chore: bump version to v0.4.46

Merge pull request 'fix(project) : sélection du workflow à la création + filet par défaut' (#29 ) from fix/project-creation-workflow into develop
Reviewed-on: #29
2026-06-26 14:52:54 +00:00 · 2026-06-26 14:52:44 +00:00 · 2026-06-26 14:50:08 +00:00 · 2026-06-26 16:49:33 +02:00 · 2026-06-26 16:42:02 +02:00 · 2026-06-26 14:21:43 +00:00
36 changed files with 2449 additions and 157 deletions
@@ -91,6 +91,20 @@ ENCRYPTION_KEY=change_me_in_env_local
 # POSTGRES_PORT=5435
 # XDEBUG_CLIENT_HOST=host.docker.internal
 # ===========================================================================
 # Error tracking — GlitchTip (compatible SDK Sentry)
 # ===========================================================================
 # DSN du projet GlitchTip "lesstime-api" (BACKEND, runtime).
 # Actif uniquement en prod (bundle prod-only). Vide/absent => Sentry inerte.
 # A definir dans infra/prod/.env (pas en dev). Ex : http://<cle>@glitchtip.interne:<port>/<id>
 # SENTRY_DSN=
 # NB : le DSN FRONT (lesstime-front) et l'upload des source maps sont fournis
 # au BUILD de l'image, pas au runtime. Voir infra/prod/Dockerfile (ARG) et la
 # CI .gitea/workflows/build-docker.yml (build-args depuis les secrets Gitea) :
 #   NUXT_PUBLIC_SENTRY_DSN, SENTRY_URL, SENTRY_ORG, SENTRY_PROJECT, SENTRY_AUTH_TOKEN
 # ===========================================================================
 # Frontend (frontend/.env)
 # ===========================================================================
@@ -20,6 +20,11 @@ jobs:
        run: |
          docker build \
            -f infra/prod/Dockerfile \
            --build-arg NUXT_PUBLIC_SENTRY_DSN="${{ secrets.SENTRY_FRONT_DSN }}" \
            --build-arg SENTRY_URL="${{ secrets.SENTRY_URL }}" \
            --build-arg SENTRY_ORG="${{ secrets.SENTRY_ORG }}" \
            --build-arg SENTRY_PROJECT="${{ secrets.SENTRY_FRONT_PROJECT }}" \
            --build-arg SENTRY_AUTH_TOKEN="${{ secrets.SENTRY_AUTH_TOKEN }}" \
            -t gitea.malio.fr/malio-dev/lesstime:${{ gitea.ref_name }} \
            -t gitea.malio.fr/malio-dev/lesstime:latest \
            .
@@ -1,12 +1,5 @@
 {
    "mcpServers": {
        "lesstime": {
            "type": "http",
            "url": "http://project.malio-dev.fr/_mcp",
            "headers": {
                "Authorization": "Bearer 7e8b410a5b79b5c0432951dcee3a3a81e0731e86d9f70d8784ec079a2b759c64"
            }
        },
        "lesstime-local": {
            "command": "docker",
            "args": [
@@ -23,6 +23,7 @@ Application de gestion de projet avec suivi du temps et portail client.
 - Intégration Gitea (issues, repos)
 - Intégration Mail IMAP (boîte partagée OVH, voir `docs/mail-integration.md`)
 - Serveur MCP pour assistants IA
 - Error tracking centralisé back + front (GlitchTip / SDK Sentry, prod uniquement — voir « Error tracking »)
 - Multi-langue (i18n)
 ## Prérequis
@@ -74,6 +75,7 @@ peuvent être surchargées dans `.env.local` (jamais committé). En prod, elles
 | `CORS_ALLOW_ORIGIN` | Origines CORS autorisées | localhost | ✅ (domaine prod) |
 | **`ENCRYPTION_KEY`** | **Clé hex 32 bytes chiffrant les credentials IMAP/SMTP (feature mail)** | placeholder | ✅ — doit rester **stable**, sinon les credentials mail stockés deviennent illisibles |
 | **`LOCK_DSN`** | **Store de verrous Symfony pour la sync mail (anti-chevauchement)** | `flock` | `flock` suffit |
 | `SENTRY_DSN` | Error tracking **backend** → GlitchTip (projet `lesstime-api`) | _(vide)_ | ⚪ optionnel — active le tracking (voir « Error tracking ») |
 > **Messagerie** : `ENCRYPTION_KEY` et `LOCK_DSN` sont introduites par l'intégration mail.
 > Détails de config et cron de synchronisation : `docs/mail-integration.md` et `docs/mail-cron-setup.md`.
@@ -217,28 +219,60 @@ Lesstime expose un serveur MCP (Model Context Protocol) permettant aux assistant
 }
 ```
-### Configuration réseau (HTTP)
+### Configuration réseau (HTTP) — par poste, hors git
 Le transport HTTP nécessite un **token API** (Bearer), qui est un **secret** : il ne va **jamais**
 dans le `.mcp.json` versionné (celui-ci ne contient que le serveur STDIO local, sans secret).
 Chaque développeur configure le serveur HTTP dans sa **config Claude Code locale**.
 **Méthode recommandée (identique sur Fedora, Windows et macOS) :**
 ```bash
 claude mcp add --transport http --scope user lesstime \
  http://project.malio-dev.fr/_mcp \
  --header "Authorization: Bearer <api-token>"
 ```
 - En prod : `http://project.malio-dev.fr/_mcp`
 - En réseau local : `http://<ip-serveur>:8082/_mcp`
 **Où c'est stocké** (si tu édites le fichier à la main, sous la clé `mcpServers`) :
 | OS | Fichier de config Claude Code |
 |----|-------------------------------|
 | **Fedora / Linux** | `~/.claude.json` |
 | **Windows** (collègue) | `%USERPROFILE%\.claude.json` (ex. `C:\Users\<user>\.claude.json`) |
 | **macOS** | `~/.claude.json` |
 ```json
 {
  "mcpServers": {
    "lesstime": {
-      "type": "url",
+      "type": "http",
-      "url": "http://<ip-serveur>:8082/_mcp",
+      "url": "http://project.malio-dev.fr/_mcp",
-      "headers": {
+      "headers": { "Authorization": "Bearer <api-token>" }
        "Authorization": "Bearer <api-token>"
      }
    }
  }
 }
 ```
 Après modification, relancer la connexion avec `/mcp` dans Claude Code.
 ### Gestion des tokens API
 Générer / régénérer un token pour un utilisateur :
 ```bash
 # En dev (container local)
 docker exec -u www-data php-lesstime-fpm php bin/console app:generate-api-token <username>
 # En prod (sur le serveur, dans infra/prod)
 sudo docker compose exec -T -u www-data app php bin/console app:generate-api-token <username>
 ```
 ⚠️ Le token est **invalidé à chaque reset/reseed de la base**. Symptôme : `/mcp` renvoie
 `HTTP 401 "Invalid API token"`. Il faut alors le **régénérer** (commande ci-dessus) puis remplacer
 la valeur `Bearer ...` dans ta config locale (par poste).
 ## Déploiement
 La prod tourne en **Docker** : l'image est buildée par la CI Gitea sur push de tag `v*`
@@ -255,6 +289,131 @@ Le script active la maintenance, pull l'image, redémarre le container, lance le
 et vide le cache. Guide complet (première installation, BDD, Nginx, JWT, rollback) :
 **`doc/deployment-docker.md`**.
 ## Error tracking (GlitchTip)
 Les erreurs **backend** et **frontend** sont remontées vers **GlitchTip** (instance auto-hébergée
 interne, compatible SDK Sentry) qui les **groupe par projet** et compte les occurrences. Activé
 **uniquement en prod** : en dev, sans DSN, le SDK est inerte (zéro impact). Ticket de référence :
 INFRA #146.
 ### Pourquoi back et front se configurent différemment
 | | Backend (Symfony) | Frontend (Nuxt SPA) |
 |---|---|---|
 | Nature | process PHP qui tourne en continu | fichiers JS/HTML **statiques** (`nuxt generate`) |
 | Quand le DSN est lu | au **runtime** | **figé au build** (baké dans le JS) |
 | Où mettre le DSN | `.env` du serveur (`/var/www/lesstime/.env`) — runtime | **secrets Gitea** → build-args de la CI |
 > Les erreurs partent **toujours vers GlitchTip**, jamais vers la CI. La CI ne sert qu'à *écrire*
 > le DSN front dans le bundle au moment du build (il n'y a aucun process front en prod qui
 > pourrait lire une variable d'environnement).
 ### Variables
 **Backend — fichier `.env` du serveur** (`/var/www/lesstime/.env`, chargé via `env_file` ; le repo ne fournit que le template `infra/prod/.env.example`) :
 ```env
 SENTRY_DSN=http://<clé>@glitchtip.interne:<port>/<id-projet-api>
 ```
 **Frontend — secrets Gitea** (repo → Settings → Actions → Secrets), consommés par
 `.gitea/workflows/build-docker.yml` :
 | Secret Gitea | Rôle |
 |---|---|
 | `SENTRY_FRONT_DSN` | DSN du projet `lesstime-front` (public, baké dans le JS) |
 | `SENTRY_URL` | URL de l'instance GlitchTip |
 | `SENTRY_ORG` | slug de l'organisation GlitchTip |
 | `SENTRY_FRONT_PROJECT` | slug du projet front |
 | `SENTRY_AUTH_TOKEN` | token d'upload des **source maps** (vrai secret) |
 > Sans source maps, seul `SENTRY_FRONT_DSN` est requis (les stacktraces front seront sur du JS
 > minifié). Le build n'échoue pas si les autres secrets sont absents.
 ### Fichiers concernés
 | Fichier | Rôle |
 |---|---|
 | `config/packages/sentry.yaml` | conf backend (prod-only, exceptions, 4xx ignorés, release = `app.version`) |
 | `config/bundles.php` | `SentryBundle` enregistré `['prod' => true]` |
 | `frontend/nuxt.config.ts` | module Sentry chargé **uniquement si DSN présent** + upload source maps |
 | `frontend/sentry.client.config.ts` | init du SDK client (no-op si DSN vide) |
 | `infra/prod/Dockerfile` | build-args front (`NUXT_PUBLIC_SENTRY_DSN`, `SENTRY_*`) |
 | `.gitea/workflows/build-docker.yml` | injection des secrets Gitea en build-args |
 ### Activation (résumé)
 1. Dans GlitchTip : créer les projets `lesstime-api` et `lesstime-front`, récupérer les 2 DSN
   (+ un auth token pour les source maps).
 2. Backend : ajouter `SENTRY_DSN` dans le `.env` du serveur (`/var/www/lesstime/.env`).
 3. Frontend : ajouter les secrets Gitea ci-dessus.
 4. Tagger une version (`v*`) → la CI build l'image avec le DSN front baké → `deploy.sh`.
 ### Certificat HTTPS interne (CA auto-signée)
 GlitchTip est servi en **HTTPS** sur `https://logs.malio-dev.fr` (nginx devant), avec un certificat
 **auto-signé** par une **CA interne** (« MALIO-DEV Local Root CA », cert serveur `*.malio-dev.fr`).
 `malio-dev.fr` est un **domaine interne uniquement** (DNS local, pas de résolution publique).
 > **Pourquoi pas Let's Encrypt ?** Une CA publique doit valider le domaine via Internet (challenge
 > HTTP ou DNS public). Comme `malio-dev.fr` n'existe qu'en interne, aucune validation n'est
 > possible → on reste sur la CA interne, qu'il faut faire **approuver partout** où la connexion TLS
 > est établie. Tant que la CA n'est pas approuvée, **rien ne remonte** : le backend logue
 > « Message not sent » (SDK Sentry) et le navigateur affiche « connexion non sécurisée » (le front
 > n'envoie rien).
 **Qui doit faire confiance à la CA ?** La connexion à `logs.malio-dev.fr` part de deux endroits
 différents, donc deux fixes distincts :
 | Émetteur des erreurs | Qui établit le TLS | Où approuver la CA |
 |---|---|---|
 | Backend (Symfony) | le **container PHP** | CA bakée dans l'**image Docker** (ci-dessous) |
 | Frontend (SPA) | le **navigateur du poste** | CA poussée sur les **postes via GPO** (ci-dessous) |
 #### Fix backend — CA bakée dans l'image
 Le certificat **public** de la root CA est committé dans le repo (`infra/prod/malio-dev-root-ca.crt`,
 aucune clé privée) et installé dans le trust store du container au build (`infra/prod/Dockerfile`,
 stage production — `ca-certificates` est déjà installé) :
 ```dockerfile
 COPY infra/prod/malio-dev-root-ca.crt /usr/local/share/ca-certificates/malio-dev-root-ca.crt
 RUN update-ca-certificates
 ```
 Le container fait alors confiance à tout `*.malio-dev.fr` interne et le SDK Sentry backend peut
 envoyer. Vérification :
 ```bash
 curl --cacert infra/prod/malio-dev-root-ca.crt https://logs.malio-dev.fr/api/1/store/   # → HTTP 200
 ```
 #### Fix postes — CA poussée par GPO (Active Directory)
 Le front est une SPA : c'est le **navigateur de l'utilisateur** qui contacte `logs.malio-dev.fr`,
 donc c'est le **poste** qui doit faire confiance à la CA (la CA de l'image ne sert qu'au backend).
 Sur le domaine Active Directory, on pousse la CA **une seule fois via GPO** plutôt que poste par poste :
 1. Contrôleur de domaine → **Group Policy Management** → éditer une GPO.
 2. `Configuration ordinateur → Stratégies → Paramètres Windows → Paramètres de sécurité → Stratégies
   de clé publique → Autorités de certification racines de confiance`.
 3. Clic droit → **Importer** → sélectionner `rootCA.crt` (« MALIO-DEV Local Root CA »).
 4. Sur les postes : `gpupdate /force` (ou attendre le rafraîchissement), puis **redémarrer le navigateur**.
 - Chrome / Edge utilisent le magasin Windows → confiance automatique.
 - ⚠️ **Firefox** a son propre magasin : activer `security.enterprise_roots.enabled = true`
  (`about:config` ou via policy) pour qu'il lise le magasin Windows.
 > **Validation poste** : ouvrir `https://logs.malio-dev.fr` → cadenas vert sans avertissement = CA
 > approuvée = le front peut envoyer.
 #### Renouvellement / changement de CA
 Si la CA interne change (rotation, expiration) :
 1. Remplacer `infra/prod/malio-dev-root-ca.crt` par le nouveau certificat public, commit + **rebuild
   de l'image** (re-tag `v*`) pour le backend.
 2. **Re-pousser** la nouvelle CA via GPO (étapes ci-dessus) pour les postes.
 ## Licence
 Propriétaire — Tous droits réservés.
@@ -20,6 +20,7 @@
        "phpoffice/phpspreadsheet": "^5.5",
        "phpstan/phpdoc-parser": "^2.3",
        "sabre/vobject": "^4.5",
        "sentry/sentry-symfony": "^5.10",
        "symfony/asset": "8.0.*",
        "symfony/console": "8.0.*",
        "symfony/doctrine-messenger": "^8.0",
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "eee87b9c0011fb88523cb5aea0de29ba",
+    "content-hash": "106755bef51fd069316cd7f3a7e1a0b6",
    "packages": [
        {
            "name": "api-platform/doctrine-common",
@@ -2508,6 +2508,125 @@
            },
            "time": "2026-02-08T16:21:46+00:00"
        },
        {
            "name": "guzzlehttp/psr7",
            "version": "2.12.3",
            "source": {
                "type": "git",
                "url": "https://github.com/guzzle/psr7.git",
                "reference": "7ec62dc3f44aa218487dbed81a9bf9bc647be55d"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/guzzle/psr7/zipball/7ec62dc3f44aa218487dbed81a9bf9bc647be55d",
                "reference": "7ec62dc3f44aa218487dbed81a9bf9bc647be55d",
                "shasum": ""
            },
            "require": {
                "php": "^7.2.5 || ^8.0",
                "psr/http-factory": "^1.0",
                "psr/http-message": "^1.1 || ^2.0",
                "ralouphie/getallheaders": "^3.0",
                "symfony/deprecation-contracts": "^2.5 || ^3.0",
                "symfony/polyfill-php80": "^1.25"
            },
            "provide": {
                "psr/http-factory-implementation": "1.0",
                "psr/http-message-implementation": "1.0"
            },
            "require-dev": {
                "bamarni/composer-bin-plugin": "^1.8.2",
                "http-interop/http-factory-tests": "1.1.0",
                "jshttp/mime-db": "1.54.0.1",
                "phpunit/phpunit": "^8.5.52 || ^9.6.34"
            },
            "suggest": {
                "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
            },
            "type": "library",
            "extra": {
                "bamarni-bin": {
                    "bin-links": true,
                    "forward-command": false
                }
            },
            "autoload": {
                "psr-4": {
                    "GuzzleHttp\\Psr7\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Graham Campbell",
                    "email": "hello@gjcampbell.co.uk",
                    "homepage": "https://github.com/GrahamCampbell"
                },
                {
                    "name": "Michael Dowling",
                    "email": "mtdowling@gmail.com",
                    "homepage": "https://github.com/mtdowling"
                },
                {
                    "name": "George Mponos",
                    "email": "gmponos@gmail.com",
                    "homepage": "https://github.com/gmponos"
                },
                {
                    "name": "Tobias Nyholm",
                    "email": "tobias.nyholm@gmail.com",
                    "homepage": "https://github.com/Nyholm"
                },
                {
                    "name": "Márk Sági-Kazár",
                    "email": "mark.sagikazar@gmail.com",
                    "homepage": "https://github.com/sagikazarmark"
                },
                {
                    "name": "Tobias Schultze",
                    "email": "webmaster@tubo-world.de",
                    "homepage": "https://github.com/Tobion"
                },
                {
                    "name": "Márk Sági-Kazár",
                    "email": "mark.sagikazar@gmail.com",
                    "homepage": "https://sagikazarmark.hu"
                }
            ],
            "description": "PSR-7 message implementation that also provides common utility methods",
            "keywords": [
                "http",
                "message",
                "psr-7",
                "request",
                "response",
                "stream",
                "uri",
                "url"
            ],
            "support": {
                "issues": "https://github.com/guzzle/psr7/issues",
                "source": "https://github.com/guzzle/psr7/tree/2.12.3"
            },
            "funding": [
                {
                    "url": "https://github.com/GrahamCampbell",
                    "type": "github"
                },
                {
                    "url": "https://github.com/Nyholm",
                    "type": "github"
                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
                    "type": "tidelift"
                }
            ],
            "time": "2026-06-23T15:21:08+00:00"
        },
        {
            "name": "icewind/smb",
            "version": "3.8.1",
@@ -2960,6 +3079,66 @@
            },
            "time": "2026-05-04T12:34:54+00:00"
        },
        {
            "name": "jean85/pretty-package-versions",
            "version": "2.1.1",
            "source": {
                "type": "git",
                "url": "https://github.com/Jean85/pretty-package-versions.git",
                "reference": "4d7aa5dab42e2a76d99559706022885de0e18e1a"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/Jean85/pretty-package-versions/zipball/4d7aa5dab42e2a76d99559706022885de0e18e1a",
                "reference": "4d7aa5dab42e2a76d99559706022885de0e18e1a",
                "shasum": ""
            },
            "require": {
                "composer-runtime-api": "^2.1.0",
                "php": "^7.4|^8.0"
            },
            "require-dev": {
                "friendsofphp/php-cs-fixer": "^3.2",
                "jean85/composer-provided-replaced-stub-package": "^1.0",
                "phpstan/phpstan": "^2.0",
                "phpunit/phpunit": "^7.5|^8.5|^9.6",
                "rector/rector": "^2.0",
                "vimeo/psalm": "^4.3 || ^5.0"
            },
            "type": "library",
            "extra": {
                "branch-alias": {
                    "dev-master": "1.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "Jean85\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Alessandro Lai",
                    "email": "alessandro.lai85@gmail.com"
                }
            ],
            "description": "A library to get pretty versions strings of installed dependencies",
            "keywords": [
                "composer",
                "package",
                "release",
                "versions"
            ],
            "support": {
                "issues": "https://github.com/Jean85/pretty-package-versions/issues",
                "source": "https://github.com/Jean85/pretty-package-versions/tree/2.1.1"
            },
            "time": "2025-03-19T14:43:43+00:00"
        },
        {
            "name": "lcobucci/jwt",
            "version": "5.6.0",
@@ -4939,6 +5118,50 @@
            },
            "time": "2021-10-29T13:26:27+00:00"
        },
        {
            "name": "ralouphie/getallheaders",
            "version": "3.0.3",
            "source": {
                "type": "git",
                "url": "https://github.com/ralouphie/getallheaders.git",
                "reference": "120b605dfeb996808c31b6477290a714d356e822"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
                "reference": "120b605dfeb996808c31b6477290a714d356e822",
                "shasum": ""
            },
            "require": {
                "php": ">=5.6"
            },
            "require-dev": {
                "php-coveralls/php-coveralls": "^2.1",
                "phpunit/phpunit": "^5 || ^6.5"
            },
            "type": "library",
            "autoload": {
                "files": [
                    "src/getallheaders.php"
                ]
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Ralph Khattar",
                    "email": "ralph.khattar@gmail.com"
                }
            ],
            "description": "A polyfill for getallheaders.",
            "support": {
                "issues": "https://github.com/ralouphie/getallheaders/issues",
                "source": "https://github.com/ralouphie/getallheaders/tree/develop"
            },
            "time": "2019-03-08T08:55:37+00:00"
        },
        {
            "name": "sabre/uri",
            "version": "3.0.2",
@@ -5172,6 +5395,201 @@
            },
            "time": "2024-09-06T08:00:55+00:00"
        },
        {
            "name": "sentry/sentry",
            "version": "4.28.0",
            "source": {
                "type": "git",
                "url": "https://github.com/getsentry/sentry-php.git",
                "reference": "662cb7a01a342a7f33780fc955ff4a028d8b785a"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/getsentry/sentry-php/zipball/662cb7a01a342a7f33780fc955ff4a028d8b785a",
                "reference": "662cb7a01a342a7f33780fc955ff4a028d8b785a",
                "shasum": ""
            },
            "require": {
                "ext-curl": "*",
                "ext-json": "*",
                "ext-mbstring": "*",
                "guzzlehttp/psr7": "^1.8.4|^2.1.1",
                "jean85/pretty-package-versions": "^1.5|^2.0.4",
                "php": "^7.2|^8.0",
                "psr/log": "^1.0|^2.0|^3.0",
                "symfony/options-resolver": "^4.4.30|^5.0.11|^6.0|^7.0|^8.0"
            },
            "conflict": {
                "raven/raven": "*"
            },
            "require-dev": {
                "carthage-software/mago": "1.30.0",
                "friendsofphp/php-cs-fixer": "^3.4",
                "guzzlehttp/promises": "^2.0.3",
                "monolog/monolog": "^1.6|^2.0|^3.0",
                "nyholm/psr7": "^1.8",
                "open-telemetry/api": "^1.0",
                "open-telemetry/exporter-otlp": "^1.0",
                "open-telemetry/sdk": "^1.0",
                "phpstan/phpstan": "^1.3",
                "phpunit/phpunit": "^8.5.52|^9.6.34",
                "spiral/roadrunner-http": "^3.6",
                "spiral/roadrunner-worker": "^3.6"
            },
            "suggest": {
                "ext-excimer": "Enable Sentry profiling with the Excimer PHP extension.",
                "monolog/monolog": "Allow sending log messages to Sentry by using the included Monolog handler."
            },
            "type": "library",
            "autoload": {
                "files": [
                    "src/functions.php"
                ],
                "psr-4": {
                    "Sentry\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Sentry",
                    "email": "accounts@sentry.io"
                }
            ],
            "description": "PHP SDK for Sentry (http://sentry.io)",
            "homepage": "http://sentry.io",
            "keywords": [
                "crash-reporting",
                "crash-reports",
                "error-handler",
                "error-monitoring",
                "log",
                "logging",
                "profiling",
                "sentry",
                "tracing"
            ],
            "support": {
                "issues": "https://github.com/getsentry/sentry-php/issues",
                "source": "https://github.com/getsentry/sentry-php/tree/4.28.0"
            },
            "funding": [
                {
                    "url": "https://sentry.io/",
                    "type": "custom"
                },
                {
                    "url": "https://sentry.io/pricing/",
                    "type": "custom"
                }
            ],
            "time": "2026-06-11T12:22:38+00:00"
        },
        {
            "name": "sentry/sentry-symfony",
            "version": "5.10.0",
            "source": {
                "type": "git",
                "url": "https://github.com/getsentry/sentry-symfony.git",
                "reference": "6f49255f4cdcfc43a3a283bd3a1f65d483e9192f"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/getsentry/sentry-symfony/zipball/6f49255f4cdcfc43a3a283bd3a1f65d483e9192f",
                "reference": "6f49255f4cdcfc43a3a283bd3a1f65d483e9192f",
                "shasum": ""
            },
            "require": {
                "guzzlehttp/psr7": "^2.1.1",
                "jean85/pretty-package-versions": "^1.5||^2.0",
                "php": "^7.2||^8.0",
                "sentry/sentry": "^4.23.0",
                "symfony/cache-contracts": "^1.1||^2.4||^3.0",
                "symfony/config": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/console": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/dependency-injection": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/event-dispatcher": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/http-kernel": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/polyfill-php80": "^1.22",
                "symfony/psr-http-message-bridge": "^1.2||^2.0||^6.4||^7.0||^8.0",
                "symfony/yaml": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0"
            },
            "require-dev": {
                "doctrine/dbal": "^2.13||^3.3||^4.0",
                "doctrine/doctrine-bundle": "^2.6||^3.0",
                "friendsofphp/php-cs-fixer": "^2.19||^3.40",
                "masterminds/html5": "^2.8",
                "phpstan/extension-installer": "^1.0",
                "phpstan/phpstan": "1.12.5",
                "phpstan/phpstan-phpunit": "1.4.0",
                "phpstan/phpstan-symfony": "1.4.10",
                "phpunit/phpunit": "^8.5.40||^9.6.21",
                "symfony/browser-kit": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/cache": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/dom-crawler": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/framework-bundle": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/http-client": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/messenger": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/monolog-bundle": "^3.4||^4.0",
                "symfony/phpunit-bridge": "^5.2.6||^6.0||^7.0||^8.0",
                "symfony/process": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/security-core": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/security-http": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "symfony/twig-bundle": "^4.4.20||^5.0.11||^6.0||^7.0||^8.0",
                "vimeo/psalm": "^4.3||^5.16.0"
            },
            "suggest": {
                "doctrine/doctrine-bundle": "Allow distributed tracing of database queries using Sentry.",
                "monolog/monolog": "Allow sending log messages to Sentry by using the included Monolog handler.",
                "symfony/cache": "Allow distributed tracing of cache pools using Sentry.",
                "symfony/twig-bundle": "Allow distributed tracing of Twig template rendering using Sentry."
            },
            "type": "symfony-bundle",
            "autoload": {
                "files": [
                    "src/aliases.php"
                ],
                "psr-4": {
                    "Sentry\\SentryBundle\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Sentry",
                    "email": "accounts@sentry.io"
                }
            ],
            "description": "Symfony integration for Sentry (http://getsentry.com)",
            "homepage": "http://getsentry.com",
            "keywords": [
                "errors",
                "logging",
                "sentry",
                "symfony"
            ],
            "support": {
                "issues": "https://github.com/getsentry/sentry-symfony/issues",
                "source": "https://github.com/getsentry/sentry-symfony/tree/5.10.0"
            },
            "funding": [
                {
                    "url": "https://sentry.io/",
                    "type": "custom"
                },
                {
                    "url": "https://sentry.io/pricing/",
                    "type": "custom"
                }
            ],
            "time": "2026-04-01T14:50:32+00:00"
        },
        {
            "name": "symfony/asset",
            "version": "v8.0.6",
@@ -8,6 +8,7 @@ use Doctrine\Bundle\FixturesBundle\DoctrineFixturesBundle;
 use Doctrine\Bundle\MigrationsBundle\DoctrineMigrationsBundle;
 use Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle;
 use Nelmio\CorsBundle\NelmioCorsBundle;
 use Sentry\SentryBundle\SentryBundle;
 use Symfony\AI\McpBundle\McpBundle;
 use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
 use Symfony\Bundle\MonologBundle\MonologBundle;
@@ -24,4 +25,5 @@ return [
    LexikJWTAuthenticationBundle::class => ['all' => true],
    McpBundle::class                    => ['all' => true],
    MonologBundle::class                => ['all' => true],
    SentryBundle::class                 => ['prod' => true],
 ];
@@ -22,6 +22,7 @@ security:
            pattern: ^/login_check
            stateless: true
            provider: app_user_provider
            user_checker: App\Module\Core\Infrastructure\Security\ArchivedUserChecker
            login_throttling:
                max_attempts: 5
                interval: '1 minute'
@@ -41,6 +42,7 @@ security:
            pattern: ^/api
            stateless: true
            provider: app_user_provider
            user_checker: App\Module\Core\Infrastructure\Security\ArchivedUserChecker
            jwt: ~
            logout:
                path: /api/logout
@@ -0,0 +1,23 @@
 # Error tracking → GlitchTip (compatible SDK Sentry).
 # Actif uniquement en prod (bundle enregistre seulement pour prod dans bundles.php).
 # Si SENTRY_DSN est vide/non defini, le SDK est inerte (rien n'est envoye).
 when@prod:
    parameters:
        # Valeur par defaut : DSN vide => Sentry desactive tant qu'il n'est pas fourni.
        env(SENTRY_DSN): ''
    sentry:
        dsn: '%env(SENTRY_DSN)%'
        # Capture les exceptions levees par le kernel (comportement par defaut).
        register_error_listener: true
        register_error_handler: true
        options:
            environment: '%env(APP_ENV)%'
            release: '%app.version%'
            # Pas d'APM/tracing (DuckDB hors perimetre du ticket #146).
            traces_sample_rate: 0.0
            # Ne pas remonter les 4xx HTTP comme des erreurs (bruit).
            ignore_exceptions:
                - Symfony\Component\HttpKernel\Exception\NotFoundHttpException
                - Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException
                - Symfony\Component\Security\Core\Exception\AccessDeniedException
@@ -1752,6 +1752,90 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
 *         },
 *     }>,
 * }
 * @psalm-type SentryConfig = array{
 *     dsn?: scalar|Param|null, // If this value is not provided, the SDK will try to read it from the SENTRY_DSN environment variable. If that variable also does not exist, the SDK will not send any events.
 *     register_error_listener?: bool|Param, // Default: true
 *     register_error_handler?: bool|Param, // Default: true
 *     logger?: scalar|Param|null, // The service ID of the PSR-3 logger used to log messages coming from the SDK client. Be aware that setting the same logger of the application may create a circular loop when an event fails to be sent. // Default: null
 *     options?: array{
 *         integrations?: mixed, // Default: []
 *         default_integrations?: bool|Param,
 *         prefixes?: list<scalar|Param|null>,
 *         sample_rate?: float|Param, // The sampling factor to apply to events. A value of 0 will deny sending any event, and a value of 1 will send all events.
 *         enable_tracing?: bool|Param,
 *         traces_sample_rate?: float|Param, // The sampling factor to apply to transactions. A value of 0 will deny sending any transaction, and a value of 1 will send all transactions.
 *         traces_sampler?: scalar|Param|null,
 *         profiles_sample_rate?: float|Param, // The sampling factor to apply to profiles. A value of 0 will deny sending any profiles, and a value of 1 will send all profiles. Profiles are sampled in relation to traces_sample_rate
 *         enable_logs?: bool|Param,
 *         log_flush_threshold?: mixed, // Default: null
 *         enable_metrics?: bool|Param, // Default: true
 *         attach_stacktrace?: bool|Param,
 *         attach_metric_code_locations?: bool|Param,
 *         context_lines?: int|Param,
 *         environment?: scalar|Param|null, // Default: "%kernel.environment%"
 *         logger?: scalar|Param|null,
 *         spotlight?: bool|Param,
 *         spotlight_url?: scalar|Param|null,
 *         release?: scalar|Param|null, // Default: "%env(default::SENTRY_RELEASE)%"
 *         org_id?: int|Param,
 *         server_name?: scalar|Param|null,
 *         ignore_exceptions?: list<scalar|Param|null>,
 *         ignore_transactions?: list<scalar|Param|null>,
 *         before_send?: scalar|Param|null,
 *         before_send_transaction?: scalar|Param|null,
 *         before_send_check_in?: scalar|Param|null,
 *         before_send_metrics?: scalar|Param|null,
 *         before_send_log?: scalar|Param|null,
 *         before_send_metric?: scalar|Param|null,
 *         trace_propagation_targets?: mixed,
 *         strict_trace_continuation?: bool|Param,
 *         tags?: array<string, scalar|Param|null>,
 *         error_types?: scalar|Param|null,
 *         max_breadcrumbs?: int|Param,
 *         before_breadcrumb?: mixed,
 *         in_app_exclude?: list<scalar|Param|null>,
 *         in_app_include?: list<scalar|Param|null>,
 *         send_default_pii?: bool|Param,
 *         max_value_length?: int|Param,
 *         transport?: scalar|Param|null,
 *         http_client?: scalar|Param|null,
 *         http_proxy?: scalar|Param|null,
 *         http_proxy_authentication?: scalar|Param|null,
 *         http_connect_timeout?: float|Param, // The maximum number of seconds to wait while trying to connect to a server. It works only when using the default transport.
 *         http_timeout?: float|Param, // The maximum execution time for the request+response as a whole. It works only when using the default transport.
 *         http_ssl_verify_peer?: bool|Param,
 *         http_compression?: bool|Param,
 *         capture_silenced_errors?: bool|Param,
 *         max_request_body_size?: "none"|"never"|"small"|"medium"|"always"|Param,
 *         class_serializers?: array<string, scalar|Param|null>,
 *     },
 *     messenger?: bool|array{
 *         enabled?: bool|Param, // Default: true
 *         capture_soft_fails?: bool|Param, // Default: true
 *         isolate_breadcrumbs_by_message?: bool|Param, // Default: false
 *         isolate_context_by_message?: bool|Param, // Default: false
 *     },
 *     tracing?: bool|array{
 *         enabled?: bool|Param, // Default: true
 *         dbal?: bool|array{
 *             enabled?: bool|Param, // Default: true
 *             ignore_prepare_spans?: bool|Param, // Default: false
 *             connections?: list<scalar|Param|null>,
 *         },
 *         twig?: bool|array{
 *             enabled?: bool|Param, // Default: false
 *         },
 *         cache?: bool|array{
 *             enabled?: bool|Param, // Default: true
 *         },
 *         http_client?: bool|array{
 *             enabled?: bool|Param, // Default: true
 *         },
 *         console?: array{
 *             excluded_commands?: list<scalar|Param|null>,
 *         },
 *     },
 * }
 * @psalm-type ConfigType = array{
 *     imports?: ImportsConfig,
 *     parameters?: ParametersConfig,
@@ -1792,6 +1876,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
 *         lexik_jwt_authentication?: LexikJwtAuthenticationConfig,
 *         mcp?: McpConfig,
 *         monolog?: MonologConfig,
 *         sentry?: SentryConfig,
 *     },
 *     "when@test"?: array{
 *         imports?: ImportsConfig,
@@ -125,6 +125,10 @@ services:
        tags:
            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\CommercialReport', event: prePersist }
    App\Module\ProjectManagement\Infrastructure\EventListener\ProjectDefaultWorkflowListener:
        tags:
            - { name: doctrine.orm.entity_listener, entity: 'App\Module\ProjectManagement\Domain\Entity\Project', event: prePersist }
    App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
        arguments:
            $uploadDir: '%task_document_upload_dir%'
@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.4.40'
+    app.version: '0.4.46'
@@ -32,6 +32,13 @@
                empty-option-label="Aucun client"
                group-class="w-full"
            />
            <MalioSelect
                v-if="!isEditing"
                v-model="form.workflowId"
                :options="workflowOptions"
                label="Workflow"
                group-class="w-full"
            />
            <div class="mt-4">
                <ColorPicker v-model="form.color" />
            </div>
@@ -124,10 +131,12 @@
 <script setup lang="ts">
 import type { Project, ProjectWrite } from '~/modules/project-management/services/dto/project'
 import type { Workflow } from '~/modules/project-management/services/dto/workflow'
 import type { Client } from '~/modules/directory/services/dto/client'
 import type { GiteaRepository } from '~/modules/integration/services/dto/gitea'
 import type { BookStackShelf } from '~/modules/integration/services/dto/bookstack'
 import { useProjectService } from '~/modules/project-management/services/projects'
 import { useWorkflowService } from '~/modules/project-management/services/workflows'
 import { useGiteaService } from '~/modules/integration/services/gitea'
 import { useBookStackService } from '~/modules/integration/services/bookstack'
@@ -174,12 +183,24 @@ const bookstackShelfOptions = computed(() =>
    bookstackShelves.value.map(s => ({ label: s.name, value: s.id }))
 )
 const { getAll: getAllWorkflows } = useWorkflowService()
 const workflows = ref<Workflow[]>([])
 const workflowOptions = computed(() =>
    workflows.value.map(w => ({ label: w.name, value: w.id }))
 )
 function defaultWorkflowId(): number | null {
    return (workflows.value.find(w => w.isDefault) ?? workflows.value[0])?.id ?? null
 }
 const form = reactive({
    code: '',
    name: '',
    description: '',
    color: '#222783',
    clientId: null as number | null,
    workflowId: null as number | null,
    giteaRepoFullName: null as string | null,
    bookstackShelfId: null as number | null,
 })
@@ -222,6 +243,7 @@ watch(() => props.modelValue, (open) => {
            form.description = ''
            form.color = '#222783'
            form.clientId = null
            form.workflowId = defaultWorkflowId()
            form.giteaRepoFullName = null
            form.bookstackShelfId = null
        }
@@ -269,6 +291,9 @@ async function handleSubmit() {
            await update(props.project.id, payload)
        } else {
            payload.code = form.code
            if (form.workflowId) {
                payload.workflow = `/api/workflows/${form.workflowId}`
            }
            await create(payload)
        }
@@ -308,6 +333,15 @@ async function handleArchiveToggle() {
 }
 onMounted(async () => {
    try {
        workflows.value = await getAllWorkflows()
        // Si le drawer est déjà ouvert en création, pré-remplir une fois les workflows chargés.
        if (props.modelValue && !props.project && !form.workflowId) {
            form.workflowId = defaultWorkflowId()
        }
    } catch {
        // Workflows indisponibles, ignore (le serveur assignera le défaut)
    }
    try {
        giteaRepos.value = await listRepositories()
    } catch {
@@ -33,6 +33,9 @@ export default defineNuxtConfig({
        'nuxt-toast',
        '@nuxtjs/i18n',
        '@nuxt/icon',
        // Error tracking GlitchTip : charge le module uniquement si un DSN est fourni
        // (donc seulement au build prod). En dev, aucun DSN => zero impact.
        ...(process.env.NUXT_PUBLIC_SENTRY_DSN ? ['@sentry/nuxt/module'] : []),
    ],
    dir: {
        layouts: 'app/layouts',
@@ -56,6 +59,23 @@ export default defineNuxtConfig({
    runtimeConfig: {
        public: {
            apiBase: process.env.NUXT_PUBLIC_API_BASE,
            sentry: {
                // DSN du projet GlitchTip "lesstime-front" (vide => SDK inerte).
                dsn: process.env.NUXT_PUBLIC_SENTRY_DSN || '',
                environment: process.env.NODE_ENV || 'development',
            },
        },
    },
    // Upload des source maps vers GlitchTip (stacktraces lisibles cote front).
    // Ne s'execute au build que si un token d'upload est fourni.
    sourcemap: { client: 'hidden' },
    sentry: {
        sourceMapsUploadOptions: {
            url: process.env.SENTRY_URL,
            org: process.env.SENTRY_ORG,
            project: process.env.SENTRY_PROJECT,
            authToken: process.env.SENTRY_AUTH_TOKEN,
        },
    },
    devServer: {
@@ -16,6 +16,7 @@
        "@nuxtjs/i18n": "^10.2.3",
        "@nuxtjs/tailwindcss": "^6.14.0",
        "@pinia/nuxt": "^0.11.3",
        "@sentry/nuxt": "^10.61.0",
        "@tailwindcss/typography": "^0.5.19",
        "@vuepic/vue-datepicker": "^12.1.0",
        "chart.js": "^4.5.1",
@@ -0,0 +1,18 @@
 import * as Sentry from '@sentry/nuxt'
 // Init Sentry cote client (SPA). Le DSN provient du build prod (NUXT_PUBLIC_SENTRY_DSN).
 // Si le DSN est vide (dev), Sentry.init est un no-op : rien n'est envoye.
 const config = useRuntimeConfig()
 const dsn = config.public.sentry?.dsn
 if (dsn) {
    Sentry.init({
        dsn,
        environment: config.public.sentry?.environment,
        // Pas d'APM/tracing (hors perimetre ticket #146) : on ne remonte que les erreurs.
        tracesSampleRate: 0,
        // Pas de session replay (volume).
        replaysSessionSampleRate: 0,
        replaysOnErrorSampleRate: 0,
    })
 }
@@ -29,10 +29,26 @@ COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
 COPY frontend/ ./
 # Sentry / GlitchTip (front) — fourni au BUILD :
 #  - NUXT_PUBLIC_SENTRY_DSN est bake dans le bundle statique (SPA generee).
 #  - SENTRY_URL/ORG/PROJECT/AUTH_TOKEN servent a uploader les source maps.
 # Si NUXT_PUBLIC_SENTRY_DSN est vide, le module Sentry n'est pas charge (no-op).
 ARG NUXT_PUBLIC_SENTRY_DSN=""
 ARG SENTRY_URL=""
 ARG SENTRY_ORG=""
 ARG SENTRY_PROJECT=""
 ARG SENTRY_AUTH_TOKEN=""
 ENV CI=1 \
    NUXT_TELEMETRY_DISABLED=1 \
    NUXT_PUBLIC_API_BASE=/api \
-    NUXT_PUBLIC_APP_BASE=/
+    NUXT_PUBLIC_APP_BASE=/ \
    NUXT_PUBLIC_SENTRY_DSN=$NUXT_PUBLIC_SENTRY_DSN \
    SENTRY_URL=$SENTRY_URL \
    SENTRY_ORG=$SENTRY_ORG \
    SENTRY_PROJECT=$SENTRY_PROJECT \
    SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
 RUN npm run generate
 # --- Stage 3: Production image ---
@@ -40,10 +56,15 @@ FROM php:8.4-fpm AS production
 RUN apt-get update && apt-get install -y \
        libicu-dev libpq-dev libpng-dev libzip-dev libxml2-dev \
-        nginx supervisor smbclient \
+        nginx supervisor smbclient ca-certificates \
    && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
    && rm -rf /var/lib/apt/lists/*
 # CA racine interne MALIO (auto-signée) — permet au SDK Sentry/HttpClient de
 # joindre les services HTTPS internes (ex. GlitchTip sur logs.malio-dev.fr).
 COPY infra/prod/malio-dev-root-ca.crt /usr/local/share/ca-certificates/malio-dev-root-ca.crt
 RUN update-ca-certificates
 # PHP production config
 RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
@@ -37,6 +37,14 @@ echo "==> Clearing cache..."
 sudo docker compose exec -T -u www-data app php bin/console cache:clear --env=prod
 sudo docker compose exec -T -u www-data app php bin/console cache:warmup --env=prod
 echo "==> Checking error tracking (GlitchTip)..."
 SENTRY_DSN_VALUE="$(sudo docker compose exec -T app printenv SENTRY_DSN 2>/dev/null || true)"
 if [ -n "${SENTRY_DSN_VALUE}" ]; then
  echo "    SENTRY_DSN detecte — erreurs backend envoyees a GlitchTip."
 else
  echo "    SENTRY_DSN absent/vide — error tracking backend desactive (ajouter SENTRY_DSN dans .env)."
 fi
 echo "==> Disabling maintenance mode..."
 rm -f maintenance.on
@@ -2,6 +2,10 @@ services:
  app:
    image: gitea.malio.fr/malio-dev/lesstime:${LESSTIME_IMAGE_TAG:-latest}
    container_name: lesstime-app
    # Error tracking backend → GlitchTip : ajouter `SENTRY_DSN=...` (projet
    # GlitchTip "lesstime-api") dans ce fichier .env. Vide/absent => Sentry inerte.
    # (Le DSN FRONT et l'upload des source maps sont fournis au BUILD de l'image,
    #  pas ici — voir infra/prod/Dockerfile + .gitea/workflows/build-docker.yml.)
    env_file: .env
    ports:
      - "8081:80"
@@ -0,0 +1,31 @@
 -----BEGIN CERTIFICATE-----
 MIIFZzCCA0+gAwIBAgIUOiZigxwgIgtLipnLnu4eSgItc5MwDQYJKoZIhvcNAQEL
 BQAwQzELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU1BTElPLURFVjEgMB4GA1UEAwwX
 TUFMSU8tREVWIExvY2FsIFJvb3QgQ0EwHhcNMjYwNjI1MTYxMjIwWhcNMzYwNjIy
 MTYxMjIwWjBDMQswCQYDVQQGEwJGUjESMBAGA1UECgwJTUFMSU8tREVWMSAwHgYD
 VQQDDBdNQUxJTy1ERVYgTG9jYWwgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD
 ggIPADCCAgoCggIBALqHXVWEae9aKtveLfSpxYy9RS0Aslw2Ls9+LWI33lpMRs02
 QssE9wquf3WGjz8NnHUWl5RM0QHC0DOCCddcbnRBciDRJeTaU43IGdNg+TSY+7aM
 3t/jysZrpc/eu/udlIs7npCPaOGnRiuGN68Fkf9Q70FtmaASpusUe7J3jKDinznr
 R2hARplO4OF01tFauu039A4yudLrZTUFTldicuZ6a5U3NhajgfNZA+pyJqvL3tLT
 lXG3KupPD9BsbWe4zSM96CmyHM22QNlcL+M5XG5+EtDtM07tkDcyxFOsREjQHvSQ
 NH+7h6G/QBHHKkYJhdyiuvpj6b5tEJBM2PVgy1T2JX5TuOBOLx6HvHLbNjUY/JI5
 0sIjnHbeybQCOfnKNAwidtnqjAfVg+XJ9UZCiGJOeRJOdN5isvvqEKydsX4ouCTj
 89kwBbfCJeCS6BiadvNFUwnM0PksV0ovnOiUEEAPHRiP74jZ3IvH95BEwiZzyLpy
 tXiJMW7cJMaqlT3jNwq3P00irfrpJNy4S1Mg2cBQh5ucv+PcMBfQT8YiarzlTQJo
 saksh/2C43WH+qIFAL2aeD+rKReVBZcGa1XOBI8FUJTu3rLd37+iS4N2BUKq4fWo
 FttuX5NOfeU3BRDLlCJ2AXau7o0czVy896R9iZTfBJC95QWD07PdHgoctuexAgMB
 AAGjUzBRMB0GA1UdDgQWBBRNU0WsMg/pqo5XF/WXx78GrAzD5TAfBgNVHSMEGDAW
 gBRNU0WsMg/pqo5XF/WXx78GrAzD5TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
 DQEBCwUAA4ICAQBFXsuT7Rm2oJBlWT/RsJtmWr95NoFLHovVDycgM8Vjm+E8hv/m
 AcSjPjZDmXQLOrN31T/XUAs0nURHxSFgVzdIKpq2gOlGgHkZRMAW/iTON9Cqjn81
 Arjp5fjAJyFkoCiT3eTOElpteF4NhL8xMFaOg1Y2CEfOYO9OZR7Z38HdB6IArVwr
 W3Dxq3DPtarCeo1k8SHJmJzUduYCltV8urB43gIiI2Hqd7aAlpkTfDhruKxxr7sJ
 3/TpemJDCN9m8XMv2QvxqpMwH6EXg/7oqit5k0MvD445f3xt9vZydmV/x6F7u/A/
 gJitN+ixA4AKv7Lw210vaupiChqdY+78TXgLoPJ2/l2QPWG/R7Fb4yNZ2rEd6lyt
 KLPxHDcdZetFnyqyaoB2SNtLx9hNUE5G3udU6DkNhDfQlDhqEG4f7GAInOu/cMWE
 2uiIUEjcGSLM+XrrTFRc1tdXy6hnu+sw5ckvhwJ+kjah/pVGz21/y5a0p42AUznI
 iN7HBV8YaSkeJLvBPnfakUAat1R98e0l72DucHe8RF44NmZCywpaUBsTpNy+bO2f
 atqp4/ZEGJJlJ38rLv9bAuwr6d8x6T+m0oHknqtJHcWfO0kr4l3Lxsd8mRpGgmBe
 zOjqjrat4vSc04Rqic4UV2IEoWCiSS/TSiBx8JAB6Ck0+YR9dUgXVQsFFg==
 -----END CERTIFICATE-----
@@ -0,0 +1,31 @@
 <?php
 declare(strict_types=1);
 namespace DoctrineMigrations;
 use Doctrine\DBAL\Schema\Schema;
 use Doctrine\Migrations\AbstractMigration;
 /**
 * Adds a soft-delete flag on user. Deleting a user now archives it instead of
 * removing the row, preserving referential integrity (tasks, time entries,
 * notifications…). Existing users are kept active (archived = false).
 */
 final class Version20260626153721 extends AbstractMigration
 {
    public function getDescription(): string
    {
        return 'Add archived flag on user (soft delete)';
    }
    public function up(Schema $schema): void
    {
        $this->addSql('ALTER TABLE "user" ADD archived BOOLEAN DEFAULT false NOT NULL');
    }
    public function down(Schema $schema): void
    {
        $this->addSql('ALTER TABLE "user" DROP archived');
    }
 }
@@ -13,6 +13,10 @@
    <php>
        <ini name="display_errors" value="1" />
        <ini name="error_reporting" value="-1" />
        <!-- API Platform's serializer/metadata boot is memory-hungry on the first
             call in a process (cold phpdoc + serializer metadata). 128M is too
             tight for non-paginated collections such as GET /api/users. -->
        <ini name="memory_limit" value="512M" />
        <server name="APP_ENV" value="test" force="true" />
        <server name="SHELL_VERBOSITY" value="-1" />
        <server name="KERNEL_CLASS" value="App\Kernel" />
@@ -0,0 +1,139 @@
 <?php
 declare(strict_types=1);
 namespace App\Command;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\DBAL\Connection;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use function sprintf;
 /**
 * Recreates user rows that are still referenced by other tables but no longer
 * exist (legacy hard-deletes performed before the foreign keys enforced
 * ON DELETE SET NULL / CASCADE). Recreated accounts are archived: their data
 * (tasks, time entries, notifications…) is preserved and references become
 * valid again, fixing the serialization crash (EntityNotFoundException), but
 * the accounts cannot log in and are hidden from selectable user lists.
 *
 * Idempotent and non-destructive — nothing is deleted.
 */
 #[AsCommand(
    name: 'app:restore-missing-users',
    description: 'Recreate (as archived) users that are still referenced but were hard-deleted, to restore referential integrity',
 )]
 final class RestoreMissingUsersCommand extends Command
 {
    public function __construct(
        private readonly Connection $connection,
        private readonly UserPasswordHasherInterface $passwordHasher,
    ) {
        parent::__construct();
    }
    protected function configure(): void
    {
        $this->addOption('dry-run', null, InputOption::VALUE_NONE, 'List missing user ids without recreating them');
    }
    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $io     = new SymfonyStyle($input, $output);
        $dryRun = (bool) $input->getOption('dry-run');
        // 1. Discover every (table, column) that references "user" via a foreign key.
        $references = $this->connection->fetchAllAssociative(<<<'SQL'
            SELECT t.relname AS child_table, a.attname AS child_col
            FROM pg_constraint c
            JOIN pg_class t ON t.oid = c.conrelid
            JOIN pg_class rt ON rt.oid = c.confrelid
            JOIN unnest(c.conkey) WITH ORDINALITY AS k(attnum, ord) ON true
            JOIN pg_attribute a ON a.attrelid = c.conrelid AND a.attnum = k.attnum
            WHERE c.contype = 'f' AND rt.relname = 'user'
            ORDER BY t.relname, a.attname
            SQL);
        // 2. Collect distinct orphan ids across all those columns.
        $missingIds = [];
        foreach ($references as $ref) {
            $table = $ref['child_table'];
            $col   = $ref['child_col'];
            $ids = $this->connection->fetchFirstColumn(sprintf(
                'SELECT DISTINCT %1$s FROM %2$s WHERE %1$s IS NOT NULL AND %1$s NOT IN (SELECT id FROM "user")',
                $this->connection->quoteIdentifier($col),
                $this->connection->quoteIdentifier($table),
            ));
            foreach ($ids as $id) {
                $missingIds[(int) $id] = true;
            }
        }
        $missingIds = array_keys($missingIds);
        sort($missingIds);
        $io->section(sprintf('%d foreign-key column(s) scanned', count($references)));
        if ([] === $missingIds) {
            $io->success('No missing users referenced. Nothing to restore.');
            return Command::SUCCESS;
        }
        $io->writeln(sprintf('Missing user id(s): %s', implode(', ', $missingIds)));
        if ($dryRun) {
            $io->note('Dry run — no user recreated.');
            return Command::SUCCESS;
        }
        // 3. Recreate each missing user as an archived placeholder, preserving its id.
        $hash    = $this->passwordHasher->hashPassword(new User(), bin2hex(random_bytes(16)));
        $created = 0;
        foreach ($missingIds as $id) {
            $inserted = $this->connection->executeStatement(
                <<<'SQL'
                    INSERT INTO "user"
                        (id, username, first_name, last_name, roles, password, created_at,
                         is_employee, work_time_ratio, annual_leave_days, reference_period_start,
                         initial_leave_balance, archived)
                    VALUES
                        (:id, :username, :firstName, :lastName, :roles, :password, NOW(),
                         false, 1.0, 25.0, '06-01', 0.0, true)
                    ON CONFLICT (id) DO NOTHING
                    SQL,
                [
                    'id'        => $id,
                    'username'  => sprintf('deleted-user-%d', $id),
                    'firstName' => 'Compte',
                    'lastName'  => sprintf('supprimé #%d', $id),
                    'roles'     => json_encode(['ROLE_USER'], JSON_THROW_ON_ERROR),
                    'password'  => $hash,
                ],
            );
            // ON CONFLICT may have skipped an already-present row — only count real inserts.
            if ($inserted > 0) {
                ++$created;
                $io->writeln(sprintf('  ✓ user #%d recreated (archived)', $id));
            } else {
                $io->writeln(sprintf('  • user #%d already present — skipped', $id));
            }
        }
        $io->success(sprintf('%d user(s) restored as archived. References are valid again — no data lost.', $created));
        return Command::SUCCESS;
    }
 }
@@ -4,6 +4,8 @@ declare(strict_types=1);
 namespace App\Module\Core\Domain\Entity;
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Metadata\ApiFilter;
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -13,6 +15,7 @@ use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Module\Core\Domain\Enum\ContractType;
 use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserArchiveProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
@@ -47,7 +50,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
        ),
        new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
        new Patch(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')", processor: UserArchiveProcessor::class),
        new Get(
            uriTemplate: '/users/{id}/rbac',
            security: "is_granted('core.users.manage')",
@@ -63,6 +66,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
    ],
    denormalizationContext: ['groups' => ['user:write']],
 )]
 // Archived users are hidden from the default /users collection by
 // ExcludeArchivedUserExtension; an admin can still list them with ?archived=true.
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
 #[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
@@ -111,6 +117,16 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
    #[ORM\Column(length: 255, nullable: true)]
    private ?string $avatarFileName = null;
    /**
     * Soft-delete flag. Archived users are kept for referential integrity
     * (tasks, time entries, notifications…) but cannot log in and are hidden
     * from selectable user lists.
     */
    #[ORM\Column(options: ['default' => false])]
    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
    #[Groups(['me:read', 'user:list', 'user:write'])]
    private bool $archived = false;
    // --- HR / absence management fields (readable only by an admin or the user themselves) ---
    /** Whether this user is an employee subject to absence management. */
@@ -228,6 +244,18 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
        return (string) $this->username;
    }
    public function isArchived(): bool
    {
        return $this->archived;
    }
    public function setArchived(bool $archived): static
    {
        $this->archived = $archived;
        return $this;
    }
    /** @return list<string> */
    public function getRoles(): array
    {
@@ -0,0 +1,49 @@
 <?php
 declare(strict_types=1);
 namespace App\Module\Core\Infrastructure\ApiPlatform\Extension;
 use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
 use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
 use ApiPlatform\Metadata\Operation;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\QueryBuilder;
 use Symfony\Bundle\SecurityBundle\Security;
 use function array_key_exists;
 /**
 * Hides archived (soft-deleted) users from the `/users` collection so they are
 * no longer offered as assignees/collaborators, while existing references to
 * them (already stored on tasks, time entries…) keep resolving normally.
 *
 * An admin can opt back in to see archived users — e.g. to restore one — by
 * passing the `archived` query filter explicitly (`?archived=true`), in which
 * case the BooleanFilter declared on User handles the predicate instead.
 */
 final readonly class ExcludeArchivedUserExtension implements QueryCollectionExtensionInterface
 {
    public function __construct(private Security $security) {}
    public function applyToCollection(
        QueryBuilder $queryBuilder,
        QueryNameGeneratorInterface $queryNameGenerator,
        string $resourceClass,
        ?Operation $operation = null,
        array $context = [],
    ): void {
        if (User::class !== $resourceClass) {
            return;
        }
        // Let an admin explicitly query archived users via ?archived=...
        $filters = $context['filters'] ?? [];
        if (array_key_exists('archived', $filters) && $this->security->isGranted('ROLE_ADMIN')) {
            return;
        }
        $alias = $queryBuilder->getRootAliases()[0];
        $queryBuilder->andWhere(sprintf('%s.archived = false', $alias));
    }
 }
@@ -0,0 +1,53 @@
 <?php
 declare(strict_types=1);
 namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use function assert;
 /**
 * Soft-delete processor wired on the User `Delete` operation: instead of
 * removing the row (which would orphan every task / time entry / notification
 * referencing it and break their serialization), the user is archived. The
 * account is kept for referential integrity but can no longer log in
 * (ArchivedUserChecker) and is hidden from selectable user lists
 * (ExcludeArchivedUserExtension).
 *
 * @implements ProcessorInterface<User, null|User>
 */
 final readonly class UserArchiveProcessor implements ProcessorInterface
 {
    public function __construct(
        private EntityManagerInterface $em,
        private Security $security,
    ) {}
    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?User
    {
        assert($data instanceof User);
        // Prevent an admin from archiving (locking out) their own account.
        $current = $this->security->getUser();
        if ($current instanceof User && $current->getId() === $data->getId()) {
            throw new AccessDeniedHttpException('You cannot archive your own account.');
        }
        if ($data->isArchived()) {
            return null;
        }
        $data->setArchived(true);
        $data->setApiToken(null);
        $this->em->flush();
        return null;
    }
 }
@@ -0,0 +1,28 @@
 <?php
 declare(strict_types=1);
 namespace App\Module\Core\Infrastructure\Security;
 use App\Module\Core\Domain\Entity\User;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 /**
 * Rejects authentication for archived (soft-deleted) users, both at password
 * login and on every JWT-authenticated request, so an archived account is
 * effectively locked out while its data is preserved.
 */
 final class ArchivedUserChecker implements UserCheckerInterface
 {
    public function checkPreAuth(UserInterface $user, ?TokenInterface $token = null): void
    {
        if ($user instanceof User && $user->isArchived()) {
            throw new CustomUserMessageAccountStatusException('This account has been archived.');
        }
    }
    public function checkPostAuth(UserInterface $user, ?TokenInterface $token = null): void {}
 }
@@ -92,10 +92,11 @@ class Project implements ProjectInterface, TimestampableInterface, BlamableInter
    #[Groups(['project:read', 'project:write'])]
    private ?ClientInterface $client = null;
    // workflow_id reste NOT NULL en base ; quand l'appelant n'en fournit pas,
    // ProjectDefaultWorkflowListener assigne le workflow par défaut au prePersist.
    #[ORM\ManyToOne(targetEntity: Workflow::class)]
    #[ORM\JoinColumn(nullable: false, onDelete: 'RESTRICT')]
    #[Groups(['project:read', 'project:write', 'task:read'])]
    #[Assert\NotNull(message: 'Un projet doit avoir un workflow.')]
    private ?Workflow $workflow = null;
    #[ORM\Column(length: 255, nullable: true)]
@@ -0,0 +1,36 @@
 <?php
 declare(strict_types=1);
 namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\ORM\Event\PrePersistEventArgs;
 use RuntimeException;
 /**
 * Assigns the default workflow to a project when none was provided.
 * Guarantees the NOT NULL workflow_id constraint across every persistence
 * path (API Platform, raw API, MCP) without forcing the caller to supply one.
 */
 final readonly class ProjectDefaultWorkflowListener
 {
    public function __construct(private WorkflowRepositoryInterface $workflowRepository) {}
    public function prePersist(Project $project, PrePersistEventArgs $args): void
    {
        if (null !== $project->getWorkflow()) {
            return;
        }
        $default = $this->workflowRepository->findDefault()
            ?? ($this->workflowRepository->findBy([], ['position' => 'ASC'], 1)[0] ?? null);
        if (null === $default) {
            throw new RuntimeException('Cannot create a project: no workflow exists. Seed at least one workflow first.');
        }
        $project->setWorkflow($default);
    }
 }
@@ -6,6 +6,7 @@ namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -15,12 +16,13 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use function sprintf;
-#[McpTool(name: 'create-project', description: 'Create a new project. Code must be 2-10 uppercase letters.')]
+#[McpTool(name: 'create-project', description: 'Create a new project. Code must be 2-10 uppercase letters. Optional workflowId selects the kanban workflow; the default workflow is used when omitted.')]
 class CreateProjectTool
 {
    public function __construct(
        private readonly EntityManagerInterface $entityManager,
        private readonly ClientRepositoryInterface $clientRepository,
        private readonly WorkflowRepositoryInterface $workflowRepository,
        private readonly Security $security,
    ) {}
@@ -30,6 +32,7 @@ class CreateProjectTool
        ?string $description = null,
        ?string $color = null,
        ?int $clientId = null,
        ?int $workflowId = null,
    ): string {
        if (!$this->security->isGranted('ROLE_USER')) {
            throw new AccessDeniedException('Access denied: ROLE_USER required.');
@@ -52,6 +55,14 @@ class CreateProjectTool
            }
            $project->setClient($client);
        }
        if (null !== $workflowId) {
            $workflow = $this->workflowRepository->findById($workflowId);
            if (null === $workflow) {
                throw new InvalidArgumentException(sprintf('Workflow with ID %d not found.', $workflowId));
            }
            $project->setWorkflow($workflow);
        }
        // When no workflow is supplied, ProjectDefaultWorkflowListener assigns the default at prePersist.
        $this->entityManager->persist($project);
        $this->entityManager->flush();
@@ -23,11 +23,13 @@ use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
 use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
 use App\Module\ProjectManagement\Domain\Entity\TaskTag;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\TaskTagInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\EntityNotFoundException;
 /**
 * Shared serialization helpers for MCP tools.
@@ -59,11 +61,8 @@ final class Serializer
            'name'        => $project->getName(),
            'description' => $project->getDescription(),
            'color'       => $project->getColor(),
-            'client'      => $project->getClient() ? [
+            'client'      => self::clientRef($project->getClient()),
-                'id'   => $project->getClient()->getId(),
+            'archived'    => $project->isArchived(),
                'name' => $project->getClient()->getName(),
            ] : null,
            'archived' => $project->isArchived(),
        ];
    }
@@ -516,4 +515,31 @@ final class Serializer
            'initialLeaveBalance'  => $u->getInitialLeaveBalance(),
        ];
    }
    /**
     * Safely serialize a project's client reference.
     *
     * The client association uses ON DELETE SET NULL, but a stale row may leave
     * a dangling foreign key (e.g. data imported with the constraint disabled).
     * In that case Doctrine returns an uninitialized proxy whose hydration
     * throws EntityNotFoundException; we treat such a reference as absent rather
     * than letting it crash the whole tool.
     *
     * @return null|array{id: ?int, name: ?string}
     */
    private static function clientRef(?ClientInterface $client): ?array
    {
        if (null === $client) {
            return null;
        }
        try {
            return [
                'id'   => $client->getId(),
                'name' => $client->getName(),
            ];
        } catch (EntityNotFoundException) {
            return null;
        }
    }
 }
@@ -124,6 +124,15 @@
            "bin/phpunit"
        ]
    },
    "sentry/sentry-symfony": {
        "version": "5.10",
        "recipe": {
            "repo": "github.com/symfony/recipes-contrib",
            "branch": "main",
            "version": "5.0",
            "ref": "aac2bc5220e9ab5b9e3838a7a4da90e7f74e6148"
        }
    },
    "symfony/console": {
        "version": "8.0",
        "recipe": {
@@ -0,0 +1,145 @@
 <?php
 declare(strict_types=1);
 namespace App\Tests\Functional\Module\Core;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 /**
 * Covers the soft-delete behaviour: deleting a user archives it (the row is
 * kept so referencing tasks/time entries still serialize), archived users are
 * hidden from the default collection but an admin can list and restore them.
 *
 * @internal
 */
 final class UserArchiveApiTest extends WebTestCase
 {
    public function testDeleteArchivesUserInsteadOfRemovingIt(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $target = $this->createUser($em, 'archive-target-'.uniqid());
        $em->flush();
        $targetId = $target->getId();
        $this->loginAdmin($client);
        $client->request('DELETE', '/api/users/'.$targetId);
        self::assertResponseStatusCodeSame(204);
        $em->clear();
        $reloaded = $em->getRepository(User::class)->find($targetId);
        self::assertInstanceOf(User::class, $reloaded, 'Row must still exist (soft delete)');
        self::assertTrue($reloaded->isArchived(), 'User must be flagged archived');
        self::assertNull($reloaded->getApiToken(), 'API token must be cleared on archive');
    }
    public function testAdminCannotArchiveOwnAccount(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $this->loginAdmin($client);
        $adminId = $this->userId('admin');
        $client->request('DELETE', '/api/users/'.$adminId);
        self::assertResponseStatusCodeSame(403);
        $em->clear();
        $admin = $em->getRepository(User::class)->find($adminId);
        self::assertFalse($admin->isArchived(), 'Admin must not have archived itself');
    }
    public function testArchivedUserIsHiddenFromDefaultCollection(): void
    {
        $client   = self::createClient();
        $username = $this->createArchivedUser();
        $this->loginAdmin($client);
        $client->request('GET', '/api/users', server: ['HTTP_ACCEPT' => 'application/json']);
        self::assertResponseIsSuccessful();
        $usernames = array_column(json_decode($client->getResponse()->getContent(), true), 'username');
        self::assertNotContains($username, $usernames, 'Archived user must not appear in the default list');
    }
    public function testAdminCanListArchivedUsersViaFilter(): void
    {
        $client   = self::createClient();
        $username = $this->createArchivedUser();
        $this->loginAdmin($client);
        $client->request('GET', '/api/users?archived=true', server: ['HTTP_ACCEPT' => 'application/json']);
        self::assertResponseIsSuccessful();
        $usernames = array_column(json_decode($client->getResponse()->getContent(), true), 'username');
        self::assertContains($username, $usernames, 'Admin must be able to list archived users via ?archived=true');
    }
    public function testAdminCanRestoreUserViaPatch(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $user = $this->createUser($em, 'restore-target-'.uniqid());
        $user->setArchived(true);
        $em->flush();
        $userId = $user->getId();
        $em->clear();
        $this->loginAdmin($client);
        $client->request('PATCH', '/api/users/'.$userId, server: [
            'CONTENT_TYPE' => 'application/merge-patch+json',
        ], content: json_encode(['archived' => false]));
        self::assertResponseIsSuccessful();
        $em->clear();
        $reloaded = $em->getRepository(User::class)->find($userId);
        self::assertFalse($reloaded->isArchived(), 'Admin PATCH must be able to un-archive a user');
    }
    private function createArchivedUser(): string
    {
        $em       = self::getContainer()->get(EntityManagerInterface::class);
        $username = 'archived-'.uniqid();
        $user     = $this->createUser($em, $username);
        $user->setArchived(true);
        $em->flush();
        $em->clear();
        return $username;
    }
    private function createUser(EntityManagerInterface $em, string $username): User
    {
        $user = new User();
        $user->setUsername($username);
        $user->setPassword('x');
        $user->setRoles(['ROLE_USER']);
        $em->persist($user);
        return $user;
    }
    private function loginAdmin(KernelBrowser $client): void
    {
        $em   = self::getContainer()->get(EntityManagerInterface::class);
        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
        self::assertInstanceOf(User::class, $user);
        $client->loginUser($user);
    }
    private function userId(string $username): int
    {
        $em   = self::getContainer()->get(EntityManagerInterface::class);
        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
        self::assertInstanceOf(User::class, $user);
        return $user->getId();
    }
 }
@@ -0,0 +1,92 @@
 <?php
 declare(strict_types=1);
 namespace App\Tests\Functional\Module\ProjectManagement;
 use App\Module\Core\Domain\Entity\Permission;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Workflow;
 use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 /**
 * Vérifie que la création d'un projet fonctionne avec ou sans workflow fourni :
 * - sans workflow → le workflow par défaut est assigné par le listener prePersist
 * - avec workflow → le workflow choisi est conservé.
 *
 * @internal
 */
 final class ProjectCreationWorkflowTest extends WebTestCase
 {
    public function testCreateProjectWithoutWorkflowAssignsDefault(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $client->loginUser($this->createManager($em));
        $client->request('POST', '/api/projects', server: [
            'CONTENT_TYPE' => 'application/ld+json',
        ], content: json_encode([
            'code' => $this->randomCode(),
            'name' => 'Projet sans workflow',
        ]));
        self::assertResponseStatusCodeSame(201);
        $data = json_decode($client->getResponse()->getContent(), true);
        self::assertArrayHasKey('workflow', $data);
        self::assertNotNull($data['workflow'], 'Un workflow par défaut doit avoir été assigné.');
    }
    public function testCreateProjectWithExplicitWorkflow(): void
    {
        $client = self::createClient();
        $em     = self::getContainer()->get(EntityManagerInterface::class);
        $workflow = self::getContainer()->get(WorkflowRepositoryInterface::class)->findDefault()
            ?? $em->getRepository(Workflow::class)->findOneBy([]);
        self::assertInstanceOf(Workflow::class, $workflow, 'Les fixtures doivent fournir au moins un workflow.');
        $client->loginUser($this->createManager($em));
        $client->request('POST', '/api/projects', server: [
            'CONTENT_TYPE' => 'application/ld+json',
        ], content: json_encode([
            'code'     => $this->randomCode(),
            'name'     => 'Projet avec workflow',
            'workflow' => '/api/workflows/'.$workflow->getId(),
        ]));
        self::assertResponseStatusCodeSame(201);
        $data = json_decode($client->getResponse()->getContent(), true);
        self::assertSame($workflow->getId(), $data['workflow']['id'] ?? null);
    }
    private function createManager(EntityManagerInterface $em): User
    {
        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'project-management.projects.manage']);
        self::assertInstanceOf(Permission::class, $permission, 'Lancer app:sync-permissions pour project-management.projects.manage.');
        $user = new User();
        $user->setUsername('proj-create-'.uniqid());
        $user->setPassword('x');
        $user->setRoles(['ROLE_USER']);
        $user->addDirectPermission($permission);
        $em->persist($user);
        $em->flush();
        return $user;
    }
    private function randomCode(): string
    {
        $letters = '';
        for ($i = 0; $i < 6; ++$i) {
            $letters .= chr(random_int(65, 90));
        }
        return $letters;
    }
 }
@@ -0,0 +1,43 @@
 <?php
 declare(strict_types=1);
 namespace App\Tests\Unit\Module\Core\Infrastructure\Security;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Core\Infrastructure\Security\ArchivedUserChecker;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 /**
 * @internal
 */
 final class ArchivedUserCheckerTest extends TestCase
 {
    public function testArchivedUserIsRejectedPreAuth(): void
    {
        $user = new User()->setArchived(true);
        $this->expectException(CustomUserMessageAccountStatusException::class);
        new ArchivedUserChecker()->checkPreAuth($user);
    }
    public function testActiveUserPassesPreAuth(): void
    {
        $user = new User()->setArchived(false);
        new ArchivedUserChecker()->checkPreAuth($user);
        $this->addToAssertionCount(1);
    }
    public function testNonAppUserIsIgnored(): void
    {
        // A user that is not our entity must not be rejected by this checker.
        new ArchivedUserChecker()->checkPreAuth(new InMemoryUser('someone', null));
        $this->addToAssertionCount(1);
    }
 }
Author	SHA1	Message	Date
gitea-actions	3a2b268337	chore: bump version to v0.4.46 Auto Tag Develop / tag (push) Successful in 7s Details Build & Push Docker Image / build (push) Successful in 44s Details	2026-06-26 14:52:54 +00:00
matthieu	f676b217bc	Merge pull request 'fix(project) : sélection du workflow à la création + filet par défaut' (#29 ) from fix/project-creation-workflow into develop Auto Tag Develop / tag (push) Successful in 9s Details Reviewed-on: #29	2026-06-26 14:52:44 +00:00
matthieu	8bebfe1595	Merge branch 'develop' into fix/project-creation-workflow Pull Request — Quality gate / Frontend (build) (pull_request) Successful in 1m28s Details Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m40s Details	2026-06-26 14:50:08 +00:00
Matthieu	49267ad2fb	fix(project) : erreur explicite si aucun workflow à la création au lieu d'une violation NOT NULL Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Has been cancelled Details Pull Request — Quality gate / Frontend (build) (pull_request) Has been cancelled Details	2026-06-26 16:49:33 +02:00
Matthieu	d3abb584a9	fix(project) : permet de choisir un workflow à la création + filet par défaut Pull Request — Quality gate / Frontend (build) (pull_request) Successful in 38s Details Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m39s Details La création de projet échouait : `Project.workflow` est obligatoire mais n'était jamais fourni (formulaire frontend, MCP create-project), tout POST /api/projects partait en erreur de validation/contrainte NOT NULL. - ProjectDefaultWorkflowListener (prePersist) : assigne le workflow par défaut quand aucun n'est fourni, couvrant API Platform, API brute et MCP. - retrait de l'Assert\NotNull sur Project::workflow (la validation tournait avant le flush et empêchait le filet) ; la contrainte DB reste le garde-fou. - CreateProjectTool (MCP) : paramètre optionnel workflowId. - ProjectDrawer : sélecteur Workflow en création, pré-rempli sur le défaut, IRI envoyée dans le payload. - tests fonctionnels : création avec et sans workflow.	2026-06-26 16:42:02 +02:00
gitea-actions	98e3990fa5	chore: bump version to v0.4.45 Auto Tag Develop / tag (push) Successful in 8s Details Build & Push Docker Image / build (push) Successful in 3m27s Details	2026-06-26 14:21:43 +00:00
matthieu	172f79d348	Merge pull request 'fix(user) : archivage au lieu de suppression + réparation des références orphelines' (#28 ) from fix/user-soft-delete-orphan-references into develop Auto Tag Develop / tag (push) Successful in 11s Details Reviewed-on: #28	2026-06-26 14:21:30 +00:00
matthieu	f221976573	Merge branch 'develop' into fix/user-soft-delete-orphan-references Pull Request — Quality gate / Frontend (build) (pull_request) Successful in 41s Details Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m0s Details	2026-06-26 14:17:09 +00:00
Matthieu	133f205393	test(user) : couvre le soft-delete + désarchivage admin et corrige les retours de review Pull Request — Quality gate / Frontend (build) (pull_request) Successful in 39s Details Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m39s Details - ajoute des tests fonctionnels (archive au DELETE, exclusion de la collection, listing/désarchivage admin, anti-auto-archivage) et un test unitaire du ArchivedUserChecker - expose un filtre BooleanFilter `archived` + bypass admin dans ExcludeArchivedUserExtension pour lister les archivés (?archived=true) - rend `archived` modifiable par un admin (groupe user:write + ApiProperty ROLE_ADMIN) → désarchivage possible via PATCH /api/users/{id} - RestoreMissingUsersCommand : ne compte que les insertions réelles (ON CONFLICT DO NOTHING n'est plus comptabilisé à tort) - relève memory_limit des tests à 512M (boot sérialiseur API Platform)	2026-06-26 16:14:11 +02:00
Matthieu	d8d755d4c5	fix(user) : archivage au lieu de suppression + réparation des références orphelines Pull Request — Quality gate / Frontend (build) (pull_request) Successful in 39s Details Pull Request — Quality gate / Backend (PHP CS + PHPUnit) (pull_request) Successful in 1m1s Details Un user supprimé physiquement laissait des références orphelines (task.assignee, time entries, notifications) car les FK vers "user" ont été créées NOT VALID lors du refactor modular-monolith : elles n'ont jamais nettoyé les orphelins legacy. La sérialisation API Platform d'une tâche embarquant un assignee inexistant levait une EntityNotFoundException non rattrapable (HTTP 500 sur tout PATCH/GET de ces tickets). - User::$archived (bool) + migration (soft delete) - Delete de User -> UserArchiveProcessor : archive (archived=true, apiToken vidé) au lieu de supprimer, préservant l'intégrité référentielle - ArchivedUserChecker : login bloqué pour un user archivé (firewalls login + api) - ExcludeArchivedUserExtension : archivés exclus de GET /api/users (assignation), les références existantes restent sérialisées normalement - Commande app:restore-missing-users : recrée (en archivés) les users encore référencés mais supprimés, restaurant l'intégrité sans perte de données. Idempotente, option --dry-run. À lancer une fois en prod après déploiement.	2026-06-26 15:51:27 +02:00
gitea-actions	3ea1a31784	chore: bump version to v0.4.44 Auto Tag Develop / tag (push) Successful in 9s Details Build & Push Docker Image / build (push) Successful in 1m42s Details	2026-06-25 20:53:41 +00:00
matthieu	a2dcab6ec1	docs : config MCP HTTP par poste (token local, Fedora/Windows) + rotation token Auto Tag Develop / tag (push) Successful in 8s Details Le serveur MCP HTTP (token Bearer) se configure dans la config Claude Code locale (jamais dans le .mcp.json versionné). Ajout de la méthode cross-OS (claude mcp add), des emplacements de fichier par OS (Fedora/Linux, Windows, macOS) et de la procédure de régénération du token (invalidé au reseed BDD). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 22:53:31 +02:00
gitea-actions	d55a088e41	chore: bump version to v0.4.43 Auto Tag Develop / tag (push) Successful in 10s Details Build & Push Docker Image / build (push) Successful in 23s Details	2026-06-25 20:22:20 +00:00
matthieu	95b192858b	docs : recap HTTPS/CA interne pour l'error tracking GlitchTip (INFRA #153 ) Auto Tag Develop / tag (push) Successful in 11s Details Sous-section "Certificat HTTPS interne (CA auto-signée)" : contexte (CA interne, domaine non public, Let's Encrypt impossible), fix backend (CA bakée dans l'image), fix postes via GPO (+ caveat Firefox), procédure de renouvellement. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 22:05:03 +02:00
matthieu	6fc6eee5b9	chore : bump version to v0.4.42 Auto Tag Develop / tag (push) Successful in 8s Details Build & Push Docker Image / build (push) Successful in 2m30s Details Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:42:23 +02:00
matthieu	7fe427d676	fix(observability) : trust la CA interne MALIO pour l'ingest GlitchTip (TLS) logs.malio-dev.fr utilise un certificat signé par la CA auto-signée "MALIO-DEV Local Root CA", inconnue du container -> le SDK Sentry échouait en TLS ("Message not sent"). On installe la CA racine (publique) dans le trust store de l'image (ca-certificates + update-ca-certificates), ce qui débloque aussi tout futur appel HTTPS interne. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:42:02 +02:00
matthieu	617d70a754	chore : normalise config/reference.php (auto-généré, php-cs-fixer) Auto Tag Develop / tag (push) Successful in 8s Details Build & Push Docker Image / build (push) Successful in 1m39s Details Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:16:02 +02:00
matthieu	a7bf3101c5	chore : bump version to v0.4.41 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:15:08 +02:00
matthieu	d68e3d42f3	chore(mcp) : retire le token MCP du .mcp.json versionné Le serveur MCP HTTP lesstime (token Bearer) passe en config locale (~/.claude.json, hors git). Le repo ne garde que lesstime-local (STDIO docker, sans secret). Évite de committer un token d'API en clair. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:15:03 +02:00
matthieu	1dd7053ebd	feat(observability) : error tracking GlitchTip back + front (INFRA #146 ) Backend : sentry/sentry-symfony branché en prod uniquement (bundle prod-only, exceptions seules, 4xx ignorés, release = app.version), DSN via SENTRY_DSN (runtime, infra/prod/.env). Frontend : @sentry/nuxt chargé seulement si NUXT_PUBLIC_SENTRY_DSN présent (donc au build prod), upload des source maps gated sur les secrets. DSN front et secrets passés en build-args (Dockerfile) depuis les secrets Gitea (CI). Doc README (section Error tracking) + .env.example. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:14:53 +02:00
matthieu	e59c5c510a	fix(mcp) : list-projects crash sur client orphelin (FK danglante) Serializer::project() forçait l'hydratation d'un proxy Doctrine Client via getId()/getName() même quand la FK pointait vers un Client supprimé, ce qui levait EntityNotFoundException et faisait planter tout l'outil (-32603). Extraction d'un helper clientRef() qui catch EntityNotFoundException et renvoie null (sémantique ON DELETE SET NULL). Robustifie aussi get-project, create-project, update-project qui réutilisent ce serializer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-25 21:14:44 +02:00
`@@ -1,2 +1,2 @@`
	`parameters:`	`parameters:`
	`app.version: '0.4.40'`	`app.version: '0.4.46'`