fix(share) : durcissement download (allowlist inline anti-XSS + nosniff) et masquage des erreurs SMB

- Ajout vue-pdf-embed@2.1.4
- DTO share.ts (FileEntry, Breadcrumb, ShareBrowseResult, ShareStatus, ShareSettings, ShareSettingsWrite, ShareTestResult)
- Service share.ts (browse, getStatus, getDownloadUrl)
- Service share-settings.ts (getSettings, saveSettings, testConnection)

CLAUDE.md

@@ -109,7 +109,7 @@ La librairie `@malio/layer-ui` fournit les composants de formulaire et d'action.
 
 ### MCP Server
 
-- 25 tools MCP exposant projets, tâches, métadonnées, time tracking, et récurrences
+- 60 tools MCP exposant projets, tâches, métadonnées, time tracking, récurrences, documents et absences
 - Transport STDIO (local) : `docker exec -i php-lesstime-fpm php bin/console mcp:server`
 - Transport HTTP (réseau) : `POST /_mcp` avec header `Authorization: Bearer <token>`
 - Auth HTTP : `ApiTokenAuthenticator` vérifie le champ `apiToken` de l'entité `User`

composer.json

@@ -12,6 +12,7 @@
         "doctrine/doctrine-bundle": "^3.2",
         "doctrine/doctrine-migrations-bundle": "^4.0",
         "doctrine/orm": "^3.6",
+        "icewind/smb": "^3.8",
         "lexik/jwt-authentication-bundle": "^3.2",
         "nelmio/cors-bundle": "^2.6",
         "nyholm/psr7": "^1.8",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "dc72ee68996f3f738763eafd350bc0e0",
+    "content-hash": "eee87b9c0011fb88523cb5aea0de29ba",
     "packages": [
         {
             "name": "api-platform/doctrine-common",
@@ -2508,6 +2508,78 @@
             },
             "time": "2026-02-08T16:21:46+00:00"
         },
+        {
+            "name": "icewind/smb",
+            "version": "3.8.1",
+            "source": {
+                "type": "git",
+                "url": "https://codeberg.org/icewind/SMB",
+                "reference": "97063a63b44edc6554966f6121679506b8d85103"
+            },
+            "require": {
+                "icewind/streams": ">=0.7.3",
+                "php": ">=8.2"
+            },
+            "require-dev": {
+                "friendsofphp/php-cs-fixer": "v3.89.0",
+                "phpstan/phpstan": "^0.12.57",
+                "phpunit/phpunit": "10.5.58",
+                "psalm/phar": "6.*"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Icewind\\SMB\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Robin Appelman",
+                    "email": "robin@icewind.nl"
+                }
+            ],
+            "description": "php wrapper for smbclient and libsmbclient-php",
+            "time": "2025-11-13T16:17:19+00:00"
+        },
+        {
+            "name": "icewind/streams",
+            "version": "v0.7.8",
+            "source": {
+                "type": "git",
+                "url": "https://codeberg.org/icewind/streams",
+                "reference": "cb2bd3ed41b516efb97e06e8da35a12ef58ba48b"
+            },
+            "require": {
+                "php": ">=7.1"
+            },
+            "require-dev": {
+                "friendsofphp/php-cs-fixer": "^2",
+                "phpstan/phpstan": "^0.12",
+                "phpunit/phpunit": "^9"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Icewind\\Streams\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Robin Appelman",
+                    "email": "icewind@owncloud.com"
+                }
+            ],
+            "description": "A set of generic stream wrappers",
+            "time": "2024-12-05T14:36:22+00:00"
+        },
         {
             "name": "illuminate/collections",
             "version": "v13.8.0",

config/services.yaml

@@ -45,6 +45,14 @@ services:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
+    App\Mcp\Tool\Task\AddTaskDocumentTool:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Mcp\Tool\Task\UpdateTaskDocumentTool:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
     App\Controller\UserAvatarController:
         arguments:
             $avatarUploadDir: '%avatar_upload_dir%'
@@ -56,3 +64,5 @@ services:
     App\Controller\Absence\AbsenceJustificationDownloadController:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
+
+    App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'

config/version.yaml

@@ -1,2 +1,2 @@
 parameters:
-    app.version: '0.4.8'
+    app.version: '0.4.23'

docs/superpowers/specs/2026-06-03-explorateur-partage-windows-design.md

@@ -0,0 +1,186 @@
+# Explorateur de partage réseau Windows + viewer — Design
+
+Date : 2026-06-03
+Statut : design validé (brainstorming), à transformer en plan d'implémentation.
+
+## 1. Objectif
+
+Donner accès, **depuis Lesstime**, à un partage de fichiers Windows (SMB), avec :
+
+- un **explorateur de fichiers façon Google Drive / SharePoint** qui parcourt le partage **en direct** (live, pas d'index) ;
+- un **viewer propre** pour ouvrir les documents (image, PDF, texte) sans quitter l'app ;
+- une **configuration en admin** (serveur, partage, identifiants) avec un **bouton « Tester la connexion »** et un **interrupteur d'activation**, sur le même modèle que les intégrations existantes (Zimbra, Gitea, BookStack) ;
+- une **visibilité conditionnelle** : si l'option SMB est **désactivée** dans l'admin, l'entrée « Documents » et la page **n'apparaissent pas** pour les utilisateurs.
+
+### Hors périmètre (POC)
+
+- Pas d'index en base, pas de recherche plein texte, pas d'extraction de contenu (pas de Tika).
+- Pas d'OCR.
+- Pas d'écriture sur le partage (lecture seule).
+- Pas de cron / synchronisation. Tout est lu **à la volée** à chaque navigation.
+
+## 2. Décisions d'architecture
+
+| Sujet | Décision |
+|-------|----------|
+| Accès au partage | **`icewind/smb`** (protocole SMB en PHP), **pas de montage CIFS**. La connexion est configurée dans l'app. |
+| Configuration | Entité `ShareConfiguration` (1 ligne) saisie en admin, mot de passe chiffré au repos — calquée sur `ZimbraConfiguration`. |
+| Abstraction | Interface `FileSource` (lister / lire), implémentation `SmbFileSource`. Permet de remplacer la source plus tard sans toucher au front ni aux endpoints. |
+| API navigation | 2 endpoints live : `browse` (lister un dossier) et `download` (streamer un fichier). |
+| Front | Explorateur **maison léger** (fil d'Ariane + tableau), cohérent avec `@malio/layer-ui`. Aucune lib de file-manager externe (elFinder/vue-finder écartés : vieux ou hors design system). |
+| Rendu PDF | **PDF.js via `vue-pdf-embed`** dans le viewer (meilleur rendu qu'un `<iframe>`). Images et texte : rendu natif. |
+| Sécurité chemin | Validation stricte anti path-traversal : tout chemin demandé doit rester sous la racine configurée. |
+
+### Schéma
+
+```
+//WIN-SRV/Partage
+      │  SMB (icewind/smb, identifiants chiffrés en base)
+      ▼
+Lesstime (Symfony)  ──FileSource → SmbFileSource──┐
+      │                                           │
+      ├─ GET /api/share/browse?path=/Compta/2024  → listing live (dossiers + fichiers)
+      ├─ GET /api/share/download?path=…/x.pdf      → stream du fichier (viewer / download)
+      ├─ GET/PUT /api/settings/share               → lire / enregistrer la config (admin)
+      └─ POST   /api/settings/share/test           → tester la connexion (admin)
+```
+
+## 3. Backend (Symfony)
+
+### 3.1 Entité `ShareConfiguration`
+
+Une seule ligne de config (singleton, comme `ZimbraConfiguration`). Champs :
+
+- `id`
+- `host` (string, ex. `WIN-SRV` ou IP)
+- `shareName` (string, nom du partage SMB, ex. `Documents`)
+- `basePath` (string nullable, sous-dossier racine optionnel, ex. `/Projets`) — la navigation est confinée à cette racine
+- `domain` (string nullable, workgroup/domaine, défaut `WORKGROUP`)
+- `username` (string nullable)
+- `encryptedPassword` (text nullable) — chiffré, réutilise le mécanisme de chiffrement déjà employé par Zimbra
+- `enabled` (bool, défaut `false`)
+- `hasPassword()` helper
+
+Migration Doctrine dédiée. Repository singleton (`findConfiguration()` renvoie la ligne unique ou en crée une vide), calqué sur `ZimbraConfigurationRepository`.
+
+### 3.2 Ressources API de configuration (admin)
+
+Calquées **à l'identique** sur Zimbra :
+
+- `ShareSettings` (ApiResource) — `Get` + `Put` sur `/api/settings/share`, `security: ROLE_ADMIN`.
+  - Champs lus/écrits : `host`, `shareName`, `basePath`, `domain`, `username`, `enabled`.
+  - `password` : **write-only** (groupe write uniquement).
+  - `hasPassword` : **read-only** (indique si un mot de passe est déjà enregistré).
+  - Provider `ShareSettingsProvider` (lit l'entité → DTO), Processor `ShareSettingsProcessor` (DTO → entité, chiffre le mot de passe si fourni, ne l'écrase pas s'il est vide).
+- `ShareTestConnection` (ApiResource) — `Post` sur `/api/settings/share/test`, `input: false`, `security: ROLE_ADMIN`.
+  - Renvoie `{ success: bool, message: string|null }`.
+  - Provider `ShareTestConnectionProvider` : tente une connexion SMB + un `dir()` sur la racine ; `success=false` + message d'erreur lisible en cas d'échec.
+
+### 3.3 Source de fichiers
+
+```
+interface FileSource {
+    list(string $relativeDir): FileEntry[]   // dossiers d'abord, puis fichiers
+    read(string $relativePath): resource      // flux binaire du fichier
+    test(): TestResult                         // connexion + accès racine
+}
+```
+
+`FileEntry` = `{ name, path, isDir, size, modifiedAt, mimeType }`.
+
+`SmbFileSource` :
+
+- construit la connexion à partir de `ShareConfiguration` (déchiffre le mot de passe) via `icewind/smb` ;
+- préfixe tous les chemins par `basePath` ;
+- **valide chaque chemin** (`normalize` + rejet de tout chemin qui s'échappe de la racine : pas de `..`, pas de chemin absolu hors racine) → `InvalidPathException` sinon ;
+- déduit le `mimeType` à partir de l'extension (suffisant pour piloter le viewer ; pas de lecture du contenu pour le listing).
+
+> **Dépendance infra** : `icewind/smb` requiert le binaire `smbclient` (ou l'extension `libsmbclient`) dans le conteneur PHP. Les deux images sont Debian (`apt-get`), donc une seule ligne suffit, **à appliquer dans les deux Dockerfiles** :
+> - `infra/dev/Dockerfile` — ajouter `smbclient` à la liste `apt-get install` existante (~ligne 9).
+> - `infra/prod/Dockerfile` — ajouter `smbclient` à l'`apt-get install` du **stage `production`** (le runtime FPM, ~ligne 41), **pas** au stage de build.
+>
+> Conséquence déploiement : l'image prod (`lesstime-app`) doit être **rebuildée et redéployée** pour embarquer `smbclient` ; sans ça, la fonctionnalité marcherait en dev et échouerait en prod. À inscrire comme étape du plan (avec la migration Doctrine de `ShareConfiguration`).
+
+### 3.4 Endpoints de navigation
+
+Controllers custom sous `/api/` (pas d'entité Doctrine derrière → controllers, avec `priority: 1` sur la route pour éviter le conflit avec API Platform `{id}`), `security: IS_AUTHENTICATED_FULLY` :
+
+- `GET /api/share/browse?path=<rel>` → `ShareBrowseController`
+  - renvoie `{ path, breadcrumb[], entries: FileEntry[] }` ;
+  - si config désactivée/incomplète → `409` avec message clair ;
+  - chemin invalide → `400`.
+- `GET /api/share/download?path=<rel>&disposition=inline|attachment` → `ShareDownloadController`
+  - streame le fichier (`StreamedResponse`) avec le bon `Content-Type` ;
+  - `inline` par défaut (pour le viewer), `attachment` pour le téléchargement ;
+  - fichier absent → `404`.
+- `GET /api/share/status` → `ShareStatusController`, `security: IS_AUTHENTICATED_FULLY`
+  - renvoie `{ enabled: bool }` — **uniquement le booléen**, aucune donnée de connexion ;
+  - utilisé par le front pour afficher/masquer l'entrée « Documents » et garder la page.
+
+## 4. Frontend (Nuxt)
+
+### 4.1 Explorateur — `pages/documents.vue`
+
+- **Fil d'Ariane** du chemin courant (cliquable pour remonter).
+- **Tableau** des entrées : dossiers d'abord, puis fichiers ; colonnes nom (icône par type), taille, date de modification.
+  - clic dossier → on descend (met à jour `path`, recharge `browse`) ;
+  - clic fichier → ouvre le viewer.
+- **Filtre par nom** du dossier courant, **côté client** (live, non-indexé) — filtre simplement la liste déjà chargée.
+- États : chargement, dossier vide, erreur (config désactivée / connexion KO) avec message.
+
+### 4.2 Viewer — `components/share/SharedFilePreview.vue`
+
+Adapté de `TaskDocumentPreview.vue` existant :
+
+- **Image** : `<img>` sur l'URL `download?disposition=inline`.
+- **PDF** : **`vue-pdf-embed`** (PDF.js) — rendu, pagination, zoom.
+- **Texte/markdown/csv/json** : chargement du contenu + `<pre>` (comme l'existant).
+- **Autre** : carte « fichier » + bouton de téléchargement (`attachment`).
+- Navigation précédent/suivant dans la liste du dossier courant, fermeture clavier — repris de l'existant.
+
+### 4.3 Service & config admin
+
+- `services/share.ts` : `browse(path)`, `getDownloadUrl(path, disposition)` + DTO `FileEntry`.
+- `services/share-settings.ts` (+ DTO) : `get()`, `update(payload)`, `test()` — calqué sur `services/zimbra.ts`.
+- `components/admin/AdminShareTab.vue` : calqué sur `Admin ZimbraTab.vue` — champs host / shareName / basePath / domain / username / password + toggle `enabled`, bouton **« Tester la connexion »** (toast succès/échec) et **« Enregistrer »**. Onglet ajouté à la page admin.
+- **i18n** : nouvelles clés (`sharedFiles.*`, `adminShare.*`) dans `frontend/i18n/locales/`.
+- **Navigation conditionnelle** : le lien « Documents » du layout n'est affiché **que si** `GET /api/share/status` renvoie `enabled=true` (récupéré via un composable, ex. `useShareStatus`, mis en cache). Le middleware/garde de `pages/documents.vue` redirige vers l'accueil si la fonctionnalité est désactivée (défense en profondeur, en plus du `409` backend).
+
+### 4.4 Dépendance frontend
+
+`vue-pdf-embed` (+ `pdfjs-dist`) ajouté au `package.json` du frontend.
+
+## 5. Flux
+
+- **Configuration** (admin) : saisie host/partage/identifiants → « Tester » (`POST /settings/share/test`) → « Enregistrer » (`PUT /settings/share`).
+- **Navigation** (utilisateur) : ouverture `/documents` → `GET /share/browse?path=/` → tableau ; clic dossier → re-`browse` ; clic fichier → viewer → `GET /share/download?...inline`.
+- **Téléchargement** : bouton → `GET /share/download?...attachment`.
+
+## 6. Gestion des erreurs
+
+- **SMB injoignable / identifiants faux** → `browse`/`download` renvoient une erreur ; l'UI affiche un message clair. Le test de connexion renvoie `success=false` + message.
+- **Config désactivée ou incomplète** → `browse` `409`, UI invite à configurer (admin).
+- **Path-traversal** (`..`, chemin hors racine) → `400`, jamais d'accès hors `basePath`.
+- **Fichier supprimé/déplacé entre listing et ouverture** → `download` `404`, message dans le viewer.
+
+## 7. Sécurité
+
+- **Lecture seule** : aucune écriture sur le partage.
+- **Rôles** : navigation/lecture = utilisateur authentifié (`IS_AUTHENTICATED_FULLY`) ; configuration = `ROLE_ADMIN`.
+- **Mot de passe chiffré au repos** (réutilise le mécanisme Zimbra), jamais renvoyé au front (`hasPassword` seulement).
+- **Confinement** strict à `basePath` (anti path-traversal).
+
+## 8. Tests
+
+- **Unitaire**
+  - `SmbFileSource` : validation/normalisation de chemin, rejet `..` et chemins hors racine (connexion SMB mockée).
+  - Déduction du `mimeType` par extension.
+- **Fonctionnel**
+  - `GET/PUT /api/settings/share` et `POST /api/settings/share/test` exigent `ROLE_ADMIN` ; le mot de passe n'est jamais exposé en lecture.
+  - `GET /api/share/browse` et `/download` exigent l'authentification ; un chemin `..` est rejeté (`400`).
+
+## 9. Notes & suites possibles
+
+- Perf : chaque `browse` = un aller-retour SMB live ; acceptable pour un POC. Gros dossiers = listing potentiellement lent (pas de pagination au POC).
+- Évolutions naturelles (non incluses) : index + recherche plein texte (Tika), miniatures, multi-partages, restriction par dossier/rôle, mise en cache des listings.
+```

frontend/assets/css/app.css

@@ -0,0 +1,21 @@
+/*
+ * App-level layout fixes (not theme-related).
+ */
+
+/*
+ * MalioDrawer : donne au corps scrollable un peu d'espace vertical.
+ *
+ * Le body du drawer est `overflow-y-auto` sans padding vertical. Or le label
+ * flottant d'un champ Malio remonte (-1.25rem) au focus/remplissage : pour le
+ * PREMIER champ, collé en haut du body, ce label dépasse le bord supérieur et
+ * se fait rogner (il « grossit et passe sous l'entête »). Le dernier champ
+ * (popover de date, hint) souffre du même rognage en bas.
+ *
+ * On ajoute donc un padding vertical au body de TOUS les drawers via l'API de
+ * test stable de la lib (@malio/layer-ui), sans la modifier ni toucher chaque
+ * drawer un par un. Le sélecteur reste limité au panneau du drawer.
+ */
+[data-test="panel"] > [data-test="body"] {
+    padding-top: 1rem;
+    padding-bottom: 1rem;
+}

frontend/components/absence/AbsenceBalanceCards.vue

@@ -102,7 +102,8 @@ const others = computed<AbsenceBalance[]>(() =>
 )
 
 function formatNumber(n: number): string {
-    return (Math.round(n * 2) / 2).toString()
+    // Valeur réelle avec décimales (ex. 8,75) : pas d'arrondi qui gonflerait le solde.
+    return new Intl.NumberFormat('fr-FR', { maximumFractionDigits: 2 }).format(n)
 }
 
 // Total entitlement = acquired (N-1) + in-progress (N); falls back to the

frontend/components/absence/EmployeeDrawer.vue

@@ -7,16 +7,22 @@
             </div>
         </template>
         <form v-if="user" class="grid grid-cols-1 gap-4 sm:grid-cols-2" @submit.prevent="save">
-            <MalioDate
-                v-model="form.hireDate"
-                :label="$t('absences.admin.employees.fields.hireDate')"
-                group-class="w-full"
-            />
-            <MalioDate
-                v-model="form.endDate"
-                :label="$t('absences.admin.employees.fields.endDate')"
-                group-class="w-full"
-            />
+            <!-- Dates en pleine largeur (1 par ligne) : le popover du calendrier
+                 a besoin de toute la largeur pour s'afficher correctement. -->
+            <div class="sm:col-span-2">
+                <MalioDate
+                    v-model="form.hireDate"
+                    :label="$t('absences.admin.employees.fields.hireDate')"
+                    group-class="w-full"
+                />
+            </div>
+            <div class="sm:col-span-2">
+                <MalioDate
+                    v-model="form.endDate"
+                    :label="$t('absences.admin.employees.fields.endDate')"
+                    group-class="w-full"
+                />
+            </div>
             <MalioSelect
                 v-model="form.contractType"
                 :label="$t('absences.admin.employees.fields.contractType')"

frontend/components/admin/AdminShareTab.vue

@@ -0,0 +1,144 @@
+<template>
+    <div>
+        <h2 class="text-lg font-bold text-neutral-900">{{ $t('adminShare.title') }}</h2>
+
+        <form class="mt-6 max-w-lg space-y-4" @submit.prevent="handleSave">
+            <MalioInputText
+                v-model="form.host"
+                :label="$t('adminShare.host')"
+                :placeholder="$t('adminShare.hostPlaceholder')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.shareName"
+                :label="$t('adminShare.shareName')"
+                :placeholder="$t('adminShare.shareNamePlaceholder')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.basePath"
+                :label="$t('adminShare.basePath')"
+                :placeholder="$t('adminShare.basePathPlaceholder')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.domain"
+                :label="$t('adminShare.domain')"
+                :placeholder="$t('adminShare.domainPlaceholder')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.username"
+                :label="$t('adminShare.username')"
+                :placeholder="$t('adminShare.usernamePlaceholder')"
+                input-class="w-full"
+            />
+            <div>
+                <MalioInputPassword
+                    v-model="form.password"
+                    :label="$t('adminShare.password')"
+                    input-class="w-full"
+                />
+                <p v-if="hasPassword && !form.password" class="mt-1 text-xs text-green-600">
+                    {{ $t('adminShare.passwordConfigured') }}
+                </p>
+            </div>
+            <label class="flex cursor-pointer items-center gap-2">
+                <input v-model="form.enabled" type="checkbox" class="rounded border-neutral-300" />
+                <span class="text-sm">{{ $t('adminShare.enabled') }}</span>
+            </label>
+            <div class="flex gap-3">
+                <MalioButton
+                    :label="$t('adminShare.save')"
+                    button-class="w-auto px-4"
+                    :disabled="isSaving"
+                    @click="handleSave"
+                />
+                <MalioButton
+                    variant="tertiary"
+                    :label="$t('adminShare.testConnection')"
+                    button-class="w-auto px-4"
+                    :disabled="isTesting"
+                    @click="handleTest"
+                />
+            </div>
+            <p v-if="testResult !== null" class="text-sm font-medium" :class="testResult ? 'text-green-600' : 'text-red-600'">
+                {{ testResult ? $t('adminShare.testSuccess') : (testMessage ?? $t('adminShare.testFailed')) }}
+            </p>
+        </form>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useShareSettingsService } from '~/services/share-settings'
+
+const { getSettings, saveSettings, testConnection } = useShareSettingsService()
+
+const form = reactive({
+    host: '',
+    shareName: '',
+    basePath: '',
+    domain: '',
+    username: '',
+    password: '',
+    enabled: false,
+})
+
+const hasPassword = ref(false)
+const isSaving = ref(false)
+const isTesting = ref(false)
+const testResult = ref<boolean | null>(null)
+const testMessage = ref<string | null>(null)
+
+async function loadSettings() {
+    const settings = await getSettings()
+    form.host = settings.host ?? ''
+    form.shareName = settings.shareName ?? ''
+    form.basePath = settings.basePath ?? ''
+    form.domain = settings.domain ?? ''
+    form.username = settings.username ?? ''
+    form.enabled = settings.enabled
+    hasPassword.value = settings.hasPassword
+}
+
+async function handleSave() {
+    isSaving.value = true
+    try {
+        const result = await saveSettings({
+            host: form.host.trim() || null,
+            shareName: form.shareName.trim() || null,
+            basePath: form.basePath.trim() || null,
+            domain: form.domain.trim() || null,
+            username: form.username.trim() || null,
+            password: form.password || null,
+            enabled: form.enabled,
+        })
+        hasPassword.value = result.hasPassword
+        form.password = ''
+        testResult.value = null
+        testMessage.value = null
+    } finally {
+        isSaving.value = false
+    }
+}
+
+async function handleTest() {
+    isTesting.value = true
+    testResult.value = null
+    testMessage.value = null
+    try {
+        const result = await testConnection()
+        testResult.value = result.success
+        testMessage.value = result.message
+    } catch {
+        testResult.value = false
+        testMessage.value = null
+    } finally {
+        isTesting.value = false
+    }
+}
+
+onMounted(() => {
+    loadSettings()
+})
+</script>

frontend/components/share/SharedFilePreview.vue

@@ -0,0 +1,173 @@
+<template>
+    <Teleport to="body">
+        <Transition name="fade" appear>
+            <div
+                v-if="entry"
+                class="fixed inset-0 z-[60] flex items-center justify-center bg-black/80"
+                @click.self="$emit('close')"
+                @keydown.escape="$emit('close')"
+                @keydown.left="$emit('prev')"
+                @keydown.right="$emit('next')"
+                tabindex="0"
+                ref="overlayRef"
+            >
+                <!-- Close button -->
+                <MalioButtonIcon
+                    icon="heroicons:x-mark"
+                    aria-label="Fermer"
+                    variant="ghost"
+                    icon-size="24"
+                    button-class="absolute right-4 top-4 rounded-full bg-black/50 text-white hover:bg-black/70"
+                    @click="$emit('close')"
+                />
+
+                <!-- Navigation arrows -->
+                <MalioButtonIcon
+                    v-if="hasPrev"
+                    icon="heroicons:chevron-left"
+                    aria-label="Précédent"
+                    variant="ghost"
+                    icon-size="24"
+                    button-class="absolute left-4 top-1/2 -translate-y-1/2 rounded-full bg-black/50 text-white hover:bg-black/70"
+                    @click="$emit('prev')"
+                />
+                <MalioButtonIcon
+                    v-if="hasNext"
+                    icon="heroicons:chevron-right"
+                    aria-label="Suivant"
+                    variant="ghost"
+                    icon-size="24"
+                    button-class="absolute right-4 top-1/2 -translate-y-1/2 rounded-full bg-black/50 text-white hover:bg-black/70"
+                    @click="$emit('next')"
+                />
+
+                <!-- Content -->
+                <div class="flex max-h-[90vh] max-w-[90vw] flex-col items-center">
+                    <!-- Image preview -->
+                    <img
+                        v-if="isImage"
+                        :src="inlineUrl"
+                        :alt="entry.name"
+                        class="max-h-[85vh] max-w-[90vw] object-contain"
+                    />
+
+                    <!-- PDF preview — iframe pattern, même approche que TaskDocumentPreview -->
+                    <iframe
+                        v-else-if="isPdf"
+                        :src="inlineUrl"
+                        class="h-[85vh] w-[80vw] rounded-lg bg-white"
+                    />
+
+                    <!-- Text / Markdown / JSON / XML / CSV / Log preview -->
+                    <div
+                        v-else-if="isText"
+                        class="flex max-h-[85vh] w-[85vw] max-w-3xl flex-col overflow-hidden rounded-xl bg-white"
+                    >
+                        <div class="flex items-center justify-between gap-2 border-b border-neutral-200 px-4 py-3">
+                            <p class="truncate text-sm font-medium text-neutral-700">{{ entry.name }}</p>
+                            <a
+                                :href="downloadUrl"
+                                class="inline-flex items-center gap-1.5 rounded-lg bg-blue-600 px-3 py-1.5 text-sm font-semibold text-white transition-colors hover:bg-blue-700"
+                            >
+                                {{ $t('sharedFiles.download') }}
+                            </a>
+                        </div>
+                        <div class="overflow-auto p-4">
+                            <div v-if="loadingText" class="flex justify-center py-10">
+                                <Icon name="heroicons:arrow-path" class="h-6 w-6 animate-spin text-neutral-400" />
+                            </div>
+                            <pre
+                                v-else
+                                class="whitespace-pre-wrap break-words font-mono text-xs leading-relaxed text-neutral-800"
+                            >{{ textContent }}</pre>
+                        </div>
+                    </div>
+
+                    <!-- Generic file — download fallback -->
+                    <div v-else class="flex flex-col items-center gap-4 rounded-xl bg-white p-10">
+                        <Icon name="heroicons:document" class="h-16 w-16 text-neutral-400" />
+                        <p class="max-w-xs truncate text-lg font-medium text-neutral-700">{{ entry.name }}</p>
+                        <p class="text-sm text-neutral-400">{{ formatFileSize(entry.size) }}</p>
+                        <a
+                            :href="downloadUrl"
+                            class="mt-2 rounded-lg bg-blue-600 px-6 py-2 text-sm font-semibold text-white transition-colors hover:bg-blue-700"
+                        >
+                            {{ $t('sharedFiles.download') }}
+                        </a>
+                    </div>
+
+                    <!-- File name footer (hors bloc texte car il a déjà le nom dans l'en-tête) -->
+                    <p v-if="!isText" class="mt-3 text-sm text-white/70">{{ entry.name }}</p>
+                </div>
+            </div>
+        </Transition>
+    </Teleport>
+</template>
+
+<script setup lang="ts">
+import type { FileEntry } from '~/services/dto/share'
+import { useShareService } from '~/services/share'
+import { formatFileSize } from '~/utils/format'
+
+const props = defineProps<{
+    entry: FileEntry | null
+    hasPrev: boolean
+    hasNext: boolean
+}>()
+
+defineEmits<{
+    close: []
+    prev: []
+    next: []
+}>()
+
+const overlayRef = ref<HTMLElement | null>(null)
+const textContent = ref('')
+const loadingText = ref(false)
+
+const { getDownloadUrl } = useShareService()
+
+const TEXT_RE = /\.(md|markdown|txt|csv|json|xml|log)$/i
+
+const inlineUrl = computed(() => props.entry ? getDownloadUrl(props.entry.path, 'inline') : '')
+const downloadUrl = computed(() => props.entry ? getDownloadUrl(props.entry.path, 'attachment') : '')
+const isImage = computed(() => props.entry?.mimeType.startsWith('image/') ?? false)
+const isPdf = computed(() => props.entry?.mimeType === 'application/pdf')
+const isText = computed(() =>
+    props.entry
+        ? (props.entry.mimeType.startsWith('text/') || TEXT_RE.test(props.entry.name))
+        : false
+)
+
+watch(() => props.entry, async (entry) => {
+    textContent.value = ''
+    if (!entry) return
+
+    nextTick(() => overlayRef.value?.focus())
+
+    if (isText.value) {
+        loadingText.value = true
+        try {
+            textContent.value = await $fetch<string>(inlineUrl.value, {
+                credentials: 'include',
+                responseType: 'text' as never,
+            })
+        } catch {
+            textContent.value = ''
+        } finally {
+            loadingText.value = false
+        }
+    }
+}, { immediate: true })
+</script>
+
+<style scoped>
+.fade-enter-active,
+.fade-leave-active {
+    transition: opacity 0.2s ease;
+}
+.fade-enter-from,
+.fade-leave-to {
+    opacity: 0;
+}
+</style>

frontend/components/task/TaskBulkActions.vue

@@ -79,6 +79,17 @@
                 @update:model-value="(v: number | null) => v && emit('bulk-update', 'group', v)"
             />
 
+            <!-- Archive (only when current filter targets a final status) -->
+            <MalioButtonIcon
+                v-if="canArchive"
+                icon="mdi:archive-outline"
+                aria-label="Archiver"
+                variant="ghost"
+                icon-size="22"
+                button-class="self-end text-neutral-500 hover:bg-primary-50 hover:text-primary-500"
+                @click="emit('bulk-archive')"
+            />
+
             <!-- Delete -->
             <MalioButtonIcon
                 icon="mdi:delete-outline"
@@ -113,9 +124,11 @@ const props = withDefaults(defineProps<{
     groups: TaskGroup[]
     selectedTasks?: Task[]
     projects?: Project[]
+    canArchive?: boolean
 }>(), {
     selectedTasks: () => [],
     projects: () => [],
+    canArchive: false,
 })
 
 const emit = defineEmits<{

frontend/components/task/TaskDocumentList.vue

@@ -68,6 +68,7 @@ function isImage(mimeType: string): boolean {
 }
 
 function getIconForMime(mimeType: string): string {
+    if (mimeType === 'text/markdown') return 'mdi:language-markdown'
     if (mimeType === 'application/pdf') return 'heroicons:document-text'
     if (mimeType.includes('spreadsheet') || mimeType.includes('excel')) return 'heroicons:table-cells'
     if (mimeType.includes('word') || mimeType.includes('document')) return 'heroicons:document'

frontend/components/task/TaskDocumentPreview.vue

@@ -58,6 +58,46 @@
                         class="h-[85vh] w-[80vw] rounded-lg bg-white"
                     />
 
+                    <!-- Text / Markdown preview -->
+                    <div
+                        v-else-if="isText"
+                        class="flex max-h-[85vh] w-[85vw] max-w-3xl flex-col overflow-hidden rounded-xl bg-white"
+                    >
+                        <div class="flex items-center justify-between gap-2 border-b border-neutral-200 px-4 py-3">
+                            <p class="truncate text-sm font-medium text-neutral-700">{{ document.originalName }}</p>
+                            <div class="flex shrink-0 items-center gap-2">
+                                <button
+                                    type="button"
+                                    class="inline-flex items-center gap-1.5 rounded-lg bg-neutral-100 px-3 py-1.5 text-sm font-medium text-neutral-700 transition-colors hover:bg-neutral-200"
+                                    @click="copyContent"
+                                >
+                                    <Icon
+                                        :name="copied ? 'heroicons:check' : 'mdi:content-copy'"
+                                        class="h-4 w-4"
+                                        :class="copied ? 'text-green-600' : ''"
+                                    />
+                                    {{ copied ? $t('taskDocuments.copied') : $t('taskDocuments.copy') }}
+                                </button>
+                                <a
+                                    :href="downloadUrl"
+                                    download
+                                    class="inline-flex items-center gap-1.5 rounded-lg bg-blue-600 px-3 py-1.5 text-sm font-semibold text-white transition-colors hover:bg-blue-700"
+                                >
+                                    {{ $t('taskDocuments.download') }}
+                                </a>
+                            </div>
+                        </div>
+                        <div class="overflow-auto p-4">
+                            <div v-if="loadingText" class="flex justify-center py-10">
+                                <Icon name="heroicons:arrow-path" class="h-6 w-6 animate-spin text-neutral-400" />
+                            </div>
+                            <pre
+                                v-else
+                                class="whitespace-pre-wrap break-words font-mono text-xs leading-relaxed text-neutral-800"
+                            >{{ textContent }}</pre>
+                        </div>
+                    </div>
+
                     <!-- Generic file -->
                     <div v-else class="flex flex-col items-center gap-4 rounded-xl bg-white p-10">
                         <Icon name="heroicons:document" class="h-16 w-16 text-neutral-400" />
@@ -73,7 +113,7 @@
                     </div>
 
                     <!-- File name footer -->
-                    <p class="mt-3 text-sm text-white/70">{{ document.originalName }}</p>
+                    <p v-if="!isText" class="mt-3 text-sm text-white/70">{{ document.originalName }}</p>
                 </div>
             </div>
         </Transition>
@@ -84,6 +124,7 @@
 import type { TaskDocument } from '~/services/dto/task-document'
 import { useTaskDocumentService } from '~/services/task-documents'
 import { formatFileSize } from '~/utils/format'
+import { copyToClipboard } from '~/utils/clipboard'
 
 const props = defineProps<{
     document: TaskDocument | null
@@ -98,19 +139,53 @@ defineEmits<{
 }>()
 
 const overlayRef = ref<HTMLElement | null>(null)
+const textContent = ref('')
+const loadingText = ref(false)
+const copied = ref(false)
 
-const { getDownloadUrl } = useTaskDocumentService()
+const { getDownloadUrl, getContent } = useTaskDocumentService()
+const { t } = useI18n()
+
+const TEXT_MIME_TYPES = ['text/markdown', 'text/plain', 'text/csv', 'application/json', 'application/xml', 'text/xml']
+
+function isTextDocument(doc: TaskDocument | null): boolean {
+    if (!doc) return false
+    if (TEXT_MIME_TYPES.includes(doc.mimeType)) return true
+    return /\.(md|markdown|txt|csv|json|xml)$/i.test(doc.originalName)
+}
 
 const downloadUrl = computed(() => props.document ? getDownloadUrl(props.document.id) : '')
 const isImage = computed(() => props.document?.mimeType.startsWith('image/') ?? false)
 const isPdf = computed(() => props.document?.mimeType === 'application/pdf')
+const isText = computed(() => isTextDocument(props.document))
 
-// Focus overlay for keyboard events
-watch(() => props.document, (doc) => {
-    if (doc) {
-        nextTick(() => overlayRef.value?.focus())
+async function copyContent() {
+    if (await copyToClipboard(textContent.value)) {
+        copied.value = true
+        useToast().success(t('taskDocuments.copied'))
+        setTimeout(() => { copied.value = false }, 2000)
     }
-})
+}
+
+// Focus overlay for keyboard events, and load text content for text/markdown documents
+watch(() => props.document, async (doc) => {
+    textContent.value = ''
+    copied.value = false
+    if (!doc) return
+
+    nextTick(() => overlayRef.value?.focus())
+
+    if (isTextDocument(doc)) {
+        loadingText.value = true
+        try {
+            textContent.value = await getContent(doc.id)
+        } catch {
+            textContent.value = ''
+        } finally {
+            loadingText.value = false
+        }
+    }
+}, { immediate: true })
 </script>
 
 <style scoped>

frontend/components/task/TaskGitSection.vue

@@ -229,6 +229,7 @@
 import type { Task } from '~/services/dto/task'
 import type { GiteaBranch, GiteaPullRequest } from '~/services/dto/gitea'
 import { useGiteaService } from '~/services/gitea'
+import { copyToClipboard } from '~/utils/clipboard'
 
 const { t } = useI18n()
 const props = defineProps<{
@@ -374,7 +375,7 @@ async function handleCreate() {
 async function handleCopy() {
     try {
         const result = await getBranchName(props.task.id, branchForm.type)
-        await navigator.clipboard.writeText(result.name)
+        await copyToClipboard(result.name)
         const { success } = useToast()
         success(t('gitea.branch.copied'))
     } catch {

frontend/components/user/UserDrawer.vue

@@ -11,6 +11,16 @@
                 :error="touched.username && !form.username.trim() ? 'Le nom est requis' : ''"
                 @blur="touched.username = true"
             />
+            <MalioInputText
+                v-model="form.firstName"
+                label="Prénom"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.lastName"
+                label="Nom"
+                input-class="w-full"
+            />
             <MalioInputPassword
                 v-model="form.password"
                 label="Mot de passe"
@@ -84,6 +94,8 @@ const isSubmitting = ref(false)
 
 const form = reactive({
     username: '',
+    firstName: '',
+    lastName: '',
     password: '',
     roles: [] as string[],
     isEmployee: false,
@@ -98,11 +110,15 @@ watch(() => props.modelValue, (open) => {
     if (open) {
         if (props.item) {
             form.username = props.item.username ?? ''
+            form.firstName = props.item.firstName ?? ''
+            form.lastName = props.item.lastName ?? ''
             form.password = ''
             form.roles = [...props.item.roles]
             form.isEmployee = props.item.isEmployee ?? false
         } else {
             form.username = ''
+            form.firstName = ''
+            form.lastName = ''
             form.password = ''
             form.roles = ['ROLE_USER']
             form.isEmployee = false
@@ -124,6 +140,8 @@ async function handleSubmit() {
     try {
         const payload: UserWrite = {
             username: form.username.trim(),
+            firstName: form.firstName.trim() || null,
+            lastName: form.lastName.trim() || null,
             roles: form.roles,
             isEmployee: form.isEmployee,
         }

frontend/composables/useAbsenceHelpers.ts

@@ -75,9 +75,11 @@ export function useAbsenceHelpers() {
     }
 
     function formatDays(days: number): string {
-        const rounded = Math.round(days * 2) / 2
-        const unit = rounded > 1 ? t('absences.daysPlural') : t('absences.daySingular')
-        return `${rounded} ${unit}`
+        // Affiche la valeur réelle avec décimales (ex. 8,75) : un solde de CP se
+        // gère en demi/quart de journée, arrondir masquerait des droits réels.
+        const value = new Intl.NumberFormat('fr-FR', { maximumFractionDigits: 2 }).format(days)
+        const unit = days >= 2 ? t('absences.daysPlural') : t('absences.daySingular')
+        return `${value} ${unit}`
     }
 
     return {

frontend/composables/useShareStatus.ts

@@ -0,0 +1,23 @@
+import { useShareService } from '~/services/share'
+
+export function useShareStatus() {
+    const enabled = useState<boolean | null>('share-enabled', () => null)
+    const { getStatus } = useShareService()
+
+    async function refresh() {
+        try {
+            const status = await getStatus()
+            enabled.value = status.enabled
+        } catch {
+            enabled.value = false
+        }
+    }
+
+    async function ensureLoaded() {
+        if (enabled.value === null) {
+            await refresh()
+        }
+    }
+
+    return { enabled, refresh, ensureLoaded }
+}

frontend/i18n/locales/fr.json

@@ -126,6 +126,8 @@
         "confirmDeleteTitle": "Supprimer le document",
         "confirmDeleteMessage": "Êtes-vous sûr de vouloir supprimer ce document ?",
         "download": "Télécharger",
+        "copy": "Copier",
+        "copied": "Contenu copié !",
         "maxSizeError": "Le fichier dépasse la taille maximale de 50 Mo."
     },
     "tasks": {
@@ -426,6 +428,40 @@
             "testFailed": "Connexion échouée"
         }
     },
+    "sharedFiles": {
+        "title": "Documents",
+        "root": "Racine",
+        "empty": "Ce dossier est vide.",
+        "filterPlaceholder": "Filtrer ce dossier…",
+        "download": "Télécharger",
+        "colName": "Nom",
+        "colSize": "Taille",
+        "colModified": "Modifié le",
+        "sidebar": {
+            "title": "Documents"
+        }
+    },
+    "adminShare": {
+        "title": "Partage réseau (SMB)",
+        "host": "Serveur",
+        "hostPlaceholder": "ex. WIN-SRV ou 192.168.1.10",
+        "shareName": "Nom du partage",
+        "shareNamePlaceholder": "ex. Documents",
+        "basePath": "Sous-dossier racine (optionnel)",
+        "basePathPlaceholder": "ex. /Projets",
+        "domain": "Domaine / groupe de travail",
+        "domainPlaceholder": "WORKGROUP",
+        "username": "Identifiant",
+        "usernamePlaceholder": "ex. lesstime",
+        "password": "Mot de passe",
+        "passwordConfigured": "Un mot de passe est déjà enregistré.",
+        "enabled": "Activer l'accès au partage",
+        "save": "Enregistrer",
+        "saved": "Configuration enregistrée.",
+        "testConnection": "Tester la connexion",
+        "testSuccess": "Connexion réussie.",
+        "testFailed": "Échec de la connexion."
+    },
     "taskRecurrence": {
         "created": "Récurrence créée",
         "updated": "Récurrence mise à jour",

frontend/layouts/default.vue

@@ -100,6 +100,14 @@
                         :collapsed="sidebarIsCollapsed"
                         @click="ui.closeMobileSidebar()"
                     />
+                    <SidebarLink
+                        v-if="isDocumentsVisible"
+                        to="/documents"
+                        icon="mdi:folder-network-outline"
+                        :label="$t('sharedFiles.sidebar.title')"
+                        :collapsed="sidebarIsCollapsed"
+                        @click="ui.closeMobileSidebar()"
+                    />
                     <div v-if="isMailVisible" class="relative">
                         <SidebarLink
                             to="/mail"
@@ -119,11 +127,14 @@
                     </div>
 
                     <!-- Section : Absences -->
-                    <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                        Absences
-                    </p>
-                    <div v-else class="mx-2 my-3 border-t border-secondary-500" />
+                    <template v-if="isAbsenceSectionVisible">
+                        <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
+                            Absences
+                        </p>
+                        <div v-else class="mx-2 my-3 border-t border-secondary-500" />
+                    </template>
                     <SidebarLink
+                        v-if="isEmployee"
                         to="/absences"
                         icon="mdi:umbrella-beach-outline"
                         label="Mes absences"
@@ -211,12 +222,17 @@ const {version} = useAppVersion()
 const route = useRoute()
 
 const isAdmin = computed(() => (auth.user?.roles ?? []).includes('ROLE_ADMIN'))
+const isEmployee = computed(() => Boolean(auth.user?.isEmployee))
+const isAbsenceSectionVisible = computed(() => isEmployee.value || isAdmin.value)
 
 const isMailVisible = computed(() => {
     const roles: string[] = auth.user?.roles ?? []
     return roles.includes('ROLE_USER') || roles.includes('ROLE_ADMIN')
 })
 
+const { enabled: shareEnabled, ensureLoaded: ensureShareStatus } = useShareStatus()
+const isDocumentsVisible = computed(() => shareEnabled.value === true)
+
 // On mobile, sidebar is always expanded (not collapsed icon mode)
 const sidebarIsCollapsed = computed(() => {
     if (ui.sidebarOpen) return false
@@ -262,13 +278,17 @@ onMounted(() => {
     if (isMailVisible.value) {
         mailStore.startPolling()
     }
+    ensureShareStatus()
 })
 
 watch(() => auth.user, (user) => {
     if (!user) {
         mailStore.stopPolling()
-    } else if (isMailVisible.value) {
-        mailStore.startPolling()
+    } else {
+        if (isMailVisible.value) {
+            mailStore.startPolling()
+        }
+        ensureShareStatus()
     }
 })
 

frontend/middleware/employee.ts

@@ -0,0 +1,9 @@
+export default defineNuxtRouteMiddleware(() => {
+    const auth = useAuthStore()
+
+    // "Mes absences" is reserved for users flagged as employees (subject to the
+    // absence management). Non-employees are redirected to the home page.
+    if (!auth.isAuthenticated || !auth.user?.isEmployee) {
+        return navigateTo('/')
+    }
+})

frontend/nuxt.config.ts

@@ -2,7 +2,7 @@ export default defineNuxtConfig({
     compatibilityDate: '2025-07-15',
     devtools: {enabled: false},
     ssr: false,
-    css: ['~/assets/css/dark.css'],
+    css: ['~/assets/css/app.css', '~/assets/css/dark.css'],
     app: {
         baseURL: process.env.NODE_ENV === 'production'
             ? (process.env.NUXT_PUBLIC_APP_BASE || '/')

frontend/pages/absences.vue

@@ -75,6 +75,8 @@ import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
 
 type Row = AbsenceRequest & { typeLabelText: string; periodText: string; daysText: string; createdAtText: string }
 
+definePageMeta({ middleware: ['employee'] })
+
 const { t } = useI18n()
 const service = useAbsenceService()
 const { statusLabel, statusVariant, statusIcon, formatRange, formatDays, formatDate } = useAbsenceHelpers()

frontend/pages/admin.vue

@@ -30,6 +30,7 @@
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
+            <AdminShareTab v-if="activeTab === 'share'" />
             <AdminMailTab v-if="activeTab === 'mail'" />
             <AdminAbsencePolicyTab v-if="activeTab === 'absences'" />
         </div>
@@ -50,6 +51,7 @@ const tabs = [
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },
+    { key: 'share', label: 'Partage' },
     { key: 'mail', label: 'Mail' },
     { key: 'absences', label: 'Absences' },
 ] as const

frontend/pages/documents.vue

@@ -0,0 +1,151 @@
+<template>
+    <div>
+        <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">{{ $t('sharedFiles.title') }}</h1>
+
+        <!-- Fil d'Ariane -->
+        <nav class="mt-4 flex flex-wrap items-center gap-1 text-sm text-neutral-500">
+            <button class="hover:text-primary-500" @click="openPath('')">{{ $t('sharedFiles.root') }}</button>
+            <template v-for="crumb in breadcrumb" :key="crumb.path">
+                <span>/</span>
+                <button class="hover:text-primary-500" @click="openPath(crumb.path)">{{ crumb.name }}</button>
+            </template>
+        </nav>
+
+        <!-- Filtre local -->
+        <div class="mt-4 max-w-sm">
+            <MalioInputText
+                v-model="filter"
+                :placeholder="$t('sharedFiles.filterPlaceholder')"
+                input-class="w-full"
+            />
+        </div>
+
+        <!-- États -->
+        <div v-if="loading" class="mt-10 flex justify-center">
+            <Icon name="heroicons:arrow-path" class="h-6 w-6 animate-spin text-neutral-400" />
+        </div>
+        <p v-else-if="error" class="mt-10 text-sm text-red-600">{{ error }}</p>
+        <p v-else-if="visibleEntries.length === 0" class="mt-10 text-sm text-neutral-400">{{ $t('sharedFiles.empty') }}</p>
+
+        <!-- Tableau -->
+        <table v-else class="mt-6 w-full text-sm">
+            <thead class="border-b border-neutral-200 text-left text-xs uppercase tracking-wider text-neutral-400">
+                <tr>
+                    <th class="py-2">{{ $t('sharedFiles.colName') }}</th>
+                    <th class="py-2">{{ $t('sharedFiles.colSize') }}</th>
+                    <th class="py-2">{{ $t('sharedFiles.colModified') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr
+                    v-for="entry in visibleEntries"
+                    :key="entry.path"
+                    class="cursor-pointer border-b border-neutral-100 hover:bg-neutral-50"
+                    @click="onEntryClick(entry)"
+                >
+                    <td class="flex items-center gap-2 py-2">
+                        <Icon :name="entry.isDir ? 'mdi:folder-outline' : iconForMime(entry.mimeType)" class="h-5 w-5 text-neutral-400" />
+                        <span class="truncate">{{ entry.name }}</span>
+                    </td>
+                    <td class="py-2 text-neutral-500">{{ entry.isDir ? '—' : formatFileSize(entry.size) }}</td>
+                    <td class="py-2 text-neutral-500">{{ formatDate(entry.modifiedAt) }}</td>
+                </tr>
+            </tbody>
+        </table>
+
+        <SharedFilePreview
+            :entry="previewEntry"
+            :has-prev="previewIndex > 0"
+            :has-next="previewIndex >= 0 && previewIndex < fileEntries.length - 1"
+            @close="previewEntry = null"
+            @prev="stepPreview(-1)"
+            @next="stepPreview(1)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Breadcrumb, FileEntry } from '~/services/dto/share'
+import { useShareService } from '~/services/share'
+import { formatFileSize } from '~/utils/format'
+
+useHead({ title: 'Documents' })
+
+const { browse } = useShareService()
+const { enabled, ensureLoaded } = useShareStatus()
+
+const currentPath = ref('')
+const breadcrumb = ref<Breadcrumb[]>([])
+const entries = ref<FileEntry[]>([])
+const filter = ref('')
+const loading = ref(false)
+const error = ref<string | null>(null)
+
+const previewEntry = ref<FileEntry | null>(null)
+
+const visibleEntries = computed(() => {
+    const f = filter.value.trim().toLowerCase()
+    if (!f) return entries.value
+    return entries.value.filter((e) => e.name.toLowerCase().includes(f))
+})
+
+const fileEntries = computed(() => visibleEntries.value.filter((e) => !e.isDir))
+const previewIndex = computed(() => previewEntry.value ? fileEntries.value.findIndex((e) => e.path === previewEntry.value!.path) : -1)
+
+async function load(path: string) {
+    loading.value = true
+    error.value = null
+    try {
+        const result = await browse(path)
+        currentPath.value = result.path
+        breadcrumb.value = result.breadcrumb
+        entries.value = result.entries
+    } catch (e: unknown) {
+        error.value = (e as Error)?.message ?? 'Erreur'
+        entries.value = []
+    } finally {
+        loading.value = false
+    }
+}
+
+function openPath(path: string) {
+    filter.value = ''
+    load(path)
+}
+
+function onEntryClick(entry: FileEntry) {
+    if (entry.isDir) {
+        openPath(entry.path)
+    } else {
+        previewEntry.value = entry
+    }
+}
+
+function stepPreview(delta: number) {
+    const idx = previewIndex.value + delta
+    if (idx >= 0 && idx < fileEntries.value.length) {
+        previewEntry.value = fileEntries.value[idx] ?? null
+    }
+}
+
+function iconForMime(mime: string): string {
+    if (mime.startsWith('image/')) return 'mdi:file-image-outline'
+    if (mime === 'application/pdf') return 'mdi:file-pdf-box'
+    if (mime.startsWith('text/')) return 'mdi:file-document-outline'
+    return 'mdi:file-outline'
+}
+
+function formatDate(ts: number | null): string {
+    if (!ts) return '—'
+    return new Date(ts * 1000).toLocaleString()
+}
+
+onMounted(async () => {
+    await ensureLoaded()
+    if (enabled.value === false) {
+        await navigateTo('/')
+        return
+    }
+    load('')
+})
+</script>

frontend/pages/my-tasks.vue

@@ -439,7 +439,7 @@ onMounted(async () => {
                 <div
                     v-for="cat in CATEGORIES"
                     :key="cat"
-                    class="flex min-w-40 flex-1 flex-col rounded-lg bg-neutral-50 transition"
+                    class="flex w-72 shrink-0 flex-col rounded-lg bg-neutral-50 transition"
                     :class="dragOverCategory === cat ? 'ring-2 ring-primary-400' : ''"
                     @dragover.prevent="dragOverCategory = cat"
                     @dragleave="dragOverCategory = null"

frontend/pages/profile.vue

@@ -129,6 +129,7 @@
 <script setup lang="ts">
 import { useAvatarService } from '~/composables/useAvatarService'
 import { useApiTokenService } from '~/services/api-token'
+import { copyToClipboard } from '~/utils/clipboard'
 
 const auth = useAuthStore()
 const toast = useToast()
@@ -181,10 +182,9 @@ async function onRemove() {
 
 async function onCopy() {
     if (!auth.user?.apiToken) return
-    try {
-        await navigator.clipboard.writeText(auth.user.apiToken)
+    if (await copyToClipboard(auth.user.apiToken)) {
         toast.success({ message: t('profile.apiToken.copied') })
-    } catch {
+    } else {
         toast.error({ message: t('profile.apiToken.copyFailed') })
     }
 }

frontend/pages/projects/[id]/index.vue

@@ -96,7 +96,7 @@
             <div
                 v-for="status in statuses"
                 :key="status.id"
-                class="flex min-w-36 flex-1 flex-col rounded-lg transition-colors"
+                class="flex w-72 shrink-0 flex-col rounded-lg transition-colors"
                 :class="dragOverStatusId === status.id ? 'bg-neutral-200' : 'bg-neutral-50'"
                 @dragover.prevent
                 @dragenter.prevent="onDragEnter(status.id)"
@@ -161,6 +161,7 @@
                 :priorities="priorities"
                 :efforts="efforts"
                 :groups="groups"
+                :can-archive="canArchiveSelection"
                 @toggle-all="toggleSelectAll(filteredTasks)"
                 @bulk-update="onBulkUpdate"
                 @bulk-archive="onBulkArchive"
@@ -297,6 +298,12 @@ const effortFilterOptions = computed(() =>
     efforts.value.map(e => ({ label: e.label, value: e.id }))
 )
 
+const canArchiveSelection = computed(() => {
+    if (selectedStatusId.value === null) return false
+    const status = statuses.value.find(s => s.id === selectedStatusId.value)
+    return status?.isFinal === true
+})
+
 const filteredTasks = computed(() => {
     let result = tasks.value.filter(t => !t.archived)
     if (selectedGroupId.value) {
@@ -323,6 +330,14 @@ const filteredTasks = computed(() => {
     return result
 })
 
+watch(filteredTasks, (list) => {
+    if (selectedTaskIds.size === 0) return
+    const visibleIds = new Set(list.map(t => t.id))
+    for (const id of selectedTaskIds) {
+        if (!visibleIds.has(id)) selectedTaskIds.delete(id)
+    }
+})
+
 function tasksByStatus(statusId: number): Task[] {
     return filteredTasks.value.filter(t => t.status?.id === statusId)
 }

frontend/services/dto/share.ts

@@ -0,0 +1,48 @@
+export type FileEntry = {
+    name: string
+    path: string
+    isDir: boolean
+    size: number
+    modifiedAt: number | null
+    mimeType: string
+}
+
+export type Breadcrumb = {
+    name: string
+    path: string
+}
+
+export type ShareBrowseResult = {
+    path: string
+    breadcrumb: Breadcrumb[]
+    entries: FileEntry[]
+}
+
+export type ShareStatus = {
+    enabled: boolean
+}
+
+export type ShareSettings = {
+    host: string | null
+    shareName: string | null
+    basePath: string | null
+    domain: string | null
+    username: string | null
+    enabled: boolean
+    hasPassword: boolean
+}
+
+export type ShareSettingsWrite = {
+    host: string | null
+    shareName: string | null
+    basePath: string | null
+    domain: string | null
+    username: string | null
+    password?: string | null
+    enabled: boolean
+}
+
+export type ShareTestResult = {
+    success: boolean
+    message: string | null
+}

frontend/services/dto/user-data.ts

@@ -4,6 +4,8 @@ export type UserData = {
     id: number
     '@id'?: string
     username: string
+    firstName?: string | null
+    lastName?: string | null
     roles: string[]
     avatarUrl?: string | null
     apiToken?: string | null
@@ -20,6 +22,8 @@ export type UserData = {
 
 export type UserWrite = {
     username: string
+    firstName?: string | null
+    lastName?: string | null
     plainPassword?: string
     roles: string[]
     // HR / absence management

frontend/services/share-settings.ts

@@ -0,0 +1,21 @@
+import type { ShareSettings, ShareSettingsWrite, ShareTestResult } from './dto/share'
+
+export function useShareSettingsService() {
+    const api = useApi()
+
+    async function getSettings(): Promise<ShareSettings> {
+        return api.get<ShareSettings>('/settings/share')
+    }
+
+    async function saveSettings(payload: ShareSettingsWrite): Promise<ShareSettings> {
+        return api.put<ShareSettings>('/settings/share', payload as Record<string, unknown>, {
+            toastSuccessKey: 'adminShare.saved',
+        })
+    }
+
+    async function testConnection(): Promise<ShareTestResult> {
+        return api.post<ShareTestResult>('/settings/share/test', {})
+    }
+
+    return { getSettings, saveSettings, testConnection }
+}

frontend/services/share.ts

@@ -0,0 +1,22 @@
+import type { ShareBrowseResult, ShareStatus } from './dto/share'
+
+export function useShareService() {
+    const api = useApi()
+    const config = useRuntimeConfig()
+
+    async function browse(path: string): Promise<ShareBrowseResult> {
+        const query = path ? `?path=${encodeURIComponent(path)}` : ''
+        return api.get<ShareBrowseResult>(`/share/browse${query}`)
+    }
+
+    async function getStatus(): Promise<ShareStatus> {
+        return api.get<ShareStatus>('/share/status')
+    }
+
+    function getDownloadUrl(path: string, disposition: 'inline' | 'attachment' = 'inline'): string {
+        const base = config.public.apiBase || '/api'
+        return `${base}/share/download?path=${encodeURIComponent(path)}&disposition=${disposition}`
+    }
+
+    return { browse, getStatus, getDownloadUrl }
+}

frontend/services/task-documents.ts

@@ -41,5 +41,12 @@ export function useTaskDocumentService() {
         return `${baseURL}/task_documents/${id}/download`
     }
 
-    return { getByTask, upload, remove, getDownloadUrl }
+    async function getContent(id: number): Promise<string> {
+        return $fetch<string>(`${baseURL}/task_documents/${id}/download`, {
+            credentials: 'include',
+            responseType: 'text',
+        })
+    }
+
+    return { getByTask, upload, remove, getDownloadUrl, getContent }
 }

frontend/services/time-entries.ts

@@ -25,7 +25,7 @@ export function useTimeEntryService() {
         if (params.tag) {
             query['tags[]'] = `/api/task_tags/${params.tag}`
         }
-        const data = await api.get<HydraCollection<TimeEntry>>('/time_entries', query)
+        const data = await api.get<HydraCollection<TimeEntry>>('/time_entries/range', query)
         return extractHydraMembers(data)
     }
 

frontend/utils/clipboard.ts

@@ -0,0 +1,40 @@
+/**
+ * Copy text to the clipboard with a fallback for non-secure contexts.
+ *
+ * `navigator.clipboard` is only available in secure contexts (HTTPS or
+ * localhost). On a plain HTTP origin (e.g. an internal/prod server without
+ * TLS) the API is missing, so we fall back to the legacy
+ * `document.execCommand('copy')` using a temporary off-screen textarea.
+ *
+ * @returns `true` if the copy succeeded, `false` otherwise.
+ */
+export async function copyToClipboard(text: string): Promise<boolean> {
+    // Preferred path: available in secure contexts (HTTPS / localhost).
+    if (navigator.clipboard && window.isSecureContext) {
+        try {
+            await navigator.clipboard.writeText(text)
+            return true
+        } catch {
+            // Fall through to the legacy fallback below.
+        }
+    }
+
+    // Legacy fallback: works on plain HTTP origins.
+    try {
+        const textarea = document.createElement('textarea')
+        textarea.value = text
+        // Keep it out of view and prevent layout shift / scrolling.
+        textarea.style.position = 'fixed'
+        textarea.style.top = '-9999px'
+        textarea.style.left = '-9999px'
+        textarea.setAttribute('readonly', '')
+        document.body.appendChild(textarea)
+        textarea.select()
+        textarea.setSelectionRange(0, text.length)
+        const ok = document.execCommand('copy')
+        document.body.removeChild(textarea)
+        return ok
+    } catch {
+        return false
+    }
+}

infra/dev/Dockerfile

@@ -33,6 +33,7 @@ RUN apt-get update && apt-get install -y \
         wget \
         git \
         unzip \
+        smbclient \
     && docker-php-ext-install -j$(nproc) \
             intl \
             zip \

infra/prod/Dockerfile

@@ -40,7 +40,7 @@ FROM php:8.4-fpm AS production
 
 RUN apt-get update && apt-get install -y \
         libicu-dev libpq-dev libpng-dev libzip-dev libxml2-dev \
-        nginx supervisor \
+        nginx supervisor smbclient \
     && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
     && rm -rf /var/lib/apt/lists/*
 

migrations/Version20260526100000.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Seed the default absence policies (Syntec / IDCC 1486 legal baseline).
+ *
+ * These rows were previously created only by AppFixtures, so they existed in
+ * dev but never in production: the "Politiques d'absence" admin screen was
+ * empty in prod. This data migration seeds the same 6 policies idempotently
+ * (ON CONFLICT on the unique `type` index), so prod gets populated and dev,
+ * where fixtures already created them, is left untouched.
+ *
+ * Values mirror AppFixtures and the legal compliance design
+ * (docs/superpowers/specs/2026-05-22-absence-legal-compliance-fixes-design.md):
+ *   - CP: 25 jours ouvrés/an, préavis 30 j, pas de justificatif.
+ *   - Mariage/PACS: 4 j/événement ; Naissance: 3 j/événement.
+ *   - Décès / Congé parental / Maladie: pas de forfait codé en dur
+ *     (montant selon lien de parenté ou suspension), justificatif requis.
+ */
+final class Version20260526100000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Seed default absence policies (Syntec IDCC 1486) idempotently for prod';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // [type, days_per_year, days_per_event, justification_required, notice_days, count_working_days_only]
+        $policies = [
+            ['cp', '25', null, 'false', 30, 'true'],
+            ['mariage_pacs', null, '4', 'true', 0, 'true'],
+            ['naissance', null, '3', 'true', 0, 'true'],
+            ['conge_parental', null, null, 'true', 30, 'true'],
+            ['deces', null, null, 'true', 0, 'true'],
+            ['maladie', null, null, 'true', 0, 'true'],
+        ];
+
+        foreach ($policies as [$type, $daysPerYear, $daysPerEvent, $justif, $notice, $workingOnly]) {
+            $daysPerYear  = null === $daysPerYear ? 'NULL' : $daysPerYear;
+            $daysPerEvent = null === $daysPerEvent ? 'NULL' : $daysPerEvent;
+
+            $this->addSql(<<<SQL
+                INSERT INTO absence_policy
+                    (type, days_per_year, days_per_event, justification_required, notice_days, count_working_days_only, active)
+                VALUES
+                    ('{$type}', {$daysPerYear}, {$daysPerEvent}, {$justif}, {$notice}, {$workingOnly}, true)
+                ON CONFLICT (type) DO NOTHING
+                SQL);
+        }
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql("DELETE FROM absence_policy WHERE type IN ('cp', 'mariage_pacs', 'naissance', 'conge_parental', 'deces', 'maladie')");
+    }
+}

migrations/Version20260526120000.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Add optional first name / last name to users.
+ */
+final class Version20260526120000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add user.first_name and user.last_name (nullable)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE "user" ADD first_name VARCHAR(100) DEFAULT NULL');
+        $this->addSql('ALTER TABLE "user" ADD last_name VARCHAR(100) DEFAULT NULL');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE "user" DROP COLUMN IF EXISTS first_name');
+        $this->addSql('ALTER TABLE "user" DROP COLUMN IF EXISTS last_name');
+    }
+}

migrations/Version20260603165850.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Add share_configuration table for SMB/Windows share explorer feature.
+ */
+final class Version20260603165850 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Create share_configuration table (SMB/Windows share explorer)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('CREATE TABLE share_configuration (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, host VARCHAR(255) DEFAULT NULL, share_name VARCHAR(255) DEFAULT NULL, base_path VARCHAR(255) DEFAULT NULL, domain VARCHAR(255) DEFAULT NULL, username VARCHAR(255) DEFAULT NULL, encrypted_password TEXT DEFAULT NULL, enabled BOOLEAN NOT NULL, PRIMARY KEY(id))');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE share_configuration');
+    }
+}

src/ApiResource/ShareSettings.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\ApiResource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\Put;
+use App\State\ShareSettingsProcessor;
+use App\State\ShareSettingsProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/settings/share',
+            normalizationContext: ['groups' => ['share_settings:read']],
+            provider: ShareSettingsProvider::class,
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+        new Put(
+            uriTemplate: '/settings/share',
+            denormalizationContext: ['groups' => ['share_settings:write']],
+            normalizationContext: ['groups' => ['share_settings:read']],
+            provider: ShareSettingsProvider::class,
+            processor: ShareSettingsProcessor::class,
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+)]
+final class ShareSettings
+{
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public ?string $host = null;
+
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public ?string $shareName = null;
+
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public ?string $basePath = null;
+
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public ?string $domain = null;
+
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public ?string $username = null;
+
+    #[Groups(['share_settings:write'])]
+    public ?string $password = null;
+
+    #[Groups(['share_settings:read', 'share_settings:write'])]
+    public bool $enabled = false;
+
+    #[Groups(['share_settings:read'])]
+    public bool $hasPassword = false;
+}

src/ApiResource/ShareTestConnection.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\ApiResource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Post;
+use App\State\ShareTestConnectionProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Post(
+            uriTemplate: '/settings/share/test',
+            input: false,
+            normalizationContext: ['groups' => ['share_test:read']],
+            provider: ShareTestConnectionProvider::class,
+            processor: ShareTestConnectionProvider::class,
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+)]
+final class ShareTestConnection
+{
+    #[Groups(['share_test:read'])]
+    public bool $success = false;
+
+    #[Groups(['share_test:read'])]
+    public ?string $message = null;
+}

src/Controller/Share/ShareBrowseController.php

@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Share;
+
+use App\Service\Share\Exception\InvalidPathException;
+use App\Service\Share\Exception\ShareConnectionException;
+use App\Service\Share\Exception\ShareNotConfiguredException;
+use App\Service\Share\FileEntry;
+use App\Service\Share\FileSource;
+use App\Service\Share\SharePathResolver;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+class ShareBrowseController extends AbstractController
+{
+    public function __construct(
+        private readonly FileSource $fileSource,
+        private readonly SharePathResolver $pathResolver,
+    ) {}
+
+    #[Route('/api/share/browse', name: 'share_browse', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(Request $request): JsonResponse
+    {
+        $rawPath = (string) $request->query->get('path', '');
+
+        try {
+            $path = $this->pathResolver->normalizeRelative($rawPath);
+        } catch (InvalidPathException) {
+            return new JsonResponse(['error' => 'Invalid path.'], 400);
+        }
+
+        try {
+            $entries = $this->fileSource->dir($path);
+        } catch (ShareNotConfiguredException) {
+            return new JsonResponse(['error' => 'Share not configured.'], 409);
+        } catch (ShareConnectionException) {
+            return new JsonResponse(['error' => 'Unable to reach the file share.'], 502);
+        }
+
+        return new JsonResponse([
+            'path'       => $path,
+            'breadcrumb' => $this->breadcrumb($path),
+            'entries'    => array_map(static fn (FileEntry $e): array => [
+                'name'       => $e->name,
+                'path'       => $e->path,
+                'isDir'      => $e->isDir,
+                'size'       => $e->size,
+                'modifiedAt' => $e->modifiedAt,
+                'mimeType'   => $e->mimeType,
+            ], $entries),
+        ]);
+    }
+
+    /**
+     * @return array<int, array{name: string, path: string}>
+     */
+    private function breadcrumb(string $path): array
+    {
+        if ('' === $path) {
+            return [];
+        }
+
+        $crumbs = [];
+        $acc    = '';
+        foreach (explode('/', $path) as $segment) {
+            $acc      = '' === $acc ? $segment : $acc.'/'.$segment;
+            $crumbs[] = ['name' => $segment, 'path' => $acc];
+        }
+
+        return $crumbs;
+    }
+}

src/Controller/Share/ShareDownloadController.php

@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Share;
+
+use App\Service\Share\Exception\InvalidPathException;
+use App\Service\Share\Exception\ShareConnectionException;
+use App\Service\Share\Exception\ShareNotConfiguredException;
+use App\Service\Share\FileSource;
+use App\Service\Share\SharePathResolver;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\HeaderUtils;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\StreamedResponse;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Mime\MimeTypes;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+use function is_resource;
+
+class ShareDownloadController extends AbstractController
+{
+    public function __construct(
+        private readonly FileSource $fileSource,
+        private readonly SharePathResolver $pathResolver,
+    ) {}
+
+    #[Route('/api/share/download', name: 'share_download', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(Request $request): Response
+    {
+        $rawPath = (string) $request->query->get('path', '');
+
+        try {
+            $path = $this->pathResolver->normalizeRelative($rawPath);
+        } catch (InvalidPathException) {
+            return new Response('Invalid path.', 400);
+        }
+
+        if ('' === $path) {
+            throw new NotFoundHttpException('No file requested.');
+        }
+
+        try {
+            $stream = $this->fileSource->read($path);
+        } catch (ShareNotConfiguredException) {
+            return new Response('Share not configured.', 409);
+        } catch (ShareConnectionException) {
+            throw new NotFoundHttpException('File not found.');
+        }
+
+        $name      = basename($path);
+        $extension = pathinfo($name, PATHINFO_EXTENSION);
+        $mime      = MimeTypes::getDefault()->getMimeTypes($extension)[0] ?? 'application/octet-stream';
+
+        // Anti-XSS : seuls des types non exécutables sont servis inline (images hors SVG, PDF).
+        // Tout le reste (HTML, SVG, octet-stream, etc.) est forcé en attachment, même si inline est demandé.
+        $inlineSafe  = ('image/svg+xml' !== $mime && str_starts_with($mime, 'image/')) || 'application/pdf' === $mime;
+        $wantInline  = 'attachment' !== $request->query->get('disposition');
+        $disposition = ($inlineSafe && $wantInline) ? HeaderUtils::DISPOSITION_INLINE : HeaderUtils::DISPOSITION_ATTACHMENT;
+
+        $response = new StreamedResponse(function () use ($stream): void {
+            if (is_resource($stream)) {
+                fpassthru($stream);
+                fclose($stream);
+            }
+        });
+        $response->headers->set('Content-Type', $mime);
+        $response->headers->set('Content-Disposition', HeaderUtils::makeDisposition($disposition, $name));
+        // Empêche le navigateur de "deviner" un type exécutable à partir du contenu.
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}

src/Controller/Share/ShareStatusController.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Share;
+
+use App\Repository\ShareConfigurationRepository;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+class ShareStatusController extends AbstractController
+{
+    public function __construct(
+        private readonly ShareConfigurationRepository $configRepository,
+    ) {}
+
+    #[Route('/api/share/status', name: 'share_status', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(): JsonResponse
+    {
+        $config = $this->configRepository->findSingleton();
+
+        return new JsonResponse(['enabled' => null !== $config && $config->isUsable()]);
+    }
+}

src/DataFixtures/AppFixtures.php

@@ -43,6 +43,8 @@ class AppFixtures extends Fixture
         // Users
         $admin = new User();
         $admin->setUsername('admin');
+        $admin->setFirstName('Alex');
+        $admin->setLastName('Martin');
         $admin->setRoles(['ROLE_ADMIN']);
         $admin->setPassword($this->passwordHasher->hashPassword($admin, 'admin'));
         $admin->setApiToken('dev-mcp-token-for-testing-only-do-not-use-in-production');
@@ -50,18 +52,24 @@ class AppFixtures extends Fixture
 
         $userAlice = new User();
         $userAlice->setUsername('alice');
+        $userAlice->setFirstName('Alice');
+        $userAlice->setLastName('Dupont');
         $userAlice->setRoles(['ROLE_USER']);
         $userAlice->setPassword($this->passwordHasher->hashPassword($userAlice, 'alice'));
         $manager->persist($userAlice);
 
         $userBob = new User();
         $userBob->setUsername('bob');
+        $userBob->setFirstName('Bob');
+        $userBob->setLastName('Leroy');
         $userBob->setRoles(['ROLE_USER']);
         $userBob->setPassword($this->passwordHasher->hashPassword($userBob, 'bob'));
         $manager->persist($userBob);
 
         $userCharlie = new User();
         $userCharlie->setUsername('charlie');
+        $userCharlie->setFirstName('Charlie');
+        $userCharlie->setLastName('Moreau');
         $userCharlie->setRoles(['ROLE_USER']);
         $userCharlie->setPassword($this->passwordHasher->hashPassword($userCharlie, 'charlie'));
         $manager->persist($userCharlie);

src/DependencyInjection/Compiler/McpSchemaGeneratorPass.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\DependencyInjection\Compiler;
+
+use App\Mcp\Schema\CoercingSchemaGenerator;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * Wires the CoercingSchemaGenerator into the MCP server builder so that
+ * generated tool input schemas accept stringified scalar arguments.
+ */
+final class McpSchemaGeneratorPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        if (!$container->hasDefinition('mcp.server.builder')) {
+            return;
+        }
+
+        $container->getDefinition('mcp.server.builder')
+            ->addMethodCall('setSchemaGenerator', [new Reference(CoercingSchemaGenerator::class)])
+        ;
+    }
+}

src/Entity/ShareConfiguration.php

@@ -0,0 +1,139 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use App\Repository\ShareConfigurationRepository;
+use Doctrine\ORM\Mapping as ORM;
+
+#[ORM\Entity(repositoryClass: ShareConfigurationRepository::class)]
+class ShareConfiguration
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $host = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $shareName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $basePath = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $domain = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    private ?string $username = null;
+
+    #[ORM\Column(type: 'text', nullable: true)]
+    private ?string $encryptedPassword = null;
+
+    #[ORM\Column(type: 'boolean')]
+    private bool $enabled = false;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getHost(): ?string
+    {
+        return $this->host;
+    }
+
+    public function setHost(?string $host): static
+    {
+        $this->host = $host;
+
+        return $this;
+    }
+
+    public function getShareName(): ?string
+    {
+        return $this->shareName;
+    }
+
+    public function setShareName(?string $shareName): static
+    {
+        $this->shareName = $shareName;
+
+        return $this;
+    }
+
+    public function getBasePath(): ?string
+    {
+        return $this->basePath;
+    }
+
+    public function setBasePath(?string $basePath): static
+    {
+        $this->basePath = $basePath;
+
+        return $this;
+    }
+
+    public function getDomain(): ?string
+    {
+        return $this->domain;
+    }
+
+    public function setDomain(?string $domain): static
+    {
+        $this->domain = $domain;
+
+        return $this;
+    }
+
+    public function getUsername(): ?string
+    {
+        return $this->username;
+    }
+
+    public function setUsername(?string $username): static
+    {
+        $this->username = $username;
+
+        return $this;
+    }
+
+    public function getEncryptedPassword(): ?string
+    {
+        return $this->encryptedPassword;
+    }
+
+    public function setEncryptedPassword(?string $encryptedPassword): static
+    {
+        $this->encryptedPassword = $encryptedPassword;
+
+        return $this;
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->enabled;
+    }
+
+    public function setEnabled(bool $enabled): static
+    {
+        $this->enabled = $enabled;
+
+        return $this;
+    }
+
+    public function hasPassword(): bool
+    {
+        return null !== $this->encryptedPassword;
+    }
+
+    public function isUsable(): bool
+    {
+        return $this->enabled
+            && null !== $this->host && '' !== $this->host
+            && null !== $this->shareName && '' !== $this->shareName;
+    }
+}

src/Entity/TimeEntry.php

@@ -25,6 +25,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ApiResource(
     operations: [
         new GetCollection(security: "is_granted('ROLE_USER')"),
+        new GetCollection(
+            name: 'time_entries_range',
+            uriTemplate: '/time_entries/range',
+            description: 'List time entries for a bounded date range without pagination (used by the time-tracking calendar)',
+            paginationEnabled: false,
+            security: "is_granted('ROLE_USER')",
+        ),
         new GetCollection(
             name: 'active_time_entry',
             uriTemplate: '/time_entries/active',

src/Entity/User.php

@@ -55,6 +55,14 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     #[Groups(['me:read', 'task:read', 'user:list', 'user:write', 'time_entry:read', 'absence_request:read', 'absence_balance:read'])]
     private ?string $username = null;
 
+    #[ORM\Column(length: 100, nullable: true)]
+    #[Groups(['me:read', 'user:list', 'user:write'])]
+    private ?string $firstName = null;
+
+    #[ORM\Column(length: 100, nullable: true)]
+    #[Groups(['me:read', 'user:list', 'user:write'])]
+    private ?string $lastName = null;
+
     /** @var list<string> */
     #[ORM\Column]
     #[ApiProperty(security: "is_granted('ROLE_ADMIN') or object == user")]
@@ -147,6 +155,30 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
         return $this;
     }
 
+    public function getFirstName(): ?string
+    {
+        return $this->firstName;
+    }
+
+    public function setFirstName(?string $firstName): static
+    {
+        $this->firstName = $firstName;
+
+        return $this;
+    }
+
+    public function getLastName(): ?string
+    {
+        return $this->lastName;
+    }
+
+    public function setLastName(?string $lastName): static
+    {
+        $this->lastName = $lastName;
+
+        return $this;
+    }
+
     public function getUserIdentifier(): string
     {
         return (string) $this->username;

src/Kernel.php

@@ -4,10 +4,17 @@ declare(strict_types=1);
 
 namespace App;
 
+use App\DependencyInjection\Compiler\McpSchemaGeneratorPass;
 use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpKernel\Kernel as BaseKernel;
 
 class Kernel extends BaseKernel
 {
     use MicroKernelTrait;
+
+    protected function build(ContainerBuilder $container): void
+    {
+        $container->addCompilerPass(new McpSchemaGeneratorPass());
+    }
 }

src/Mcp/EventListener/CoerceJsonEncodedArgumentsListener.php

@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\EventListener;
+
+use App\Mcp\Schema\CoercingSchemaGenerator;
+use Mcp\Capability\RegistryInterface;
+use Mcp\Event\RequestEvent;
+use Mcp\Schema\Request\CallToolRequest;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Throwable;
+
+use function is_array;
+use function is_string;
+
+/**
+ * Decodes JSON-encoded structured arguments before tool calls are validated.
+ *
+ * Some MCP clients/proxies serialize array and object arguments as JSON strings
+ * (e.g. `tagIds` arrives as the string `"[3]"` instead of the array `[3]`). The
+ * SDK validates arguments against the JSON Schema BEFORE casting, so an `array`
+ * schema rejects the string with a 422, and ReferenceHandler::castToArray does
+ * not decode JSON strings either.
+ *
+ * This listener runs on the SDK RequestEvent (dispatched before any handler) and,
+ * driven by the tool's input schema, decodes string arguments whose target type
+ * is `array` or `object`. Scalar stringification is handled separately by
+ * {@see CoercingSchemaGenerator}.
+ */
+#[AsEventListener(event: RequestEvent::class)]
+final class CoerceJsonEncodedArgumentsListener
+{
+    public function __construct(
+        #[Autowire(service: 'mcp.registry')]
+        private readonly RegistryInterface $registry,
+    ) {}
+
+    public function __invoke(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        if (!$request instanceof CallToolRequest) {
+            return;
+        }
+
+        $arguments = $request->arguments;
+        if ([] === $arguments) {
+            return;
+        }
+
+        $properties = $this->toolProperties($request->name);
+        if (null === $properties) {
+            return;
+        }
+
+        $changed = false;
+        foreach ($arguments as $name => $value) {
+            if (!is_string($value) || !is_array($properties[$name] ?? null)) {
+                continue;
+            }
+
+            $types = (array) ($properties[$name]['type'] ?? []);
+            if ([] === array_intersect(['array', 'object'], $types)) {
+                continue;
+            }
+
+            $decoded = json_decode($value, true);
+            if (is_array($decoded)) {
+                $arguments[$name] = $decoded;
+                $changed          = true;
+            }
+        }
+
+        if ($changed) {
+            $event->setRequest(
+                new CallToolRequest($request->name, $arguments)
+                    ->withId($request->getId())
+                    ->withMeta($request->getMeta()),
+            );
+        }
+    }
+
+    /**
+     * @return null|array<string, mixed>
+     */
+    private function toolProperties(string $toolName): ?array
+    {
+        try {
+            $schema = $this->registry->getTool($toolName)->tool->inputSchema;
+        } catch (Throwable) {
+            return null;
+        }
+
+        $properties = $schema['properties'] ?? null;
+
+        return is_array($properties) ? $properties : null;
+    }
+}

src/Mcp/Schema/CoercingSchemaGenerator.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\Schema;
+
+use Mcp\Capability\Discovery\DocBlockParser;
+use Mcp\Capability\Discovery\SchemaGenerator;
+use Mcp\Capability\Discovery\SchemaGeneratorInterface;
+use Reflector;
+
+use function count;
+use function in_array;
+use function is_array;
+
+/**
+ * Wraps the SDK SchemaGenerator and relaxes scalar parameter schemas so that
+ * numeric/boolean parameters also accept their string representation.
+ *
+ * Rationale: some MCP clients serialize every JSON-RPC argument as a string
+ * (e.g. `"22"` instead of `22`). The SDK validates arguments against the
+ * generated JSON Schema BEFORE casting them (see CallToolHandler), so a strict
+ * `integer` schema rejects `"22"` with a 422 even though the SDK's
+ * ReferenceHandler::castArgumentType would happily coerce it afterwards.
+ *
+ * By advertising `["integer", "string"]` (resp. number/boolean) we let opis
+ * accept the stringified value; the reflected PHP type hint (`int`, `bool`, ...)
+ * still drives the actual coercion in ReferenceHandler. Non-numeric strings are
+ * rejected later with a clear "cannot cast" error.
+ */
+final class CoercingSchemaGenerator implements SchemaGeneratorInterface
+{
+    public function __construct(
+        private readonly SchemaGeneratorInterface $inner = new SchemaGenerator(new DocBlockParser()),
+    ) {}
+
+    public function generate(Reflector $reflection): array
+    {
+        $schema = $this->inner->generate($reflection);
+
+        if (isset($schema['properties']) && is_array($schema['properties'])) {
+            foreach ($schema['properties'] as $name => $property) {
+                if (is_array($property)) {
+                    $schema['properties'][$name] = $this->relaxNode($property);
+                }
+            }
+        }
+
+        return $schema;
+    }
+
+    public function generateOutputSchema(Reflector $reflection): ?array
+    {
+        return $this->inner->generateOutputSchema($reflection);
+    }
+
+    /**
+     * @param array<string, mixed> $node
+     *
+     * @return array<string, mixed>
+     */
+    private function relaxNode(array $node): array
+    {
+        if (isset($node['type'])) {
+            $node['type'] = $this->relaxType($node['type']);
+        }
+
+        // Relax array element types too (stringified IDs inside tagIds, etc.).
+        if (isset($node['items']) && is_array($node['items'])) {
+            $node['items'] = $this->relaxNode($node['items']);
+        }
+
+        return $node;
+    }
+
+    /**
+     * Adds "string" to a type definition that allows integer/number/boolean.
+     *
+     * @param string|string[] $type
+     *
+     * @return string|string[]
+     */
+    private function relaxType(array|string $type): array|string
+    {
+        $types = (array) $type;
+
+        $isNumericOrBool = in_array('integer', $types, true)
+            || in_array('number', $types, true)
+            || in_array('boolean', $types, true);
+
+        if ($isNumericOrBool && !in_array('string', $types, true)) {
+            $types[] = 'string';
+        }
+
+        return 1 === count($types) ? $types[0] : array_values($types);
+    }
+}

src/Mcp/Tool/Task/AddTaskDocumentTool.php

@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\Tool\Task;
+
+use App\Entity\TaskDocument;
+use App\Repository\TaskRepository;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Uid\Uuid;
+
+use function sprintf;
+use function strlen;
+
+#[McpTool(name: 'add-task-document', description: 'Attach a text document (Markdown by default) to a task by passing its raw content. Optimized for Markdown reports/notes: the content is written verbatim as a UTF-8 file, no base64 needed. The MIME type is inferred from the fileName extension (.md, .txt, .csv, .json, .xml), defaulting to text/markdown.')]
+class AddTaskDocumentTool
+{
+    private const MAX_CONTENT_SIZE = 5 * 1024 * 1024; // 5 MB of text
+
+    private const EXTENSION_TO_MIME = [
+        'md'       => 'text/markdown',
+        'markdown' => 'text/markdown',
+        'txt'      => 'text/plain',
+        'csv'      => 'text/csv',
+        'json'     => 'application/json',
+        'xml'      => 'text/xml',
+    ];
+
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly TaskRepository $taskRepository,
+        private readonly Security $security,
+        private readonly string $uploadDir,
+    ) {}
+
+    /**
+     * @param int    $taskId   ID of the task to attach the document to
+     * @param string $content  Raw text content of the document (e.g. Markdown)
+     * @param string $fileName Display name of the document, including extension (defaults to "document.md")
+     */
+    public function __invoke(
+        int $taskId,
+        string $content,
+        string $fileName = 'document.md',
+    ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $task = $this->taskRepository->find($taskId);
+        if (null === $task) {
+            throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
+        }
+
+        if ('' === $content) {
+            throw new InvalidArgumentException('Document content cannot be empty.');
+        }
+
+        $size = strlen($content);
+        if ($size > self::MAX_CONTENT_SIZE) {
+            throw new InvalidArgumentException('Content size exceeds 5 MB limit.');
+        }
+
+        $originalName = '' !== trim($fileName) ? trim($fileName) : 'document.md';
+
+        $extension = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
+        $mimeType  = self::EXTENSION_TO_MIME[$extension] ?? 'text/markdown';
+        if ('' === $extension) {
+            $originalName .= '.md';
+            $extension = 'md';
+        }
+
+        $storedName = Uuid::v4()->toRfc4122().'.'.$extension;
+
+        if (!is_dir($this->uploadDir) && !mkdir($this->uploadDir, 0o775, true) && !is_dir($this->uploadDir)) {
+            throw new InvalidArgumentException(sprintf('Upload directory "%s" could not be created.', $this->uploadDir));
+        }
+
+        if (false === file_put_contents($this->uploadDir.'/'.$storedName, $content)) {
+            throw new InvalidArgumentException('Failed to write document to disk.');
+        }
+
+        $document = new TaskDocument();
+        $document->setTask($task);
+        $document->setOriginalName($originalName);
+        $document->setFileName($storedName);
+        $document->setMimeType($mimeType);
+        $document->setSize($size);
+        $document->setCreatedAt(new DateTimeImmutable());
+        $document->setUploadedBy($this->security->getUser());
+
+        $this->entityManager->persist($document);
+        $this->entityManager->flush();
+
+        return json_encode([
+            'id'           => $document->getId(),
+            'taskId'       => $task->getId(),
+            'originalName' => $document->getOriginalName(),
+            'mimeType'     => $document->getMimeType(),
+            'size'         => $document->getSize(),
+            'createdAt'    => $document->getCreatedAt()?->format('c'),
+            'uploadedBy'   => $document->getUploadedBy()?->getUsername(),
+        ]);
+    }
+}

src/Mcp/Tool/Task/CreateTaskTool.php

@@ -41,6 +41,10 @@ class CreateTaskTool
         private readonly CalDavService $calDavService,
     ) {}
 
+    /**
+     * @param int[] $tagIds          IDs of the tags to attach
+     * @param int[] $collaboratorIds IDs of the collaborators to attach
+     */
     public function __invoke(
         int $projectId,
         string $title,

src/Mcp/Tool/Task/DeleteTaskDocumentTool.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\Tool\Task;
+
+use App\Entity\TaskDocument;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'delete-task-document', description: 'Delete a document attached to a task, permanently. The underlying file is also removed from disk.')]
+class DeleteTaskDocumentTool
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    /**
+     * @param int $id ID of the task document to delete
+     */
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $document = $this->entityManager->find(TaskDocument::class, $id);
+        if (null === $document) {
+            throw new InvalidArgumentException(sprintf('Task document with ID %d not found.', $id));
+        }
+
+        $taskId       = $document->getTask()?->getId();
+        $originalName = $document->getOriginalName();
+
+        $this->entityManager->remove($document);
+        $this->entityManager->flush();
+
+        return json_encode([
+            'success'      => true,
+            'message'      => sprintf('Document "%s" (ID %d) deleted.', $originalName, $id),
+            'id'           => $id,
+            'taskId'       => $taskId,
+            'originalName' => $originalName,
+        ]);
+    }
+}

src/Mcp/Tool/Task/ListTasksTool.php

@@ -18,6 +18,9 @@ class ListTasksTool
         private readonly Security $security,
     ) {}
 
+    /**
+     * @param int[] $tagIds IDs of the tags to filter by
+     */
     public function __invoke(
         ?int $projectId = null,
         ?int $statusId = null,

src/Mcp/Tool/Task/UpdateTaskDocumentTool.php

@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\Tool\Task;
+
+use App\Entity\TaskDocument;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+use function strlen;
+
+#[McpTool(name: 'update-task-document', description: 'Update a document attached to a task: replace its text content and/or rename it. Pass the new raw content (verbatim UTF-8) and/or a new fileName. The MIME type is re-inferred from the fileName extension. At least one of content or fileName must be provided.')]
+class UpdateTaskDocumentTool
+{
+    private const MAX_CONTENT_SIZE = 5 * 1024 * 1024; // 5 MB of text
+
+    private const EXTENSION_TO_MIME = [
+        'md'       => 'text/markdown',
+        'markdown' => 'text/markdown',
+        'txt'      => 'text/plain',
+        'csv'      => 'text/csv',
+        'json'     => 'application/json',
+        'xml'      => 'text/xml',
+    ];
+
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+        private readonly string $uploadDir,
+    ) {}
+
+    /**
+     * @param int         $id       ID of the task document to update
+     * @param null|string $content  New raw text content of the document (e.g. Markdown). Omit to keep the current content.
+     * @param null|string $fileName New display name of the document, including extension. Omit to keep the current name.
+     */
+    public function __invoke(
+        int $id,
+        ?string $content = null,
+        ?string $fileName = null,
+    ): string {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        if (null === $content && null === $fileName) {
+            throw new InvalidArgumentException('At least one of content or fileName must be provided.');
+        }
+
+        $document = $this->entityManager->find(TaskDocument::class, $id);
+        if (null === $document) {
+            throw new InvalidArgumentException(sprintf('Task document with ID %d not found.', $id));
+        }
+
+        // Rename: update the display name and re-infer the MIME type from its extension.
+        if (null !== $fileName) {
+            $originalName = trim($fileName);
+            if ('' === $originalName) {
+                throw new InvalidArgumentException('fileName cannot be empty.');
+            }
+
+            $extension = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
+            if ('' === $extension) {
+                $originalName .= '.md';
+                $extension = 'md';
+            }
+
+            $document->setOriginalName($originalName);
+            $document->setMimeType(self::EXTENSION_TO_MIME[$extension] ?? 'text/markdown');
+        }
+
+        // Replace content: overwrite the stored file in place and refresh its size.
+        if (null !== $content) {
+            if ('' === $content) {
+                throw new InvalidArgumentException('Document content cannot be empty.');
+            }
+
+            $size = strlen($content);
+            if ($size > self::MAX_CONTENT_SIZE) {
+                throw new InvalidArgumentException('Content size exceeds 5 MB limit.');
+            }
+
+            $filePath = $this->uploadDir.'/'.$document->getFileName();
+            if (false === file_put_contents($filePath, $content)) {
+                throw new InvalidArgumentException('Failed to write document to disk.');
+            }
+
+            $document->setSize($size);
+        }
+
+        $this->entityManager->flush();
+
+        return json_encode([
+            'id'           => $document->getId(),
+            'taskId'       => $document->getTask()?->getId(),
+            'originalName' => $document->getOriginalName(),
+            'mimeType'     => $document->getMimeType(),
+            'size'         => $document->getSize(),
+            'createdAt'    => $document->getCreatedAt()?->format('c'),
+            'uploadedBy'   => $document->getUploadedBy()?->getUsername(),
+        ]);
+    }
+}

src/Mcp/Tool/Task/UpdateTaskTool.php

@@ -38,6 +38,10 @@ class UpdateTaskTool
         private readonly CalDavService $calDavService,
     ) {}
 
+    /**
+     * @param int[] $tagIds          IDs of the tags to attach
+     * @param int[] $collaboratorIds IDs of the collaborators to attach
+     */
     public function __invoke(
         int $id,
         ?string $title = null,

src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php

@@ -33,6 +33,9 @@ class CreateTimeEntryTool
         private readonly Security $security,
     ) {}
 
+    /**
+     * @param int[] $tagIds IDs of the tags to attach
+     */
     public function __invoke(
         int $userId,
         string $startedAt,

src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php

@@ -30,6 +30,9 @@ class UpdateTimeEntryTool
         private readonly Security $security,
     ) {}
 
+    /**
+     * @param int[] $tagIds IDs of the tags to attach
+     */
     public function __invoke(
         int $id,
         ?string $title = null,

src/Repository/ShareConfigurationRepository.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\ShareConfiguration;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+class ShareConfigurationRepository extends ServiceEntityRepository
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ShareConfiguration::class);
+    }
+
+    public function findSingleton(): ?ShareConfiguration
+    {
+        return $this->createQueryBuilder('s')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getOneOrNullResult()
+        ;
+    }
+}

src/Service/Share/Exception/InvalidPathException.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share\Exception;
+
+use RuntimeException;
+
+final class InvalidPathException extends RuntimeException {}

src/Service/Share/Exception/ShareConnectionException.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share\Exception;
+
+use RuntimeException;
+
+final class ShareConnectionException extends RuntimeException {}

src/Service/Share/Exception/ShareNotConfiguredException.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share\Exception;
+
+use RuntimeException;
+
+final class ShareNotConfiguredException extends RuntimeException {}

src/Service/Share/FileEntry.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+final readonly class FileEntry
+{
+    public function __construct(
+        public string $name,
+        public string $path,
+        public bool $isDir,
+        public int $size,
+        public ?int $modifiedAt,
+        public string $mimeType,
+    ) {}
+}

src/Service/Share/FileSource.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+interface FileSource
+{
+    /**
+     * @return FileEntry[] dossiers d'abord, puis fichiers, triés par nom
+     */
+    public function dir(string $relativePath): array;
+
+    /**
+     * @return resource flux binaire en lecture
+     */
+    public function read(string $relativePath);
+
+    public function test(): ShareTestResult;
+}

src/Service/Share/SharePathResolver.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+use App\Service\Share\Exception\InvalidPathException;
+
+final class SharePathResolver
+{
+    /**
+     * Normalise un chemin relatif et rejette toute tentative de sortie de racine.
+     */
+    public function normalizeRelative(string $path): string
+    {
+        $path     = str_replace('\\', '/', $path);
+        $segments = [];
+
+        foreach (explode('/', $path) as $segment) {
+            if ('' === $segment || '.' === $segment) {
+                continue;
+            }
+            if ('..' === $segment) {
+                throw new InvalidPathException('Path traversal is not allowed.');
+            }
+            $segments[] = $segment;
+        }
+
+        return implode('/', $segments);
+    }
+
+    /**
+     * Construit le chemin SMB absolu (toujours sous basePath).
+     */
+    public function fullPath(string $basePath, string $relativePath): string
+    {
+        $base     = trim(str_replace('\\', '/', $basePath), '/');
+        $relative = $this->normalizeRelative($relativePath);
+
+        $parts = array_values(array_filter([$base, $relative], static fn (string $p): bool => '' !== $p));
+
+        return '/'.implode('/', $parts);
+    }
+}

src/Service/Share/ShareTestResult.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+final readonly class ShareTestResult
+{
+    public function __construct(
+        public bool $success,
+        public ?string $message = null,
+    ) {}
+}

src/Service/Share/SmbFileSource.php

@@ -0,0 +1,132 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+use App\Entity\ShareConfiguration;
+use App\Repository\ShareConfigurationRepository;
+use App\Service\Share\Exception\ShareConnectionException;
+use App\Service\Share\Exception\ShareNotConfiguredException;
+use App\Service\TokenEncryptor;
+use Icewind\SMB\BasicAuth;
+use Icewind\SMB\IFileInfo;
+use Icewind\SMB\IShare;
+use Icewind\SMB\ServerFactory;
+use Symfony\Component\Mime\MimeTypes;
+use Throwable;
+
+final class SmbFileSource implements FileSource
+{
+    public function __construct(
+        private readonly ShareConfigurationRepository $configRepository,
+        private readonly TokenEncryptor $tokenEncryptor,
+        private readonly SharePathResolver $pathResolver,
+    ) {}
+
+    public function dir(string $relativePath): array
+    {
+        $config = $this->requireUsableConfig();
+        $share  = $this->connect($config);
+        $full   = $this->pathResolver->fullPath((string) $config->getBasePath(), $relativePath);
+
+        try {
+            $infos = $share->dir($full);
+        } catch (Throwable $e) {
+            throw new ShareConnectionException($e->getMessage(), 0, $e);
+        }
+
+        $entries = array_map(fn (IFileInfo $i): FileEntry => $this->toEntry($i, $relativePath), $infos);
+
+        usort($entries, static function (FileEntry $a, FileEntry $b): int {
+            if ($a->isDir !== $b->isDir) {
+                return $a->isDir ? -1 : 1;
+            }
+
+            return strcasecmp($a->name, $b->name);
+        });
+
+        return $entries;
+    }
+
+    public function read(string $relativePath)
+    {
+        $config = $this->requireUsableConfig();
+        $share  = $this->connect($config);
+        $full   = $this->pathResolver->fullPath((string) $config->getBasePath(), $relativePath);
+
+        try {
+            return $share->read($full);
+        } catch (Throwable $e) {
+            throw new ShareConnectionException($e->getMessage(), 0, $e);
+        }
+    }
+
+    public function test(): ShareTestResult
+    {
+        try {
+            $config = $this->requireUsableConfig();
+            $share  = $this->connect($config);
+            $share->dir($this->pathResolver->fullPath((string) $config->getBasePath(), ''));
+
+            return new ShareTestResult(true);
+        } catch (ShareNotConfiguredException $e) {
+            return new ShareTestResult(false, 'Configuration incomplète ou désactivée.');
+        } catch (Throwable $e) {
+            return new ShareTestResult(false, $e->getMessage());
+        }
+    }
+
+    private function requireUsableConfig(): ShareConfiguration
+    {
+        $config = $this->configRepository->findSingleton();
+
+        if (null === $config || !$config->isUsable()) {
+            throw new ShareNotConfiguredException('Share is not configured or disabled.');
+        }
+
+        return $config;
+    }
+
+    private function connect(ShareConfiguration $config): IShare
+    {
+        $password = null !== $config->getEncryptedPassword()
+            ? $this->tokenEncryptor->decrypt($config->getEncryptedPassword())
+            : '';
+
+        $auth = new BasicAuth(
+            (string) $config->getUsername(),
+            $config->getDomain() ?: 'WORKGROUP',
+            $password,
+        );
+        $server = new ServerFactory()->createServer((string) $config->getHost(), $auth);
+
+        try {
+            return $server->getShare((string) $config->getShareName());
+        } catch (Throwable $e) {
+            throw new ShareConnectionException($e->getMessage(), 0, $e);
+        }
+    }
+
+    private function toEntry(IFileInfo $info, string $parentRelative): FileEntry
+    {
+        $parent = '' === $parentRelative ? '' : rtrim($parentRelative, '/').'/';
+        $path   = $parent.$info->getName();
+        $isDir  = $info->isDirectory();
+
+        $mime = 'application/octet-stream';
+        if (!$isDir) {
+            $guessed = MimeTypes::getDefault()->getMimeTypes(pathinfo($info->getName(), PATHINFO_EXTENSION));
+            $mime    = $guessed[0] ?? 'application/octet-stream';
+        }
+
+        return new FileEntry(
+            name: $info->getName(),
+            path: $path,
+            isDir: $isDir,
+            size: $isDir ? 0 : $info->getSize(),
+            modifiedAt: $info->getMTime(),
+            mimeType: $mime,
+        );
+    }
+}

src/State/ShareSettingsProcessor.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\ApiResource\ShareSettings;
+use App\Entity\ShareConfiguration;
+use App\Repository\ShareConfigurationRepository;
+use App\Service\TokenEncryptor;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class ShareSettingsProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private ShareConfigurationRepository $configRepository,
+        private TokenEncryptor $tokenEncryptor,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ShareSettings
+    {
+        assert($data instanceof ShareSettings);
+
+        $config = $this->configRepository->findSingleton() ?? new ShareConfiguration();
+
+        $config->setHost($data->host);
+        $config->setShareName($data->shareName);
+        $config->setBasePath($data->basePath);
+        $config->setDomain($data->domain);
+        $config->setUsername($data->username);
+        $config->setEnabled($data->enabled);
+
+        if (null !== $data->password && '' !== $data->password) {
+            $config->setEncryptedPassword($this->tokenEncryptor->encrypt($data->password));
+        }
+
+        $this->em->persist($config);
+        $this->em->flush();
+
+        $result              = new ShareSettings();
+        $result->host        = $config->getHost();
+        $result->shareName   = $config->getShareName();
+        $result->basePath    = $config->getBasePath();
+        $result->domain      = $config->getDomain();
+        $result->username    = $config->getUsername();
+        $result->enabled     = $config->isEnabled();
+        $result->hasPassword = $config->hasPassword();
+
+        return $result;
+    }
+}

src/State/ShareSettingsProvider.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\ApiResource\ShareSettings;
+use App\Repository\ShareConfigurationRepository;
+
+final readonly class ShareSettingsProvider implements ProviderInterface
+{
+    public function __construct(
+        private ShareConfigurationRepository $configRepository,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ShareSettings
+    {
+        $config = $this->configRepository->findSingleton();
+        $dto    = new ShareSettings();
+
+        if (null !== $config) {
+            $dto->host        = $config->getHost();
+            $dto->shareName   = $config->getShareName();
+            $dto->basePath    = $config->getBasePath();
+            $dto->domain      = $config->getDomain();
+            $dto->username    = $config->getUsername();
+            $dto->enabled     = $config->isEnabled();
+            $dto->hasPassword = $config->hasPassword();
+        }
+
+        return $dto;
+    }
+}

src/State/ShareTestConnectionProvider.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use ApiPlatform\State\ProviderInterface;
+use App\ApiResource\ShareTestConnection;
+use App\Service\Share\FileSource;
+
+final readonly class ShareTestConnectionProvider implements ProviderInterface, ProcessorInterface
+{
+    public function __construct(
+        private FileSource $fileSource,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ShareTestConnection
+    {
+        return new ShareTestConnection();
+    }
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ShareTestConnection
+    {
+        $result = $this->fileSource->test();
+
+        $dto          = new ShareTestConnection();
+        $dto->success = $result->success;
+        $dto->message = $result->message;
+
+        return $dto;
+    }
+}

symfony.lock

@@ -184,6 +184,18 @@
     "symfony/mcp-bundle": {
         "version": "v0.6.0"
     },
+    "symfony/messenger": {
+        "version": "8.0",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "6.0",
+            "ref": "d8936e2e2230637ef97e5eecc0eea074eecae58b"
+        },
+        "files": [
+            "config/packages/messenger.yaml"
+        ]
+    },
     "symfony/monolog-bundle": {
         "version": "4.0",
         "recipe": {

tests/Functional/Controller/ShareBrowseTest.php

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ShareBrowseTest extends WebTestCase
+{
+    public function testBrowseRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/share/browse?path=/');
+
+        self::assertSame(401, $client->getResponse()->getStatusCode());
+    }
+
+    public function testBrowseRejectsPathTraversal(): void
+    {
+        $client = self::createClient();
+        $this->login($client);
+
+        $client->request('GET', '/api/share/browse?path='.urlencode('../etc'));
+
+        self::assertSame(400, $client->getResponse()->getStatusCode());
+    }
+
+    public function testBrowseReturns409WhenNotConfigured(): void
+    {
+        $client = self::createClient();
+        $this->login($client);
+
+        $client->request('GET', '/api/share/browse?path=');
+
+        self::assertSame(409, $client->getResponse()->getStatusCode());
+    }
+
+    public function testStatusReturnsDisabledByDefault(): void
+    {
+        $client = self::createClient();
+        $this->login($client);
+
+        $client->request('GET', '/api/share/status');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertFalse($data['enabled']);
+    }
+
+    private function login(KernelBrowser $client): void
+    {
+        $em   = self::getContainer()->get('doctrine.orm.entity_manager');
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+    }
+}

tests/Functional/Controller/ShareSettingsTest.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Controller;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+class ShareSettingsTest extends WebTestCase
+{
+    public function testGetSettingsReturns401WhenNotAuthenticated(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/settings/share');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testGetSettingsReturns403ForRoleUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/settings/share');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanReadSettingsWithoutPasswordLeak(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        $client->loginUser($admin);
+
+        $client->request('GET', '/api/settings/share');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('hasPassword', $data);
+        self::assertArrayNotHasKey('password', $data);
+        self::assertArrayNotHasKey('encryptedPassword', $data);
+    }
+}

tests/Unit/Mcp/CoerceJsonEncodedArgumentsListenerTest.php

@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Mcp;
+
+use App\Mcp\EventListener\CoerceJsonEncodedArgumentsListener;
+use Mcp\Capability\Registry\ToolReference;
+use Mcp\Capability\RegistryInterface;
+use Mcp\Event\RequestEvent;
+use Mcp\Schema\Request\CallToolRequest;
+use Mcp\Schema\Tool;
+use Mcp\Server\Session\SessionInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+class CoerceJsonEncodedArgumentsListenerTest extends TestCase
+{
+    private const SCHEMA = [
+        'type'       => 'object',
+        'properties' => [
+            'id'              => ['type' => ['integer', 'string']],
+            'title'           => ['type' => 'string'],
+            'tagIds'          => ['type' => ['array', 'null'], 'items' => ['type' => ['integer', 'string']]],
+            'collaboratorIds' => ['type' => ['array', 'null'], 'items' => ['type' => ['integer', 'string']]],
+        ],
+    ];
+
+    public function testDecodesJsonStringArrayForArrayTypedParam(): void
+    {
+        $result = $this->handle(['tagIds' => '[3]', 'collaboratorIds' => '[5,6]']);
+
+        self::assertSame([3], $result->arguments['tagIds']);
+        self::assertSame([5, 6], $result->arguments['collaboratorIds']);
+    }
+
+    public function testLeavesRealArrayUntouched(): void
+    {
+        $result = $this->handle(['tagIds' => [3]]);
+
+        self::assertSame([3], $result->arguments['tagIds']);
+    }
+
+    public function testDoesNotTouchStringTypedParamEvenIfItLooksLikeJson(): void
+    {
+        $result = $this->handle(['title' => '[1,2]']);
+
+        // title is schema-typed string -> must stay the literal string.
+        self::assertSame('[1,2]', $result->arguments['title']);
+    }
+
+    public function testLeavesScalarTypedParamUntouched(): void
+    {
+        // id is integer/string typed -> not an array/object, handled by the schema
+        // relaxation + SDK cast, not by this listener.
+        $result = $this->handle(['id' => '463']);
+
+        self::assertSame('463', $result->arguments['id']);
+    }
+
+    public function testPreservesRequestId(): void
+    {
+        $result = $this->handle(['tagIds' => '[3]']);
+
+        self::assertSame(1, $result->getId());
+    }
+
+    /**
+     * @param array<string, mixed> $arguments
+     */
+    private function handle(array $arguments): CallToolRequest
+    {
+        $tool      = new Tool('update-task', self::SCHEMA, null, null);
+        $reference = new ToolReference($tool, static fn () => null);
+
+        $registry = $this->createMock(RegistryInterface::class);
+        $registry->method('getTool')->willReturn($reference);
+
+        $request = new CallToolRequest('update-task', $arguments)->withId(1);
+        $event   = new RequestEvent($request, $this->createMock(SessionInterface::class));
+
+        (new CoerceJsonEncodedArgumentsListener($registry))($event);
+
+        $result = $event->getRequest();
+        self::assertInstanceOf(CallToolRequest::class, $result);
+
+        return $result;
+    }
+}

tests/Unit/Mcp/CoercingSchemaGeneratorTest.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Mcp;
+
+use App\Mcp\Schema\CoercingSchemaGenerator;
+use App\Mcp\Tool\Task\CreateTaskTool;
+use App\Mcp\Tool\Task\ListTasksTool;
+use PHPUnit\Framework\TestCase;
+use ReflectionMethod;
+
+/**
+ * @internal
+ */
+class CoercingSchemaGeneratorTest extends TestCase
+{
+    private CoercingSchemaGenerator $generator;
+
+    protected function setUp(): void
+    {
+        $this->generator = new CoercingSchemaGenerator();
+    }
+
+    public function testNullableIntegerScalarAlsoAcceptsString(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(ListTasksTool::class, '__invoke'));
+
+        // ?int $projectId -> ["null","integer"] relaxed with "string".
+        self::assertSame(['null', 'integer', 'string'], $schema['properties']['projectId']['type']);
+    }
+
+    public function testRequiredIntegerScalarAlsoAcceptsString(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(ListTasksTool::class, '__invoke'));
+
+        // int $limit = 100 -> "integer" relaxed to ["integer","string"].
+        self::assertSame(['integer', 'string'], $schema['properties']['limit']['type']);
+    }
+
+    public function testBooleanScalarAlsoAcceptsString(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(CreateTaskTool::class, '__invoke'));
+
+        // ?bool $syncToCalendar -> ["boolean","null"] relaxed with "string".
+        $type = $schema['properties']['syncToCalendar']['type'];
+        self::assertContains('boolean', $type);
+        self::assertContains('string', $type);
+        self::assertContains('null', $type);
+    }
+
+    public function testArrayItemTypeAlsoAcceptsString(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(CreateTaskTool::class, '__invoke'));
+
+        // int[] $tagIds -> items {type: integer} relaxed to {type: [integer, string]}.
+        self::assertSame(['integer', 'string'], $schema['properties']['tagIds']['items']['type']);
+    }
+
+    public function testStringScalarIsLeftUntouched(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(CreateTaskTool::class, '__invoke'));
+
+        // string $title stays a plain string (no spurious relaxation).
+        self::assertSame('string', $schema['properties']['title']['type']);
+    }
+
+    public function testArrayContainerTypeIsNotRelaxed(): void
+    {
+        $schema = $this->generator->generate(new ReflectionMethod(CreateTaskTool::class, '__invoke'));
+
+        // The array container itself must not gain "string".
+        self::assertSame(['array', 'null'], $schema['properties']['tagIds']['type']);
+    }
+}

tests/Unit/Service/SharePathResolverTest.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Service;
+
+use App\Service\Share\Exception\InvalidPathException;
+use App\Service\Share\SharePathResolver;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SharePathResolverTest extends TestCase
+{
+    private SharePathResolver $resolver;
+
+    protected function setUp(): void
+    {
+        $this->resolver = new SharePathResolver();
+    }
+
+    public function testNormalizeRelativeKeepsSimplePath(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('a/b'));
+    }
+
+    public function testNormalizeRelativeStripsDotsAndSlashes(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('/a/./b/'));
+    }
+
+    public function testNormalizeRelativeConvertsBackslashes(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('a\b'));
+    }
+
+    public function testNormalizeRelativeRejectsParentTraversal(): void
+    {
+        $this->expectException(InvalidPathException::class);
+        $this->resolver->normalizeRelative('a/../b');
+    }
+
+    public function testNormalizeRelativeRejectsLeadingParent(): void
+    {
+        $this->expectException(InvalidPathException::class);
+        $this->resolver->normalizeRelative('../etc/passwd');
+    }
+
+    public function testFullPathJoinsBaseAndRelative(): void
+    {
+        self::assertSame('/Projets/a/b', $this->resolver->fullPath('/Projets', 'a/b'));
+    }
+
+    public function testFullPathWithEmptyBaseAndEmptyRelativeIsRoot(): void
+    {
+        self::assertSame('/', $this->resolver->fullPath('', ''));
+    }
+
+    public function testFullPathTrimsBaseSlashes(): void
+    {
+        self::assertSame('/Projets/a', $this->resolver->fullPath('/Projets/', 'a'));
+    }
+}