docs : log LST-63 module core session learnings

.claude/skills/ticket-executor/LEARNINGS.md

@@ -93,6 +93,25 @@
 - Ticket laissé en **"En attente de validation" (4)**, pas "Terminé" : smoke visuel front (dev server + navigateur) et sign-off du **délta cosmétique d'ordre de sidebar** (décision 3 du plan) relèvent du PO. Implémentation + AC API validés.
 - Time-tracking 100 % sur la session principale cette fois (consigne des sous-agents : ne jamais toucher aux outils `mcp__lesstime__*`) — respecté.
 
+## Session 2026-06-19 (LST-63 / 1.1 — Module Core : identité User/Auth/JWT + Notifications + layer front)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-63-module-core.md`, 7 tasks / 6 phases A→F). Exécution : Phases A/B (1 sous-agent combiné), C (1 sous-agent), D (1 sous-agent), E + F faites en direct par la session principale (tâches courtes). Pilotage chrono/MCP/vérif + re-vérif login après chaque phase touchant l'auth sur la session principale.
+- 5 commits impl (`6ca91cb` A, `f8fc4d6`+`d70925b` B, `0b4874e` C, `f1a9b42` D, `a98ea3d` E, `117c2ff` F) + plan `8865bf5`. Tests : 110→120 verts. Timer impl 1012 = 43 min.
+
+### Patterns
+- **Move d'entité « strangler » sans migration** : `git mv` `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (table + colonnes + backticks VERBATIM) ; mapping Doctrine `Core` ajouté (dir `src/Module/Core/Domain/Entity`, prefix `App\Module\Core\Domain\Entity`) à côté de `App` ; `resolve_target_entities: UserInterface → Core\User`. `migrations:diff` reste vide (hors dérive préexistante `messenger_messages`) → AUCUNE migration. Idem Notification en Phase D.
+- **Alias temporaire pour découpler le move des relations** : Phase B pose un `class_alias(App\Entity\User::class → Core\User)` (fichier `_compat_user_alias.php` en `autoload.files`, exclu de l'autowiring `App\:` via `exclude` services.yaml + `notPath` php-cs-fixer). Permet de relier d'abord les 8 relations d'entités au CONTRAT `UserInterface::class` (resolver propre) ; l'alias n'est qu'un pont de type-hint PHP. Phase C retire l'alias EN DERNIER, seulement quand `grep App\Entity\User` est vide.
+- **Règle contrat-vs-concret pour migrer les consommateurs** (Phase C, ~50 fichiers) : type-hint `App\Shared\Domain\Contract\UserInterface` si le fichier n'appelle que les méthodes de lecture du contrat / instanceof / type DQL ; FQCN concret `App\Module\Core\Domain\Entity\User` si besoin de getters HR, `apiToken`, `avatarFileName`, setters, `new User()`. Les deux éliminent `App\Entity\User`. Collision de nom avec `Symfony\...\UserInterface` → aliaser en `SharedUserInterface`.
+- **Notifier (Phase D)** : `NotifierInterface` (Shared) = API publique inter-modules ; impl `Notifier` (Core) persiste + flush. `TaskNotificationListener` appelle `notify()` UNIQUEMENT en `postFlush` (jamais `onFlush` — le flush interne y est dangereux). Comportement identique conservé.
+- **Layer front d'un module (Phase F)** : `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`) + `git mv` des pages d'identité sous `modules/core/pages/`. Les imports `~/...` (alias srcDir) survivent au déplacement ; seuls les imports relatifs/par chemin casseraient. Les URLs (`/login`, `/profile`) restent identiques (fusion auto des `pages/` de layers).
+
+### Gotchas
+- **`admin.vue` = shell admin MULTI-domaines** (onglets clients/workflows/efforts/gitea/zimbra/mail/absences + 1 onglet `AdminUserTab`) : NE PAS le déplacer entier dans Core (il porterait les admins d'autres modules pas encore extraits). Conformément au plan, en cas de doute on déplace seulement login + profile, on documente. La décomposition de `admin.vue` viendra avec les modules respectifs.
+- **Vérifier la résolution des routes d'un layer Nuxt en SPA** : `ssr:false` → le dev server renvoie 200 pour N'IMPORTE QUEL chemin (shell SPA, routing client) — un `curl /login` = 200 ne prouve RIEN (testé : `/route-bidon-xyz` = 200 aussi). `nuxt prepare` ne génère pas le manifeste de routes. **Preuve déterministe** = `npx nuxt build` puis `grep 'name:"login"\|name:"profile"' .output/server/chunks/build/client.precomputed.mjs` (+ chunk CSS `profile.*.css` généré). Ne pas perturber un dev server déjà lancé (config `extends`/`imports.dirs` figée au démarrage avant création du layer) → lancer un dev frais sur un port libre pour smoke.
+- **Aligner le contrat sur la réalité de l'entité, pas l'inverse** : `User::getUsername()` est `?string` (pas `string`) et la méthode réelle est `getIsEmployee(): bool` (pas `isEmployee()`). Le plan écrivait `isEmployee()` — le contrat existant était déjà correct, aucun changement. Toujours lire l'entité avant de figer une signature de contrat.
+- **Tests fonctionnels qui persistent réellement** (pas de rollback transactionnel ici) : un `NotifierTest` qui crée une notif échoue au 2e run (`2 != 1`) → rendre les données uniques (`uniqid()` sur le titre) pour l'idempotence.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
 - **Commits concurrents**: NE PAS lancer deux sous-agents qui committent sur le même repo en parallèle (collision `.git/index.lock`) — séquencer.

config/modules.php

@@ -6,6 +6,9 @@ declare(strict_types=1);
  * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
  * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
  */
+
+use App\Module\Core\CoreModule;
+
 return [
-    // Aucun module pour l'instant — les modules arrivent à partir du ticket 1.1 (Core).
+    CoreModule::class,
 ];

config/packages/doctrine.yaml

@@ -14,7 +14,7 @@ doctrine:
             Doctrine\DBAL\Platforms\PostgreSQLPlatform: identity
         auto_mapping: true
         resolve_target_entities:
-            App\Shared\Domain\Contract\UserInterface: App\Entity\User
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
         mappings:
             App:
                 type: attribute
@@ -22,6 +22,11 @@ doctrine:
                 dir: '%kernel.project_dir%/src/Entity'
                 prefix: 'App\Entity'
                 alias: App
+            Core:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 

config/packages/security.yaml

@@ -10,7 +10,7 @@ security:
     providers:
         app_user_provider:
             entity:
-                class: App\Entity\User
+                class: App\Module\Core\Domain\Entity\User
                 property: username
 
     firewalls:

config/services.yaml

@@ -66,3 +66,7 @@ services:
             $uploadDir: '%absence_justification_upload_dir%'
 
     App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'
+
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+
+    App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'

docs/superpowers/plans/2026-06-19-lst-63-module-core.md

@@ -0,0 +1,732 @@
+# LST-63 (1.1) — Module Core : Identité (User/Auth/JWT) & Notifications — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Migrer l'identité (`User` + Auth/JWT + password hashing + `MeProvider`) et les notifications dans `src/Module/Core/`, exposer le contrat `UserInterface` enrichi + `NotifierInterface`, déclarer `CoreModule` (REQUIRED), et créer le premier vrai layer front `modules/core/` — **sans aucune migration destructive et sans casser le login à aucune étape**.
+
+**Architecture:** Strangler 100 % additif, phasé. On déplace physiquement la classe `User` vers `App\Module\Core\Domain\Entity\User` (table `user` inchangée → zéro migration), on re-pointe `resolve_target_entities` et le provider de sécurité, puis on bascule les 8 relations d'entités et les 26 consommateurs du concret `App\Entity\User` vers le **contrat** `App\Shared\Domain\Contract\UserInterface` (enrichi des accessors réellement utilisés). Les notifications passent par un `NotifierInterface` (impl Core). Chaque phase laisse `make test` vert ET le login JWT fonctionnel (re-vérifié par curl).
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / lexik/jwt-authentication / PostgreSQL 16 / PHPUnit 13 — front Nuxt 4.3 / Vue 3.5 / Pinia 3.
+
+## Global Constraints
+
+- **`declare(strict_types=1);`** en tête de chaque fichier PHP.
+- **Zéro migration destructive** : le déplacement de namespace ne change ni la table (`user`) ni les colonnes → `doctrine:migrations:diff` doit produire un diff VIDE. Si un diff non vide apparaît, c'est un bug (mapping mal recopié) — corriger, ne pas générer la migration.
+- **Login JWT fonctionnel à chaque phase** : vérif curl obligatoire (voir « Vérification login » ci-dessous) après toute phase touchant `User`/sécurité.
+- **AC ticket** : (1) login/JWT OK via le module ; (2) aucun `use App\Entity\User;` hors `src/Module/Core/` ; (3) `make test` vert, aucune migration destructive.
+- **Commits** : `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude/Anthropic.
+- **`config/reference.php`** : auto-généré, **jamais committé** (apparaît modifié dans `git status`).
+- **Tests** : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`. Baseline avant ce ticket : **115 tests, 227 assertions** (16 PHPUnit Notices préexistantes, non bloquantes).
+- **Front** : `nuxt typecheck` n'est PAS un gate vert sur ce stack (cf. plan LST-62) — gate front = zéro `Cannot find module`, auto-imports présents dans `.nuxt/imports.d.ts`, smoke runtime.
+- **PostgreSQL** : noms de colonnes en minuscules dans le SQL brut.
+
+## Vérification login (à exécuter après chaque phase back touchant User/sécurité)
+
+```bash
+# Doit renvoyer http=204 (cookie BEARER posé) puis le profil courant
+curl -s -c /tmp/cj.txt -X POST http://localhost:8082/api/login_check \
+  -H "Content-Type: application/json" -d '{"username":"alice","password":"alice"}' \
+  -o /dev/null -w "login http=%{http_code}\n"
+curl -s -b /tmp/cj.txt http://localhost:8082/api/me -w "\nme http=%{http_code}\n" | head -c 400
+# MCP apiToken (ApiTokenAuthenticator) — admin
+curl -s -X POST http://localhost:8082/_mcp -H "Authorization: Bearer dev-mcp-token-for-testing-only-do-not-use-in-production" \
+  -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":1,"method":"ping"}' -o /dev/null -w "mcp http=%{http_code}\n"
+```
+Attendu : `login http=204`, `me http=200` avec le JSON de l'utilisateur (`username`, `roles`), MCP répond (200). **Si l'un casse, arrêter la phase et corriger avant de committer.**
+
+## Décisions de conception (actées, à valider PO a posteriori)
+
+1. **`UserInterface` enrichi (contrat de lecture)** — plutôt que de garder `App\Entity\User` partout, on enrichit `App\Shared\Domain\Contract\UserInterface` des accessors **réellement consommés** hors Core (lecture). Les setters/écriture restent sur le concret (Core uniquement). Cela permet de typer les 8 relations et les 26 consommateurs sur le contrat sans casse.
+2. **Move physique, table inchangée** — `User` change de namespace mais garde `#[ORM\Table(name: '`user`')]` et toutes ses colonnes → aucune migration. La classe reste une entité Doctrine mappée (nouveau dir de mapping `Core`).
+3. **Relations via le contrat** — les 8 entités passent à `targetEntity: UserInterface::class` + type `?UserInterface`, résolu par `resolve_target_entities → Core\User`. C'est le pattern Starseed.
+4. **Notification dans Core + `NotifierInterface`** — `Notification` migre dans Core (couplée à l'identité) ; la création de notif passe par `NotifierInterface` (impl Core), `TaskNotificationListener` (qui reste legacy en Phase D) en dépend par contrat. L'API REST `/api/notifications` est préservée à l'identique.
+5. **Front layer `modules/core/`** — login, profile, admin users **déplacés** de `frontend/pages/` vers `frontend/modules/core/pages/` (premier layer réel ; le scan `readdirSync('modules/')` de LST-62 l'enregistre automatiquement). Le routage Nuxt est préservé (mêmes chemins d'URL).
+
+---
+
+## Phase A — Squelette Core + contrats (100 % additif, app inchangée)
+
+### Task 1: `CoreModule` + `UserRepositoryInterface` + `NotifierInterface` + contrat `UserInterface` enrichi
+
+**Files:**
+- Create: `src/Module/Core/CoreModule.php`
+- Create: `src/Module/Core/Domain/Repository/UserRepositoryInterface.php`
+- Create: `src/Shared/Domain/Contract/NotifierInterface.php`
+- Modify: `src/Shared/Domain/Contract/UserInterface.php` (enrichir)
+- Create: `tests/Unit/Module/Core/CoreModuleTest.php`
+
+**Interfaces:**
+- Produces :
+  - `App\Module\Core\CoreModule implements ModuleInterface` : `id()='core'`, `label()='Core'`, `isRequired()=true`, `permissions()` (stub pour 1.2, voir code).
+  - `App\Module\Core\Domain\Repository\UserRepositoryInterface` : `findByRole(string $role): array`, `findActiveEmployees(\DateTimeInterface $date): array`, `findOneByUsername(string $username): ?UserInterface`.
+  - `App\Shared\Domain\Contract\NotifierInterface` : `notify(UserInterface $user, string $type, string $title, string $message): void`.
+  - `UserInterface` enrichi (lecture) : `getId(): ?int`, `getUserIdentifier(): string`, `getUsername(): string`, `getRoles(): array`, `getFirstName(): ?string`, `getLastName(): ?string`, `getAvatarUrl(): ?string`, `isEmployee(): bool`.
+- Consumes : `App\Shared\Domain\Module\ModuleInterface` (existant).
+
+- [ ] **Step 1: Écrire le test unitaire `CoreModule`**
+
+`tests/Unit/Module/Core/CoreModuleTest.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Lancer le test, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: FAIL (classe `CoreModule` inexistante).
+
+- [ ] **Step 3: Créer `CoreModule`**
+
+`src/Module/Core/CoreModule.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
+            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
+            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+        ];
+    }
+}
+```
+
+> ⚠️ Confirmer la signature EXACTE de `ModuleInterface` (`src/Shared/Domain/Module/ModuleInterface.php`) avant d'écrire : la cartographie indique `id()`, `label()`, `isRequired()`, `permissions()` statiques. Si une méthode diffère (ex. non statique), aligner `CoreModule` ET le test dessus.
+
+- [ ] **Step 4: Lancer le test, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Enrichir le contrat `UserInterface`**
+
+Remplace `src/Shared/Domain/Contract/UserInterface.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
+interface UserInterface
+{
+    public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function isEmployee(): bool;
+}
+```
+
+> ⚠️ Cet enrichissement DOIT correspondre à des méthodes existantes de l'entité `User` (la cartographie confirme `getId`, `getUserIdentifier`, `getUsername`, `getRoles`, `getFirstName`, `getLastName`, `getAvatarUrl`, `isEmployee`). Si une signature diffère (ex. `getAvatarUrl(): string` non-nullable), aligner le contrat sur le réel. Ne PAS ajouter au contrat une méthode absente de `User`.
+
+- [ ] **Step 6: Créer `UserRepositoryInterface`**
+
+`src/Module/Core/Domain/Repository/UserRepositoryInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface UserRepositoryInterface
+{
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(\DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}
+```
+
+- [ ] **Step 7: Créer `NotifierInterface`**
+
+`src/Shared/Domain/Contract/NotifierInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+}
+```
+
+- [ ] **Step 8: Suite complète + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (115 + 3 = 118 tests). L'enrichissement du contrat ne casse rien (l'entité `User` implémente déjà ces méthodes ; `resolve_target_entities` pointe encore `App\Entity\User`).
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/CoreModule.php src/Module/Core/Domain/Repository/UserRepositoryInterface.php src/Shared/Domain/Contract/NotifierInterface.php src/Shared/Domain/Contract/UserInterface.php tests/Unit/Module/Core/CoreModuleTest.php
+git commit -m "feat(core) : add CoreModule, user repository contract, notifier contract and enriched user contract"
+```
+
+---
+
+## Phase B — Déplacer `User` + Auth dans Core (re-pointage, zéro migration)
+
+### Task 2: Déplacer la classe `User` vers Core + mapping Doctrine + provider sécurité
+
+**Files:**
+- Move: `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (namespace `App\Module\Core\Domain\Entity`)
+- Modify: `config/packages/doctrine.yaml` (mapping `Core` + `resolve_target_entities`)
+- Modify: `config/packages/security.yaml` (`app_user_provider.entity.class`)
+- Modify: `config/packages/api_platform.yaml` (mapping paths : ajouter le dir entité Core)
+
+**Interfaces:**
+- Produces : entité `App\Module\Core\Domain\Entity\User` (table `user` inchangée), résolue par `resolve_target_entities`.
+
+- [ ] **Step 1: Déplacer le fichier (git mv) et changer le namespace**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime
+mkdir -p src/Module/Core/Domain/Entity
+git mv src/Entity/User.php src/Module/Core/Domain/Entity/User.php
+```
+Puis éditer `src/Module/Core/Domain/Entity/User.php` :
+- `namespace App\Entity;` → `namespace App\Module\Core\Domain\Entity;`
+- Adapter les `use` internes devenus nécessaires (l'entité référençait `UserRepository`, `MeProvider`, `UserPasswordHasherProcessor`, l'enum `ContractType`, le contrat `UserInterface as SharedUserInterface`). Mettre les `use` complets vers leurs emplacements ACTUELS (la plupart bougent en Tasks 3/4 ; pour cette task, pointer encore vers `App\Repository\UserRepository`, `App\State\MeProvider`, `App\State\UserPasswordHasherProcessor`, `App\Entity\Enum\ContractType` ou l'emplacement réel — vérifier les `use` d'origine et les conserver tels quels tant que ces classes n'ont pas bougé).
+- Garder VERBATIM : tous les attributs `#[ORM\...]` (dont `#[ORM\Table(name: '`user`')]`), `#[ApiResource(...)]`, `#[ApiProperty(...)]`, toutes les propriétés/méthodes, `implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface`.
+
+> ⚠️ Lire le fichier d'origine en entier AVANT de déplacer pour relever tous les `use`. Ne changer QUE le `namespace` et, si besoin, garder les `use` pointant vers les emplacements actuels des classes non encore déplacées.
+
+- [ ] **Step 2: Mapping Doctrine + resolve_target_entities**
+
+Dans `config/packages/doctrine.yaml`, sous `orm:` :
+- `resolve_target_entities` :
+```yaml
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
+```
+- Ajouter un mapping pour les entités Core (en plus du mapping `App` existant qui scanne `src/Entity`) :
+```yaml
+        mappings:
+            App:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Entity'
+                prefix: 'App\Entity'
+                alias: App
+            Core:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
+```
+
+> Le mapping `App` (src/Entity) ne contient plus `User.php` (déplacé) → cohérent. Aucune entité orpheline.
+
+- [ ] **Step 3: Provider de sécurité**
+
+Dans `config/packages/security.yaml` :
+```yaml
+    providers:
+        app_user_provider:
+            entity:
+                class: App\Module\Core\Domain\Entity\User
+                property: username
+```
+
+- [ ] **Step 4: API Platform mapping paths**
+
+Dans `config/packages/api_platform.yaml`, ajouter au `mapping.paths` le dossier entité Core (l'`#[ApiResource]` est porté par l'entité `User` déplacée) :
+```yaml
+        - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+```
+> Conserver tous les paths existants. Si `api_platform.yaml` n'a pas de `mapping.paths` explicite (auto-discovery), vérifier que les Resources sous `src/Module/...` sont bien découvertes (comme `src/Shared/...` l'a été en #56 — cf. LEARNINGS : API Platform 4 auto-découvre). Si la découverte auto suffit, NE PAS ajouter de path ; sinon ajouter celui ci-dessus.
+
+- [ ] **Step 5: Vider le cache + vérifier qu'AUCUNE migration n'est nécessaire**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -20
+```
+Expected : schema VALID (mapping ok, sync DB ok). Le `diff` doit annoncer **« No changes detected »** (table/colonnes identiques). **Si une migration est générée, la SUPPRIMER** (`git status` → retirer le fichier sous `migrations/`) : un diff non vide = mapping mal recopié, corriger l'entité.
+
+- [ ] **Step 6: Vérif login + suite complète**
+
+Exécuter le bloc « Vérification login » (curl) → `login http=204`, `me http=200`, MCP 200.
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118). Les consommateurs importent encore `App\Entity\User` → **ERREUR attendue** : la classe n'existe plus à cet emplacement. ⇒ Cette task NE PASSE PAS seule ; elle est indissociable de la Task 3 (rewire). **Voir note ci-dessous.**
+
+> 🔴 **Note d'ordonnancement** : déplacer `User` casse les 26 `use App\Entity\User;`. Pour garder l'app bootable entre Task 2 et Task 3, **ajouter un alias de compatibilité TEMPORAIRE** au tout début de Task 2 et le retirer en fin de Task 3 :
+> Créer `src/Module/Core/_compat_user_alias.php` (chargé via `composer.json` `autoload.files`) :
+> ```php
+> <?php
+> declare(strict_types=1);
+> if (!class_exists(\App\Entity\User::class, false)) {
+>     class_alias(\App\Module\Core\Domain\Entity\User::class, \App\Entity\User::class);
+> }
+> ```
+> Ajouter `"files": ["src/Module/Core/_compat_user_alias.php"]` sous `autoload` dans `composer.json`, puis `composer dump-autoload`. Cela garde les 26 consommateurs fonctionnels (et Doctrine `targetEntity: User::class` résolu via l'alias) le temps de la Task 3. **L'alias est SUPPRIMÉ en Task 3 Step final** (avec le retrait du fichier, l'entrée composer et un nouveau `dump-autoload`) une fois tous les consommateurs basculés sur le contrat. La verif login de cette Step utilise donc l'alias — c'est attendu.
+
+- [ ] **Step 7: php-cs-fixer + commit (Phase B, avec alias temporaire)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/Domain/Entity/User.php src/Module/Core/_compat_user_alias.php composer.json composer.lock config/packages/doctrine.yaml config/packages/security.yaml config/packages/api_platform.yaml
+git commit -m "feat(core) : move user entity into core module and repoint security/doctrine (temp legacy alias)"
+```
+
+---
+
+## Phase C — Basculer relations + consommateurs sur le contrat, retirer l'alias
+
+### Task 3: Relations d'entités → `UserInterface::class`
+
+**Files (8 entités):**
+- Modify: `src/Entity/Task.php` (assignee ManyToOne, collaborators ManyToMany)
+- Modify: `src/Entity/TimeEntry.php` (user)
+- Modify: `src/Entity/AbsenceRequest.php` (user)
+- Modify: `src/Entity/AbsenceBalance.php` (user)
+- Modify: `src/Entity/TaskDocument.php` (user)
+- Modify: `src/Entity/TaskMailLink.php` (user)
+- Modify: `src/Module/Core/Domain/Entity/Notification.php` (user) — **après son déplacement en Phase D** ; en Phase C, `Notification` est encore `src/Entity/Notification.php`, la traiter ici aussi.
+
+> Pour CHAQUE relation vers User : remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;`, le `targetEntity: User::class` par `targetEntity: UserInterface::class`, et le type de propriété/param `?User` → `?UserInterface` (idem getters/setters). Doctrine résout via `resolve_target_entities`. La colonne FK et son nom restent identiques → **aucune migration**.
+
+- [ ] **Step 1: Modifier les relations (entité par entité)**
+
+Pour chaque fichier ci-dessus, lire puis appliquer le remplacement décrit. Exemple `Task.php` (assignee) :
+```php
+// avant
+use App\Entity\User;
+#[ORM\ManyToOne(targetEntity: User::class)]
+private ?User $assignee = null;
+public function getAssignee(): ?User { return $this->assignee; }
+public function setAssignee(?User $assignee): static { $this->assignee = $assignee; return $this; }
+// collaborators
+#[ORM\ManyToMany(targetEntity: User::class)]
+private Collection $collaborators;
+
+// après
+use App\Shared\Domain\Contract\UserInterface;
+#[ORM\ManyToOne(targetEntity: UserInterface::class)]
+private ?UserInterface $assignee = null;
+public function getAssignee(): ?UserInterface { return $this->assignee; }
+public function setAssignee(?UserInterface $assignee): static { $this->assignee = $assignee; return $this; }
+#[ORM\ManyToMany(targetEntity: UserInterface::class)]
+private Collection $collaborators;
+```
+> ⚠️ Conserver tous les autres attributs de relation (`inversedBy`, `joinTable`, `joinColumn`, `nullable`, `onDelete`, Groups…) VERBATIM. Ne changer que le type et `targetEntity`.
+
+- [ ] **Step 2: Valider le schéma (toujours zéro migration)**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+```
+Expected : « No changes detected ». Sinon corriger (un `joinColumn`/`onDelete` a été perdu).
+
+### Task 4: Consommateurs (26 fichiers) → contrat + repository interface, MeProvider/Processor dans Core, retrait alias
+
+**Files:** les 26 fichiers listés dans la cartographie (Controllers, Repositories, State, Services, EventListener, Security, DataFixtures, Mcp). Déplacements vers Core :
+- Move: `src/Repository/UserRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php` (implémente `UserRepositoryInterface`, namespace `App\Module\Core\Infrastructure\Doctrine`)
+- Move: `src/State/MeProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php`
+- Move: `src/State/UserPasswordHasherProcessor.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php`
+- Modify: l'`#[ApiResource]` de l'entité `User` (les `provider:`/`processor:` pointent vers les nouveaux FQCN Core).
+- Delete (en fin de task): `src/Module/Core/_compat_user_alias.php` + entrée `composer.json`.
+
+- [ ] **Step 1: Déplacer le repository et l'aligner sur l'interface**
+
+```bash
+mkdir -p src/Module/Core/Infrastructure/Doctrine src/Module/Core/Infrastructure/ApiPlatform/State
+git mv src/Repository/UserRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
+git mv src/State/MeProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
+git mv src/State/UserPasswordHasherProcessor.php src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
+```
+Éditer `DoctrineUserRepository.php` : `namespace App\Module\Core\Infrastructure\Doctrine;`, `class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface`, `use App\Module\Core\Domain\Entity\User;`, `use App\Module\Core\Domain\Repository\UserRepositoryInterface;`, et passer `User::class` au constructeur parent. Ajouter `findOneByUsername()` si absent (`return $this->findOneBy(['username' => $username]);`). Conserver `findByRole()` (SQL natif `roles::text LIKE`) et `findActiveEmployees()`.
+Éditer `User.php` : `#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]` avec le bon `use`.
+Éditer `MeProvider.php` / `UserPasswordHasherProcessor.php` : nouveaux namespaces ; `use App\Module\Core\Domain\Entity\User;` (le processor manipule le concret — c'est dans Core, autorisé).
+Mettre à jour les `provider:`/`processor:` dans l'`#[ApiResource]` de `User` vers les nouveaux FQCN.
+
+- [ ] **Step 2: Lier l'interface repository au service Doctrine**
+
+Dans `config/services.yaml`, alias pour l'injection par interface :
+```yaml
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+```
+
+- [ ] **Step 3: Basculer les 25 autres consommateurs sur le contrat**
+
+Pour chaque fichier important `App\Entity\User` (hors Core), remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;` et le type-hint `User` par `UserInterface` (params, retours, propriétés, `@var`, expressions). Cas particuliers :
+- `src/Repository/{Notification,AbsenceBalance,AbsenceRequest,TimeEntry}Repository.php` : les signatures `countUnreadByUser(User $user)` etc. → `UserInterface`. Ne pas changer la logique DQL (`n.user = :user` fonctionne avec l'instance).
+- `src/State/Absence*`, `TaskDocumentProvider`, `src/Service/AbsenceBalanceService`, `src/Security/MailAccessChecker`, `src/EventListener/TaskNotificationListener` (sera retravaillé en Phase D mais peut déjà passer au contrat ici), `src/Controller/*` (7), `src/Mcp/Tool/Absence/ReviewAbsenceRequestTool`, `src/Mcp/Tool/Serializer` : remplacer le type-hint.
+- `src/DataFixtures/AppFixtures.php` : **garde le concret** `App\Module\Core\Domain\Entity\User` (les fixtures INSTANCIENT `new User()` et appellent des setters d'écriture — c'est légitime ; importer le concret Core, pas le contrat). C'est hors `src/Module/Core/` mais c'est de l'écriture d'identité → exception documentée (les fixtures sont un cas d'amorçage, pas un consommateur métier).
+
+> Liste de contrôle : après cette step, `grep -rn "use App\\\\Entity\\\\User;" src/` ne doit retourner QUE `src/DataFixtures/AppFixtures.php` (qui importe désormais le FQCN Core, donc 0 occurrence de `App\Entity\User`). Viser **0 occurrence de `App\Entity\User`** dans tout `src/`.
+
+- [ ] **Step 4: Retirer l'alias de compatibilité**
+
+```bash
+git rm src/Module/Core/_compat_user_alias.php
+```
+Retirer l'entrée `"files": [...]` ajoutée sous `autoload` dans `composer.json` (Task 2), puis :
+```bash
+docker exec -t -u www-data php-lesstime-fpm composer dump-autoload
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+```
+
+- [ ] **Step 5: `grep` de garde (AC 2) + schéma + tests + login**
+
+```bash
+grep -rn "App\\\\Entity\\\\User" src/ config/ ; echo "(doit être VIDE)"
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected : grep VIDE, schéma valide, « No changes detected », **118 tests verts**. Puis bloc « Vérification login » (login 204, me 200, MCP 200).
+
+- [ ] **Step 6: php-cs-fixer + commit (Phase C)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config composer.json composer.lock
+git commit -m "refactor(core) : wire user relations and consumers to the shared contract, drop legacy alias"
+```
+> ⚠️ NE PAS `git add config/reference.php`. Vérifier `git status` avant le commit ; si `reference.php` est listé, l'exclure du `git add` (stager explicitement les fichiers voulus).
+
+---
+
+## Phase D — Notifications via `NotifierInterface` (impl Core)
+
+### Task 5: Déplacer `Notification` dans Core + `Notifier` (impl) + recâbler le listener
+
+**Files:**
+- Move: `src/Entity/Notification.php` → `src/Module/Core/Domain/Entity/Notification.php`
+- Move: `src/Repository/NotificationRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php`
+- Move: `src/State/NotificationProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php`
+- Create: `src/Module/Core/Infrastructure/Notifier.php` (implements `NotifierInterface`)
+- Modify: `src/EventListener/TaskNotificationListener.php` (dépend de `NotifierInterface`)
+- Modify: `config/packages/doctrine.yaml` (le mapping `Core` couvre déjà `Domain/Entity` → Notification incluse automatiquement)
+- Modify: `tests/` — ajouter `tests/Unit/Module/Core/NotifierTest.php` (ou Functional) si testable unitairement.
+
+- [ ] **Step 1: Écrire un test du `Notifier`**
+
+`tests/Functional/Module/Core/NotifierTest.php` (crée une notif et vérifie la persistance) :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $notifier->notify($user, 'task_assigned', 'Titre', 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\\Module\\Core\\Domain\\Entity\\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', 'Titre')->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** — `NotifierInterface` non instanciable / `Notification` introuvable au nouveau namespace.
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/NotifierTest.php`
+Expected: FAIL.
+
+- [ ] **Step 3: Déplacer `Notification` + repository + provider**
+
+```bash
+git mv src/Entity/Notification.php src/Module/Core/Domain/Entity/Notification.php
+git mv src/Repository/NotificationRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
+git mv src/State/NotificationProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
+```
+- `Notification.php` : `namespace App\Module\Core\Domain\Entity;`, `use App\Shared\Domain\Contract\UserInterface;`, relation `user` → `targetEntity: UserInterface::class` + type `?UserInterface`, `repositoryClass: DoctrineNotificationRepository::class`, conserver `#[ORM\Table(name:'notification')]` + index VERBATIM, ApiResource (provider → nouveau FQCN). **Table/colonnes inchangées.**
+- `DoctrineNotificationRepository.php` : namespace Core, `use App\Module\Core\Domain\Entity\Notification;`, signatures `UserInterface`.
+- `NotificationProvider.php` : namespace Core, mêmes dépendances.
+
+- [ ] **Step 4: Implémenter `Notifier`**
+
+`src/Module/Core/Infrastructure/Notifier.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(UserInterface $user, string $type, string $title, string $message): void
+    {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}
+```
+> ⚠️ Aligner sur les setters réels de `Notification` (la cartographie indique `user`, `type`, `title`, `message`, `isRead` default false, `createdAt`). Si `createdAt` n'est pas auto (prePersist), le poser ici. Si `setUser` attend le concret, accepter `UserInterface` (resolve_target_entities) — vérifier le type du setter.
+
+- [ ] **Step 5: Recâbler `TaskNotificationListener` sur `NotifierInterface`**
+
+Lire le listener ; remplacer la création directe de `Notification` (`new Notification()` + persist) par l'injection et l'appel de `NotifierInterface::notify(...)`. **Attention** : le listener tourne sur `onFlush`/`postFlush` — un `flush()` dans `notify()` pendant un `onFlush` est dangereux. Conserver le pattern existant (accumulation en `onFlush`, écriture en `postFlush`). Si `notify()` flush, l'appeler UNIQUEMENT en `postFlush` (jamais pendant `onFlush`). Préserver le comportement exact (mêmes types `task_assigned`/`task_collaborator_added`, mêmes destinataires). Adapter le test existant du listener s'il y en a un.
+
+> Si l'intrication onFlush/postFlush rend `NotifierInterface` inadapté (flush imbriqué), documenter et garder le listener en écriture directe via le repository Core, mais TOUJOURS dépendre du contrat pour le type User. Le but AC est « Notification exposée via NotifierInterface » : `NotifierInterface` doit exister et être l'API publique pour les autres modules ; le listener interne Core peut écrire directement.
+
+- [ ] **Step 6: Tests + login + endpoints notifications**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118 + 1 = 119). Vérifier `doctrine:migrations:diff` → « No changes detected ». Bloc login. Puis curl notifications :
+```bash
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications" -w "\nnotif http=%{http_code}\n" | head -c 200
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications/unread-count" -w "\nunread http=%{http_code}\n"
+```
+Expected : 200 sur les deux.
+
+- [ ] **Step 7: php-cs-fixer + commit**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config tests
+git commit -m "feat(core) : move notification into core and expose notifier contract"
+```
+
+---
+
+## Phase E — Déclarer `CoreModule` actif
+
+### Task 6: Enregistrer Core dans `config/modules.php`
+
+**Files:**
+- Modify: `config/modules.php`
+- Modify: `tests/Functional/Shared/ModulesEndpointTest.php` (ou équivalent — adapter l'assertion à la présence de `core`)
+
+- [ ] **Step 1: Adapter/écrire le test de l'endpoint modules**
+
+Vérifier le test existant de `/api/modules` (cartographie : `ModulesProvider`/`ModulesResource` créés en #56). Ajouter une assertion :
+```php
+public function testCoreModuleIsActive(): void
+{
+    $client = self::createClient();
+    // /api/modules est public (GET) d'après security.yaml
+    $client->request('GET', '/api/modules');
+    self::assertResponseIsSuccessful();
+    $data = json_decode($client->getResponse()->getContent(), true);
+    self::assertContains('core', $data['modules']);
+}
+```
+> Adapter le nom de classe/fichier de test à l'existant (#56). Si aucun test fonctionnel modules n'existe, créer `tests/Functional/Shared/ModulesEndpointTest.php`.
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (modules.php retourne `[]`).
+
+- [ ] **Step 3: Activer Core**
+
+`config/modules.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+use App\Module\Core\CoreModule;
+
+return [
+    CoreModule::class,
+];
+```
+
+- [ ] **Step 4: Tests + curl**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS. Curl :
+```bash
+curl -s http://localhost:8082/api/modules | head -c 200   # doit contenir "core"
+```
+
+- [ ] **Step 5: commit**
+
+```bash
+git add config/modules.php tests/
+git commit -m "feat(core) : activate core module in modules registry"
+```
+
+---
+
+## Phase F — Layer front `modules/core/`
+
+### Task 7: Déplacer login / profile / admin users dans `frontend/modules/core/`
+
+**Files:**
+- Create: `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`)
+- Move: `frontend/pages/login.vue` → `frontend/modules/core/pages/login.vue`
+- Move: `frontend/pages/profile.vue` → `frontend/modules/core/pages/profile.vue`
+- Move: `frontend/pages/admin/**` (gestion users) → `frontend/modules/core/pages/admin/**`
+- Move (si pertinent): composants/services liés à l'identité (ex. `frontend/components/user/**`, `frontend/components/admin/**`, `frontend/services/user.ts`) → `frontend/modules/core/{components,services}/**`
+
+> ⚠️ AVANT de déplacer, LIRE `frontend/pages/` et `frontend/components/` pour identifier précisément les pages/compos d'identité. Le scan `readdirSync('modules/')` (LST-62) ajoute `./modules/core` à `extends` et `modules/core/composables`/`stores` à `imports.dirs`. Les `pages/` d'un layer Nuxt sont fusionnées automatiquement → **les URLs (`/login`, `/profile`, `/admin/...`) restent identiques**. Vérifier qu'aucune page déplacée n'utilise un import PAR CHEMIN cassé (auto-import sinon).
+
+- [ ] **Step 1: Créer le layer + déplacer les pages d'identité**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p modules/core/pages
+printf 'export default defineNuxtConfig({})\n' > modules/core/nuxt.config.ts
+git mv pages/login.vue modules/core/pages/login.vue
+git mv pages/profile.vue modules/core/pages/profile.vue
+# admin users : adapter au réel (git mv pages/admin/... modules/core/pages/admin/...)
+```
+> Lister `frontend/pages/admin/` d'abord ; déplacer UNIQUEMENT les pages de gestion des utilisateurs (pas les pages admin d'autres domaines). En cas de doute, déplacer seulement login + profile en 1.1 et laisser admin users (documenter).
+
+- [ ] **Step 2: Corriger les imports par chemin éventuels**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && grep -rn "pages/login\|pages/profile\|~/pages" --include=*.ts --include=*.vue . | grep -v node_modules`
+Corriger toute référence cassée (les redirections `navigateTo('/login')` restent valides — c'est une URL, pas un chemin de fichier).
+
+- [ ] **Step 3: Gate front (cf. LST-62) + smoke**
+
+Run: `cd frontend && npx nuxt typecheck 2>&1 | grep "Cannot find module" | grep -E "modules/core|login|profile"` → doit être VIDE.
+Run: `grep -E "login|profile" frontend/.nuxt/routes.* 2>/dev/null` ou démarrer `make dev-nuxt` et confirmer que `/login`, `/profile` répondent (la fusion des pages du layer est effective).
+> Smoke runtime (login via navigateur) : laisser au PO si pas de navigateur côté exécutant.
+
+- [ ] **Step 4: commit**
+
+```bash
+git add -A -- frontend
+git commit -m "feat(core) : add core front layer with login, profile and admin users pages"
+```
+
+---
+
+## Acceptance check (après toutes les phases)
+
+- [ ] **AC1** Login/JWT OK via le module : `login http=204`, `/api/me` 200, MCP apiToken 200, `/api/notifications` 200.
+- [ ] **AC2** `grep -rn "App\\Entity\\User" src/ config/` → **VIDE** (User vit dans `src/Module/Core/Domain/Entity/`, consommé via contrat ; fixtures importent le FQCN Core).
+- [ ] **AC3** `make test` vert (≈119 tests), `doctrine:schema:validate` OK, `doctrine:migrations:diff` = « No changes detected » (**aucune migration destructive ni même additive**).
+- [ ] `/api/modules` renvoie `core` ; `CoreModule::isRequired() === true`.
+- [ ] `resolve_target_entities: UserInterface → App\Module\Core\Domain\Entity\User`.
+- [ ] Front : layer `modules/core/` détecté ; `/login`, `/profile` (+ admin users) accessibles aux mêmes URLs ; aucun `Cannot find module`.
+- [ ] `config/reference.php` jamais committé.
+
+## Notes pour le ticket suivant (1.2 — RBAC fin)
+
+`CoreModule::permissions()` est déjà posé (stub). 1.2 ajoutera `Role`/`Permission`, `app:sync-permissions`, `PermissionVoter`, et fera filtrer `SidebarProvider` **par permission** (en plus du module actif + du gate rôle minimal posé en 0.2). Le contrat `UserInterface` enrichi est prêt à recevoir `getPermissions()` si besoin.

frontend/modules/core/nuxt.config.ts

@@ -0,0 +1 @@
+export default defineNuxtConfig({})

src/Command/AccrueLeaveCommand.php

@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Command;
 
 use App\Enum\AbsenceType;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -37,7 +37,7 @@ use function sprintf;
 class AccrueLeaveCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly AbsenceBalanceRepository $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly EntityManagerInterface $entityManager,

src/Command/GenerateApiTokenCommand.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Command;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -22,7 +22,7 @@ use function sprintf;
 class GenerateApiTokenCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
     ) {
         parent::__construct();

src/Controller/Absence/AbsencePreviewController.php

@@ -4,13 +4,13 @@ declare(strict_types=1);
 
 namespace App\Controller\Absence;
 
-use App\Entity\User;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Repository\AbsenceBalanceRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -71,7 +71,7 @@ class AbsencePreviewController extends AbstractController
         );
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $available          = null;
         $projectedAvailable = null;

src/Controller/Mail/MailCreateTaskController.php

@@ -9,7 +9,7 @@ use App\Entity\Task;
 use App\Entity\TaskGroup;
 use App\Entity\TaskMailLink;
 use App\Entity\TaskStatus;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\MailMessageRepository;
 use App\Repository\TaskRepository;
 use App\Security\MailAccessChecker;

src/Controller/MarkAllReadController.php

@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
@@ -14,14 +14,14 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MarkAllReadController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/mark-all-read', name: 'notification_mark_all_read', methods: ['POST'], priority: 1)]
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): Response
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $this->notificationRepository->markAllReadByUser($user);

src/Controller/NotificationUnreadCountController.php

@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -14,14 +14,14 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class NotificationUnreadCountController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/unread-count', name: 'notification_unread_count', methods: ['GET'], priority: 1)]
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): JsonResponse
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $count = $this->notificationRepository->countUnreadByUser($user);

src/Controller/RegenerateApiTokenController.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;

src/Controller/TimeEntryExportController.php

@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Controller;
 
 use App\Entity\Project;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\TimeEntryRepository;
 use App\Service\TimeEntryExportService;
 use DateTimeImmutable;

src/Controller/UserAvatarController.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;

src/DataFixtures/AppFixtures.php

@@ -18,7 +18,6 @@ use App\Entity\TaskRecurrence;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
 use App\Entity\TimeEntry;
-use App\Entity\User;
 use App\Entity\Workflow;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\AbsenceStatus;
@@ -26,6 +25,7 @@ use App\Enum\AbsenceType;
 use App\Enum\ContractType;
 use App\Enum\RecurrenceType;
 use App\Enum\StatusCategory;
+use App\Module\Core\Domain\Entity\User;
 use DateTimeImmutable;
 use DateTimeZone;
 use Doctrine\Bundle\FixturesBundle\Fixture;

src/Entity/AbsenceBalance.php

@@ -10,6 +10,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use App\Enum\AbsenceType;
 use App\Repository\AbsenceBalanceRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\AbsenceBalanceProvider;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -45,10 +46,10 @@ class AbsenceBalance
     #[Groups(['absence_balance:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_balance:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_balance:read'])]
@@ -110,12 +111,12 @@ class AbsenceBalance
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 

src/Entity/AbsenceRequest.php

@@ -14,6 +14,7 @@ use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Repository\AbsenceRequestRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\AbsenceCancelProcessor;
 use App\State\AbsenceRequestProcessor;
 use App\State\AbsenceRequestProvider;
@@ -73,10 +74,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_request:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_request:read', 'absence_request:write'])]
@@ -130,10 +131,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?DateTimeImmutable $reviewedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['absence_request:read'])]
-    private ?User $reviewedBy = null;
+    private ?UserInterface $reviewedBy = null;
 
     #[Groups(['absence_request:read'])]
     public function getLabel(): ?string
@@ -156,12 +157,12 @@ class AbsenceRequest
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
@@ -312,12 +313,12 @@ class AbsenceRequest
         return $this;
     }
 
-    public function getReviewedBy(): ?User
+    public function getReviewedBy(): ?UserInterface
     {
         return $this->reviewedBy;
     }
 
-    public function setReviewedBy(?User $reviewedBy): static
+    public function setReviewedBy(?UserInterface $reviewedBy): static
     {
         $this->reviewedBy = $reviewedBy;
 

src/Entity/Task.php

@@ -16,6 +16,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TaskRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\TaskCalendarProcessor;
 use App\State\TaskNumberProcessor;
 use DateTimeImmutable;
@@ -80,13 +81,13 @@ class Task
     #[Groups(['task:read', 'task:write'])]
     private ?TaskPriority $priority = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task:read', 'task:write'])]
-    private ?User $assignee = null;
+    private ?UserInterface $assignee = null;
 
-    /** @var Collection<int, User> */
-    #[ORM\ManyToMany(targetEntity: User::class)]
+    /** @var Collection<int, UserInterface> */
+    #[ORM\ManyToMany(targetEntity: UserInterface::class)]
     #[ORM\JoinTable(
         name: 'task_collaborator',
         joinColumns: [new ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
@@ -239,25 +240,25 @@ class Task
         return $this;
     }
 
-    public function getAssignee(): ?User
+    public function getAssignee(): ?UserInterface
     {
         return $this->assignee;
     }
 
-    public function setAssignee(?User $assignee): static
+    public function setAssignee(?UserInterface $assignee): static
     {
         $this->assignee = $assignee;
 
         return $this;
     }
 
-    /** @return Collection<int, User> */
+    /** @return Collection<int, UserInterface> */
     public function getCollaborators(): Collection
     {
         return $this->collaborators;
     }
 
-    public function addCollaborator(User $user): static
+    public function addCollaborator(UserInterface $user): static
     {
         if (!$this->collaborators->contains($user)) {
             $this->collaborators->add($user);
@@ -266,7 +267,7 @@ class Task
         return $this;
     }
 
-    public function removeCollaborator(User $user): static
+    public function removeCollaborator(UserInterface $user): static
     {
         $this->collaborators->removeElement($user);
 

src/Entity/TaskDocument.php

@@ -12,6 +12,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use App\EventListener\TaskDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\TaskDocumentProcessor;
 use App\State\TaskDocumentProvider;
 use DateTimeImmutable;
@@ -77,10 +78,10 @@ class TaskDocument
     #[Groups(['task_document:read', 'task:read'])]
     private ?DateTimeImmutable $createdAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task_document:read', 'task:read'])]
-    private ?User $uploadedBy = null;
+    private ?UserInterface $uploadedBy = null;
 
     public function getId(): ?int
     {
@@ -176,12 +177,12 @@ class TaskDocument
         return $this;
     }
 
-    public function getUploadedBy(): ?User
+    public function getUploadedBy(): ?UserInterface
     {
         return $this->uploadedBy;
     }
 
-    public function setUploadedBy(?User $uploadedBy): static
+    public function setUploadedBy(?UserInterface $uploadedBy): static
     {
         $this->uploadedBy = $uploadedBy;
 

src/Entity/TaskMailLink.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use App\Repository\TaskMailLinkRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
@@ -29,9 +30,9 @@ class TaskMailLink
     #[ORM\Column(type: 'datetimetz_immutable')]
     private DateTimeImmutable $linkedAt;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(name: 'linked_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
-    private ?User $linkedBy = null;
+    private ?UserInterface $linkedBy = null;
 
     public function getId(): ?int
     {
@@ -74,12 +75,12 @@ class TaskMailLink
         return $this;
     }
 
-    public function getLinkedBy(): ?User
+    public function getLinkedBy(): ?UserInterface
     {
         return $this->linkedBy;
     }
 
-    public function setLinkedBy(?User $linkedBy): static
+    public function setLinkedBy(?UserInterface $linkedBy): static
     {
         $this->linkedBy = $linkedBy;
 

src/Entity/TimeEntry.php

@@ -14,6 +14,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TimeEntryRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\ActiveTimeEntryProvider;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -77,10 +78,10 @@ class TimeEntry
     #[Groups(['time_entry:read', 'time_entry:write'])]
     private ?DateTimeImmutable $stoppedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\ManyToOne(targetEntity: Project::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
@@ -160,12 +161,12 @@ class TimeEntry
         return $this;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 

src/EventListener/TaskNotificationListener.php

@@ -4,10 +4,9 @@ declare(strict_types=1);
 
 namespace App\EventListener;
 
-use App\Entity\Notification;
 use App\Entity\Task;
-use App\Entity\User;
-use DateTimeImmutable;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
 use Doctrine\ORM\Event\PostFlushEventArgs;
@@ -18,15 +17,18 @@ use Symfony\Bundle\SecurityBundle\Security;
 #[AsDoctrineListener(event: Events::postFlush)]
 final class TaskNotificationListener
 {
-    /** @var list<array{user: User, type: string, task: Task}> */
+    /** @var list<array{user: UserInterface, type: string, task: Task}> */
     private array $pending = [];
 
-    public function __construct(private readonly Security $security) {}
+    public function __construct(
+        private readonly Security $security,
+        private readonly NotifierInterface $notifier,
+    ) {}
 
     public function onFlush(OnFlushEventArgs $args): void
     {
         $actor = $this->security->getUser();
-        if (!$actor instanceof User) {
+        if (!$actor instanceof UserInterface) {
             return;
         }
 
@@ -38,7 +40,7 @@ final class TaskNotificationListener
                 continue;
             }
             $assignee = $entity->getAssignee();
-            if ($assignee instanceof User && $assignee !== $actor) {
+            if ($assignee instanceof UserInterface && $assignee !== $actor) {
                 $this->pending[] = ['user' => $assignee, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -53,7 +55,7 @@ final class TaskNotificationListener
                 continue;
             }
             $new = $changeSet['assignee'][1];
-            if ($new instanceof User && $new !== $actor) {
+            if ($new instanceof UserInterface && $new !== $actor) {
                 $this->pending[] = ['user' => $new, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -68,7 +70,7 @@ final class TaskNotificationListener
                 continue;
             }
             foreach ($collection->getInsertDiff() as $user) {
-                if ($user instanceof User && $user !== $actor) {
+                if ($user instanceof UserInterface && $user !== $actor) {
                     $this->pending[] = ['user' => $user, 'type' => 'task_collaborator_added', 'task' => $owner];
                 }
             }
@@ -84,25 +86,10 @@ final class TaskNotificationListener
         $pending       = $this->pending;
         $this->pending = [];
 
-        $em = $args->getObjectManager();
         foreach ($pending as $item) {
-            $em->persist($this->buildNotification($item['user'], $item['type'], $item['task']));
+            [$title, $message] = $this->render($item['type'], $item['task']);
+            $this->notifier->notify($item['user'], $item['type'], $title, $message);
         }
-        $em->flush();
-    }
-
-    private function buildNotification(User $user, string $type, Task $task): Notification
-    {
-        [$title, $message] = $this->render($type, $task);
-
-        $notification = new Notification();
-        $notification->setUser($user);
-        $notification->setType($type);
-        $notification->setTitle($title);
-        $notification->setMessage($message);
-        $notification->setCreatedAt(new DateTimeImmutable());
-
-        return $notification;
     }
 
     /**

src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php

@@ -9,9 +9,9 @@ use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
 use DateTimeImmutable;
@@ -28,7 +28,7 @@ class CreateAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly AbsencePolicyRepository $policyRepository,
         private readonly AbsenceRequestRepository $requestRepository,
         private readonly AbsenceDayCalculator $calculator,

src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php

@@ -6,8 +6,8 @@ namespace App\Mcp\Tool\Absence;
 
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -20,7 +20,7 @@ class ListAbsenceBalancesTool
 {
     public function __construct(
         private readonly AbsenceBalanceRepository $balanceRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 

src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php

@@ -7,8 +7,8 @@ namespace App\Mcp\Tool\Absence;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use DateTimeImmutable;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -22,7 +22,7 @@ class ListAbsenceRequestsTool
 {
     public function __construct(
         private readonly AbsenceRequestRepository $requestRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 

src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php

@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool\Absence;
 
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Mcp\Tool\Serializer;
 use App\Repository\AbsenceRequestRepository;
 use App\Service\AbsenceBalanceService;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -49,7 +49,7 @@ class ReviewAbsenceRequestTool
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ('approve' === $decision) {
             // Never let an approval push the balance below zero (CP only).

src/Mcp/Tool/Reference/GetUserTool.php

@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Mcp\Tool\Reference;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 

src/Mcp/Tool/Reference/ListUsersTool.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool\Reference;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListUsersTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 

src/Mcp/Tool/Reference/UpdateUserTool.php

@@ -6,7 +6,7 @@ namespace App\Mcp\Tool\Reference;
 
 use App\Enum\ContractType;
 use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -20,7 +20,7 @@ use function sprintf;
 class UpdateUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}

src/Mcp/Tool/Serializer.php

@@ -17,7 +17,7 @@ use App\Entity\TaskPriority;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
 use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\Common\Collections\Collection;
 
 /**

src/Mcp/Tool/Task/CreateTaskTool.php

@@ -6,6 +6,7 @@ namespace App\Mcp\Tool\Task;
 
 use App\Entity\Task;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskEffortRepository;
 use App\Repository\TaskGroupRepository;
@@ -13,7 +14,6 @@ use App\Repository\TaskPriorityRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskStatusRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
 use App\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -36,7 +36,7 @@ class CreateTaskTool
         private readonly TaskEffortRepository $taskEffortRepository,
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}

src/Mcp/Tool/Task/UpdateTaskTool.php

@@ -5,13 +5,13 @@ declare(strict_types=1);
 namespace App\Mcp\Tool\Task;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\TaskEffortRepository;
 use App\Repository\TaskGroupRepository;
 use App\Repository\TaskPriorityRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskStatusRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
 use App\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -33,7 +33,7 @@ class UpdateTaskTool
         private readonly TaskEffortRepository $taskEffortRepository,
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}

src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php

@@ -6,11 +6,11 @@ namespace App\Mcp\Tool\TimeEntry;
 
 use App\Entity\TimeEntry;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
 use App\Repository\TimeEntryRepository;
-use App\Repository\UserRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -25,7 +25,7 @@ class CreateTimeEntryTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,

src/Module/Core/CoreModule.php

@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
+            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
+            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+        ];
+    }
+}

src/Module/Core/Domain/Entity/Notification.php

@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Repository\NotificationRepository;
-use App\State\NotificationProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\NotificationProvider;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -28,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['notification:write']],
     order: ['createdAt' => 'DESC'],
 )]
-#[ORM\Entity(repositoryClass: NotificationRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineNotificationRepository::class)]
 #[ORM\Index(columns: ['user_id'], name: 'idx_notification_user')]
 #[ORM\Index(columns: ['user_id', 'is_read'], name: 'idx_notification_user_read')]
 class Notification
@@ -39,10 +40,10 @@ class Notification
     #[Groups(['notification:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['notification:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(length: 50)]
     #[Groups(['notification:read'])]
@@ -69,12 +70,12 @@ class Notification
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 

src/Module/Core/Domain/Entity/User.php

@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
@@ -12,10 +12,10 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Enum\ContractType;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
-use App\State\MeProvider;
-use App\State\UserPasswordHasherProcessor;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -43,7 +43,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
-#[ORM\Entity(repositoryClass: UserRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
 {

src/Module/Core/Domain/Repository/UserRepositoryInterface.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeInterface;
+
+interface UserRepositoryInterface
+{
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}

src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php

@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**

src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php

@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\Pagination\Pagination;
 use ApiPlatform\State\Pagination\TraversablePaginator;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\Notification;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Domain\Entity\Notification;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use ArrayIterator;
 use Doctrine\ORM\Tools\Pagination\Paginator as DoctrinePaginator;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -23,7 +23,7 @@ final readonly class NotificationProvider implements ProviderInterface
 {
     public function __construct(
         private Security $security,
-        private NotificationRepository $notificationRepository,
+        private DoctrineNotificationRepository $notificationRepository,
         private Pagination $pagination,
     ) {}
 

src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php

@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 

src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php

@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\Notification;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\ORM\QueryBuilder;
 use Doctrine\Persistence\ManagerRegistry;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\User\UserInterface;
 /**
  * @extends ServiceEntityRepository<Notification>
  */
-class NotificationRepository extends ServiceEntityRepository
+class DoctrineNotificationRepository extends ServiceEntityRepository
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -30,7 +30,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function countUnreadByUser(User $user): int
+    public function countUnreadByUser(SharedUserInterface $user): int
     {
         return (int) $this->createQueryBuilder('n')
             ->select('COUNT(n.id)')
@@ -42,7 +42,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function markAllReadByUser(User $user): int
+    public function markAllReadByUser(SharedUserInterface $user): int
     {
         return $this->createQueryBuilder('n')
             ->update()

src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php

@@ -2,9 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -12,7 +14,7 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<User>
  */
-class UserRepository extends ServiceEntityRepository
+class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -20,7 +22,7 @@ class UserRepository extends ServiceEntityRepository
     }
 
     /**
-     * @return User[]
+     * @return list<UserInterface>
      */
     public function findByRole(string $role): array
     {
@@ -43,7 +45,7 @@ class UserRepository extends ServiceEntityRepository
     /**
      * Employees active on the given date (hired on/before it, not yet left).
      *
-     * @return User[]
+     * @return list<UserInterface>
      */
     public function findActiveEmployees(DateTimeInterface $date): array
     {
@@ -59,4 +61,9 @@ class UserRepository extends ServiceEntityRepository
             ->getResult()
         ;
     }
+
+    public function findOneByUsername(string $username): ?UserInterface
+    {
+        return $this->findOneBy(['username' => $username]);
+    }
 }

src/Module/Core/Infrastructure/Notifier.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(UserInterface $user, string $type, string $title, string $message): void
+    {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $notification->setCreatedAt(new DateTimeImmutable());
+
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}

src/Repository/AbsenceBalanceRepository.php

@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\AbsenceBalance;
-use App\Entity\User;
 use App\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
@@ -20,7 +20,7 @@ class AbsenceBalanceRepository extends ServiceEntityRepository
         parent::__construct($registry, AbsenceBalance::class);
     }
 
-    public function findOneForPeriod(User $user, AbsenceType $type, string $period): ?AbsenceBalance
+    public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance
     {
         return $this->findOneBy([
             'user'   => $user,

src/Repository/AbsenceRequestRepository.php

@@ -5,9 +5,9 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -28,7 +28,7 @@ class AbsenceRequestRepository extends ServiceEntityRepository
      * end_a >= start_b.
      */
     public function hasOverlap(
-        User $user,
+        UserInterface $user,
         DateTimeInterface $startDate,
         DateTimeInterface $endDate,
         ?int $excludeId = null,
@@ -77,7 +77,7 @@ class AbsenceRequestRepository extends ServiceEntityRepository
      * @return AbsenceRequest[]
      */
     public function findFiltered(
-        ?User $user = null,
+        ?UserInterface $user = null,
         ?AbsenceStatus $status = null,
         ?AbsenceType $type = null,
         ?DateTimeInterface $from = null,

src/Repository/TimeEntryRepository.php

@@ -6,7 +6,7 @@ namespace App\Repository;
 
 use App\Entity\Project;
 use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -21,7 +21,7 @@ class TimeEntryRepository extends ServiceEntityRepository
         parent::__construct($registry, TimeEntry::class);
     }
 
-    public function findActiveByUser(User $user): ?TimeEntry
+    public function findActiveByUser(UserInterface $user): ?TimeEntry
     {
         return $this->findOneBy([
             'user'      => $user,
@@ -30,9 +30,9 @@ class TimeEntryRepository extends ServiceEntityRepository
     }
 
     /**
-     * @param null|User[]    $users
-     * @param null|Project[] $projects
-     * @param null|int[]     $tagIds
+     * @param null|UserInterface[] $users
+     * @param null|Project[]       $projects
+     * @param null|int[]           $tagIds
      *
      * @return TimeEntry[]
      */

src/Security/ApiTokenAuthenticator.php

@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Security;
 
-use App\Entity\User;
-use App\Repository\UserRepository;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -20,7 +20,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPasspor
 class ApiTokenAuthenticator extends AbstractAuthenticator
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
     ) {}
 
     public function supports(Request $request): ?bool

src/Security/MailAccessChecker.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Security;
 
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -23,7 +23,7 @@ final readonly class MailAccessChecker
      */
     public function ensureCanAccessMail(?UserInterface $user): void
     {
-        if (!$user instanceof User) {
+        if (!$user instanceof SharedUserInterface) {
             throw new AccessDeniedException('Authentication required');
         }
 
@@ -41,7 +41,7 @@ final readonly class MailAccessChecker
      */
     public function ensureIsAdmin(?UserInterface $user): void
     {
-        if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+        if (!$user instanceof SharedUserInterface || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Admin only');
         }
     }

src/Service/AbsenceBalanceService.php

@@ -6,8 +6,8 @@ namespace App\Service;
 
 use App\Entity\AbsenceBalance;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceType;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\AbsenceBalanceRepository;
 use DateTimeInterface;
 use Doctrine\ORM\EntityManagerInterface;

src/Shared/Domain/Contract/NotifierInterface.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+}

src/Shared/Domain/Contract/UserInterface.php

@@ -4,7 +4,26 @@ declare(strict_types=1);
 
 namespace App\Shared\Domain\Contract;
 
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
 interface UserInterface
 {
     public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): ?string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function getIsEmployee(): bool;
 }

src/State/AbsenceBalanceProvider.php

@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\AbsenceBalance;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceBalance|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo    = $this->entityManager->getRepository(AbsenceBalance::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');

src/State/AbsenceRequestProcessor.php

@@ -7,13 +7,13 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -42,7 +42,7 @@ final readonly class AbsenceRequestProcessor implements ProcessorInterface
         assert($data instanceof AbsenceRequest);
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $type      = $data->getType();
         $startDate = $data->getStartDate();

src/State/AbsenceRequestProvider.php

@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceRequest|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo    = $this->entityManager->getRepository(AbsenceRequest::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');

src/State/AbsenceReviewProcessor.php

@@ -7,9 +7,9 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Service\AbsenceBalanceService;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -55,7 +55,7 @@ final readonly class AbsenceReviewProcessor implements ProcessorInterface
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ($isApprove) {
             // Never let an approval push the balance below zero (CP only): the

src/State/TaskDocumentProvider.php

@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\TaskDocument;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class TaskDocumentProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|TaskDocument|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo = $this->entityManager->getRepository(TaskDocument::class);
 

tests/Functional/Controller/Mail/MailFoldersControllerTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Functional/Controller/Mail/MailMessagesControllerTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Functional/Controller/Mail/MailSettingsControllerTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php

@@ -8,7 +8,7 @@ use App\Entity\MailFolder;
 use App\Entity\MailMessage;
 use App\Entity\Project;
 use App\Entity\Task;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 

tests/Functional/Controller/ShareBrowseTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 

tests/Functional/Controller/ShareSearchTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 

tests/Functional/Controller/ShareSettingsTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Functional/EventListener/TaskNotificationListenerTest.php

@@ -6,8 +6,8 @@ namespace App\Tests\Functional\EventListener;
 
 use App\Entity\Project;
 use App\Entity\Task;
-use App\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
@@ -19,7 +19,7 @@ use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 class TaskNotificationListenerTest extends KernelTestCase
 {
     private EntityManagerInterface $em;
-    private NotificationRepository $notifications;
+    private DoctrineNotificationRepository $notifications;
     private TokenStorageInterface $tokenStorage;
     private Project $project;
     private User $actor;
@@ -31,7 +31,7 @@ class TaskNotificationListenerTest extends KernelTestCase
         self::bootKernel();
         $c                   = self::getContainer();
         $this->em            = $c->get(EntityManagerInterface::class);
-        $this->notifications = $c->get(NotificationRepository::class);
+        $this->notifications = $c->get(DoctrineNotificationRepository::class);
         $this->tokenStorage  = $c->get(TokenStorageInterface::class);
 
         $project = $this->em->getRepository(Project::class)->findOneBy([]);

tests/Functional/Mcp/AbsenceRequestLifecycleTest.php

@@ -6,15 +6,15 @@ namespace App\Tests\Functional\Mcp;
 
 use App\Entity\AbsenceBalance;
 use App\Entity\AbsencePolicy;
-use App\Entity\User;
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Absence\CancelAbsenceRequestTool;
 use App\Mcp\Tool\Absence\CreateAbsenceRequestTool;
 use App\Mcp\Tool\Absence\ReviewAbsenceRequestTool;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
 use Doctrine\ORM\EntityManagerInterface;
@@ -216,7 +216,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new CreateAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(UserRepository::class),
+            $c->get(DoctrineUserRepository::class),
             $c->get(AbsencePolicyRepository::class),
             $c->get(AbsenceRequestRepository::class),
             $c->get(AbsenceDayCalculator::class),

tests/Functional/Module/Core/NotifierTest.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $title = 'Titre-'.uniqid('', true);
+        $notifier->notify($user, 'task_assigned', $title, 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\Module\Core\Domain\Entity\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', $title)->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}

tests/Functional/Shared/ModulesEndpointTest.php

@@ -21,4 +21,14 @@ final class ModulesEndpointTest extends WebTestCase
         self::assertArrayHasKey('modules', $data);
         self::assertIsArray($data['modules']);
     }
+
+    public function testCoreModuleIsActive(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertContains('core', $data['modules']);
+    }
 }

tests/Functional/Shared/SidebarEndpointTest.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Shared;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**

tests/Unit/Module/Core/CoreModuleTest.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+}

tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php

@@ -79,6 +79,42 @@ final class TimestampableBlamableSubscriberTest extends TestCase
             {
                 return $this->id;
             }
+
+            public function getUserIdentifier(): string
+            {
+                return 'user-'.$this->id;
+            }
+
+            public function getUsername(): ?string
+            {
+                return 'user-'.$this->id;
+            }
+
+            /** @return list<string> */
+            public function getRoles(): array
+            {
+                return ['ROLE_USER'];
+            }
+
+            public function getFirstName(): ?string
+            {
+                return null;
+            }
+
+            public function getLastName(): ?string
+            {
+                return null;
+            }
+
+            public function getAvatarUrl(): ?string
+            {
+                return null;
+            }
+
+            public function getIsEmployee(): bool
+            {
+                return false;
+            }
         };
     }