/Anthropic/IA** dans les écritures Git (commits, trailers, descriptions MR, merge). Messages factuels et techniques.
+- **Additif uniquement** : aucune migration destructive (pas de DROP/ALTER sur tables existantes en `up()`).
+- **PostgreSQL** : noms de colonnes toujours en minuscules snake_case dans le SQL brut.
+- **Code** : `declare(strict_types=1)`, PSR-12, patterns API Platform / Doctrine existants. Variables et commentaires en anglais.
+- **`config/reference.php`** auto-généré — NE JAMAIS committer.
+- Toujours lire un fichier avant de le modifier ; reproduire le style existant.
+- Branche : `feat/lst-61-audit-log` (empilée sur `feat/lst-57-rbac-fin`).
+- Tests Docker : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`.
+
+---
+
+## File Structure
+
+**Créés :**
+- `src/Shared/Domain/Attribute/Auditable.php` — marqueur classe
+- `src/Shared/Domain/Attribute/AuditIgnore.php` — marqueur propriété
+- `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php` — écriture DBAL `audit`
+- `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php` — UUID par requête
+- `src/Module/Core/Infrastructure/Doctrine/AuditListener.php` — capture onFlush/postFlush
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+- `src/Module/Core/Application/DTO/AuditLogOutput.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+- `migrations/Version20260619XXXXXX.php` — table `audit_log`
+- `tests/Functional/Module/Core/AuditListenerTest.php`
+- `tests/Functional/Module/Core/AuditLogApiTest.php`
+- `frontend/modules/core/services/audit-logs.ts`
+- `frontend/components/admin/AdminAuditTab.vue`
+
+**Modifiés :**
+- `config/packages/doctrine.yaml` — connexion `audit` + `schema_filter` audit_log
+- `src/Module/Core/CoreModule.php` — permission `core.audit_log.view`
+- `src/Module/Core/Domain/Entity/User.php` — `#[Auditable]` + `#[AuditIgnore]` password/apiToken
+- `src/Module/Core/Domain/Entity/Role.php` — `#[Auditable]`
+- `src/Module/Core/Domain/Entity/Permission.php` — `#[Auditable]`
+- `tests/Unit/Module/Core/CoreModuleTest.php` — assert nouvelle permission
+- `frontend/pages/admin.vue` — onglet Audit gated `core.audit_log.view`
+- `frontend/i18n/locales/fr.json` — clés `admin.audit.*` + `audit.entity.*`
+
+---
+
+## Task A: Marquage + table + connexion DBAL audit
+
+**Files:**
+- Create: `src/Shared/Domain/Attribute/Auditable.php`, `src/Shared/Domain/Attribute/AuditIgnore.php`
+- Create: `migrations/Version20260619XXXXXX.php`
+- Modify: `config/packages/doctrine.yaml`
+
+**Interfaces produced:** `App\Shared\Domain\Attribute\Auditable` (TARGET_CLASS), `App\Shared\Domain\Attribute\AuditIgnore` (TARGET_PROPERTY) ; service DBAL `doctrine.dbal.audit_connection` ; table `audit_log`.
+
+- [ ] **Step A1: Attributs** — créer les deux fichiers :
+
+```php
+<?php
+// src/Shared/Domain/Attribute/Auditable.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable
+{
+}
+```
+
+```php
+<?php
+// src/Shared/Domain/Attribute/AuditIgnore.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore
+{
+}
+```
+
+- [ ] **Step A2: Migration** — créer `migrations/Version20260619XXXXXX.php` (timestamp réel via `php bin/console make:migration` puis remplacer le contenu, OU horodatage manuel cohérent > 20260619145109) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619XXXXXX extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}
+```
+
+- [ ] **Step A3: Connexion DBAL `audit`** — restructurer `config/packages/doctrine.yaml`. Remplacer le bloc `dbal` racine (connexion unique) par des connexions nommées, et propager le `dbname_suffix` de test aux deux connexions. **Le bloc `orm` reste inchangé** (l'EM par défaut se lie à `default_connection`).
+
+Remplacer :
+```yaml
+    dbal:
+        url: '%env(resolve:DATABASE_URL)%'
+
+        # IMPORTANT: You MUST configure your server version,
+        # either here or in the DATABASE_URL env var (see .env file)
+        #server_version: '16'
+
+        profiling_collect_backtrace: '%kernel.debug%'
+```
+par :
+```yaml
+    dbal:
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
+```
+
+Et remplacer le bloc `when@test` :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # "TEST_TOKEN" is typically set by ParaTest
+            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+par :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+
+- [ ] **Step A4: Vérifier la non-régression** — la restructuration des connexions est le point sensible. Lancer la suite existante :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected: 147 tests toujours verts (aucune régression liée au changement de connexions).
+
+- [ ] **Step A5: Appliquer la migration (dev + test)** :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n --env=test
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -i "audit_log" || echo "OK: audit_log absent du diff (schema_filter actif)"
+```
+Expected: table créée, `audit_log` absente de tout diff généré.
+
+- [ ] **Step A6: Commit**
+```bash
+git add src/Shared/Domain/Attribute config/packages/doctrine.yaml migrations/
+git commit -m "feat(core) : add audit attributes, audit_log table and dedicated dbal connection"
+```
+
+---
+
+## Task B: AuditLogWriter + RequestIdProvider
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php`
+- Create: `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php`
+
+**Interfaces produced:** `AuditLogWriter::log(string $entityType, string $entityId, string $action, array $changes): void` ; `RequestIdProvider::getRequestId(): ?string`.
+
+- [ ] **Step B1: RequestIdProvider** (verbatim Starseed) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}
+```
+
+- [ ] **Step B2: AuditLogWriter** (verbatim Starseed, connexion `audit`) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {
+    }
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}
+```
+
+- [ ] **Step B3: Vérifier le câblage** (autowiring) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:container App\\Module\\Core\\Infrastructure\\Audit\\AuditLogWriter 2>&1 | head -20
+```
+Expected: service trouvé, injection `doctrine.dbal.audit_connection` résolue.
+
+- [ ] **Step B4: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Audit/
+git commit -m "feat(core) : add audit log writer and request id provider"
+```
+
+---
+
+## Task C: AuditListener + marquage des entités Core
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Doctrine/AuditListener.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php`, `Role.php`, `Permission.php`
+- Test: `tests/Functional/Module/Core/AuditListenerTest.php`
+
+**Interfaces consumed:** `AuditLogWriter`, attributs `Auditable`/`AuditIgnore`.
+
+- [ ] **Step C1: Écrire le test fonctionnel (échec attendu)** — `tests/Functional/Module/Core/AuditListenerTest.php`. Le test crée/modifie/supprime un User via l'EntityManager dans le kernel de test, puis lit `audit_log` via la connexion `audit`. (S'inspirer du style des tests fonctionnels existants — `RoleApiTest`, `UserRbacApiTest`.)
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container = self::getContainer();
+        $this->em = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions.
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+}
+```
+
+> **Note adaptation :** vérifier la signature réelle de `User` (setters disponibles : `setUsername`, `setPassword`, `setRoles`, `setFirstName`). Ajuster `makeUser()` aux champs NOT NULL réels de la table `user`. Si `User` exige d'autres champs obligatoires (ex. `createdAt` initialisé au constructeur — déjà le cas), ne rien ajouter.
+
+- [ ] **Step C2: Run le test → échec** (listener absent, entités non marquées) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: FAIL.
+
+- [ ] **Step C3: Créer `AuditListener`** (verbatim Starseed, namespace `App\Module\Core\Infrastructure\Doctrine`). Copier intégralement le listener fourni dans le rapport Starseed (onFlush capture + postFlush écriture, swap-and-clear, gestion collections, snapshot create/delete, buildUpdateChanges, formatEntityType regex `App\Module\<module>\...\<Entity>`, caches Auditable/AuditIgnore). **Ne rien simplifier.**
+
+- [ ] **Step C4: Marquer les entités Core.**
+
+`src/Module/Core/Domain/Entity/User.php` — ajouter import + attribut classe + `#[AuditIgnore]` sur `password` et `apiToken` :
+```php
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+```
+```php
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
+#[ORM\Table(name: '`user`')]
+class User implements ...
+```
+Sur la propriété `password` (ligne ~89-90) et `apiToken` (ligne ~99-100), ajouter `#[AuditIgnore]` au-dessus de la ligne `private ?string $password = null;` / `private ?string $apiToken = null;`.
+
+`src/Module/Core/Domain/Entity/Role.php` — ajouter `use App\Shared\Domain\Attribute\Auditable;` et `#[Auditable]` au-dessus de `#[ORM\Entity...]`.
+
+`src/Module/Core/Domain/Entity/Permission.php` — idem `#[Auditable]`.
+
+- [ ] **Step C5: Run le test → succès** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: PASS (3 tests).
+
+- [ ] **Step C6: Suite complète + cs-fixer** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+Expected: tout vert.
+
+- [ ] **Step C7: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Doctrine/AuditListener.php src/Module/Core/Domain/Entity/ tests/Functional/Module/Core/AuditListenerTest.php
+git commit -m "feat(core) : add doctrine audit listener and mark core entities auditable"
+```
+
+---
+
+## Task D: API de lecture `/api/audit-logs` + permission
+
+**Files:**
+- Create: `AuditLogOutput.php`, `DbalPaginator.php`, `AuditLogProvider.php`, `AuditLogResource.php`, `AuditLogEntityTypesResource.php`, `AuditLogEntityTypesProvider.php`
+- Modify: `src/Module/Core/CoreModule.php` (permission), `tests/Unit/Module/Core/CoreModuleTest.php`
+- Test: `tests/Functional/Module/Core/AuditLogApiTest.php`
+
+**Interfaces consumed:** table `audit_log`, connexion `doctrine.dbal.default_connection`, permission `core.audit_log.view`.
+
+- [ ] **Step D1: Permission** — ajouter dans `CoreModule::permissions()` :
+```php
+['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
+```
+Mettre à jour `tests/Unit/Module/Core/CoreModuleTest.php` pour asserter la présence de ce code (la liste passe à 6 permissions).
+
+- [ ] **Step D2: DTO + Paginator + Providers + Resources** — créer les 6 fichiers verbatim depuis le rapport Starseed :
+  - `src/Module/Core/Application/DTO/AuditLogOutput.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+
+  **Adaptation pagination :** Lesstime n'a pas de `itemsPerPage`/`maximum_items_per_page` explicite dans `api_platform.yaml`. Le provider utilise `Pagination::getPage()`/`getLimit()` (défauts API Platform : 30/page). C'est acceptable. Conserver le clamp `max(1, page)`.
+
+- [ ] **Step D3: Écrire le test API (échec attendu)** — `tests/Functional/Module/Core/AuditLogApiTest.php`. S'aligner sur le helper d'auth des tests existants (login admin/admin via cookie JWT, cf. `RoleApiTest`). Tests :
+  - admin authentifié : `GET /api/audit-logs` → 200, structure hydra paginée.
+  - filtre `?action=update` → ne renvoie que des updates.
+  - filtre `?entity_type=core.User`.
+  - `?action=bogus` → 400.
+  - utilisateur sans permission (alice) : 403.
+  - non authentifié : 401.
+
+  Préparer des données : créer/modifier un User via l'EM avant les assertions (le listener écrit), OU insérer directement des lignes via la connexion `audit`.
+
+- [ ] **Step D4: Run → échec, puis vérifier la route** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:router 2>&1 | grep -i audit
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditLogApiTest.php
+```
+Expected: routes `/api/audit-logs`, `/api/audit-logs/{id}`, `/api/audit-log-entity-types` présentes ; test passe une fois les providers branchés.
+
+- [ ] **Step D5: sync-permissions** (enregistre `core.audit_log.view` en base dev + test) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions --env=test
+```
+
+- [ ] **Step D6: Suite complète + cs-fixer**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+
+- [ ] **Step D7: Commit**
+```bash
+git add src/Module/Core/ tests/
+git commit -m "feat(core) : expose read-only audit-logs api with dbal provider and pagination"
+```
+
+---
+
+## Task E: Front — page consultation gated RBAC
+
+**Files:**
+- Create: `frontend/modules/core/services/audit-logs.ts`, `frontend/components/admin/AdminAuditTab.vue`
+- Modify: `frontend/pages/admin.vue`, `frontend/i18n/locales/fr.json`
+
+**Interfaces consumed:** `GET /api/audit-logs`, composable `usePermissions` (livré en 1.2), pattern onglet admin (cf. `AdminRoleTab.vue` créé en 1.2).
+
+- [ ] **Step E1: Service** — `frontend/modules/core/services/audit-logs.ts` : fonction `fetchAuditLogs(params)` via `useApi()` (suivre `roles.ts`/`permissions.ts` créés en 1.2). Types : `AuditLogItem { id, entityType, entityId, action, changes, performedBy, performedAt, ipAddress, requestId }`.
+
+- [ ] **Step E2: Composant onglet** — `frontend/components/admin/AdminAuditTab.vue` : tableau paginé (colonnes date, utilisateur, type d'entité, action, id), filtre par `entityType` et `action`. Labels via i18n `audit.entity.*` et `audit.action.*`. Reproduire le style de `AdminRoleTab.vue`.
+
+- [ ] **Step E3: Onglet dans admin.vue** — ajouter un onglet « Audit » gated `can('core.audit_log.view')` (suivre le gating de l'onglet rôles ajouté en 1.2).
+
+- [ ] **Step E4: i18n** — `frontend/i18n/locales/fr.json` : ajouter `admin.audit.*` (titre, colonnes, filtres) et `audit.entity.core.User` = « Utilisateur », `audit.entity.core.Role` = « Rôle », `audit.entity.core.Permission` = « Permission » ; `audit.action.create/update/delete`.
+
+- [ ] **Step E5: Vérifier la route déterministe (SPA)** :
+```bash
+cd frontend && npx nuxt build 2>&1 | tail -5
+grep -o 'name:"admin"' .output/server/chunks/build/client.precomputed.mjs | head -1
+```
+Expected: build OK (la page admin reste enregistrée).
+
+- [ ] **Step E6: Commit**
+```bash
+git add frontend/
+git commit -m "feat(core) : add audit log consultation tab in admin gated by permission"
+```
+
+---
+
+## Task F: Validation finale + statut
+
+- [ ] **Step F1: Suite complète verte + login fumée**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Vérifier login admin → 204 + `GET /api/me` 200 + `GET /api/audit-logs` 200 (cURL ou via test).
+
+- [ ] **Step F2: migrations:diff propre** (audit_log absente du diff) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -ci audit_log
+```
+Expected: 0.
+
+- [ ] **Step F3: Learnings** — append session #61 à `.claude/skills/ticket-executor/LEARNINGS.md`, commit `docs : log LST-61 audit log session learnings`.
+
+- [ ] **Step F4: Push branche + MR empilée sur #57** (Gitea, base `feat/lst-57-rbac-fin`), draft puis un-draft via API si voulu.
+
+- [ ] **Step F5: Ticket #61 (id 647) → « En attente de validation » (statut 4)**, stopper le timer, informer l'utilisateur.
+
+---
+
+## Self-Review (couverture spec)
+
+| Critère d'acceptation | Tâche |
+|---|---|
+| CRUD des entités `#[Auditable]` tracé | C (listener + test create/update/delete) |
+| Endpoint `/api/audit-logs` paginé/filtrable | D (provider DBAL + DbalPaginator + filtres) |
+| `make test` vert, aucune migration destructive | A (migration additive), C/D/F (suite) |
+| `#[Auditable]`/`#[AuditIgnore]` dans Shared | A1 |
+| Table `audit_log` (qui/quoi/quand/diff/requestId) + COMMENT | A2 |
+| `#[AuditIgnore]` champs sensibles (password, apiToken) | C4 + B2 blacklist |
+| Front consultation + i18n `audit.entity.*` gated RBAC | E |
+
+**Décision de scope :** `#[Auditable]` posé sur les **entités migrées** (User, Role, Permission) conformément au libellé du ticket. Les entités métier legacy (`src/Entity/*`) ne sont pas marquées ici — elles le seront lors de leur migration en modules (phases 2.x+). L'infra est prête à les auditer sans modification dès qu'elles portent l'attribut.

frontend/components/admin/AdminAuditTab.vue

@@ -0,0 +1,160 @@
+<template>
+    <div>
+        <div class="flex items-center justify-between">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('admin.audit.title') }}</h2>
+        </div>
+
+        <div class="mt-4 flex flex-wrap gap-4">
+            <MalioSelect
+                v-model="entityTypeFilter"
+                :options="entityTypeOptions"
+                :label="$t('admin.audit.filterEntityType')"
+                :empty-option-label="$t('admin.audit.filterEntityTypeAll')"
+                group-class="w-64"
+            />
+            <MalioSelect
+                v-model="actionFilter"
+                :options="actionOptions"
+                :label="$t('admin.audit.filterAction')"
+                :empty-option-label="$t('admin.audit.filterActionAll')"
+                group-class="w-64"
+            />
+        </div>
+
+        <DataTable
+            :columns="columns"
+            :items="rows"
+            :loading="isLoading"
+            :empty-message="$t('admin.audit.empty')"
+        >
+            <template #cell-performedAt="{ item }">
+                {{ formatDate(item.performedAt) }}
+            </template>
+            <template #cell-entityType="{ item }">
+                {{ entityTypeLabel(item.entityType) }}
+            </template>
+            <template #cell-action="{ item }">
+                {{ actionLabel(item.action) }}
+            </template>
+        </DataTable>
+
+        <div class="mt-4 flex items-center justify-between">
+            <span class="text-sm text-neutral-500">{{ $t('admin.audit.page', { page }) }}</span>
+            <div class="flex gap-2">
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.previous')"
+                    :disabled="page <= 1 || isLoading"
+                    @click="goToPage(page - 1)"
+                />
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.next')"
+                    :disabled="!hasNextPage || isLoading"
+                    @click="goToPage(page + 1)"
+                />
+            </div>
+        </div>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { AuditLogAction, AuditLogItem } from '~/modules/core/services/audit-logs'
+import { useAuditLogService } from '~/modules/core/services/audit-logs'
+
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t, te } = useI18n()
+
+const PAGE_SIZE = 30
+
+const columns = computed<DataTableColumn[]>(() => [
+    { key: 'performedAt', label: t('admin.audit.date'), primary: true },
+    { key: 'performedBy', label: t('admin.audit.performedBy') },
+    { key: 'entityType', label: t('admin.audit.entityType') },
+    { key: 'action', label: t('admin.audit.action') },
+    { key: 'entityId', label: t('admin.audit.entityId') },
+])
+
+const actionOptions = computed<{ value: AuditLogAction, label: string }[]>(() => [
+    { value: 'create', label: t('audit.action.create') },
+    { value: 'update', label: t('audit.action.update') },
+    { value: 'delete', label: t('audit.action.delete') },
+])
+
+const auditLogService = useAuditLogService()
+
+const rows = ref<AuditLogItem[]>([])
+const entityTypes = ref<string[]>([])
+const totalItems = ref(0)
+const page = ref(1)
+const isLoading = ref(true)
+const entityTypeFilter = ref<string | null>(null)
+const actionFilter = ref<AuditLogAction | null>(null)
+
+const entityTypeOptions = computed<{ value: string, label: string }[]>(() =>
+    entityTypes.value.map((value) => ({ value, label: entityTypeLabel(value) })),
+)
+
+// PAGE_SIZE must match the API default page size. The full-page guard keeps the
+// "next" button accurate even on the last (partial) page.
+const hasNextPage = computed(() => rows.value.length >= PAGE_SIZE && page.value * PAGE_SIZE < totalItems.value)
+
+function entityTypeLabel(value: string): string {
+    const key = `audit.entity.${value}`
+    return te(key) ? t(key) : value
+}
+
+function actionLabel(action: AuditLogAction): string {
+    return t(`audit.action.${action}`)
+}
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+        hour: '2-digit',
+        minute: '2-digit',
+    })
+}
+
+async function loadItems() {
+    isLoading.value = true
+    try {
+        const result = await auditLogService.list({
+            page: page.value,
+            entityType: entityTypeFilter.value ?? undefined,
+            action: actionFilter.value ?? undefined,
+        })
+        rows.value = result.items
+        totalItems.value = result.totalItems
+    } finally {
+        isLoading.value = false
+    }
+}
+
+async function loadEntityTypes() {
+    entityTypes.value = await auditLogService.entityTypes()
+}
+
+function goToPage(target: number) {
+    if (target < 1) {
+        return
+    }
+    page.value = target
+    loadItems()
+}
+
+watch([entityTypeFilter, actionFilter], () => {
+    page.value = 1
+    loadItems()
+})
+
+onMounted(() => {
+    loadItems()
+    loadEntityTypes()
+})
+</script>

frontend/i18n/locales/fr.json

@@ -214,6 +214,36 @@
             "created": "Rôle créé avec succès.",
             "updated": "Rôle mis à jour avec succès.",
             "deleted": "Rôle supprimé avec succès."
+        },
+        "audit": {
+            "title": "Audit",
+            "empty": "Aucune entrée d'audit trouvée.",
+            "date": "Date",
+            "performedBy": "Utilisateur",
+            "entityType": "Type d'entité",
+            "action": "Action",
+            "entityId": "Identifiant",
+            "filterEntityType": "Type d'entité",
+            "filterEntityTypeAll": "Tous les types",
+            "filterAction": "Action",
+            "filterActionAll": "Toutes les actions",
+            "previous": "Précédent",
+            "next": "Suivant",
+            "page": "Page {page}"
+        }
+    },
+    "audit": {
+        "entity": {
+            "core": {
+                "User": "Utilisateur",
+                "Role": "Rôle",
+                "Permission": "Permission"
+            }
+        },
+        "action": {
+            "create": "Création",
+            "update": "Modification",
+            "delete": "Suppression"
         }
     },
     "timeEntries": {

frontend/modules/core/services/audit-logs.ts

@@ -0,0 +1,65 @@
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type AuditLogAction = 'create' | 'update' | 'delete'
+
+export type AuditLogItem = {
+    id: string
+    '@id'?: string
+    entityType: string
+    entityId: string
+    action: AuditLogAction
+    changes: Record<string, unknown>
+    performedBy: string
+    performedAt: string
+    ipAddress: string | null
+    requestId: string | null
+}
+
+export type AuditLogQuery = {
+    page?: number
+    entityType?: string
+    action?: AuditLogAction
+}
+
+export type AuditLogPage = {
+    items: AuditLogItem[]
+    totalItems: number
+}
+
+export type AuditLogEntityTypes = {
+    '@id'?: string
+    entityTypes: string[]
+}
+
+export function useAuditLogService() {
+    const api = useApi()
+
+    async function list(params: AuditLogQuery = {}): Promise<AuditLogPage> {
+        const query: Record<string, unknown> = {}
+        if (params.page !== undefined) {
+            query.page = params.page
+        }
+        if (params.entityType) {
+            query.entity_type = params.entityType
+        }
+        if (params.action) {
+            query.action = params.action
+        }
+
+        const data = await api.get<HydraCollection<AuditLogItem>>('/audit-logs', query)
+        return {
+            items: extractHydraMembers(data),
+            totalItems: data['hydra:totalItems'] ?? data['totalItems'] ?? 0,
+        }
+    }
+
+    async function entityTypes(): Promise<string[]> {
+        // `/audit-log-entity-types` is a single API Platform item resource
+        // (not a hydra collection): it returns `{ entityTypes: string[] }`.
+        const data = await api.get<AuditLogEntityTypes>('/audit-log-entity-types')
+        return data.entityTypes ?? []
+    }
+
+    return { list, entityTypes }
+}

frontend/pages/admin.vue

@@ -28,6 +28,7 @@
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
             <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
+            <AdminAuditTab v-if="activeTab === 'audit' && canViewAudit" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
@@ -46,6 +47,7 @@ const { can } = usePermissions()
 const { t } = useI18n()
 
 const canViewRoles = computed(() => can('core.roles.view'))
+const canViewAudit = computed(() => can('core.audit_log.view'))
 
 const tabs = [
     { key: 'clients', label: 'Clients' },
@@ -55,6 +57,7 @@ const tabs = [
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
     { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
+    { key: 'audit', label: t('admin.audit.title'), permission: 'core.audit_log.view' },
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },

migrations/Version20260619185448.php

@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619185448 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}

src/Module/Core/Application/DTO/AuditLogOutput.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\DTO;
+
+use DateTimeImmutable;
+
+/**
+ * DTO de sortie pour une ligne d'audit.
+ *
+ * Readonly : aucune mutation possible apres hydration. La resource API
+ * Platform expose directement ce DTO (pas d'entite sous-jacente car la
+ * table audit_log n'est pas geree par l'ORM).
+ */
+final readonly class AuditLogOutput
+{
+    public function __construct(
+        public string $id,
+        public string $entityType,
+        public string $entityId,
+        public string $action,
+        /** @var array<string, mixed> */
+        public array $changes,
+        public string $performedBy,
+        public DateTimeImmutable $performedAt,
+        public ?string $ipAddress,
+        public ?string $requestId,
+    ) {}
+}

src/Module/Core/CoreModule.php

@@ -36,6 +36,7 @@ final class CoreModule implements ModuleInterface
             ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
             ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
             ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
+            ['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
         ];
     }
 }

src/Module/Core/Domain/Entity/Permission.php

@@ -8,10 +8,12 @@ use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use App\Shared\Domain\Attribute\Auditable;
 use Doctrine\ORM\Mapping as ORM;
 use InvalidArgumentException;
 use Symfony\Component\Serializer\Attribute\Groups;
 
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
 #[ORM\Table(name: 'permission')]
 #[ORM\Index(name: 'idx_permission_module', columns: ['module'])]

src/Module/Core/Domain/Entity/Role.php

@@ -13,6 +13,7 @@ use ApiPlatform\Metadata\Post;
 use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use App\Shared\Domain\Attribute\Auditable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -20,6 +21,7 @@ use InvalidArgumentException;
 use Symfony\Component\Serializer\Attribute\Groups;
 use Symfony\Component\Serializer\Attribute\SerializedName;
 
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
 #[ORM\Table(name: '`role`')]
 #[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]

src/Module/Core/Domain/Entity/User.php

@@ -16,6 +16,8 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -58,6 +60,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
@@ -87,9 +90,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     private array $roles = [];
 
     #[ORM\Column]
+    #[AuditIgnore]
     private ?string $password = null;
 
     #[Groups(['user:write'])]
+    #[AuditIgnore]
     private ?string $plainPassword = null;
 
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
@@ -97,6 +102,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
 
     #[ORM\Column(length: 64, unique: true, nullable: true)]
     #[Groups(['me:read'])]
+    #[AuditIgnore]
     private ?string $apiToken = null;
 
     #[ORM\Column(length: 255, nullable: true)]

src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php

@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Pagination;
+
+use ApiPlatform\State\Pagination\PaginatorInterface;
+use ArrayIterator;
+use IteratorAggregate;
+use Traversable;
+
+/**
+ * Paginator pour resources alimentees par DBAL (pas par Doctrine ORM).
+ *
+ * Implemente PaginatorInterface : API Platform l'introspecte pour generer
+ * automatiquement la section `hydra:view` (first / next / previous / last)
+ * dans la reponse JSON-LD. Aucun calcul manuel de liens.
+ *
+ * @template T of object
+ *
+ * @implements PaginatorInterface<T>
+ */
+final readonly class DbalPaginator implements PaginatorInterface, IteratorAggregate
+{
+    /**
+     * @param list<T> $items        Items deja decoupes sur la page courante
+     * @param int     $currentPage  Page courante (1-indexee)
+     * @param int     $itemsPerPage Limite appliquee a la requete SQL
+     * @param int     $totalItems   Resultat du COUNT(*) sans limite
+     */
+    public function __construct(
+        private array $items,
+        private int $currentPage,
+        private int $itemsPerPage,
+        private int $totalItems,
+    ) {}
+
+    public function getCurrentPage(): float
+    {
+        return (float) $this->currentPage;
+    }
+
+    public function getLastPage(): float
+    {
+        if ($this->itemsPerPage <= 0) {
+            return 1.0;
+        }
+
+        return (float) max(1, (int) ceil($this->totalItems / $this->itemsPerPage));
+    }
+
+    public function getItemsPerPage(): float
+    {
+        return (float) $this->itemsPerPage;
+    }
+
+    public function getTotalItems(): float
+    {
+        return (float) $this->totalItems;
+    }
+
+    public function count(): int
+    {
+        return count($this->items);
+    }
+
+    /**
+     * @return Traversable<int, T>
+     */
+    public function getIterator(): Traversable
+    {
+        return new ArrayIterator($this->items);
+    }
+}

src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogEntityTypesProvider;
+
+/**
+ * Retourne la liste des valeurs distinctes de `entity_type` presentes dans
+ * `audit_log`, pour alimenter le filtre multi-selection cote front (journal
+ * d'audit). La liste evolue automatiquement avec les nouvelles entites
+ * `#[Auditable]` au fil des ecritures.
+ */
+#[ApiResource(
+    shortName: 'AuditLogEntityTypes',
+    operations: [
+        new Get(
+            uriTemplate: '/audit-log-entity-types',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogEntityTypesProvider::class,
+        ),
+    ],
+)]
+final class AuditLogEntityTypesResource
+{
+    /** @param list<string> $entityTypes */
+    public function __construct(
+        public readonly string $id = 'entity-types',
+        public readonly array $entityTypes = [],
+    ) {}
+}

src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogProvider;
+
+/**
+ * Resource API Platform en lecture seule sur le journal d'audit.
+ *
+ * Aucune operation d'ecriture exposee (POST/PUT/PATCH/DELETE -> 405)
+ * conformement au caractere append-only de la table `audit_log`.
+ *
+ * La resource est un simple porteur de metadonnees #[ApiResource] ; le
+ * provider lit via DBAL et retourne directement des instances du DTO
+ * `AuditLogOutput` (declare via `output:`). La table n'est pas geree par
+ * l'ORM : aucune entite Doctrine n'est necessaire ici.
+ *
+ * Filtres query-param supportes par le provider :
+ *   ?entity_type=core.User
+ *   ?entity_id=42
+ *   ?action=update
+ *   ?performed_by=admin
+ *   ?performed_at[after]=2026-04-01T00:00:00Z
+ *   ?performed_at[before]=2026-04-30T23:59:59Z
+ *
+ * La pagination herite du standard global (10 items / page, max 50, cf.
+ * `config/packages/api_platform.yaml`). Elle est materialisee par le
+ * DbalPaginator du provider qui implemente PaginatorInterface — API Platform
+ * genere automatiquement hydra:view sans construction manuelle.
+ */
+#[ApiResource(
+    shortName: 'AuditLog',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/audit-logs',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+        new Get(
+            uriTemplate: '/audit-logs/{id}',
+            requirements: ['id' => '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'],
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+    ],
+    output: AuditLogOutput::class,
+)]
+final class AuditLogResource {}

src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php

@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 
 /**
  * @implements ProviderInterface<User>
@@ -20,7 +21,11 @@ final readonly class MeProvider implements ProviderInterface
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
     {
-        // @var User $user
-        return $this->security->getUser();
+        $user = $this->security->getUser();
+        if (!$user instanceof User) {
+            throw new UnauthorizedHttpException('Bearer', 'Not authenticated.');
+        }
+
+        return $user;
     }
 }

src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php

@@ -8,6 +8,8 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 use function assert;
 
@@ -16,12 +18,23 @@ use function assert;
  */
 final readonly class UserRbacProcessor implements ProcessorInterface
 {
-    public function __construct(private EntityManagerInterface $em) {}
+    public function __construct(
+        private EntityManagerInterface $em,
+        private Security $security,
+    ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
     {
         assert($data instanceof User);
 
+        // Defense-in-depth: a user may never edit their OWN RBAC assignment
+        // through this endpoint, even with core.users.manage — this prevents
+        // self-escalation if the permission is ever delegated to a non-admin.
+        $current = $this->security->getUser();
+        if ($current instanceof User && $current->getId() === $data->getId()) {
+            throw new AccessDeniedHttpException('You cannot edit your own RBAC assignment.');
+        }
+
         $this->em->persist($data);
         $this->em->flush();
 

src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Infrastructure\ApiPlatform\Resource\AuditLogEntityTypesResource;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL : SELECT DISTINCT entity_type FROM audit_log.
+ *
+ * @implements ProviderInterface<AuditLogEntityTypesResource>
+ */
+final readonly class AuditLogEntityTypesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogEntityTypesResource
+    {
+        /** @var list<string> $types */
+        $types = $this->connection
+            ->executeQuery('SELECT DISTINCT entity_type FROM audit_log ORDER BY entity_type ASC')
+            ->fetchFirstColumn()
+        ;
+
+        return new AuditLogEntityTypesResource(entityTypes: $types);
+    }
+}

src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php

@@ -0,0 +1,247 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\CollectionOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\Pagination\Pagination;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\Pagination\DbalPaginator;
+use DateTimeImmutable;
+use Doctrine\DBAL\ArrayParameterType;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Query\QueryBuilder;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Provider API Platform pour la resource AuditLog.
+ *
+ * Lit la table `audit_log` via DBAL (pas d'entite ORM). Retourne soit :
+ *  - une instance unique d'AuditLogOutput (operation Get) ;
+ *  - un DbalPaginator de AuditLogOutput (operation GetCollection).
+ *
+ * Le paginator implementant PaginatorInterface laisse API Platform generer
+ * automatiquement la section `hydra:view` : aucune manipulation manuelle.
+ *
+ * Connexion DBAL : `default` (lecture — aucun besoin de la connexion `audit`
+ * reservee a l'ecriture hors transaction ORM).
+ */
+final readonly class AuditLogProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+        private Pagination $pagination,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogOutput|DbalPaginator|null
+    {
+        if (!$operation instanceof CollectionOperationInterface) {
+            return $this->provideItem((string) $uriVariables['id']);
+        }
+
+        return $this->provideCollection($operation, $context);
+    }
+
+    private function provideItem(string $id): ?AuditLogOutput
+    {
+        /** @var array<string, mixed>|false $row */
+        $row = $this->connection->fetchAssociative(
+            'SELECT id, entity_type, entity_id, action, changes, performed_by, performed_at, ip_address, request_id
+             FROM audit_log WHERE id = :id',
+            ['id' => $id],
+        );
+
+        if (false === $row) {
+            return null;
+        }
+
+        return $this->hydrate($row);
+    }
+
+    /**
+     * @param array<string, mixed> $context
+     */
+    private function provideCollection(Operation $operation, array $context): DbalPaginator
+    {
+        // Contrairement aux ressources ORM (cf. CategoryProvider), ce provider
+        // ne gere PAS l'echappatoire `?pagination=false` : la pagination y est
+        // toujours forcee. `audit_log` est une table append-only a croissance
+        // infinie — la dumper entierement saturerait memoire/reseau et n'a aucun
+        // usage front (pas de <select> alimente par l'audit). Le flag global
+        // `pagination_client_enabled: true` reste donc volontairement inerte ici.
+        //
+        // `page` brut peut etre <= 0 (parametre client) → OFFSET negatif → 500 PG
+        // (`SQLSTATE[22023] OFFSET must not be negative`). API Platform clampe
+        // `itemsPerPage` au max de la resource mais pas `page` ; on impose un
+        // minimum a 1 cote provider.
+        $page         = max(1, $this->pagination->getPage($context));
+        $itemsPerPage = $this->pagination->getLimit($operation, $context);
+        $offset       = ($page - 1) * $itemsPerPage;
+        $filters      = $this->extractFilters($context['filters'] ?? []);
+
+        $dataQuery = $this->buildBaseQuery()
+            ->select('id', 'entity_type', 'entity_id', 'action', 'changes', 'performed_by', 'performed_at', 'ip_address', 'request_id')
+            ->orderBy('performed_at', 'DESC')
+            // Tie-breaker sur `id` (UUID v7 monotone) : garantit un tri
+            // totalement deterministe quand plusieurs lignes partagent la
+            // meme timestamp (ex: batch fixture, bulk flush < 1µs).
+            ->addOrderBy('id', 'DESC')
+            ->setFirstResult($offset)
+            ->setMaxResults($itemsPerPage)
+        ;
+
+        $countQuery = $this->buildBaseQuery()->select('COUNT(*)');
+
+        $this->applyFilters($dataQuery, $filters);
+        $this->applyFilters($countQuery, $filters);
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows       = $dataQuery->executeQuery()->fetchAllAssociative();
+        $totalItems = (int) $countQuery->executeQuery()->fetchOne();
+
+        $items = array_map(fn (array $row) => $this->hydrate($row), $rows);
+
+        return new DbalPaginator($items, $page, $itemsPerPage, $totalItems);
+    }
+
+    private function buildBaseQuery(): QueryBuilder
+    {
+        return $this->connection->createQueryBuilder()->from('audit_log');
+    }
+
+    /**
+     * @param array<string, mixed> $raw
+     *
+     * @return array{entity_type?: list<string>|string, entity_id?: string, action?: string, performed_by?: string, performed_at_after?: string, performed_at_before?: string}
+     */
+    private function extractFilters(array $raw): array
+    {
+        $filters = [];
+
+        // `entity_type` accepte soit une chaine, soit une liste (query syntax
+        // `entity_type[]=core.User&entity_type[]=core.Role`) pour le filtre
+        // multi-selection cote front. On normalise en list<string> non-vide.
+        if (isset($raw['entity_type'])) {
+            if (is_string($raw['entity_type']) && '' !== $raw['entity_type']) {
+                $filters['entity_type'] = $raw['entity_type'];
+            } elseif (is_array($raw['entity_type'])) {
+                $cleaned = array_values(array_filter(
+                    $raw['entity_type'],
+                    static fn ($v): bool => is_string($v) && '' !== $v,
+                ));
+                if ([] !== $cleaned) {
+                    $filters['entity_type'] = $cleaned;
+                }
+            }
+        }
+
+        foreach (['entity_id', 'performed_by'] as $key) {
+            if (isset($raw[$key]) && is_string($raw[$key]) && '' !== $raw[$key]) {
+                $filters[$key] = $raw[$key];
+            }
+        }
+
+        // `action` : whitelist stricte. Un input hors-liste provoquait avant
+        // un simple match vide (resultat 0 ligne) mais permettait d'incrementer
+        // le log applicatif a chaque variation ; on rejette en 400 explicite.
+        if (isset($raw['action']) && is_string($raw['action']) && '' !== $raw['action']) {
+            if (!in_array($raw['action'], ['create', 'update', 'delete'], true)) {
+                throw new BadRequestHttpException(
+                    'Filtre "action" invalide : valeurs autorisees create|update|delete.',
+                );
+            }
+            $filters['action'] = $raw['action'];
+        }
+
+        // Filtres de plage `performed_at[after]` / `performed_at[before]`.
+        // Sans validation, un input malforme remonte jusqu'a Postgres qui
+        // leve `SQLSTATE[22007]: invalid input syntax for type timestamp` →
+        // 500 Internal Server Error, log Monolog pollue, mauvaise UX API.
+        // On valide en amont et on rejette en 400 explicite.
+        if (isset($raw['performed_at']) && is_array($raw['performed_at'])) {
+            $range = $raw['performed_at'];
+            foreach (['after', 'before'] as $bound) {
+                if (!isset($range[$bound]) || !is_string($range[$bound]) || '' === $range[$bound]) {
+                    continue;
+                }
+                if (false === strtotime($range[$bound])) {
+                    throw new BadRequestHttpException(sprintf(
+                        'Filtre "performed_at[%s]" invalide : date ISO 8601 attendue (ex: 2026-04-22T00:00:00Z).',
+                        $bound,
+                    ));
+                }
+                $filters['performed_at_'.$bound] = $range[$bound];
+            }
+        }
+
+        return $filters;
+    }
+
+    /**
+     * @param array<string, list<string>|string> $filters
+     */
+    private function applyFilters(QueryBuilder $qb, array $filters): void
+    {
+        if (isset($filters['entity_type'])) {
+            if (is_array($filters['entity_type'])) {
+                $qb->andWhere('entity_type IN (:entity_types)')
+                    ->setParameter('entity_types', $filters['entity_type'], ArrayParameterType::STRING)
+                ;
+            } else {
+                $qb->andWhere('entity_type = :entity_type')->setParameter('entity_type', $filters['entity_type']);
+            }
+        }
+        if (isset($filters['entity_id'])) {
+            $qb->andWhere('entity_id = :entity_id')->setParameter('entity_id', $filters['entity_id']);
+        }
+        if (isset($filters['action'])) {
+            $qb->andWhere('action = :action')->setParameter('action', $filters['action']);
+        }
+        if (isset($filters['performed_by'])) {
+            // Recherche contains insensible a la casse pour matcher "adm" → "admin".
+            // On echappe `%`, `_` et `\` saisis par l'utilisateur pour qu'ils soient
+            // interpretes comme caracteres litteraux (sinon `%` matche tout, `_`
+            // matche n'importe quel caractere). Pas de clause ESCAPE : `\` est
+            // deja le caractere d'echappement LIKE par defaut en PostgreSQL.
+            $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $filters['performed_by']);
+            $qb->andWhere('performed_by ILIKE :performed_by')
+                ->setParameter('performed_by', '%'.$escaped.'%')
+            ;
+        }
+        if (isset($filters['performed_at_after'])) {
+            $qb->andWhere('performed_at >= :performed_at_after')->setParameter('performed_at_after', $filters['performed_at_after']);
+        }
+        if (isset($filters['performed_at_before'])) {
+            $qb->andWhere('performed_at <= :performed_at_before')->setParameter('performed_at_before', $filters['performed_at_before']);
+        }
+    }
+
+    /**
+     * @param array<string, mixed> $row
+     */
+    private function hydrate(array $row): AuditLogOutput
+    {
+        /** @var string $rawChanges */
+        $rawChanges = $row['changes'] ?? '{}';
+
+        /** @var array<string, mixed> $changes */
+        $changes = is_array($rawChanges) ? $rawChanges : json_decode((string) $rawChanges, true, 512, JSON_THROW_ON_ERROR);
+
+        return new AuditLogOutput(
+            id: (string) $row['id'],
+            entityType: (string) $row['entity_type'],
+            entityId: (string) $row['entity_id'],
+            action: (string) $row['action'],
+            changes: $changes,
+            performedBy: (string) $row['performed_by'],
+            performedAt: new DateTimeImmutable((string) $row['performed_at']),
+            ipAddress: null !== $row['ip_address'] ? (string) $row['ip_address'] : null,
+            requestId: null !== $row['request_id'] ? (string) $row['request_id'] : null,
+        );
+    }
+}

src/Module/Core/Infrastructure/Audit/AuditLogWriter.php

@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {}
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}

src/Module/Core/Infrastructure/Audit/RequestIdProvider.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}

src/Module/Core/Infrastructure/Doctrine/AuditListener.php

@@ -0,0 +1,513 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Infrastructure\Audit\AuditLogWriter;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+use DateTimeInterface;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\Event\OnFlushEventArgs;
+use Doctrine\ORM\Event\PostFlushEventArgs;
+use Doctrine\ORM\Events;
+use Doctrine\ORM\Mapping\ClassMetadata;
+use Doctrine\ORM\PersistentCollection;
+use Doctrine\ORM\UnitOfWork;
+use Psr\Log\LoggerInterface;
+use ReflectionClass;
+use ReflectionProperty;
+use Throwable;
+
+/**
+ * Listener Doctrine qui produit les lignes d'audit pour les entites portant
+ * l'attribut #[Auditable].
+ *
+ * Pipeline en deux temps :
+ *  1. onFlush : on traverse UnitOfWork (insertions / updates / deletions) et
+ *     on capture les changements en memoire. Aucune ecriture SQL cote audit
+ *     a ce stade pour ne pas interferer avec la transaction ORM en cours.
+ *  2. postFlush : on ecrit via AuditLogWriter (connexion DBAL dediee).
+ *
+ * Pattern swap-and-clear dans postFlush :
+ *  - on copie localement la liste des evenements ;
+ *  - on vide la propriete pendingLogs immediatement ;
+ *  - on itere la copie.
+ * Pourquoi : si une ecriture audit declenchait un flush re-entrant (cas rare,
+ * ex: callback listener externe), l'etat de pendingLogs serait deja nettoye —
+ * pas de double insertion, pas de boucle infinie.
+ *
+ * Erreurs silencieuses : un INSERT audit qui echoue est logue en error mais
+ * jamais propage. Acceptable pour un CRM interne ; a reconsiderer si besoin
+ * de garantie forte (dead-letter queue, retry).
+ *
+ * Collections (OneToMany / ManyToMany) :
+ *  - Les modifications de collections sont tracees via
+ *    `getScheduledCollectionUpdates()` et reportees comme un changement
+ *    `{fieldName: {added: [ids], removed: [ids]}}` dans le changeset de
+ *    l'entite proprietaire.
+ *  - Si l'entite proprietaire est deja scheduled pour insertion, la diff
+ *    est merge dans le snapshot create (en tant que liste d'IDs initiaux).
+ *  - Si l'entite proprietaire est scheduled pour deletion, les collections
+ *    associees sont ignorees (deja couvertes par le snapshot delete).
+ *
+ * Limitations connues :
+ *  - Les ManyToOne sont tracees par ID (null-safe via `?->getId()`).
+ *  - Les DELETE / UPDATE bulk DQL et les `Connection::executeStatement()`
+ *    bruts BYPASSENT le listener : onFlush n'est jamais appele. Toute
+ *    operation de purge/nettoyage qui doit etre auditee doit passer par
+ *    `EntityManager::remove()` + `flush()`. Si un futur batch (ex: commande
+ *    "purger users inactifs") utilise du DQL bulk, les suppressions ne
+ *    seront pas dans `audit_log` — choix d'architecture explicite a faire.
+ */
+#[AsDoctrineListener(event: Events::onFlush)]
+#[AsDoctrineListener(event: Events::postFlush)]
+final class AuditListener
+{
+    /**
+     * Cache par FQCN : true si la classe porte #[Auditable], false sinon.
+     * Evite une ReflectionClass par entite a chaque flush.
+     *
+     * @var array<class-string, bool>
+     */
+    private array $auditableCache = [];
+
+    /**
+     * Cache par FQCN : liste des noms de proprietes ignorees (#[AuditIgnore]).
+     *
+     * @var array<class-string, list<string>>
+     */
+    private array $ignoredPropertiesCache = [];
+
+    /**
+     * Logs en attente d'ecriture (remplis en onFlush, consommes en postFlush).
+     *
+     * Pour les inserts, l'ID est assignee DURANT le flush : on capture la
+     * reference de l'entite et on resout l'ID au moment du postFlush.
+     *
+     * @var list<array{entity: object, metadata: ClassMetadata, entityType: string, action: string, changes: array<string, mixed>, capturedId: ?string}>
+     */
+    private array $pendingLogs = [];
+
+    public function __construct(
+        private readonly AuditLogWriter $writer,
+        private readonly LoggerInterface $logger,
+    ) {}
+
+    public function onFlush(OnFlushEventArgs $args): void
+    {
+        /** @var EntityManagerInterface $em */
+        $em  = $args->getObjectManager();
+        $uow = $em->getUnitOfWork();
+
+        // Reset defensif en debut de cycle : si un flush precedent a leve une
+        // exception, Doctrine n'appelle PAS postFlush et pendingLogs reste
+        // rempli avec des changements jamais committes. Sans ce reset, un
+        // flush ulterieur reussi ecrirait les fausses entrees dans audit_log.
+        // Le swap-and-clear dans postFlush couvre deja les flushes re-entrants,
+        // ce reset ne le fragilise donc pas.
+        $this->pendingLogs = [];
+
+        foreach ($uow->getScheduledEntityInsertions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'create');
+        }
+
+        foreach ($uow->getScheduledEntityUpdates() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'update');
+        }
+
+        foreach ($uow->getScheduledEntityDeletions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'delete');
+        }
+
+        // Collections to-many (OneToMany / ManyToMany) : `getEntityChangeSet()`
+        // ne les expose pas, il faut interroger `UnitOfWork` separement. On
+        // merge la diff dans le log de l'entite proprietaire si elle est deja
+        // scheduled, sinon on cree une entree "update" dediee.
+        foreach ($uow->getScheduledCollectionUpdates() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: false);
+        }
+
+        foreach ($uow->getScheduledCollectionDeletions() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: true);
+        }
+    }
+
+    public function postFlush(PostFlushEventArgs $args): void
+    {
+        // Swap-and-clear : protege d'un flush re-entrant (aucune double
+        // insertion meme si un callback utilisateur re-declenche un flush).
+        $logs              = $this->pendingLogs;
+        $this->pendingLogs = [];
+
+        foreach ($logs as $log) {
+            // Pour les inserts, l'ID n'etait pas encore disponible en onFlush :
+            // on la resout maintenant (Doctrine l'a hydratee pendant le flush).
+            $entityId = $log['capturedId'] ?? $this->resolveEntityId($log['entity'], $log['metadata']);
+
+            if (null === $entityId) {
+                $this->logger->warning(
+                    'AuditListener : impossible de resoudre l\'ID de l\'entite apres flush, entree ignoree',
+                    ['entityType' => $log['entityType'], 'action' => $log['action']]
+                );
+
+                continue;
+            }
+
+            try {
+                $this->writer->log(
+                    $log['entityType'],
+                    $entityId,
+                    $log['action'],
+                    $log['changes'],
+                );
+            } catch (Throwable $e) {
+                // Erreur audit : logue mais ne crashe jamais le flux metier.
+                $this->logger->error(
+                    'Echec d\'ecriture audit_log',
+                    [
+                        'exception'  => $e,
+                        'entityType' => $log['entityType'],
+                        'entityId'   => $entityId,
+                        'action'     => $log['action'],
+                    ]
+                );
+            }
+        }
+    }
+
+    private function capturePendingLog(object $entity, EntityManagerInterface $em, UnitOfWork $uow, string $action): void
+    {
+        // Resolution via ClassMetadata : `$entity::class` renvoie le FQCN du
+        // proxy Doctrine pour une entite chargee en lazy (ex:
+        // `Proxies\__CG__\App\Module\Core\Domain\Entity\User`) — `isAuditable()`
+        // le verrait comme non-auditable car `#[Auditable]` n'est declare que
+        // sur la classe parente.
+        $metadata = $em->getClassMetadata($entity::class);
+        $class    = $metadata->getName();
+
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        // Sur `delete`, on inclut aussi les collections to-many dans le
+        // snapshot : c'est la derniere occasion de capturer l'etat complet
+        // (ex: quelles permissions etaient rattachees au role supprime).
+        // Sur `create`, les collections initiales sont rapportees via
+        // captureCollectionChange quand l'entite est scheduled avec un
+        // collection update dans le meme flush.
+        $changes = match ($action) {
+            'update' => $this->buildUpdateChanges($entity, $uow, $class),
+            'create' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: false),
+            'delete' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: true),
+            default  => [],
+        };
+
+        if ('update' === $action && [] === $changes) {
+            // Flush sans changement reel sur une entite auditable : on n'emet pas.
+            return;
+        }
+
+        // Pour delete/update, l'ID est deja set en onFlush — on la capture
+        // maintenant (apres postFlush, l'entite detachee peut perdre sa ref
+        // dans l'identity map). Pour create (IDENTITY), l'ID est generee par
+        // le flush — on differe a postFlush.
+        $capturedId = 'create' === $action ? null : $this->resolveEntityId($entity, $metadata);
+
+        $this->pendingLogs[] = [
+            'entity'     => $entity,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => $action,
+            'changes'    => $changes,
+            'capturedId' => $capturedId,
+        ];
+    }
+
+    /**
+     * Capture la modification d'une collection to-many.
+     *
+     * Strategie de merge :
+     *  - Si l'entite proprietaire est deja scheduled pour `delete` → ignore
+     *    (redondant avec le snapshot delete deja produit).
+     *  - Si l'entite est deja scheduled pour `create` → on ajoute le champ
+     *    collection au snapshot initial, sous forme de liste d'IDs ajoutes.
+     *  - Si l'entite est deja scheduled pour `update` → on merge la diff
+     *    {added, removed} dans le changeset existant.
+     *  - Sinon → on cree une nouvelle entree `update` dediee pour l'entite
+     *    proprietaire (cas d'une collection modifiee sans autre changement
+     *    sur l'entite elle-meme, ex : ajout d'une permission a un role).
+     *
+     * @param bool $cleared true si la collection entiere est supprimee
+     *                      (getScheduledCollectionDeletions) — tous les
+     *                      items du snapshot sont consideres comme retires
+     */
+    private function captureCollectionChange(PersistentCollection $collection, EntityManagerInterface $em, bool $cleared): void
+    {
+        $owner = $collection->getOwner();
+        if (null === $owner) {
+            return;
+        }
+
+        // Voir capturePendingLog : meme contournement proxy Doctrine.
+        $class = $em->getClassMetadata($owner::class)->getName();
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        $fieldName = $collection->getMapping()->fieldName;
+        if (in_array($fieldName, $this->getIgnoredProperties($class), true)) {
+            return;
+        }
+
+        if ($cleared) {
+            $added   = [];
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getSnapshot(),
+            );
+        } else {
+            $added = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getInsertDiff(),
+            );
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getDeleteDiff(),
+            );
+        }
+
+        if ([] === $added && [] === $removed) {
+            return;
+        }
+
+        // Chercher un log deja en attente pour cette entite, pour merger la
+        // diff au lieu de creer une entree d'audit redondante.
+        foreach ($this->pendingLogs as $idx => $log) {
+            if ($log['entity'] !== $owner) {
+                continue;
+            }
+
+            if ('delete' === $log['action']) {
+                // Deletion de l'entite : la collection suit mecaniquement,
+                // pas d'entree dediee (le snapshot delete contient deja
+                // l'etat a supprimer).
+                return;
+            }
+
+            if ('create' === $log['action']) {
+                // Insertion : le snapshot create ne contient pas les
+                // collections (buildSnapshot ignore les to-many). On ajoute
+                // donc la liste des items initiaux comme IDs, pour avoir
+                // une trace complete de l'etat a la creation. array_values
+                // garantit un array JSON (pas un objet) si les cles du diff
+                // ne sont pas sequentielles.
+                $this->pendingLogs[$idx]['changes'][$fieldName] = array_values($added);
+
+                return;
+            }
+
+            // Update : on merge dans le changeset existant.
+            $this->pendingLogs[$idx]['changes'][$fieldName] = [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ];
+
+            return;
+        }
+
+        // Aucun log existant : l'entite n'a eu QUE des changements de
+        // collection. On cree une entree update minimale.
+        $metadata = $em->getClassMetadata($class);
+
+        $this->pendingLogs[] = [
+            'entity'     => $owner,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => 'update',
+            'changes'    => [$fieldName => [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ]],
+            'capturedId' => $this->resolveEntityId($owner, $metadata),
+        ];
+    }
+
+    /**
+     * Build du changeset "update" : {champ: {old, new}} a partir de
+     * `UnitOfWork::getEntityChangeSet()`. ManyToOne : on log l'ID,
+     * null-safe via `?->getId()`.
+     *
+     * @return array<string, array{old: mixed, new: mixed}>
+     */
+    private function buildUpdateChanges(object $entity, UnitOfWork $uow, string $class): array
+    {
+        $changeSet       = $uow->getEntityChangeSet($entity);
+        $ignored         = $this->getIgnoredProperties($class);
+        $filteredChanges = [];
+
+        foreach ($changeSet as $field => [$oldValue, $newValue]) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $filteredChanges[$field] = [
+                'old' => $this->normalizeValue($oldValue),
+                'new' => $this->normalizeValue($newValue),
+            ];
+        }
+
+        return $filteredChanges;
+    }
+
+    /**
+     * Build d'un snapshot complet (create / delete) : lit toutes les
+     * proprietes non-ignorees via Reflection.
+     *
+     * @param bool $includeCollections si true, les associations to-many sont
+     *                                 aussi snapshotees (liste d'IDs). Utilise
+     *                                 uniquement sur `delete` pour preserver
+     *                                 l'etat des relations au moment de la
+     *                                 suppression. En create, on laisse
+     *                                 captureCollectionChange enrichir le
+     *                                 snapshot si une collection est modifiee
+     *                                 dans le meme flush.
+     *
+     * @return array<string, mixed>
+     */
+    private function buildSnapshot(object $entity, ClassMetadata $metadata, string $class, bool $includeCollections): array
+    {
+        $ignored  = $this->getIgnoredProperties($class);
+        $snapshot = [];
+
+        foreach ($metadata->getFieldNames() as $field) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $snapshot[$field] = $this->normalizeValue($metadata->getFieldValue($entity, $field));
+        }
+
+        foreach ($metadata->getAssociationNames() as $assoc) {
+            if (in_array($assoc, $ignored, true)) {
+                continue;
+            }
+
+            if ($metadata->isSingleValuedAssociation($assoc)) {
+                $related          = $metadata->getFieldValue($entity, $assoc);
+                $snapshot[$assoc] = null !== $related && method_exists($related, 'getId')
+                    ? $related->getId()
+                    : null;
+
+                continue;
+            }
+
+            if (!$includeCollections) {
+                continue;
+            }
+
+            // Collection to-many : snapshot = liste d'IDs. On itere la
+            // Collection (PersistentCollection ou ArrayCollection) pour
+            // obtenir les elements. Pour un delete, la collection est deja
+            // chargee (Doctrine en a besoin pour les cascades).
+            $collection = $metadata->getFieldValue($entity, $assoc);
+            if (!is_iterable($collection)) {
+                continue;
+            }
+            $ids = [];
+            foreach ($collection as $item) {
+                $ids[] = $this->normalizeValue($item);
+            }
+            $snapshot[$assoc] = $ids;
+        }
+
+        return $snapshot;
+    }
+
+    private function isAuditable(string $class): bool
+    {
+        if (array_key_exists($class, $this->auditableCache)) {
+            return $this->auditableCache[$class];
+        }
+
+        $reflection                   = new ReflectionClass($class);
+        $isAuditable                  = [] !== $reflection->getAttributes(Auditable::class);
+        $this->auditableCache[$class] = $isAuditable;
+
+        return $isAuditable;
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function getIgnoredProperties(string $class): array
+    {
+        if (array_key_exists($class, $this->ignoredPropertiesCache)) {
+            return $this->ignoredPropertiesCache[$class];
+        }
+
+        $ignored    = [];
+        $reflection = new ReflectionClass($class);
+
+        foreach ($reflection->getProperties(ReflectionProperty::IS_PROTECTED | ReflectionProperty::IS_PRIVATE | ReflectionProperty::IS_PUBLIC) as $property) {
+            if ([] !== $property->getAttributes(AuditIgnore::class)) {
+                $ignored[] = $property->getName();
+            }
+        }
+
+        $this->ignoredPropertiesCache[$class] = $ignored;
+
+        return $ignored;
+    }
+
+    /**
+     * Transforme un FQCN `App\Module\Core\Domain\Entity\User` en `core.User`.
+     *
+     * Format `module.Entity` pour eviter les collisions inter-modules.
+     */
+    private function formatEntityType(string $class): string
+    {
+        if (1 === preg_match('#^App\\\Module\\\(?<module>[^\\\]+)\\\.+\\\(?<entity>[^\\\]+)$#', $class, $matches)) {
+            return strtolower($matches['module']).'.'.$matches['entity'];
+        }
+
+        // Fallback : on retourne le FQCN complet si la regex ne matche pas
+        // (entite hors structure modulaire — ne devrait pas arriver).
+        return $class;
+    }
+
+    private function resolveEntityId(object $entity, ClassMetadata $metadata): ?string
+    {
+        $identifier = $metadata->getIdentifierValues($entity);
+        if ([] === $identifier) {
+            return null;
+        }
+
+        // Cle composee : on concatene les valeurs. Cas rare sur le projet.
+        return implode('-', array_map(static fn ($v) => (string) $v, $identifier));
+    }
+
+    /**
+     * Normalise une valeur pour encodage JSON stable.
+     */
+    private function normalizeValue(mixed $value): mixed
+    {
+        if ($value instanceof DateTimeInterface) {
+            return $value->format(DateTimeInterface::ATOM);
+        }
+
+        if (is_object($value)) {
+            // Relation to-one non parsee par buildSnapshot (cas update sur
+            // un champ qui devient un objet) : on tente getId() si possible.
+            if (method_exists($value, 'getId')) {
+                return $value->getId();
+            }
+
+            return (string) $value;
+        }
+
+        return $value;
+    }
+}

src/Shared/Domain/Attribute/AuditIgnore.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore {}

src/Shared/Domain/Attribute/Auditable.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable {}

src/Shared/Domain/Module/ModuleRegistry.php

@@ -17,9 +17,14 @@ final class ModuleRegistry
     {
         $ids = [];
         foreach ($moduleClasses as $moduleClass) {
-            if (is_a($moduleClass, ModuleInterface::class, true)) {
-                $ids[] = $moduleClass::id();
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
             }
+            $id = $moduleClass::id();
+            if (in_array($id, $ids, true)) {
+                throw new InvalidArgumentException(sprintf('Module ID "%s" déclaré plusieurs fois dans la configuration des modules.', $id));
+            }
+            $ids[] = $id;
         }
 
         return $ids;

tests/Functional/Module/Core/AuditListenerTest.php

@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container             = self::getContainer();
+        $this->em              = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions: these tests are not wrapped
+        // in a rolled-back transaction, so remove any leftover rows from a
+        // previous run before each test.
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username LIKE 'audit\\_%'");
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+}

tests/Functional/Module/Core/AuditLogApiTest.php

@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * @internal
+ */
+final class AuditLogApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'alice');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanListAuditLogs(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+        self::assertArrayHasKey('totalItems', $data);
+        self::assertGreaterThanOrEqual(3, $data['totalItems']);
+    }
+
+    public function testFilterByActionReturnsOnlyMatchingEntries(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=update');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('update', $entry['action']);
+        }
+    }
+
+    public function testFilterByEntityType(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?entity_type=core.User');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('core.User', $entry['entityType']);
+        }
+    }
+
+    public function testInvalidActionFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=bogus');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    /**
+     * Insert deterministic audit rows directly through the audit connection.
+     *
+     * The table audit_log has no ORM entity (written via raw DBAL), so we
+     * clean and seed it via the dedicated connection. These tests are not
+     * wrapped in a rolled-back transaction, hence the upfront DELETE.
+     */
+    private function seedAuditLog(): void
+    {
+        /** @var Connection $audit */
+        $audit = self::getContainer()->get('doctrine.dbal.audit_connection');
+        $audit->executeStatement('DELETE FROM audit_log');
+
+        $rows = [
+            ['core.User', 'create', '{"username":"seed-create"}'],
+            ['core.User', 'update', '{"firstName":{"old":"a","new":"b"}}'],
+            ['core.Role', 'delete', '{}'],
+        ];
+
+        $performedAt = '2026-04-22 10:00:00';
+        foreach ($rows as $i => [$entityType, $action, $changes]) {
+            $audit->insert('audit_log', [
+                'id'           => Uuid::v7()->toRfc4122(),
+                'entity_type'  => $entityType,
+                'entity_id'    => (string) ($i + 1),
+                'action'       => $action,
+                'changes'      => $changes,
+                'performed_by' => 'admin',
+                'performed_at' => $performedAt,
+                'ip_address'   => '127.0.0.1',
+                'request_id'   => 'req-'.$i,
+            ]);
+        }
+    }
+
+    private function loginUser(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}

tests/Unit/Module/Core/CoreModuleTest.php

@@ -32,4 +32,12 @@ final class CoreModuleTest extends TestCase
             self::assertArrayHasKey('label', $permission);
         }
     }
+
+    public function testPermissionsExposeAuditLogView(): void
+    {
+        $codes = array_column(CoreModule::permissions(), 'code');
+
+        self::assertCount(6, $codes);
+        self::assertContains('core.audit_log.view', $codes);
+    }
 }