From a510b2ca73a31ecc5fe3bc8cb19e9b76d1cf5736 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 10:50:14 +0200
Subject: [PATCH 01/99] docs : add modular monolith migration roadmap and socle
 design
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Plan de migration complet Lesstime vers modular monolith DDD (archi Starseed) : roadmap en 14 tickets ordonnés par dépendances + design technique détaillé du socle (Shared/, contrats, endpoints modules/sidebar, plan strangler).
---
 ...26-06-19-lst-56-modular-monolith-design.md | 192 ++++++++++++++++++
 ...6-19-migration-modular-monolith-roadmap.md | 161 +++++++++++++++
 2 files changed, 353 insertions(+)
 create mode 100644 docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
 create mode 100644 docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md

diff --git a/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md b/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
new file mode 100644
index 0000000..5f58cb6
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-19-lst-56-modular-monolith-design.md
@@ -0,0 +1,192 @@
+# LST-56 — Socle modular monolith DDD + pilote « Projets/Tâches »
+
+> Ticket Lesstime **#56** (1/5 — groupe « Refonte / Alignement Starseed »).
+> Design validé le 2026-06-19. Référence vivante : repo **Starseed** (`.claude/rules/*.md` + implémentation réelle), et `Starseed/doc/architecture-modulaire-malio.md` (vision cible théorique — **non contraignante** là où elle diverge du code réel).
+
+## 1. Objectif & contraintes
+
+Poser dans Lesstime l'**infrastructure d'un modular monolith DDD** calquée sur Starseed, et **migrer un premier module pilote** (Projets/Tâches) de bout en bout comme preuve que la mécanique tient sur le cœur métier.
+
+Contraintes **non négociables** :
+
+- **Ne rien casser de l'existant.** Migration **strangler progressive** : le code legacy (`src/Entity/…`) et les modules (`src/Module/…`) coexistent ; l'application reste fonctionnelle et `make test` vert à **chaque** étape.
+- **Prod = Docker, BDD peuplée** → uniquement des migrations **additives et nullable** (aucun `DROP`, aucun `NOT NULL` rétroactif, aucun déplacement de données).
+- **Profondeur DDD : pragmatique**, alignée sur le **Starseed réel** (pas la doc théorique) : ORM attributs conservés dans les entités Domain, Repository = interface (Domain) + impl Doctrine (Infrastructure), Provider/Processor API Platform, contrats `Shared/Domain/Contract` pour le cross-module. **Pas de CQRS bus systématique, pas de multi-tenant.**
+
+### Décisions de cadrage (figées)
+
+| Sujet | Décision |
+|-------|----------|
+| Périmètre #56 | Socle complet + **1 module pilote** migré de bout en bout |
+| Stratégie | **Strangler progressif** (legacy + modules en parallèle) |
+| Profondeur DDD | **Pragmatique** (= Starseed réel) |
+| Module pilote | **Projets/Tâches** (cœur métier) |
+| Dépendances du pilote (User/Client/Notification) | Restent **legacy**, câblées via **contrats `Shared/Domain/Contract`** + `resolve_target_entities` |
+| Infra d'audit Starseed | **Différée** → ticket Lesstime dédié (créé séparément) |
+| Périmètre front #56 | **Câblage shell/shared/middlewares + migration du pilote en layer**, sans relooking (le relooking Malio reste #60) |
+| Exposition API du pilote | **Garder les `#[ApiResource]` actuels** (étendre seulement les chemins de scan) — zéro régression API |
+| Tâche → Notification | **Contrat `NotifierInterface`** (impl legacy crée la `Notification`) |
+| Nom/ID du module | back `ProjectManagement` / front `project-management` / ID `project_management` |
+
+## 2. Garde-fous Starseed retenus pour #56
+
+Repris : `declare(strict_types=1)`, `src/Module/<X>/{Domain,Application,Infrastructure}`, `Shared/Domain/Contract` + `resolve_target_entities` (zéro import inter-modules), `config/modules.php` + `config/sidebar.php`, endpoints `/api/modules` + `/api/sidebar` + `/api/version`, `TimestampableBlamableTrait` + subscriber, pagination obligatoire, `COMMENT ON COLUMN` (helper `ColumnCommentsCatalog`), front layers auto-détectés + `useSidebar`/`useModules` + `auth.global.ts`/`modules.global.ts`.
+
+Reportés (hors #56) : **infra d'audit** (`#[Auditable]`/`#[AuditIgnore]`, table `audit_log`, listener, resource) → ticket dédié. **RBAC fin** (`module.resource.action`) → #57 ; en #56 la sidebar filtre **par module actif** (au plus un gate `ROLE_ADMIN`).
+
+## 3. Backend — arborescence cible
+
+```
+src/Shared/
+├── Domain/
+│   ├── Contract/        UserInterface, UserResolverInterface, ClientInterface, NotifierInterface
+│   ├── Event/           DomainEventInterface
+│   └── Trait/           TimestampableBlamableTrait
+├── Infrastructure/
+│   ├── Doctrine/        TimestampableBlamableSubscriber
+│   ├── Database/        ColumnCommentsCatalog (helper COMMENT ON COLUMN + 4 colonnes std)
+│   └── ApiPlatform/
+│       ├── Resource/    ModulesResource, SidebarResource
+│       └── State/       ModulesProvider, SidebarProvider
+│
+src/Module/ProjectManagement/
+├── ProjectManagementModule.php   ID='project_management', LABEL='Projets', REQUIRED=false, permissions()=[] (stub, RBAC réel #57)
+├── Domain/
+│   ├── Entity/          Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort,
+│   │                    TaskPriority, TaskTag, TaskRecurrence, TaskDocument
+│   └── Repository/      *RepositoryInterface (une interface par agrégat consommé)
+├── Application/         RecurrenceCalculator/RecurrenceHandler + services task-centric déplacés
+└── Infrastructure/
+    ├── Doctrine/        Doctrine*Repository + Migrations/ (additif Timestampable)
+    ├── ApiPlatform/     State/Provider + State/Processor déplacés (TaskNumber, TaskCalendar,
+    │                    TaskDocument*, SwitchProjectWorkflow, WorkflowDelete, ActiveTimeEntry resté legacy…)
+    └── Mcp/Tool/        MCP tools Project/, Task/, TaskMeta/, Workflow/ déplacés
+```
+
+`src/Entity/` conserve **intacts** : `User`, `Client`, `Notification`, `TimeEntry`, `AbsenceRequest`/`AbsencePolicy`/`AbsenceBalance`, `Mail*`, `Gitea*`/`BookStack*`/`Zimbra*`/`Share*Configuration`. Ces domaines seront modularisés dans des tickets ultérieurs.
+
+> **Note de découpage** : `TimeEntry` reste legacy en #56 (domaine Time tracking séparé). Le lien `Task ↔ TimeEntry` est porté côté `TimeEntry` (FK nullable vers la table `task`) ; aucune contrainte ne casse car la table `task` ne change pas de nom.
+
+## 4. Câblage des dépendances (zéro import inter-modules)
+
+1. Interfaces dans `src/Shared/Domain/Contract/` :
+   - `UserInterface` (id + identifiants nécessaires aux entités du module : assignee, collaborators, createdBy/updatedBy),
+   - `ClientInterface` (id + nom, pour `Project.client`),
+   - `UserResolverInterface` (résoudre un user par id, pour les State/MCP du module),
+   - `NotifierInterface` (créer une notification — impl legacy).
+2. Les entités du module **type-hintent les interfaces**, jamais `App\Entity\*`.
+3. `config/packages/doctrine.yaml → orm.resolve_target_entities` :
+   ```yaml
+   resolve_target_entities:
+       App\Shared\Domain\Contract\UserInterface:   App\Entity\User
+       App\Shared\Domain\Contract\ClientInterface: App\Entity\Client
+   ```
+4. `App\Entity\User` `implements UserInterface`, `App\Entity\Client` `implements ClientInterface` (legacy modifié à minima, additif).
+5. Notifications : `App\Module\ProjectManagement\…` appelle `NotifierInterface` ; impl `App\…\LegacyNotifier` (wrappe le `NotificationService` actuel). Le `TaskNotificationListener` est déplacé/adapté pour passer par le contrat.
+
+## 5. Config backend (toutes additives)
+
+- **`doctrine.yaml`** — ajouter un mapping module (garder `App → src/Entity`) :
+  ```yaml
+  mappings:
+      App: { type: attribute, is_bundle: false, dir: '%kernel.project_dir%/src/Entity', prefix: 'App\Entity', alias: App }
+      ProjectManagement:
+          type: attribute
+          is_bundle: false
+          dir: '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+          prefix: 'App\Module\ProjectManagement\Domain\Entity'
+  ```
+  Les entités déplacées **gardent leur `#[ORM\Table(name: '…')]` actuel** (table inchangée → aucune donnée déplacée). `#[ORM\Entity(repositoryClass: DoctrineXxxRepository::class)]` mis à jour vers la nouvelle classe.
+- **`doctrine_migrations.yaml`** — ajouter le namespace module (garder `DoctrineMigrations`) :
+  ```yaml
+  migrations_paths:
+      DoctrineMigrations: '%kernel.project_dir%/migrations'
+      'App\Module\ProjectManagement\Infrastructure\Doctrine\Migrations': '%kernel.project_dir%/src/Module/ProjectManagement/Infrastructure/Doctrine/Migrations'
+  ```
+  > ⚠️ Doctrine Migrations trie par FQCN entre namespaces : le legacy `DoctrineMigrations` (setup initial) passe avant les migrations modulaires sur base vide. Sur la prod déjà migrée, seules les **nouvelles** migrations additives s'appliquent → pas d'impact d'ordre.
+- **`api_platform.yaml`** — déclarer les chemins de mapping (entités + resources legacy **et** module) pour que les `#[ApiResource]` du pilote restent découverts :
+  ```yaml
+  mapping:
+      paths:
+          - '%kernel.project_dir%/src/Entity'
+          - '%kernel.project_dir%/src/ApiResource'
+          - '%kernel.project_dir%/src/Shared/Infrastructure/ApiPlatform/Resource'
+          - '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+  ```
+- **`services.yaml`** — mettre à jour les FQCN explicites déplacés : `App\EventListener\TaskDocumentListener`, `App\State\TaskDocumentProcessor`, `App\Controller\TaskDocumentDownloadController`, `App\Mcp\Tool\Task\AddTaskDocumentTool`, `App\Mcp\Tool\Task\UpdateTaskDocumentTool` → nouveaux namespaces module. Le glob `App\: '../src/'` continue d'autowire les classes déplacées.
+
+## 6. Garde-fous portés dans #56
+
+- **TimestampableBlamable** : trait `Shared/Domain/Trait/TimestampableBlamableTrait` (4 colonnes `created_at`, `updated_at`, `created_by`, `updated_by` — toutes **nullable**), rempli par `TimestampableBlamableSubscriber` (prePersist/preUpdate). Appliqué aux entités du pilote → **1 migration additive** par table concernée, avec `COMMENT ON COLUMN` via `ColumnCommentsCatalog::addStandardTimestampableBlamableComments()`.
+- **Pagination** : conserver le standard API Platform actuel (les collections du pilote restent paginées comme aujourd'hui).
+- **`COMMENT ON COLUMN`** : appliqué sur les colonnes ajoutées par #56 (pas de rétro-commentaire forcé sur le legacy).
+
+## 7. Endpoints modules / sidebar / version
+
+- `GET /api/modules` (public) — `ModulesResource` + `ModulesProvider` lisant `config/modules.php` (renvoie `{ modules: ["project_management", …] }`).
+- `GET /api/sidebar` (auth) — `SidebarResource` + `SidebarProvider` lisant `config/sidebar.php` ; filtrage **par module actif** (item `module` absent de la liste active → masqué + route ajoutée à `disabledRoutes`) ; gate de section optionnel `ROLE_ADMIN`. Le filtrage par **permissions fines** est explicitement reporté à #57.
+- `GET /api/version` — **déjà présent** (`AppVersion`) ; vérifier le format `{ version }`, ré-aligner si besoin (déplacement optionnel vers `Shared/`).
+- `config/modules.php` : `return [ ProjectManagementModule::class ];` (Core viendra plus tard ; pas de module REQUIRED bloquant en #56).
+- `config/sidebar.php` : sections « Projets » / « Mes tâches » avec `module => 'project_management'` ; les entrées des domaines encore legacy (Time tracking, Absences, Mail, Admin…) listées **sans** clé `module` (donc toujours visibles) pour ne rien masquer.
+
+## 8. Frontend — câblage + pilote en layer (sans relooking)
+
+```
+frontend/app/
+├── layouts/default.vue            shell : sidebar (depuis /api/sidebar) + main
+├── middleware/auth.global.ts      protège routes, charge sidebar+modules après login
+└── middleware/modules.global.ts   redirige si route ∈ disabledRoutes
+frontend/shared/
+├── composables/  useApi (déplacé), useSidebar, useModules, + existants réutilisés
+├── stores/       auth, ui, timer (timer reste partagé : Time tracking encore legacy)
+├── utils/        api.ts (extractHydraMembers/fetchAllHydra), …
+└── types/
+frontend/modules/project-management/
+├── nuxt.config.ts                 defineNuxtConfig({})
+├── pages/        my-tasks.vue, projects/index.vue, projects/[id]/*  (déplacés tels quels)
+├── components/   task/*, project/*  (déplacés)
+├── services/     tasks.ts, projects.ts, task-*.ts, workflows.ts (déplacés)
+└── stores/       (si spécifiques au domaine)
+```
+
+- **`nuxt.config.ts`** : auto-détection des layers `modules/*/` (scan `readdirSync` comme Starseed) ajoutés à `extends`, + dirs d'auto-import des composables/stores par layer. `extends: ['@malio/layer-ui']` conservé en tête.
+- **`useSidebar`/`useModules`** : état singleton, `loadSidebar()`/`loadModules()` appelés dans `auth.global.ts`, `reset*()` au logout.
+- **`modules.global.ts`** : `isRouteDisabled(to.path)` → `navigateTo('/')`.
+- **Migration des pages** : déplacement **sans réécriture visuelle** ; les pages des autres domaines (time-tracking, absences, mail, admin, profile…) **restent dans `frontend/pages/`** (legacy) tant que leurs modules ne sont pas migrés. Nuxt fusionne les routes du shell + des layers → cohabitation transparente.
+
+> Point de vigilance front : vérifier que la cohabitation `frontend/pages/` (legacy) + `frontend/modules/*/pages/` (layer) ne crée pas de collision de routes ; `my-tasks`/`projects` sont déplacés **et retirés** de `frontend/pages/` pour éviter le doublon.
+
+## 9. Plan strangler (ordre d'exécution — app verte à chaque palier)
+
+1. **Shared/ + garde-fous** : trait, subscriber, `ColumnCommentsCatalog`. Neutre (rien ne les consomme encore).
+2. **Endpoints modules/sidebar** + `config/modules.php` + `config/sidebar.php` (toutes entrées legacy sans `module` → rien masqué). Additif.
+3. **Contrats `Shared/Domain/Contract`** + `resolve_target_entities` + `User`/`Client` `implements …Interface`. Neutre.
+4. **Déplacement back du module** ProjectManagement (entités → Domain/Entity, repos → Infra/Doctrine + interfaces Domain, State, MCP) + mises à jour `doctrine.yaml`/`api_platform.yaml`/`doctrine_migrations.yaml`/`services.yaml`. **`make test` vert.**
+5. **Migration additive Timestampable** sur les tables du pilote (+ `COMMENT ON COLUMN`).
+6. **Front shell** : `app/` + `shared/` + middlewares + auto-détection `nuxt.config.ts`. App encore en pages plates.
+7. **Déplacement front du pilote** vers `modules/project-management/` (pages/components/services), retrait des doublons de `frontend/pages/`.
+8. **Vérification bout-en-bout** : commenter `ProjectManagementModule::class` dans `config/modules.php` → `/api/modules` ne le liste plus, `/api/sidebar` masque ses entrées + peuple `disabledRoutes`, le front redirige `/my-tasks`→`/`. Décommenter → tout revient. Documenter le test.
+
+## 10. Critères d'acceptation (repris du ticket, raffinés)
+
+- [ ] `src/Shared/` + `src/Module/ProjectManagement/{Domain,Application,Infrastructure}` en place.
+- [ ] `/api/modules`, `/api/sidebar` fonctionnels ; `/api/version` aligné.
+- [ ] Aucun import direct `App\Entity\User`/`Client` depuis le module (contrats + `resolve_target_entities`).
+- [ ] Front : layers `frontend/modules/*/` auto-détectés ; `useSidebar`/`useModules` + `auth.global.ts`/`modules.global.ts` opérationnels ; pilote migré sans régression visuelle.
+- [ ] Garde-fous : TimestampableBlamable (migration additive + `COMMENT ON COLUMN`) ; pagination conservée. **Audit explicitement hors périmètre** (ticket dédié).
+- [ ] `make test` vert ; activation/désactivation du module validée de bout en bout.
+- [ ] Aucune migration destructive ; prod déployable sans perte.
+
+## 11. Risques & points de vigilance
+
+- **Prod peuplée** : seules migrations additives nullable. `created_by`/`updated_by` non backfillés (historique) — conforme Starseed.
+- **Changement de namespace des entités** : sans impact DB (Doctrine mappe par table). Vérifier qu'aucun code legacy ne référence en dur `App\Entity\Task` etc. → grep + remplacement (le pilote tire Task/Project, consommés par TimeEntry/Mail/BookStack links restés legacy : ces liens passeront par les contrats ou un type-hint relâché).
+- **Collision de routes front** legacy vs layer (cf. §8).
+- **MCP tools** (spécificité Lesstime) : déplacés sous `Module/*/Infrastructure/Mcp/` ; confirmer que `McpSchemaGeneratorPass` les redécouvre (scan `src/`).
+- **`auto_mapping: true`** : valider que l'ajout d'un mapping explicite ne perturbe pas la résolution (sinon désactiver `auto_mapping` et lister explicitement).
+
+## 12. Suite
+
+- Ticket **audit** dédié à créer (infra `#[Auditable]` + `audit_log` + listener + resource), prérequis souple de #57.
+- #57 RBAC fin (permissions `module.resource.action`, sidebar filtrée par permission).
+- #58 Répertoire (Clients/Prospects), #59 Reporting, #60 Refonte front Malio.
diff --git a/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md b/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md
new file mode 100644
index 0000000..bfd5fd5
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-19-migration-modular-monolith-roadmap.md
@@ -0,0 +1,161 @@
+# Roadmap — Migration Lesstime → modular monolith DDD (archi Starseed)
+
+> Plan de migration **complet** validé le 2026-06-19. Référence architecture : repo **Starseed**
+> (`.claude/rules/*.md` + implémentation réelle). Détail technique du socle : voir
+> `2026-06-19-lst-56-modular-monolith-design.md`.
+
+## Principes directeurs
+
+- **Strangler progressif** : legacy (`src/Entity/…`) et modules (`src/Module/…`) coexistent ; l'app
+  reste fonctionnelle et `make test` vert à **chaque** merge. Aucune migration destructive (prod Docker, BDD peuplée → migrations **additives nullable** uniquement).
+- **DDD pragmatique** (= Starseed réel) : ORM attrs dans l'entité Domain, Repository interface (Domain)
+  + impl Doctrine (Infra), Provider/Processor API Platform, contrats `Shared/Domain/Contract` pour le
+  cross-module. **Pas de CQRS bus, pas de multi-tenant.**
+- **Tranches verticales** : chaque module de Phase 2 est livré **back + front (layer Malio) + MCP**
+  d'un coup → fonctionnel de bout en bout à son merge. L'ancienne idée d'un « ticket refonte front »
+  global est dissoute : chaque module arrive déjà en Malio ; un ticket de finition harmonise à la fin.
+- **Ordre par dépendances** : socle → Core (identité/RBAC/audit) → modules métier → transverse/finition.
+- **Zéro import inter-modules** : interfaces `Shared/Domain/Contract` + `resolve_target_entities`,
+  ou domain events / contrat `NotifierInterface`.
+
+## Garde-fous Starseed (appliqués à chaque entité migrée)
+
+`declare(strict_types=1)` · `TimestampableBlamableTrait` (4 colonnes nullable) + subscriber ·
+pagination obligatoire · `COMMENT ON COLUMN` (helper `ColumnCommentsCatalog`) ·
+`#[Auditable]`/`#[AuditIgnore]` (dès que 1.3 est livré) · front `Malio*` + `usePaginatedList` +
+`useFormErrors` · RBAC `module.resource.action` (dès 1.2).
+
+---
+
+## Phase 0 — Socle (fondations, ne touche aucun métier)
+
+### 0.1 · Socle back — infrastructure modulaire  *(réécrit depuis #56)*
+**Dépend de** : —
+`src/Shared/Domain/Contract/` (UserInterface, UserResolverInterface, ClientInterface, NotifierInterface),
+`Shared/Domain/Event/DomainEventInterface`, `Shared/Domain/Trait/TimestampableBlamableTrait`,
+`Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber`,
+`Shared/Infrastructure/Database/ColumnCommentsCatalog`,
+`Shared/Infrastructure/ApiPlatform/{Resource,State}` (`ModulesResource`/`ModulesProvider`,
+`SidebarResource`/`SidebarProvider`), `config/modules.php`, `config/sidebar.php`, `/api/version` aligné.
+Config additive : mapping Doctrine module prêt, `migrations_paths` modulaire, `api_platform.mapping.paths`.
+**AC** : `/api/modules` + `/api/sidebar` répondent ; app verte ; aucune migration destructive.
+
+### 0.2 · Socle front — shell + auto-détection des layers
+**Dépend de** : 0.1
+`frontend/app/` (shell `layouts/default.vue`), `frontend/shared/` (`useApi` déplacé, `useSidebar`,
+`useModules`, stores), middlewares `auth.global.ts` + `modules.global.ts`, auto-détection des layers
+`modules/*/` dans `nuxt.config.ts`. **Aucune page métier déplacée** (app encore plate).
+**AC** : sidebar dynamique depuis `/api/sidebar` ; routes désactivées redirigées ; app verte.
+
+---
+
+## Phase 1 — Module Core (identité, sécurité, traçabilité — transverse)
+
+### 1.1 · Core — Identité & Notifications
+**Dépend de** : 0.1, 0.2
+Migrer `User` + Auth/JWT dans `src/Module/Core/` (Domain/Entity, Repository interface + Doctrine impl,
+`MeProvider`, password hasher), `User implements UserInterface`, `resolve_target_entities → Core\User`.
+`Notification` exposée via `NotifierInterface`. `CoreModule.php` (**REQUIRED=true**). Front : layer
+`modules/core/` (login, profile, admin users).
+**AC** : login/JWT OK ; app verte ; aucun import direct `App\Entity\User` hors Core.
+
+### 1.2 · RBAC fin  *(réécrit depuis #57)*
+**Dépend de** : 1.1
+`Role`/`Permission`, `permissions()` par module, commande `app:sync-permissions`, `PermissionVoter`,
+`SidebarProvider` filtrant **par permission** (en plus du module actif), seed RBAC. Front : gestion des
+rôles + `usePermissions`.
+**AC** : permissions `module.resource.action` ; sidebar gated par permission.
+
+### 1.3 · Audit log  *(réécrit depuis #61)*
+**Dépend de** : 1.1
+`#[Auditable]`/`#[AuditIgnore]` (`Shared/Domain/Attribute`), table `audit_log` (migration additive +
+`COMMENT ON COLUMN`), `AuditListener`/`AuditLogWriter`/`RequestIdProvider`, `AuditLogResource` +
+`/api/audit-logs` paginé/filtrable, page front + labels i18n `audit.entity.*`.
+**AC** : CRUD des entités `#[Auditable]` tracé ; endpoint paginé ; aucune migration destructive.
+
+---
+
+## Phase 2 — Modules métier (tranches verticales back + front + MCP, strangler)
+
+### 2.1 · Module TimeTracking  *(premier module — rodage)*
+**Dépend de** : 1.1
+Migrer `TimeEntry` → `src/Module/TimeTracking/` (Domain/Entity, repo, `ActiveTimeEntryProvider`,
+`TimeEntryExportService`/controller, MCP TimeEntry tools), front layer `modules/time-tracking/`
+(`time-tracking.vue`, components, services, store `timer`). Timestampable additif. **Rode toute la
+mécanique modulaire à risque quasi nul.**
+**AC** : time tracking fonctionnel en module ; activation/désactivation testée ; app verte.
+
+### 2.2 · Module ProjectManagement  *(cœur métier — réécrit depuis #56 pilote)*
+**Dépend de** : 2.1, 1.1
+`Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort, TaskPriority, TaskTag, TaskRecurrence,
+TaskDocument` → `src/Module/ProjectManagement/` (vertical back + MCP Task/Project/TaskMeta/Workflow +
+front layer `modules/project-management/`). User/Client via contrats (Client encore legacy jusqu'à 2.4).
+Notifications via `NotifierInterface`. `#[ApiResource]` conservés (étendre le scan). Timestampable additif.
+**AC** : cœur en module sans régression API ; app verte.
+
+### 2.3 · Module Absence
+**Dépend de** : 1.1
+`AbsenceRequest/AbsencePolicy/AbsenceBalance` + services (`AbsenceBalanceService`, `AbsenceDayCalculator`,
+`PublicHolidayProvider`) + controllers (calendar, preview, justificatif) + MCP absence tools →
+`src/Module/Absence/`, front layer `modules/absence/`.
+**AC** : module absences complet ; app verte.
+
+### 2.4 · Module Directory — Clients + Prospects  *(réécrit depuis #58)*
+**Dépend de** : 1.1 (et après 2.2 qui référence Client via contrat)
+`Client` → `src/Module/Directory/` + nouvelle entité `Prospect`. L'impl de `ClientInterface` migre du
+legacy vers le module (`resolve_target_entities` mis à jour). Front répertoire (clients + prospects).
+**AC** : Clients + Prospects en module ; contrats à jour ; app verte.
+
+### 2.5 · Module Mail
+**Dépend de** : 1.1, 2.2 (TaskMailLink → Task)
+`Mail*` + `TaskMailLink` + `MailSyncService` + controllers + settings → `src/Module/Mail/`, front layer.
+Intègre le WIP `feat/mail-integration`.
+**AC** : mail en module ; app verte.
+
+### 2.6 · Module Integration — Gitea / BookStack / Zimbra / Share
+**Dépend de** : 1.1, 2.2 (liens Task)
+Configs + services API (`GiteaApiService`, `BookStackApiService`, `CalDavService`, Share) + controllers +
+liens → `src/Module/Integration/`, front (onglets admin + sections task).
+**AC** : intégrations en module ; app verte.
+
+---
+
+## Phase 3 — Transverse & finition
+
+### 3.1 · Module Reporting  *(réécrit depuis #59)*
+**Dépend de** : Phase 2 (consomme les modules)
+Reporting natif transverse (agrège time tracking, tâches, absences) via contrats / API. Module
+`src/Module/Reporting/` + front.
+**AC** : rapports natifs ; aucune dépendance directe inter-modules.
+
+### 3.2 · Module Portail client
+**Dépend de** : 1.1, 2.2, 2.4
+Portail client (accès restreint), module `src/Module/ClientPortal/` + front layer + RBAC dédié.
+**AC** : portail fonctionnel ; gated RBAC.
+
+### 3.3 · Finition Malio + nettoyage legacy  *(réécrit depuis #60)*
+**Dépend de** : tout
+Harmonisation visuelle Malio finale, **vidage de `src/Entity/` legacy résiduel**, suppression du mapping
+Doctrine legacy + des pages plates `frontend/pages/` résiduelles, durcissement `resolve_target_entities`.
+**AC** : `src/Entity` vide ; 100 % modulaire ; app verte ; aucune route/legacy orpheline.
+
+---
+
+## Ordre d'exécution recommandé
+
+`0.1 → 0.2 → 1.1 → 1.2 → 1.3 → 2.1 → 2.2 → 2.3 → 2.4 → 2.5 → 2.6 → 3.1 → 3.2 → 3.3`
+
+Les tickets 1.2 et 1.3 peuvent se paralléliser après 1.1. Les modules 2.3 (Absence) et 2.4 (Directory)
+peuvent se paralléliser après 2.2. Mail (2.5) et Integration (2.6) suivent 2.2.
+
+## Mapping avec les tickets Lesstime existants
+
+| Ancien | Devient |
+|--------|---------|
+| #56 (1/5 Aligner archi) | **0.1 Socle back** (le reste éclaté en 0.2 + 2.2) |
+| #57 (2/5 RBAC) | **1.2 RBAC fin** |
+| #58 (3/5 Répertoire) | **2.4 Directory** |
+| #59 (4/5 Reporting) | **3.1 Reporting** |
+| #60 (5/5 Front Malio) | **3.3 Finition Malio + nettoyage** (le front se fait par module) |
+| #61 (Audit) | **1.3 Audit log** |
+| *(créés)* | 0.2, 1.1, 2.1, 2.2, 2.3, 2.5, 2.6, 3.2 |
-- 
2.39.5


From 2d0e9de15551334afb0324f758742f91adc1cc36 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 10:56:27 +0200
Subject: [PATCH 02/99] docs : add implementation plan for socle back (LST-56 /
 0.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Plan TDD en 4 tâches : endpoints /api/modules et /api/sidebar, garde-fou Timestampable/Blamable, helper ColumnCommentsCatalog.
---
 .../plans/2026-06-19-lst-56-socle-back.md     | 1155 +++++++++++++++++
 1 file changed, 1155 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-56-socle-back.md

diff --git a/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md b/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md
new file mode 100644
index 0000000..472349e
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-56-socle-back.md
@@ -0,0 +1,1155 @@
+# LST-56 (0.1) — Socle back modular monolith — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Poser l'infrastructure backend d'un modular monolith DDD (endpoints `/api/modules` + `/api/sidebar`, registre de modules, garde-fous Timestampable/Blamable, helper de commentaires SQL) sans toucher au métier existant.
+
+**Architecture:** On ajoute un noyau `src/Shared/` (Domain/Contract, Domain/Trait, Infrastructure/ApiPlatform, Infrastructure/Doctrine, Infrastructure/Database). La logique métier (filtrage sidebar, extraction des IDs de modules, estampillage) est isolée dans des classes **pures** testées unitairement ; des Providers API Platform minces les exposent en HTTP. Aucune entité existante n'est déplacée. Strangler : 100 % additif.
+
+**Tech Stack:** PHP 8.4, Symfony 8, API Platform 4, Doctrine ORM, PostgreSQL 16, PHPUnit 13.
+
+## Global Constraints
+
+- `declare(strict_types=1);` en tête de **tout** fichier PHP.
+- Migrations **additives nullable uniquement** — aucun `DROP`, aucun `NOT NULL` rétroactif (prod Docker, BDD peuplée).
+- **Zéro import inter-modules** : passer par `src/Shared/Domain/Contract/` ou domain events.
+- Toute `GetCollection` reste **paginée** (pas concerné dans ce lot, aucune collection ajoutée).
+- Toute colonne créée porte un `COMMENT ON COLUMN` (FR, ≤200 chars).
+- PostgreSQL : noms de colonnes en **minuscules** dans le SQL brut.
+- Commits : format `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude.
+- Tests : exécution via `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit …`.
+
+**Définitions différées (hors 0.1, ne PAS implémenter ici) :** mappings Doctrine de module + `migrations_paths` modulaire + `api_platform.mapping.paths` (arrivent avec le 1er module à entités, ticket 1.1). Filtrage sidebar **par permission** (ticket 1.2). `#[Auditable]` (ticket 1.3).
+
+---
+
+### Task 1: Endpoint `GET /api/modules` + registre de modules
+
+**Files:**
+- Create: `src/Shared/Domain/Module/ModuleInterface.php`
+- Create: `src/Shared/Domain/Module/ModuleRegistry.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php`
+- Create: `config/modules.php`
+- Modify: `config/packages/security.yaml` (access_control, rendre `/api/modules` public)
+- Test: `tests/Unit/Shared/Module/ModuleRegistryTest.php`
+- Test: `tests/Functional/Shared/ModulesEndpointTest.php`
+
+**Interfaces:**
+- Produces:
+  - `interface ModuleInterface { public static function id(): string; public static function label(): string; public static function isRequired(): bool; /** @return list<array{code: string, label: string}> */ public static function permissions(): array; }`
+  - `ModuleRegistry::ids(array $moduleClasses): array` → `list<string>` (les `id()` des classes implémentant `ModuleInterface`, ignore les autres).
+  - `config/modules.php` retourne `list<class-string<ModuleInterface>>` (vide en 0.1).
+
+- [ ] **Step 1: Write the failing unit test for ModuleRegistry**
+
+Create `tests/Unit/Shared/Module/ModuleRegistryTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Shared\Domain\Module\ModuleInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryTest extends TestCase
+{
+    public function testIdsExtractsDeclaredModuleIds(): void
+    {
+        $classes = [FakeAlphaModule::class, FakeBetaModule::class];
+
+        self::assertSame(['alpha', 'beta'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsIgnoresClassesNotImplementingModuleInterface(): void
+    {
+        $classes = [FakeAlphaModule::class, \stdClass::class];
+
+        self::assertSame(['alpha'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsReturnsEmptyArrayForNoModules(): void
+    {
+        self::assertSame([], ModuleRegistry::ids([]));
+    }
+}
+
+final class FakeAlphaModule implements ModuleInterface
+{
+    public static function id(): string { return 'alpha'; }
+    public static function label(): string { return 'Alpha'; }
+    public static function isRequired(): bool { return false; }
+    public static function permissions(): array { return []; }
+}
+
+final class FakeBetaModule implements ModuleInterface
+{
+    public static function id(): string { return 'beta'; }
+    public static function label(): string { return 'Beta'; }
+    public static function isRequired(): bool { return true; }
+    public static function permissions(): array { return []; }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryTest.php`
+Expected: FAIL — `Class "App\Shared\Domain\Module\ModuleInterface" not found`.
+
+- [ ] **Step 3: Create `ModuleInterface`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+/**
+ * Implemented by every `*Module` declaration class. The set of active modules
+ * is listed in config/modules.php and exposed via GET /api/modules.
+ */
+interface ModuleInterface
+{
+    public static function id(): string;
+
+    public static function label(): string;
+
+    public static function isRequired(): bool;
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array;
+}
+```
+
+- [ ] **Step 4: Create `ModuleRegistry`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+final class ModuleRegistry
+{
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<string>
+     */
+    public static function ids(array $moduleClasses): array
+    {
+        $ids = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (is_a($moduleClass, ModuleInterface::class, true)) {
+                $ids[] = $moduleClass::id();
+            }
+        }
+
+        return $ids;
+    }
+}
+```
+
+- [ ] **Step 5: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 6: Create `config/modules.php`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
+ * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
+ */
+return [
+    // Aucun module pour l'instant — les modules arrivent à partir du ticket 1.1 (Core).
+];
+```
+
+- [ ] **Step 7: Create `ModulesResource` and `ModulesProvider`**
+
+`src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\ModulesProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/modules',
+            normalizationContext: ['groups' => ['modules:read']],
+            provider: ModulesProvider::class,
+        ),
+    ],
+)]
+final class ModulesResource
+{
+    /**
+     * @var list<string>
+     */
+    #[Groups(['modules:read'])]
+    public array $modules = [];
+}
+```
+
+`src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Infrastructure\ApiPlatform\Resource\ModulesResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class ModulesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ModulesResource
+    {
+        /** @var list<class-string> $classes */
+        $classes = require $this->projectDir.'/config/modules.php';
+
+        $dto          = new ModulesResource();
+        $dto->modules = ModuleRegistry::ids($classes);
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 8: Make `/api/modules` public in `security.yaml`**
+
+In `config/packages/security.yaml`, under `access_control`, add the rule **immediately after** the `^/api/version` line (order matters — only the first matching rule applies):
+
+```yaml
+        # Liste des modules actifs en public (consommée au boot du front)
+        - { path: ^/api/modules, roles: PUBLIC_ACCESS, methods: [ GET ] }
+```
+
+- [ ] **Step 9: Write the failing functional test**
+
+Create `tests/Functional/Shared/ModulesEndpointTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ModulesEndpointTest extends WebTestCase
+{
+    public function testModulesEndpointIsPublicAndReturnsModulesKey(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('modules', $data);
+        self::assertIsArray($data['modules']);
+    }
+}
+```
+
+- [ ] **Step 10: Run the functional test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Shared/ModulesEndpointTest.php`
+Expected: PASS. (If FAIL with 404, confirm API Platform discovers `src/Shared/Infrastructure/ApiPlatform/Resource` — the default API Platform path config in API Platform 4 scans `src/ApiResource` + `src/Entity` only; if 404 persists, add `mapping.paths` for the Shared Resource dir in `config/packages/api_platform.yaml` and re-run. This is the one allowed config touch in Task 1.)
+
+- [ ] **Step 11: Commit**
+
+```bash
+git add src/Shared/Domain/Module config/modules.php src/Shared/Infrastructure/ApiPlatform config/packages/security.yaml config/packages/api_platform.yaml tests/Unit/Shared/Module tests/Functional/Shared/ModulesEndpointTest.php
+git commit -m "feat(modules) : expose GET /api/modules and module registry"
+```
+
+---
+
+### Task 2: Endpoint `GET /api/sidebar` + filtre par module actif
+
+**Files:**
+- Create: `src/Shared/Domain/Sidebar/SidebarFilter.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php`
+- Create: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php`
+- Create: `config/sidebar.php`
+- Test: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+- Test: `tests/Functional/Shared/SidebarEndpointTest.php`
+
+**Interfaces:**
+- Consumes: `ModuleRegistry::ids()` (Task 1), `config/modules.php` (Task 1).
+- Produces:
+  - `SidebarFilter::filter(array $sections, array $activeModuleIds): array` → `array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}`. Règle : un item portant `module` absent de `$activeModuleIds` est masqué et son `to` ajouté à `disabledRoutes` ; une section vidée de tous ses items est supprimée ; les clés internes (`module`) sont retirées de la sortie.
+  - `config/sidebar.php` retourne `list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}>`.
+
+- [ ] **Step 1: Write the failing unit test for SidebarFilter**
+
+Create `tests/Unit/Shared/Sidebar/SidebarFilterTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: FAIL — `Class "App\Shared\Domain\Sidebar\SidebarFilter" not found`.
+
+- [ ] **Step 3: Create `SidebarFilter`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sections
+     * @param list<string>                                                                                                     $activeModuleIds
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            $items = [];
+            foreach ($section['items'] as $item) {
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+}
+```
+
+- [ ] **Step 4: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Create `config/sidebar.php`**
+
+Toutes les entrées actuelles sont **sans clé `module`** (donc visibles) ; les futurs modules ajouteront leur `module`. Labels = clés i18n.
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items). Filtrée par SidebarFilter selon les modules actifs.
+ * Un item porte une clé `module` quand il appartient à un module activable ; sans clé, il est toujours visible.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:checkbox-marked-circle-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-multiple-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:clock-outline'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.hr.section',
+        'icon'  => 'mdi:calendar-account-outline',
+        'items' => [
+            ['label' => 'sidebar.hr.absences', 'to' => '/absences', 'icon' => 'mdi:calendar-remove-outline'],
+            ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group-outline'],
+        ],
+    ],
+];
+```
+
+- [ ] **Step 6: Create `SidebarResource` and `SidebarProvider`**
+
+`src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\SidebarProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/sidebar',
+            normalizationContext: ['groups' => ['sidebar:read']],
+            provider: SidebarProvider::class,
+        ),
+    ],
+)]
+final class SidebarResource
+{
+    /**
+     * @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $sections = [];
+
+    /**
+     * @var list<string>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $disabledRoutes = [];
+}
+```
+
+`src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+        /** @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses));
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 7: Write the failing functional test**
+
+Create `tests/Functional/Shared/SidebarEndpointTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client    = static::createClient();
+        $container = static::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+}
+```
+
+- [ ] **Step 8: Run the functional test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Shared/SidebarEndpointTest.php`
+Expected: PASS (2 tests).
+
+- [ ] **Step 9: Commit**
+
+```bash
+git add src/Shared/Domain/Sidebar src/Shared/Infrastructure/ApiPlatform config/sidebar.php tests/Unit/Shared/Sidebar tests/Functional/Shared/SidebarEndpointTest.php
+git commit -m "feat(sidebar) : expose GET /api/sidebar filtered by active modules"
+```
+
+---
+
+### Task 3: Garde-fou Timestampable / Blamable (trait + subscriber)
+
+**Files:**
+- Create: `src/Shared/Domain/Contract/UserInterface.php`
+- Create: `src/Shared/Domain/Contract/TimestampableInterface.php`
+- Create: `src/Shared/Domain/Contract/BlamableInterface.php`
+- Create: `src/Shared/Application/CurrentUserProviderInterface.php`
+- Create: `src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php`
+- Create: `src/Shared/Domain/Trait/TimestampableBlamableTrait.php`
+- Create: `src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php`
+- Modify: `src/Entity/User.php` (implement `UserInterface`)
+- Modify: `config/packages/doctrine.yaml` (`resolve_target_entities`)
+- Test: `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+
+**Interfaces:**
+- Produces:
+  - `interface UserInterface { public function getId(): ?int; }`
+  - `interface TimestampableInterface { public function getCreatedAt(): ?\DateTimeImmutable; public function setCreatedAt(\DateTimeImmutable $createdAt): void; public function getUpdatedAt(): ?\DateTimeImmutable; public function setUpdatedAt(\DateTimeImmutable $updatedAt): void; }`
+  - `interface BlamableInterface { public function getCreatedBy(): ?UserInterface; public function setCreatedBy(?UserInterface $user): void; public function getUpdatedBy(): ?UserInterface; public function setUpdatedBy(?UserInterface $user): void; }`
+  - `interface CurrentUserProviderInterface { public function getCurrentUser(): ?UserInterface; }`
+  - `TimestampableBlamableSubscriber::applyOnCreate(object $entity): void` and `::applyOnUpdate(object $entity): void` — pure-ish entry points used by the unit test; the Doctrine hooks delegate to them.
+
+> **Note (strangler):** en 0.1 le trait/subscriber n'est encore appliqué à **aucune** entité (les entités restent legacy). Le contrat `UserInterface` est mappé sur `App\Entity\User` via `resolve_target_entities` ; il sera re-pointé vers `App\Module\Core\Domain\Entity\User` au ticket 1.1.
+
+- [ ] **Step 1: Write the failing unit test for the subscriber**
+
+Create `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class TimestampableBlamableSubscriberTest extends TestCase
+{
+    public function testApplyOnCreateSetsTimestampsAndAuthor(): void
+    {
+        $user       = $this->makeUser(7);
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning($user));
+        $entity     = $this->makeEntity();
+
+        $subscriber->applyOnCreate($entity);
+
+        self::assertInstanceOf(\DateTimeImmutable::class, $entity->getCreatedAt());
+        self::assertInstanceOf(\DateTimeImmutable::class, $entity->getUpdatedAt());
+        self::assertSame($user, $entity->getCreatedBy());
+        self::assertSame($user, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnUpdateLeavesCreatedUntouched(): void
+    {
+        $creator    = $this->makeUser(1);
+        $editor     = $this->makeUser(2);
+        $entity     = $this->makeEntity();
+
+        (new TimestampableBlamableSubscriber($this->providerReturning($creator)))->applyOnCreate($entity);
+        $createdAt = $entity->getCreatedAt();
+
+        (new TimestampableBlamableSubscriber($this->providerReturning($editor)))->applyOnUpdate($entity);
+
+        self::assertSame($createdAt, $entity->getCreatedAt());
+        self::assertSame($creator, $entity->getCreatedBy());
+        self::assertSame($editor, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnCreateIgnoresNonTimestampableEntities(): void
+    {
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning(null));
+
+        // Must not throw.
+        $subscriber->applyOnCreate(new \stdClass());
+        $this->addToAssertionCount(1);
+    }
+
+    private function providerReturning(?UserInterface $user): CurrentUserProviderInterface
+    {
+        return new class($user) implements CurrentUserProviderInterface {
+            public function __construct(private ?UserInterface $user) {}
+
+            public function getCurrentUser(): ?UserInterface
+            {
+                return $this->user;
+            }
+        };
+    }
+
+    private function makeUser(int $id): UserInterface
+    {
+        return new class($id) implements UserInterface {
+            public function __construct(private int $id) {}
+
+            public function getId(): ?int
+            {
+                return $this->id;
+            }
+        };
+    }
+
+    private function makeEntity(): object
+    {
+        return new class implements TimestampableInterface, BlamableInterface {
+            use TimestampableBlamableTrait;
+        };
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+Expected: FAIL — interfaces/classes not found.
+
+- [ ] **Step 3: Create the contracts**
+
+`src/Shared/Domain/Contract/UserInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface UserInterface
+{
+    public function getId(): ?int;
+}
+```
+
+`src/Shared/Domain/Contract/TimestampableInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface TimestampableInterface
+{
+    public function getCreatedAt(): ?\DateTimeImmutable;
+
+    public function setCreatedAt(\DateTimeImmutable $createdAt): void;
+
+    public function getUpdatedAt(): ?\DateTimeImmutable;
+
+    public function setUpdatedAt(\DateTimeImmutable $updatedAt): void;
+}
+```
+
+`src/Shared/Domain/Contract/BlamableInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface BlamableInterface
+{
+    public function getCreatedBy(): ?UserInterface;
+
+    public function setCreatedBy(?UserInterface $user): void;
+
+    public function getUpdatedBy(): ?UserInterface;
+
+    public function setUpdatedBy(?UserInterface $user): void;
+}
+```
+
+- [ ] **Step 4: Create the current-user provider (contract + Security impl)**
+
+`src/Shared/Application/CurrentUserProviderInterface.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Application;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface CurrentUserProviderInterface
+{
+    public function getCurrentUser(): ?UserInterface;
+}
+```
+
+`src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Security;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class SecurityCurrentUserProvider implements CurrentUserProviderInterface
+{
+    public function __construct(
+        private Security $security,
+    ) {}
+
+    public function getCurrentUser(): ?UserInterface
+    {
+        $user = $this->security->getUser();
+
+        return $user instanceof UserInterface ? $user : null;
+    }
+}
+```
+
+- [ ] **Step 5: Create the trait**
+
+`src/Shared/Domain/Trait/TimestampableBlamableTrait.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Trait;
+
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+trait TimestampableBlamableTrait
+{
+    #[ORM\Column(name: 'created_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?\DateTimeImmutable $createdAt = null;
+
+    #[ORM\Column(name: 'updated_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?\DateTimeImmutable $updatedAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'created_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $createdBy = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'updated_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $updatedBy = null;
+
+    public function getCreatedAt(): ?\DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(\DateTimeImmutable $createdAt): void
+    {
+        $this->createdAt = $createdAt;
+    }
+
+    public function getUpdatedAt(): ?\DateTimeImmutable
+    {
+        return $this->updatedAt;
+    }
+
+    public function setUpdatedAt(\DateTimeImmutable $updatedAt): void
+    {
+        $this->updatedAt = $updatedAt;
+    }
+
+    public function getCreatedBy(): ?UserInterface
+    {
+        return $this->createdBy;
+    }
+
+    public function setCreatedBy(?UserInterface $user): void
+    {
+        $this->createdBy = $user;
+    }
+
+    public function getUpdatedBy(): ?UserInterface
+    {
+        return $this->updatedBy;
+    }
+
+    public function setUpdatedBy(?UserInterface $user): void
+    {
+        $this->updatedBy = $user;
+    }
+}
+```
+
+- [ ] **Step 6: Create the Doctrine subscriber**
+
+`src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\ORM\Events;
+
+#[AsDoctrineListener(event: Events::prePersist)]
+#[AsDoctrineListener(event: Events::preUpdate)]
+final readonly class TimestampableBlamableSubscriber
+{
+    public function __construct(
+        private CurrentUserProviderInterface $currentUserProvider,
+    ) {}
+
+    public function prePersist(PrePersistEventArgs $args): void
+    {
+        $this->applyOnCreate($args->getObject());
+    }
+
+    public function preUpdate(PreUpdateEventArgs $args): void
+    {
+        $this->applyOnUpdate($args->getObject());
+    }
+
+    public function applyOnCreate(object $entity): void
+    {
+        $now = new \DateTimeImmutable();
+
+        if ($entity instanceof TimestampableInterface) {
+            if (null === $entity->getCreatedAt()) {
+                $entity->setCreatedAt($now);
+            }
+            $entity->setUpdatedAt($now);
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $user = $this->currentUserProvider->getCurrentUser();
+            if (null === $entity->getCreatedBy()) {
+                $entity->setCreatedBy($user);
+            }
+            $entity->setUpdatedBy($user);
+        }
+    }
+
+    public function applyOnUpdate(object $entity): void
+    {
+        if ($entity instanceof TimestampableInterface) {
+            $entity->setUpdatedAt(new \DateTimeImmutable());
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $entity->setUpdatedBy($this->currentUserProvider->getCurrentUser());
+        }
+    }
+}
+```
+
+- [ ] **Step 7: Make legacy `User` implement the contract + add `resolve_target_entities`**
+
+In `src/Entity/User.php`, add the interface to the class declaration (the entity already has `getId(): ?int`, so no method to add):
+
+```php
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
+// ...
+class User implements /* existing interfaces, */ SharedUserInterface
+```
+
+> Keep all existing `implements` clauses; append `SharedUserInterface`. Alias avoids any clash with `Symfony\...\UserInterface` already imported.
+
+In `config/packages/doctrine.yaml`, under `orm:`, add:
+
+```yaml
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Entity\User
+```
+
+- [ ] **Step 8: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 9: Run the full suite to confirm no regression**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (no entity uses the trait yet; `resolve_target_entities` is inert until consumed). Confirm the prior 96 tests still pass.
+
+- [ ] **Step 10: Commit**
+
+```bash
+git add src/Shared/Domain/Contract src/Shared/Application src/Shared/Infrastructure/Security src/Shared/Domain/Trait src/Shared/Infrastructure/Doctrine src/Entity/User.php config/packages/doctrine.yaml tests/Unit/Shared/Doctrine
+git commit -m "feat(shared) : add timestampable/blamable trait and doctrine subscriber"
+```
+
+---
+
+### Task 4: Helper `ColumnCommentsCatalog` (COMMENT ON COLUMN)
+
+**Files:**
+- Create: `src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php`
+- Test: `tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+
+**Interfaces:**
+- Produces: `ColumnCommentsCatalog::timestampableBlamableComments(string $table): list<string>` → la liste des instructions `COMMENT ON COLUMN <table>.<col> IS '...'` pour les 4 colonnes standard. Utilisé dans les migrations des modules (à partir de 1.1) via `$this->addSql(...)`.
+
+- [ ] **Step 1: Write the failing unit test**
+
+Create `tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Database;
+
+use App\Shared\Infrastructure\Database\ColumnCommentsCatalog;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ColumnCommentsCatalogTest extends TestCase
+{
+    public function testTimestampableBlamableCommentsCoverFourColumns(): void
+    {
+        $sql = ColumnCommentsCatalog::timestampableBlamableComments('task');
+
+        self::assertCount(4, $sql);
+        self::assertSame(
+            "COMMENT ON COLUMN task.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            $sql[0],
+        );
+        self::assertStringContainsString('COMMENT ON COLUMN task.created_by IS', $sql[2]);
+    }
+
+    public function testTableNameIsInterpolatedForEveryColumn(): void
+    {
+        foreach (ColumnCommentsCatalog::timestampableBlamableComments('time_entry') as $statement) {
+            self::assertStringContainsString('COMMENT ON COLUMN time_entry.', $statement);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Run the test, verify it fails**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+Expected: FAIL — class not found.
+
+- [ ] **Step 3: Create `ColumnCommentsCatalog`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Database;
+
+final class ColumnCommentsCatalog
+{
+    /**
+     * SQL `COMMENT ON COLUMN` statements for the 4 standard Timestampable/Blamable columns.
+     * Call from a migration: foreach (...) { $this->addSql($statement); }.
+     *
+     * @return list<string>
+     */
+    public static function timestampableBlamableComments(string $table): array
+    {
+        return [
+            "COMMENT ON COLUMN {$table}.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.updated_at IS 'Date de derniere modification (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.created_by IS 'Auteur de la creation (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+            "COMMENT ON COLUMN {$table}.updated_by IS 'Auteur de la derniere modification (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+        ];
+    }
+}
+```
+
+- [ ] **Step 4: Run the unit test, verify it passes**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php`
+Expected: PASS (2 tests).
+
+- [ ] **Step 5: Run the full suite + cs-fixer**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (all green, including the 96 pre-existing tests).
+Run: `make php-cs-fixer-allow-risky`
+Expected: no remaining violations in `src/Shared` / `tests`.
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add src/Shared/Infrastructure/Database tests/Unit/Shared/Database
+git commit -m "feat(shared) : add column comments catalog helper for migrations"
+```
+
+---
+
+## Acceptance check (run after all tasks)
+
+- [ ] `GET /api/modules` returns `{ "modules": [] }` (public, 200).
+- [ ] `GET /api/sidebar` returns `{ sections, disabledRoutes }` (401 unauth, 200 auth).
+- [ ] `src/Shared/` holds contracts, trait, subscriber, helper, providers.
+- [ ] `make test` green (96 prior + new unit/functional tests).
+- [ ] No destructive migration; no business entity moved; no inter-module import.
+
+## Notes for the next ticket (0.2 — Socle front)
+
+Le front consommera `/api/modules` + `/api/sidebar` via `useModules`/`useSidebar`, montera le shell `app/` + `shared/` et l'auto-détection des layers. Le filtrage par module deviendra réellement visible quand le 1er module (1.1 Core, puis 2.1 TimeTracking) déclarera sa clé `module` dans `config/sidebar.php`.
-- 
2.39.5


From 748289b61ae8d7ab7b860ee7a7aeba6ed38b3f48 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 14:33:53 +0200
Subject: [PATCH 03/99] feat(modules) : expose GET /api/modules and module
 registry

---
 config/modules.php                            | 11 +++
 config/packages/security.yaml                 |  2 +
 src/Shared/Domain/Module/ModuleInterface.php  | 23 ++++++
 src/Shared/Domain/Module/ModuleRegistry.php   | 25 ++++++
 .../ApiPlatform/Resource/ModulesResource.php  | 28 +++++++
 .../ApiPlatform/State/ModulesProvider.php     | 30 +++++++
 .../Functional/Shared/ModulesEndpointTest.php | 24 ++++++
 .../Unit/Shared/Module/ModuleRegistryTest.php | 81 +++++++++++++++++++
 8 files changed, 224 insertions(+)
 create mode 100644 config/modules.php
 create mode 100644 src/Shared/Domain/Module/ModuleInterface.php
 create mode 100644 src/Shared/Domain/Module/ModuleRegistry.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
 create mode 100644 tests/Functional/Shared/ModulesEndpointTest.php
 create mode 100644 tests/Unit/Shared/Module/ModuleRegistryTest.php

diff --git a/config/modules.php b/config/modules.php
new file mode 100644
index 0000000..c6df2ac
--- /dev/null
+++ b/config/modules.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
+ * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
+ */
+return [
+    // Aucun module pour l'instant — les modules arrivent à partir du ticket 1.1 (Core).
+];
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 35949cd..bcdbaa6 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -62,6 +62,8 @@ security:
         - { path: ^/api/docs, roles: PUBLIC_ACCESS }
         # Version de l'application en public
         - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
+        # Liste des modules actifs en public (consommée au boot du front)
+        - { path: ^/api/modules, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
         # Mail : requiert authentification (le check ROLE_USER est dans MailAccessChecker)
diff --git a/src/Shared/Domain/Module/ModuleInterface.php b/src/Shared/Domain/Module/ModuleInterface.php
new file mode 100644
index 0000000..c390297
--- /dev/null
+++ b/src/Shared/Domain/Module/ModuleInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+/**
+ * Implemented by every `*Module` declaration class. The set of active modules
+ * is listed in config/modules.php and exposed via GET /api/modules.
+ */
+interface ModuleInterface
+{
+    public static function id(): string;
+
+    public static function label(): string;
+
+    public static function isRequired(): bool;
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array;
+}
diff --git a/src/Shared/Domain/Module/ModuleRegistry.php b/src/Shared/Domain/Module/ModuleRegistry.php
new file mode 100644
index 0000000..894b6af
--- /dev/null
+++ b/src/Shared/Domain/Module/ModuleRegistry.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Module;
+
+final class ModuleRegistry
+{
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<string>
+     */
+    public static function ids(array $moduleClasses): array
+    {
+        $ids = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (is_a($moduleClass, ModuleInterface::class, true)) {
+                $ids[] = $moduleClass::id();
+            }
+        }
+
+        return $ids;
+    }
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php b/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
new file mode 100644
index 0000000..b00fd3a
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/ModulesResource.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\ModulesProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/modules',
+            normalizationContext: ['groups' => ['modules:read']],
+            provider: ModulesProvider::class,
+        ),
+    ],
+)]
+final class ModulesResource
+{
+    /**
+     * @var list<string>
+     */
+    #[Groups(['modules:read'])]
+    public array $modules = [];
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
new file mode 100644
index 0000000..b5204b7
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/State/ModulesProvider.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Infrastructure\ApiPlatform\Resource\ModulesResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class ModulesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): ModulesResource
+    {
+        /** @var list<class-string> $classes */
+        $classes = require $this->projectDir.'/config/modules.php';
+
+        $dto          = new ModulesResource();
+        $dto->modules = ModuleRegistry::ids($classes);
+
+        return $dto;
+    }
+}
diff --git a/tests/Functional/Shared/ModulesEndpointTest.php b/tests/Functional/Shared/ModulesEndpointTest.php
new file mode 100644
index 0000000..9279ca5
--- /dev/null
+++ b/tests/Functional/Shared/ModulesEndpointTest.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ModulesEndpointTest extends WebTestCase
+{
+    public function testModulesEndpointIsPublicAndReturnsModulesKey(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('modules', $data);
+        self::assertIsArray($data['modules']);
+    }
+}
diff --git a/tests/Unit/Shared/Module/ModuleRegistryTest.php b/tests/Unit/Shared/Module/ModuleRegistryTest.php
new file mode 100644
index 0000000..a5ea1aa
--- /dev/null
+++ b/tests/Unit/Shared/Module/ModuleRegistryTest.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Shared\Domain\Module\ModuleInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryTest extends TestCase
+{
+    public function testIdsExtractsDeclaredModuleIds(): void
+    {
+        $classes = [FakeAlphaModule::class, FakeBetaModule::class];
+
+        self::assertSame(['alpha', 'beta'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsIgnoresClassesNotImplementingModuleInterface(): void
+    {
+        $classes = [FakeAlphaModule::class, stdClass::class];
+
+        self::assertSame(['alpha'], ModuleRegistry::ids($classes));
+    }
+
+    public function testIdsReturnsEmptyArrayForNoModules(): void
+    {
+        self::assertSame([], ModuleRegistry::ids([]));
+    }
+}
+
+final class FakeAlphaModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'alpha';
+    }
+
+    public static function label(): string
+    {
+        return 'Alpha';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    public static function permissions(): array
+    {
+        return [];
+    }
+}
+
+final class FakeBetaModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'beta';
+    }
+
+    public static function label(): string
+    {
+        return 'Beta';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    public static function permissions(): array
+    {
+        return [];
+    }
+}
-- 
2.39.5


From 52399b35d9bbd2d0633367b3e5a39b78206eead5 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 14:35:17 +0200
Subject: [PATCH 04/99] feat(sidebar) : expose GET /api/sidebar filtered by
 active modules

---
 config/sidebar.php                            | 29 +++++++++
 src/Shared/Domain/Sidebar/SidebarFilter.php   | 40 +++++++++++++
 .../ApiPlatform/Resource/SidebarResource.php  | 34 +++++++++++
 .../ApiPlatform/State/SidebarProvider.php     | 37 ++++++++++++
 .../Functional/Shared/SidebarEndpointTest.php | 40 +++++++++++++
 .../Unit/Shared/Sidebar/SidebarFilterTest.php | 59 +++++++++++++++++++
 6 files changed, 239 insertions(+)
 create mode 100644 config/sidebar.php
 create mode 100644 src/Shared/Domain/Sidebar/SidebarFilter.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
 create mode 100644 src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
 create mode 100644 tests/Functional/Shared/SidebarEndpointTest.php
 create mode 100644 tests/Unit/Shared/Sidebar/SidebarFilterTest.php

diff --git a/config/sidebar.php b/config/sidebar.php
new file mode 100644
index 0000000..15bd7a1
--- /dev/null
+++ b/config/sidebar.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items). Filtrée par SidebarFilter selon les modules actifs.
+ * Un item porte une clé `module` quand il appartient à un module activable ; sans clé, il est toujours visible.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:checkbox-marked-circle-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-multiple-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:clock-outline'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.hr.section',
+        'icon'  => 'mdi:calendar-account-outline',
+        'items' => [
+            ['label' => 'sidebar.hr.absences', 'to' => '/absences', 'icon' => 'mdi:calendar-remove-outline'],
+            ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group-outline'],
+        ],
+    ],
+];
diff --git a/src/Shared/Domain/Sidebar/SidebarFilter.php b/src/Shared/Domain/Sidebar/SidebarFilter.php
new file mode 100644
index 0000000..e97ca8d
--- /dev/null
+++ b/src/Shared/Domain/Sidebar/SidebarFilter.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sections
+     * @param list<string>                                                                                                     $activeModuleIds
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            $items = [];
+            foreach ($section['items'] as $item) {
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php b/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
new file mode 100644
index 0000000..c90877e
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/SidebarResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Shared\Infrastructure\ApiPlatform\State\SidebarProvider;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new Get(
+            uriTemplate: '/sidebar',
+            normalizationContext: ['groups' => ['sidebar:read']],
+            provider: SidebarProvider::class,
+        ),
+    ],
+)]
+final class SidebarResource
+{
+    /**
+     * @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $sections = [];
+
+    /**
+     * @var list<string>
+     */
+    #[Groups(['sidebar:read'])]
+    public array $disabledRoutes = [];
+}
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
new file mode 100644
index 0000000..84333d5
--- /dev/null
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        /** @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses));
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
diff --git a/tests/Functional/Shared/SidebarEndpointTest.php b/tests/Functional/Shared/SidebarEndpointTest.php
new file mode 100644
index 0000000..55f0628
--- /dev/null
+++ b/tests/Functional/Shared/SidebarEndpointTest.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client    = self::createClient();
+        $container = self::getContainer();
+        $em        = $container->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+}
diff --git a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
new file mode 100644
index 0000000..22dbf74
--- /dev/null
+++ b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, []);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+}
-- 
2.39.5


From 3053c09522f5421b73dc51f1b18147f452e4d969 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 14:37:28 +0200
Subject: [PATCH 05/99] feat(shared) : add timestampable/blamable trait and
 doctrine subscriber

---
 config/packages/doctrine.yaml                 |  2 +
 src/Entity/User.php                           |  3 +-
 .../CurrentUserProviderInterface.php          | 12 +++
 .../Domain/Contract/BlamableInterface.php     | 16 ++++
 .../Contract/TimestampableInterface.php       | 18 ++++
 src/Shared/Domain/Contract/UserInterface.php  | 10 ++
 .../Trait/TimestampableBlamableTrait.php      | 71 +++++++++++++++
 .../TimestampableBlamableSubscriber.php       | 64 +++++++++++++
 .../Security/SecurityCurrentUserProvider.php  | 23 +++++
 .../TimestampableBlamableSubscriberTest.php   | 91 +++++++++++++++++++
 10 files changed, 309 insertions(+), 1 deletion(-)
 create mode 100644 src/Shared/Application/CurrentUserProviderInterface.php
 create mode 100644 src/Shared/Domain/Contract/BlamableInterface.php
 create mode 100644 src/Shared/Domain/Contract/TimestampableInterface.php
 create mode 100644 src/Shared/Domain/Contract/UserInterface.php
 create mode 100644 src/Shared/Domain/Trait/TimestampableBlamableTrait.php
 create mode 100644 src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
 create mode 100644 src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
 create mode 100644 tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php

diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 6c57caf..303521a 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -13,6 +13,8 @@ doctrine:
         identity_generation_preferences:
             Doctrine\DBAL\Platforms\PostgreSQLPlatform: identity
         auto_mapping: true
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Entity\User
         mappings:
             App:
                 type: attribute
diff --git a/src/Entity/User.php b/src/Entity/User.php
index 2bc49c9..38e789e 100644
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -13,6 +13,7 @@ use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Enum\ContractType;
 use App\Repository\UserRepository;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use App\State\MeProvider;
 use App\State\UserPasswordHasherProcessor;
 use DateTimeImmutable;
@@ -44,7 +45,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ORM\Entity(repositoryClass: UserRepository::class)]
 #[ORM\Table(name: '`user`')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Shared/Application/CurrentUserProviderInterface.php b/src/Shared/Application/CurrentUserProviderInterface.php
new file mode 100644
index 0000000..da670e2
--- /dev/null
+++ b/src/Shared/Application/CurrentUserProviderInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Application;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface CurrentUserProviderInterface
+{
+    public function getCurrentUser(): ?UserInterface;
+}
diff --git a/src/Shared/Domain/Contract/BlamableInterface.php b/src/Shared/Domain/Contract/BlamableInterface.php
new file mode 100644
index 0000000..8063312
--- /dev/null
+++ b/src/Shared/Domain/Contract/BlamableInterface.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface BlamableInterface
+{
+    public function getCreatedBy(): ?UserInterface;
+
+    public function setCreatedBy(?UserInterface $user): void;
+
+    public function getUpdatedBy(): ?UserInterface;
+
+    public function setUpdatedBy(?UserInterface $user): void;
+}
diff --git a/src/Shared/Domain/Contract/TimestampableInterface.php b/src/Shared/Domain/Contract/TimestampableInterface.php
new file mode 100644
index 0000000..2a272ac
--- /dev/null
+++ b/src/Shared/Domain/Contract/TimestampableInterface.php
@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+use DateTimeImmutable;
+
+interface TimestampableInterface
+{
+    public function getCreatedAt(): ?DateTimeImmutable;
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): void;
+
+    public function getUpdatedAt(): ?DateTimeImmutable;
+
+    public function setUpdatedAt(DateTimeImmutable $updatedAt): void;
+}
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
new file mode 100644
index 0000000..9879371
--- /dev/null
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface UserInterface
+{
+    public function getId(): ?int;
+}
diff --git a/src/Shared/Domain/Trait/TimestampableBlamableTrait.php b/src/Shared/Domain/Trait/TimestampableBlamableTrait.php
new file mode 100644
index 0000000..41a421b
--- /dev/null
+++ b/src/Shared/Domain/Trait/TimestampableBlamableTrait.php
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Trait;
+
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+trait TimestampableBlamableTrait
+{
+    #[ORM\Column(name: 'created_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\Column(name: 'updated_at', type: 'datetime_immutable', nullable: true)]
+    #[Groups(['timestampable:read'])]
+    private ?DateTimeImmutable $updatedAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'created_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $createdBy = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'updated_by', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['blamable:read'])]
+    private ?UserInterface $updatedBy = null;
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): void
+    {
+        $this->createdAt = $createdAt;
+    }
+
+    public function getUpdatedAt(): ?DateTimeImmutable
+    {
+        return $this->updatedAt;
+    }
+
+    public function setUpdatedAt(DateTimeImmutable $updatedAt): void
+    {
+        $this->updatedAt = $updatedAt;
+    }
+
+    public function getCreatedBy(): ?UserInterface
+    {
+        return $this->createdBy;
+    }
+
+    public function setCreatedBy(?UserInterface $user): void
+    {
+        $this->createdBy = $user;
+    }
+
+    public function getUpdatedBy(): ?UserInterface
+    {
+        return $this->updatedBy;
+    }
+
+    public function setUpdatedBy(?UserInterface $user): void
+    {
+        $this->updatedBy = $user;
+    }
+}
diff --git a/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php b/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
new file mode 100644
index 0000000..2aa832a
--- /dev/null
+++ b/src/Shared/Infrastructure/Doctrine/TimestampableBlamableSubscriber.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use DateTimeImmutable;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Doctrine\ORM\Event\PreUpdateEventArgs;
+use Doctrine\ORM\Events;
+
+#[AsDoctrineListener(event: Events::prePersist)]
+#[AsDoctrineListener(event: Events::preUpdate)]
+final readonly class TimestampableBlamableSubscriber
+{
+    public function __construct(
+        private CurrentUserProviderInterface $currentUserProvider,
+    ) {}
+
+    public function prePersist(PrePersistEventArgs $args): void
+    {
+        $this->applyOnCreate($args->getObject());
+    }
+
+    public function preUpdate(PreUpdateEventArgs $args): void
+    {
+        $this->applyOnUpdate($args->getObject());
+    }
+
+    public function applyOnCreate(object $entity): void
+    {
+        $now = new DateTimeImmutable();
+
+        if ($entity instanceof TimestampableInterface) {
+            if (null === $entity->getCreatedAt()) {
+                $entity->setCreatedAt($now);
+            }
+            $entity->setUpdatedAt($now);
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $user = $this->currentUserProvider->getCurrentUser();
+            if (null === $entity->getCreatedBy()) {
+                $entity->setCreatedBy($user);
+            }
+            $entity->setUpdatedBy($user);
+        }
+    }
+
+    public function applyOnUpdate(object $entity): void
+    {
+        if ($entity instanceof TimestampableInterface) {
+            $entity->setUpdatedAt(new DateTimeImmutable());
+        }
+
+        if ($entity instanceof BlamableInterface) {
+            $entity->setUpdatedBy($this->currentUserProvider->getCurrentUser());
+        }
+    }
+}
diff --git a/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php b/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
new file mode 100644
index 0000000..2d9a5b3
--- /dev/null
+++ b/src/Shared/Infrastructure/Security/SecurityCurrentUserProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Security;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class SecurityCurrentUserProvider implements CurrentUserProviderInterface
+{
+    public function __construct(
+        private Security $security,
+    ) {}
+
+    public function getCurrentUser(): ?UserInterface
+    {
+        $user = $this->security->getUser();
+
+        return $user instanceof UserInterface ? $user : null;
+    }
+}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
new file mode 100644
index 0000000..669acf5
--- /dev/null
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Doctrine;
+
+use App\Shared\Application\CurrentUserProviderInterface;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
+use DateTimeImmutable;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+
+/**
+ * @internal
+ */
+final class TimestampableBlamableSubscriberTest extends TestCase
+{
+    public function testApplyOnCreateSetsTimestampsAndAuthor(): void
+    {
+        $user       = $this->makeUser(7);
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning($user));
+        $entity     = $this->makeEntity();
+
+        $subscriber->applyOnCreate($entity);
+
+        self::assertInstanceOf(DateTimeImmutable::class, $entity->getCreatedAt());
+        self::assertInstanceOf(DateTimeImmutable::class, $entity->getUpdatedAt());
+        self::assertSame($user, $entity->getCreatedBy());
+        self::assertSame($user, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnUpdateLeavesCreatedUntouched(): void
+    {
+        $creator = $this->makeUser(1);
+        $editor  = $this->makeUser(2);
+        $entity  = $this->makeEntity();
+
+        new TimestampableBlamableSubscriber($this->providerReturning($creator))->applyOnCreate($entity);
+        $createdAt = $entity->getCreatedAt();
+
+        new TimestampableBlamableSubscriber($this->providerReturning($editor))->applyOnUpdate($entity);
+
+        self::assertSame($createdAt, $entity->getCreatedAt());
+        self::assertSame($creator, $entity->getCreatedBy());
+        self::assertSame($editor, $entity->getUpdatedBy());
+    }
+
+    public function testApplyOnCreateIgnoresNonTimestampableEntities(): void
+    {
+        $subscriber = new TimestampableBlamableSubscriber($this->providerReturning(null));
+
+        // Must not throw.
+        $subscriber->applyOnCreate(new stdClass());
+        $this->addToAssertionCount(1);
+    }
+
+    private function providerReturning(?UserInterface $user): CurrentUserProviderInterface
+    {
+        return new class($user) implements CurrentUserProviderInterface {
+            public function __construct(private ?UserInterface $user) {}
+
+            public function getCurrentUser(): ?UserInterface
+            {
+                return $this->user;
+            }
+        };
+    }
+
+    private function makeUser(int $id): UserInterface
+    {
+        return new class($id) implements UserInterface {
+            public function __construct(private int $id) {}
+
+            public function getId(): ?int
+            {
+                return $this->id;
+            }
+        };
+    }
+
+    private function makeEntity(): object
+    {
+        return new class implements TimestampableInterface, BlamableInterface {
+            use TimestampableBlamableTrait;
+        };
+    }
+}
-- 
2.39.5


From b301c543bbde75854736821a549299e1ffa8b99c Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 14:38:40 +0200
Subject: [PATCH 06/99] feat(shared) : add column comments catalog helper for
 migrations

---
 .../Database/ColumnCommentsCatalog.php        | 24 ++++++++++++++
 .../Database/ColumnCommentsCatalogTest.php    | 33 +++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
 create mode 100644 tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php

diff --git a/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php b/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
new file mode 100644
index 0000000..16d070e
--- /dev/null
+++ b/src/Shared/Infrastructure/Database/ColumnCommentsCatalog.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\Database;
+
+final class ColumnCommentsCatalog
+{
+    /**
+     * SQL `COMMENT ON COLUMN` statements for the 4 standard Timestampable/Blamable columns.
+     * Call from a migration: foreach (...) { $this->addSql($statement); }.
+     *
+     * @return list<string>
+     */
+    public static function timestampableBlamableComments(string $table): array
+    {
+        return [
+            "COMMENT ON COLUMN {$table}.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.updated_at IS 'Date de derniere modification (UTC). Rempli automatiquement (Timestampable).'",
+            "COMMENT ON COLUMN {$table}.created_by IS 'Auteur de la creation (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+            "COMMENT ON COLUMN {$table}.updated_by IS 'Auteur de la derniere modification (FK user, SET NULL). Rempli automatiquement (Blamable).'",
+        ];
+    }
+}
diff --git a/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php b/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php
new file mode 100644
index 0000000..bb41001
--- /dev/null
+++ b/tests/Unit/Shared/Database/ColumnCommentsCatalogTest.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Database;
+
+use App\Shared\Infrastructure\Database\ColumnCommentsCatalog;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ColumnCommentsCatalogTest extends TestCase
+{
+    public function testTimestampableBlamableCommentsCoverFourColumns(): void
+    {
+        $sql = ColumnCommentsCatalog::timestampableBlamableComments('task');
+
+        self::assertCount(4, $sql);
+        self::assertSame(
+            "COMMENT ON COLUMN task.created_at IS 'Date de creation (UTC). Rempli automatiquement (Timestampable).'",
+            $sql[0],
+        );
+        self::assertStringContainsString('COMMENT ON COLUMN task.created_by IS', $sql[2]);
+    }
+
+    public function testTableNameIsInterpolatedForEveryColumn(): void
+    {
+        foreach (ColumnCommentsCatalog::timestampableBlamableComments('time_entry') as $statement) {
+            self::assertStringContainsString('COMMENT ON COLUMN time_entry.', $statement);
+        }
+    }
+}
-- 
2.39.5


From 5fbdda1983fb9fc37fe86cc94ac246e4f81e43fa Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:00:17 +0200
Subject: [PATCH 07/99] docs : log LST-56 socle back session learnings

---
 .claude/skills/ticket-executor/LEARNINGS.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index a5f24ac..4799a5a 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -54,6 +54,25 @@
 - **Pattern**: Retirer de composer.json + bundles.php + supprimer config YAML + templates
 - **Learning**: API Platform ne requiert PAS twig, c'est juste suggéré pour Swagger UI
 
+## Session 2026-06-19 (LST-56 / 0.1 — Socle back modular monolith)
+
+### Contexte
+- Ticket exécuté via plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-56-socle-back.md`) délégué à un sous-agent (contexte isolé), pilotage MCP/chrono/vérif depuis la session principale.
+- 4 tâches, 14 nouveaux tests (110 total, 216 assertions, vert), 4 commits (un par tâche).
+
+### Patterns
+- **Strangler 100 % additif** : nouveau noyau `src/Shared/` (Domain/Contract, Domain/Module, Domain/Sidebar, Domain/Trait, Application, Infrastructure/{ApiPlatform,Doctrine,Security,Database}) sans toucher au métier — `make test` reste vert sans migration.
+- **Endpoints DTO purs** : logique métier dans classes pures testées unitairement (`ModuleRegistry`, `SidebarFilter`), exposées par Providers API Platform minces (`ModulesProvider`/`SidebarProvider`) sur des Resources DTO.
+- **resolve_target_entities** : contrat `Shared\Domain\Contract\UserInterface` mappé sur `App\Entity\User` (sera re-pointé vers `Module\Core\User` en 1.1). Inert tant qu'aucune entité n'utilise le trait.
+
+### Gotchas
+- **API Platform 4 découvre les Resources sous `src/Shared/...` sans config `mapping.paths`** — le 404 anticipé dans le plan ne s'est pas produit, aucun ajout dans `api_platform.yaml` nécessaire.
+- **Hook pre-commit php-cs-fixer** normalise le style du code fourni dans le plan : `\DateTimeImmutable`→`DateTimeImmutable` importé, FQN→`use`, `static::createClient()`→`self::`. Pur style, tests inchangés. Ne pas lutter contre.
+- **`config/reference.php`** : fichier auto-généré qui apparaît modifié dans `git status` — ne jamais le committer.
+
+### Time tracking
+- Le sous-agent a stoppé lui-même le timer d'implémentation (id 1005, 35 min) — garder le time-tracking sur la session principale pour rester maître du chrono si un sous-agent a accès aux tools MCP lesstime.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
 - **MCP status**: Toujours mettre "En cours" AVANT de commencer, "Terminé" APRÈS validation
-- 
2.39.5


From 111f37a0c998df5174e21974f223e59f5a34d3cc Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:00:23 +0200
Subject: [PATCH 08/99] docs : add implementation plan for socle front (LST-62
 / 0.2)

---
 .../plans/2026-06-19-lst-62-socle-front.md    | 969 ++++++++++++++++++
 1 file changed, 969 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-62-socle-front.md

diff --git a/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
new file mode 100644
index 0000000..9885c9a
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
@@ -0,0 +1,969 @@
+# LST-62 (0.2) — Socle front : shell + auto-détection des layers Nuxt — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Poser l'ossature frontend modulaire (shell `app/`, code partagé `shared/`, auto-détection des layers `modules/*/`, sidebar dynamique alimentée par `/api/sidebar`, redirection des routes désactivées) **sans déplacer aucune page métier** — l'app reste « plate » et la navigation ne régresse pas.
+
+**Architecture:** On s'aligne sur le pattern Starseed : `srcDir: '.'`, layouts/middleware sous `frontend/app/`, composables/stores transverses sous `frontend/shared/` (auto-importés via `imports.dirs`), et un scan `readdirSync('modules/')` qui ajoute chaque `modules/*/` à `extends`. Le backend `/api/modules` + `/api/sidebar` existe déjà (LST-56). On ajoute un **gate de rôle minimal** côté `SidebarProvider`/`SidebarFilter` (ROLE_ADMIN) pour préserver la visibilité de l'Administration sans attendre le RBAC fin (#1.2). Les items **contextuels** (Kanban/Groupes/Archives), **feature-flag** (Documents, Mail) et **user-flag** (Mes absences) restent rendus côté layout, hors `/api/sidebar`.
+
+**Tech Stack:** Nuxt 4.3, Vue 3.5, Pinia 3, @malio/layer-ui 1.7, @nuxtjs/i18n 10, @nuxt/icon — côté back PHP 8.4 / Symfony 8 / API Platform 4 / PHPUnit 13.
+
+## Global Constraints
+
+- **Aucune page métier déplacée** : `frontend/pages/` reste tel quel ; on ne crée AUCUN `frontend/modules/<x>/pages/` peuplé en 0.2 (le dossier `modules/` est créé vide pour le scan).
+- **Zéro régression de navigation** : tous les liens actuels restent atteignables et correctement gardés (admin reste admin-only).
+- **Auto-import Nuxt** : les composants/pages référencent les composables/stores **par nom** (`useApi()`, `useAuthStore()`), jamais par chemin → déplacer un fichier entre deux dossiers auto-scannés est transparent. Toujours le vérifier par un `typecheck` après déplacement.
+- **Commits** : format `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude/Anthropic (message, body, trailers).
+- **PHP** : `declare(strict_types=1);` en tête ; tests via `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit …`.
+- **TS** : strict, 4 espaces d'indentation, pas de `any`.
+- **Pas de migration BDD** dans ce lot (aucune entité touchée).
+
+## Décisions de conception (actées avec le PO)
+
+1. **Gate de rôle minimal côté back** : les items/sections réservés (`/team-absences`, `/admin`) portent une clé `roles` dans `config/sidebar.php` ; `SidebarProvider` passe les rôles de l'utilisateur courant à `SidebarFilter` qui masque ce qui n'est pas autorisé. Ce n'est **pas** le RBAC fin (#1.2) — juste ROLE_ADMIN/ROLE_USER.
+2. **Items contextuels / feature-flag / user-flag hors `/api/sidebar`** : Kanban/Groupes/Archives (contexte `currentProjectId`), Documents (`shareEnabled`), Mail (+ badge non lus), Mes absences (`isEmployee`) restent rendus par le layout comme aujourd'hui.
+3. **Délta cosmétique assumé** : la sidebar dynamique regroupe le Tableau de bord avec « Mes tâches / Projets / Suivi de temps » sous un même en-tête, et le bloc statique (contextuel/flag/Mes absences) s'insère après cette première section. Léger réordonnancement visuel, **à valider**, harmonisé en #60 (Finition Malio). Aucun lien perdu.
+
+## Vérification (pas de runner de tests JS dans ce projet)
+
+- **Back (Task 1)** : vraie TDD PHPUnit.
+- **Front (Tasks 2-7)** : la verif = `typecheck` Nuxt + smoke test runtime. Commandes :
+  - Typecheck : `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+  - Runtime : dev server `make dev-nuxt` (port 3002, proxy `/api` → nginx) ; vérifier manuellement la navigation + `curl` des endpoints via nginx (`http://localhost:8082/api/...`). Les containers sont up.
+
+---
+
+### Task 1: Backend — gate de rôle dans la sidebar (`roles`) + config complète
+
+**Files:**
+- Modify: `src/Shared/Domain/Sidebar/SidebarFilter.php` (signature + gate `roles`)
+- Modify: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` (injecter `Security`, passer les rôles)
+- Modify: `config/sidebar.php` (navigation globale + section Administration gated ROLE_ADMIN ; retrait de `/absences` qui reste client-side)
+- Modify: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` (adapter à la nouvelle signature + cas `roles`)
+- Modify: `tests/Functional/Shared/SidebarEndpointTest.php` (vérifier le gate admin)
+
+**Interfaces:**
+- Produces : `SidebarFilter::filter(array $sections, array $activeModuleIds, array $activeRoles = []): array`. Règles ajoutées : une **section** ou un **item** portant une clé `roles` (non vide) n'est conservé que si `$activeRoles` contient au moins un des rôles listés ; sinon la section/l'item est retiré (les `to` des items retirés **par rôle** ne sont PAS ajoutés à `disabledRoutes` — `disabledRoutes` reste réservé au filtrage **par module**, qui pilote la redirection front). Les clés internes `module` et `roles` sont retirées de la sortie.
+- Consumes : `Symfony\Bundle\SecurityBundle\Security` (rôles via `getUser()`).
+
+- [ ] **Step 1: Adapter le test unitaire existant + ajouter les cas `roles`**
+
+Remplace INTÉGRALEMENT `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Sidebar;
+
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SidebarFilterTest extends TestCase
+{
+    public function testItemWithoutModuleIsAlwaysVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.core.section', 'icon' => 'mdi:home', 'items' => [
+                ['label' => 'sidebar.core.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+        self::assertArrayNotHasKey('module', $result['sections'][0]['items'][0]);
+    }
+
+    public function testItemWithInactiveModuleIsHiddenAndRouteDisabled(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        self::assertSame(['/time-tracking'], $result['disabledRoutes']);
+    }
+
+    public function testItemWithActiveModuleIsVisible(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.tt.section', 'icon' => 'mdi:clock', 'items' => [
+                ['label' => 'sidebar.tt.timesheet', 'to' => '/time-tracking', 'icon' => 'mdi:clock', 'module' => 'time_tracking'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, ['time_tracking'], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        // Filtrage par rôle => PAS de disabledRoutes (réservé au filtrage par module).
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsVisibleWhenRolePresent(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER', 'ROLE_ADMIN']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/admin', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]);
+    }
+
+    public function testItemWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.hr.section', 'icon' => 'mdi:calendar', 'items' => [
+                ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group', 'roles' => ['ROLE_ADMIN']],
+                ['label' => 'sidebar.hr.x', 'to' => '/x', 'icon' => 'mdi:x'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertCount(1, $result['sections'][0]['items']);
+        self::assertSame('/x', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]['items'][0]);
+    }
+}
+```
+
+- [ ] **Step 2: Lancer le test, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: FAIL — `filter()` actuel n'accepte que 2 args / ne gère pas `roles` (erreur d'arité ou assertions rouges).
+
+- [ ] **Step 3: Étendre `SidebarFilter`**
+
+Remplace INTÉGRALEMENT `src/Shared/Domain/Sidebar/SidebarFilter.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Sidebar;
+
+final class SidebarFilter
+{
+    /**
+     * @param list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sections
+     * @param list<string>                                                                                                                                               $activeModuleIds
+     * @param list<string>                                                                                                                                               $activeRoles
+     *
+     * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
+     */
+    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = []): array
+    {
+        $outSections    = [];
+        $disabledRoutes = [];
+
+        foreach ($sections as $section) {
+            // Gate de rôle au niveau section (ne pollue pas disabledRoutes : réservé au filtrage module).
+            if (!self::rolesSatisfied($section['roles'] ?? null, $activeRoles)) {
+                continue;
+            }
+
+            $items = [];
+            foreach ($section['items'] as $item) {
+                // Gate de rôle au niveau item.
+                if (!self::rolesSatisfied($item['roles'] ?? null, $activeRoles)) {
+                    continue;
+                }
+
+                // Filtrage par module actif (pilote la redirection front via disabledRoutes).
+                $module = $item['module'] ?? null;
+                if (null !== $module && !in_array($module, $activeModuleIds, true)) {
+                    $disabledRoutes[] = $item['to'];
+
+                    continue;
+                }
+
+                $items[] = ['label' => $item['label'], 'to' => $item['to'], 'icon' => $item['icon']];
+            }
+
+            if ([] !== $items) {
+                $outSections[] = ['label' => $section['label'], 'icon' => $section['icon'], 'items' => $items];
+            }
+        }
+
+        return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
+    }
+
+    /**
+     * @param list<string>|null $required
+     * @param list<string>      $activeRoles
+     */
+    private static function rolesSatisfied(?array $required, array $activeRoles): bool
+    {
+        if (null === $required || [] === $required) {
+            return true;
+        }
+
+        foreach ($required as $role) {
+            if (in_array($role, $activeRoles, true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
+```
+
+- [ ] **Step 4: Lancer le test unitaire, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Sidebar/SidebarFilterTest.php`
+Expected: PASS (6 tests).
+
+- [ ] **Step 5: Injecter les rôles dans `SidebarProvider`**
+
+Remplace INTÉGRALEMENT `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use App\Shared\Domain\Sidebar\SidebarFilter;
+use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+final readonly class SidebarProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire('%kernel.project_dir%')]
+        private string $projectDir,
+        private Security $security,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
+    {
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        /** @var list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sidebar */
+        $sidebar = require $this->projectDir.'/config/sidebar.php';
+
+        $user  = $this->security->getUser();
+        $roles = null !== $user ? $user->getRoles() : [];
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles));
+
+        $dto                 = new SidebarResource();
+        $dto->sections       = $filtered['sections'];
+        $dto->disabledRoutes = $filtered['disabledRoutes'];
+
+        return $dto;
+    }
+}
+```
+
+- [ ] **Step 6: Compléter `config/sidebar.php`**
+
+Remplace INTÉGRALEMENT `config/sidebar.php` par (icônes alignées sur le layout actuel ; `/absences` retiré car gardé client-side via `isEmployee`) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Définition de la sidebar (sections + items) — navigation GLOBALE uniquement.
+ * Filtrée par SidebarFilter : `module` (route ajoutée à disabledRoutes si module inactif),
+ * `roles` (section ou item masqué si l'utilisateur n'a aucun des rôles listés ; gate minimal,
+ * le RBAC fin par permission arrive en #1.2).
+ * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail) et user-flag
+ * (Mes absences) restent rendus côté layout, hors de cet endpoint.
+ * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
+ */
+return [
+    [
+        'label' => 'sidebar.general.section',
+        'icon'  => 'mdi:view-dashboard-outline',
+        'items' => [
+            ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline'],
+        ],
+    ],
+    [
+        'label' => 'sidebar.admin.section',
+        'icon'  => 'mdi:cog-outline',
+        'roles' => ['ROLE_ADMIN'],
+        'items' => [
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline'],
+            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline'],
+        ],
+    ],
+];
+```
+
+- [ ] **Step 7: Renforcer le test fonctionnel sidebar (gate admin)**
+
+Remplace INTÉGRALEMENT `tests/Functional/Shared/SidebarEndpointTest.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Shared;
+
+use App\Entity\User;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class SidebarEndpointTest extends WebTestCase
+{
+    public function testSidebarRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testSidebarReturnsSectionsForAuthenticatedUser(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('sections', $data);
+        self::assertArrayHasKey('disabledRoutes', $data);
+        self::assertNotEmpty($data['sections']);
+    }
+
+    public function testAdminSectionHiddenForNonAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']); // ROLE_USER
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertNotContains('sidebar.admin.section', $labels);
+    }
+
+    public function testAdminSectionVisibleForAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']); // ROLE_ADMIN
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertContains('sidebar.admin.section', $labels);
+    }
+}
+```
+
+- [ ] **Step 8: Lancer la suite complète, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (les 110 tests précédents adaptés + nouveaux cas). Si `admin`/`alice` n'existent pas en base de test, vérifier les fixtures (`admin`/`admin`, `alice`/`alice` d'après CLAUDE.md).
+
+- [ ] **Step 9: php-cs-fixer + commit**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Shared/Domain/Sidebar/SidebarFilter.php src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php config/sidebar.php tests/Unit/Shared/Sidebar/SidebarFilterTest.php tests/Functional/Shared/SidebarEndpointTest.php
+git commit -m "feat(sidebar) : add role gate to sidebar provider and global nav config"
+```
+
+---
+
+### Task 2: Frontend — types + composables partagés (`useModules`, `useSidebar`)
+
+**Files:**
+- Create: `frontend/shared/types/sidebar.ts`
+- Create: `frontend/shared/composables/useModules.ts`
+- Create: `frontend/shared/composables/useSidebar.ts`
+
+> Note : à cette étape `shared/` n'est pas encore dans `imports.dirs` (fait en Task 4). Ces fichiers sont créés ici mais référencés/auto-importés seulement après Task 4 ; le typecheck final de validation se fait donc en fin de Task 4. Cette task se termine sans verif runtime (pur ajout de fichiers).
+
+**Interfaces:**
+- Produces :
+  - `useModules(): { activeModuleIds: Ref<string[]>, loaded: Ref<boolean>, loadModules(): Promise<void>, isModuleActive(id: string): boolean, resetModules(): void }`
+  - `useSidebar(): { sections: Ref<SidebarSection[]>, disabledRoutes: Ref<string[]>, loaded: Ref<boolean>, loadSidebar(): Promise<void>, isRouteDisabled(path: string): boolean, resetSidebar(): void }`
+  - `SidebarSection`, `SidebarItem` (types).
+- Consumes : `useApi()` (auto-importé, déplacé en Task 3 — toujours appelé par nom).
+
+- [ ] **Step 1: Créer les types**
+
+`frontend/shared/types/sidebar.ts` :
+
+```ts
+export type SidebarItem = {
+    label: string
+    to: string
+    icon: string
+}
+
+export type SidebarSection = {
+    label: string
+    icon: string
+    items: SidebarItem[]
+}
+```
+
+- [ ] **Step 2: Créer `useModules`**
+
+`frontend/shared/composables/useModules.ts` (état singleton au niveau module) :
+
+```ts
+const activeModuleIds = ref<string[]>([])
+const loaded = ref(false)
+
+export function useModules() {
+    async function loadModules(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ modules: string[] }>('/modules', {}, { toast: false })
+        activeModuleIds.value = data.modules ?? []
+        loaded.value = true
+    }
+
+    function isModuleActive(id: string): boolean {
+        return activeModuleIds.value.includes(id)
+    }
+
+    function resetModules(): void {
+        activeModuleIds.value = []
+        loaded.value = false
+    }
+
+    return { activeModuleIds, loaded, loadModules, isModuleActive, resetModules }
+}
+```
+
+> Vérifier la signature réelle de `useApi().get` (Task 3 / source actuelle) : `get<T>(url, query?, options?)`. L'option `{ toast: false }` doit exister dans `ApiFetchOptions` ; si la clé diffère (ex. `toastSuccessKey`/`toast`), aligner sur la signature réelle de `useApi.ts`. Si aucune option « silencieux » n'existe, passer `{}`.
+
+- [ ] **Step 3: Créer `useSidebar`**
+
+`frontend/shared/composables/useSidebar.ts` :
+
+```ts
+import type { SidebarSection } from '~/shared/types/sidebar'
+
+const sections = ref<SidebarSection[]>([])
+const disabledRoutes = ref<string[]>([])
+const loaded = ref(false)
+
+export function useSidebar() {
+    async function loadSidebar(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ sections: SidebarSection[]; disabledRoutes: string[] }>(
+            '/sidebar', {}, { toast: false },
+        )
+        sections.value = data.sections ?? []
+        disabledRoutes.value = data.disabledRoutes ?? []
+        loaded.value = true
+    }
+
+    function isRouteDisabled(path: string): boolean {
+        return disabledRoutes.value.some(
+            (disabled) => path === disabled || path.startsWith(disabled + '/'),
+        )
+    }
+
+    function resetSidebar(): void {
+        sections.value = []
+        disabledRoutes.value = []
+        loaded.value = false
+    }
+
+    return { sections, disabledRoutes, loaded, loadSidebar, isRouteDisabled, resetSidebar }
+}
+```
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add frontend/shared/types/sidebar.ts frontend/shared/composables/useModules.ts frontend/shared/composables/useSidebar.ts
+git commit -m "feat(front) : add shared useModules/useSidebar composables and sidebar types"
+```
+
+---
+
+### Task 3: Frontend — déplacer `useApi` et les stores transverses vers `shared/`
+
+**Files:**
+- Move: `frontend/composables/useApi.ts` → `frontend/shared/composables/useApi.ts`
+- Move: `frontend/stores/auth.ts` → `frontend/shared/stores/auth.ts`
+- Move: `frontend/stores/ui.ts` → `frontend/shared/stores/ui.ts`
+
+> `timer.ts` et `mail.ts` **restent** dans `frontend/stores/` (domaines métier non encore migrés en module). On ne déplace que les deux stores transverses (auth, ui) + `useApi`. La résolution effective (auto-import depuis `shared/`) est activée en Task 4 ; cette task fait les `git mv` et termine par un commit. Le typecheck de validation est en Task 4 (après config).
+
+- [ ] **Step 1: Déplacer les fichiers (git mv pour préserver l'historique)**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p shared/stores
+git mv composables/useApi.ts shared/composables/useApi.ts
+git mv stores/auth.ts shared/stores/auth.ts
+git mv stores/ui.ts shared/stores/ui.ts
+```
+
+- [ ] **Step 2: Vérifier qu'aucun import par CHEMIN ne pointe vers les anciens emplacements**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && grep -rn "composables/useApi\|stores/auth\|stores/ui" --include=*.ts --include=*.vue . | grep -v node_modules | grep -v "shared/"`
+Expected: aucun résultat (tout passe par auto-import). Si un import explicite existe (ex. `from '~/composables/useApi'`), le corriger en `from '~/shared/composables/useApi'` ou retirer l'import (auto-import). Noter chaque correction.
+
+> `layouts/default.vue` importe actuellement `useAppVersion` depuis `~/composables/useAppVersion` (NON déplacé) — ne pas y toucher ici.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add -A
+git commit -m "refactor(front) : move useApi and shared stores (auth, ui) to shared/"
+```
+
+---
+
+### Task 4: Frontend — `nuxt.config.ts` (srcDir, dossiers `app/`, scan des layers, auto-imports)
+
+**Files:**
+- Modify: `frontend/nuxt.config.ts`
+- Create: `frontend/modules/.gitkeep` (dossier vide prêt pour le scan)
+- Move: `frontend/layouts/` → `frontend/app/layouts/` (default.vue, auth.vue)
+- Move: `frontend/middleware/` → `frontend/app/middleware/` (auth.global.ts, admin.ts, employee.ts)
+
+**Interfaces:**
+- Produces : structure `app/{layouts,middleware}`, `modules/` scannable, `shared/*` auto-importé.
+
+- [ ] **Step 1: Déplacer layouts et middleware sous `app/`**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p app modules
+git mv layouts app/layouts
+git mv middleware app/middleware
+touch modules/.gitkeep
+git add modules/.gitkeep
+```
+
+- [ ] **Step 2: Réécrire `nuxt.config.ts`**
+
+Remplace INTÉGRALEMENT `frontend/nuxt.config.ts` par (conserve `vite`/`toast` existants — repris depuis la version actuelle) :
+
+```ts
+import { existsSync, readdirSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const modulesDir = resolve(__dirname, 'modules')
+const moduleDirs = existsSync(modulesDir)
+    ? readdirSync(modulesDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name)
+    : []
+const moduleLayers = moduleDirs.map((name) => `./modules/${name}`)
+const moduleComposableDirs = moduleDirs
+    .map((name) => `modules/${name}/composables`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+const moduleStoreDirs = moduleDirs
+    .map((name) => `modules/${name}/stores`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+
+export default defineNuxtConfig({
+    compatibilityDate: '2025-07-15',
+    devtools: { enabled: false },
+    ssr: false,
+    srcDir: '.',
+    css: ['~/assets/css/app.css', '~/assets/css/dark.css'],
+    app: {
+        baseURL: process.env.NODE_ENV === 'production'
+            ? (process.env.NUXT_PUBLIC_APP_BASE || '/')
+            : '/',
+    },
+    extends: ['@malio/layer-ui', ...moduleLayers],
+    modules: [
+        '@nuxtjs/tailwindcss',
+        '@pinia/nuxt',
+        'nuxt-toast',
+        '@nuxtjs/i18n',
+        '@nuxt/icon',
+    ],
+    dir: {
+        layouts: 'app/layouts',
+        middleware: 'app/middleware',
+    },
+    imports: {
+        dirs: [
+            'shared/composables',
+            'shared/stores',
+            'shared/utils',
+            'composables',
+            'stores',
+            'utils',
+            ...moduleComposableDirs,
+            ...moduleStoreDirs,
+        ],
+    },
+    pinia: {
+        storesDirs: ['shared/stores/**', 'stores/**', 'modules/*/stores/**'],
+    },
+    runtimeConfig: {
+        public: {
+            apiBase: process.env.NUXT_PUBLIC_API_BASE,
+        },
+    },
+    devServer: {
+        port: 3002,
+    },
+    components: [
+        { path: '~/components', pathPrefix: false },
+    ],
+    // ⬇️ Reprendre VERBATIM les blocs `vite: {...}`, `toast: {...}`, `i18n: {...}`,
+    //    `typescript: {...}`, `build: {...}` de l'ancien nuxt.config.ts (inchangés).
+    typescript: { strict: true },
+    build: { transpile: ['@vuepic/vue-datepicker'] },
+})
+```
+
+> ⚠️ Les blocs `vite`, `toast`, `i18n` de l'ancienne config ne sont pas réécrits ici : **les recopier à l'identique** depuis la version d'origine (récupérable via `git show HEAD~1:frontend/nuxt.config.ts` après les déplacements). Le `i18n.langDir: 'locales'` reste résolu depuis `i18n/`.
+
+- [ ] **Step 3: Typecheck complet (valide Tasks 2, 3 et 4)**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur. Pièges probables :
+- Store non trouvé → vérifier `pinia.storesDirs` inclut bien `shared/stores/**`.
+- Composable non auto-importé → vérifier `imports.dirs` inclut `shared/composables`.
+- `~/composables/useApi` cassé → un import explicite a survécu (corriger comme Task 3 Step 2).
+
+- [ ] **Step 4: Smoke test runtime — l'app boote et la nav existante fonctionne**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime && make dev-nuxt` (ou rebuild SPA selon le workflow). Ouvrir l'app, se connecter (`alice`/`alice`), vérifier que la sidebar **statique actuelle** s'affiche encore et que la navigation marche (le layout n'est pas encore dynamisé — c'est normal). Aucun écran blanc / erreur console bloquante.
+Expected: app fonctionnelle, identique à avant (les déplacements sont transparents).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add -A
+git commit -m "feat(front) : modular nuxt config with app/ shell dirs and modules/* layer auto-detection"
+```
+
+---
+
+### Task 5: Frontend — middlewares (`auth.global.ts` étendu + `modules.global.ts`)
+
+**Files:**
+- Modify: `frontend/app/middleware/auth.global.ts` (charge sidebar + modules après login ; reset au logout)
+- Create: `frontend/app/middleware/modules.global.ts` (redirige les routes désactivées)
+
+**Interfaces:**
+- Consumes : `useAuthStore()`, `useSidebar()`, `useModules()` (auto-importés).
+
+- [ ] **Step 1: Étendre `auth.global.ts`**
+
+Remplace INTÉGRALEMENT `frontend/app/middleware/auth.global.ts` par :
+
+```ts
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    const isLogin = to.path === '/login'
+
+    if (!auth.checked) {
+        await auth.ensureSession()
+    }
+
+    if (!isLogin && !auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+
+    if (isLogin && auth.isAuthenticated) {
+        return navigateTo('/')
+    }
+
+    const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
+    const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
+
+    if (auth.isAuthenticated) {
+        await Promise.all([
+            sidebarLoaded.value ? Promise.resolve() : loadSidebar(),
+            modulesLoaded.value ? Promise.resolve() : loadModules(),
+        ])
+    } else {
+        // Logout / session expirée : purge l'état partagé pour le prochain login.
+        resetSidebar()
+        resetModules()
+    }
+})
+```
+
+- [ ] **Step 2: Créer `modules.global.ts`**
+
+`frontend/app/middleware/modules.global.ts` :
+
+```ts
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    if (!auth.isAuthenticated) {
+        return
+    }
+
+    const { loaded, loadSidebar, isRouteDisabled } = useSidebar()
+    if (!loaded.value) {
+        await loadSidebar()
+    }
+
+    if (isRouteDisabled(to.path)) {
+        return navigateTo('/')
+    }
+})
+```
+
+> Ordre des middlewares globaux : Nuxt les exécute par ordre alphabétique de nom de fichier → `auth.global.ts` puis `modules.global.ts`. C'est l'ordre voulu (auth charge la sidebar avant que modules teste les routes désactivées).
+
+- [ ] **Step 3: Typecheck**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur.
+
+- [ ] **Step 4: Smoke test — chargement sidebar/modules + redirection**
+
+Avec le dev server : se connecter (`alice`), ouvrir l'onglet Réseau → confirmer un `GET /api/sidebar` et `GET /api/modules` après login. Vérifier la redirection : ajouter TEMPORAIREMENT dans `config/sidebar.php` un item avec `'module' => 'demo'` (module inactif) et un `'to' => '/demo-disabled'`, recharger, confirmer que `/demo-disabled` apparaît dans `disabledRoutes` (réponse `/api/sidebar`) et qu'y naviguer redirige vers `/`. **Puis retirer l'item de démo** (ne pas committer ce stub).
+Expected: appels présents, redirection effective.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add frontend/app/middleware/auth.global.ts frontend/app/middleware/modules.global.ts
+git commit -m "feat(front) : load sidebar/modules after login and redirect disabled routes"
+```
+
+---
+
+### Task 6: Frontend — layout `default.vue` : sidebar dynamique + items conservés
+
+**Files:**
+- Modify: `frontend/app/layouts/default.vue`
+
+**Interfaces:**
+- Consumes : `useSidebar()` (sections dynamiques traduites), `useUiStore()`, `useAuthStore()`, `useI18n()`, + le reste de la logique existante (timer, mail, refData) conservée VERBATIM.
+
+> Stratégie : on remplace le bloc statique des items **globaux** (Tableau de bord, Mes tâches, Projets, Suivi de temps, Absences équipe, Administration) par un rendu **dynamique** issu de `useSidebar()`. On **conserve** les `SidebarLink` des items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail + badge) et user-flag (Mes absences) tels quels. Tout le `<script setup>` non lié à la sidebar (timer, drawer, head, mail polling, refData) est conservé à l'identique.
+
+- [ ] **Step 1: Réécrire le bloc `<nav>` et l'en-tête du `<script setup>` de `frontend/app/layouts/default.vue`**
+
+Dans le `<template>`, remplace le contenu de `<nav class="flex-1 overflow-hidden" …>…</nav>` (lignes ~40-167 de l'original) par :
+
+```vue
+                <nav class="flex-1 overflow-hidden" :class="sidebarIsCollapsed ? 'px-1 pb-6' : 'px-4 pb-6'">
+                    <!-- Sections dynamiques (/api/sidebar) : navigation globale + sections gated par rôle -->
+                    <template v-for="(section, sIndex) in translatedSections" :key="section.label">
+                        <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
+                            {{ section.label }}
+                        </p>
+                        <div v-else class="mx-2 my-3 border-t border-secondary-500" />
+                        <SidebarLink
+                            v-for="item in section.items"
+                            :key="item.to"
+                            :to="item.to"
+                            :icon="item.icon"
+                            :label="item.label"
+                            :collapsed="sidebarIsCollapsed"
+                            @click="ui.closeMobileSidebar()"
+                        />
+
+                        <!-- Items conservés côté client, insérés après la 1re section (cf. décision 3) -->
+                        <template v-if="sIndex === 0">
+                            <!-- Contextuel projet -->
+                            <template v-if="currentProjectId">
+                                <SidebarLink :to="`/projects/${currentProjectId}`" icon="mdi:view-column-outline" label="Kanban" :collapsed="sidebarIsCollapsed" sub exact @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/groups`" icon="mdi:tag-multiple-outline" label="Groupes" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/archives`" icon="mdi:archive-outline" label="Archives" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                            </template>
+                            <!-- Feature-flag : Documents -->
+                            <SidebarLink v-if="isDocumentsVisible" to="/documents" icon="mdi:folder-network-outline" :label="$t('sharedFiles.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                            <!-- Feature-flag : Mail + badge -->
+                            <div v-if="isMailVisible" class="relative">
+                                <SidebarLink to="/mail" icon="mdi:email-outline" :label="$t('mail.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                                <span
+                                    v-if="mailStore.globalUnreadCount > 0"
+                                    class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+                                    :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
+                                    :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+                                >
+                                    {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+                                </span>
+                            </div>
+                            <!-- User-flag : Mes absences (isEmployee — non couvert par le gate rôle) -->
+                            <SidebarLink v-if="isEmployee" to="/absences" icon="mdi:umbrella-beach-outline" label="Mes absences" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                        </template>
+                    </template>
+                </nav>
+```
+
+Dans le `<script setup lang="ts">`, **ajoute** en tête (après les `useXxxStore()` existants) :
+
+```ts
+const { t } = useI18n()
+const { sections } = useSidebar()
+
+const translatedSections = computed(() =>
+    sections.value.map((section) => ({
+        label: t(section.label),
+        icon: section.icon,
+        items: section.items.map((item) => ({
+            label: t(item.label),
+            to: item.to,
+            icon: item.icon,
+        })),
+    })),
+)
+```
+
+**Conserve** tout le reste du `<script setup>` (`isAdmin`, `isEmployee`, `isMailVisible`, `isDocumentsVisible`, `currentProjectId`, `sidebarIsCollapsed`, timer/drawer/head/mail/refData…) et le `<style scoped>` à l'identique. `isAdmin`/`isAbsenceSectionVisible` deviennent inutilisés pour la sidebar (l'admin est gated côté serveur) — si le typecheck signale une variable inutilisée, retirer `isAbsenceSectionVisible` ; garder `isAdmin` s'il sert ailleurs, sinon le retirer aussi.
+
+- [ ] **Step 2: Typecheck**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Expected: 0 erreur (corriger toute variable / tout import inutilisé signalé).
+
+- [ ] **Step 3: Smoke test visuel — non-régression de navigation**
+
+Dev server. Se connecter successivement :
+- `alice` (ROLE_USER) : sidebar affiche Tableau de bord / Mes tâches / Projets / Suivi de temps (dynamiques), + Documents/Mail si visibles, + Mes absences si employé ; **PAS** de section Administration ni Absences équipe.
+- `admin` (ROLE_ADMIN) : en plus, section **Administration** avec Absences équipe + Administration.
+- Entrer dans un projet (`/projects/<id>`) : Kanban/Groupes/Archives apparaissent (contextuel conservé).
+Expected: tous les liens d'avant atteignables ; gating admin respecté. Noter tout délta visuel (ordre) pour validation PO (cf. décision 3).
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add frontend/app/layouts/default.vue
+git commit -m "feat(front) : render dynamic sidebar from /api/sidebar in default layout"
+```
+
+---
+
+### Task 7: Frontend — clés i18n `sidebar.*` + vérification bout-en-bout
+
+**Files:**
+- Modify: `frontend/i18n/locales/fr.json` (ajouter le namespace `sidebar`)
+
+**Interfaces:**
+- Consumes : les labels renvoyés par `/api/sidebar` (`sidebar.general.*`, `sidebar.admin.*`) traduits par `t()` dans `translatedSections`.
+
+- [ ] **Step 1: Repérer la structure du fichier i18n**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && head -20 i18n/locales/fr.json`
+Objectif : connaître l'indentation et confirmer que c'est un objet JSON imbriqué (ajouter une clé racine `sidebar`).
+
+- [ ] **Step 2: Ajouter le namespace `sidebar`**
+
+Ajoute (à la racine de l'objet JSON, en respectant l'indentation existante) :
+
+```json
+  "sidebar": {
+    "general": {
+      "section": "Gestion de projet",
+      "dashboard": "Tableau de bord",
+      "myTasks": "Mes tâches",
+      "projects": "Projets",
+      "timeTracking": "Suivi de temps"
+    },
+    "admin": {
+      "section": "Administration",
+      "teamAbsences": "Absences équipe",
+      "administration": "Administration"
+    }
+  }
+```
+
+> Les libellés reprennent ceux du layout actuel. `sidebar.general.section` = « Gestion de projet » (regroupe désormais le Tableau de bord — délta cosmétique acté, décision 3).
+
+- [ ] **Step 3: Typecheck + smoke i18n**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
+Dev server : confirmer que les en-têtes/labels de sidebar s'affichent **traduits** (pas les clés brutes `sidebar.general.*`).
+Expected: libellés FR corrects.
+
+- [ ] **Step 4: Vérification bout-en-bout de l'activation/désactivation (AC)**
+
+Test manuel documenté (aucun module réel en 0.2) :
+1. Ajouter TEMPORAIREMENT dans `config/sidebar.php` un item avec `'module' => 'demo'`, `'to' => '/projects'` (route existante) dans une section visible.
+2. `config/modules.php` reste vide (module `demo` inactif) → `GET /api/sidebar` doit lister `/projects` dans `disabledRoutes` et masquer l'item ; naviguer vers `/projects` doit rediriger vers `/`.
+3. Ajouter une classe `DemoModule implements ModuleInterface { id()='demo' … }` + `config/modules.php` = `[DemoModule::class]` → l'item réapparaît, `/projects` n'est plus dans `disabledRoutes`, la navigation fonctionne.
+4. **Tout retirer** (item démo + DemoModule + entrée modules.php). Confirmer l'état initial.
+Documenter le résultat dans le message de fin. **Ne rien committer de ce stub.**
+
+- [ ] **Step 5: Suite back + cs-fixer (non-régression globale) + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: vert (inchangé vs Task 1).
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck` → 0 erreur.
+```bash
+git add frontend/i18n/locales/fr.json
+git commit -m "feat(front) : add sidebar i18n labels"
+```
+
+---
+
+## Acceptance check (après toutes les tasks)
+
+- [ ] `frontend/app/{layouts,middleware}`, `frontend/shared/{composables,stores,types}`, `frontend/modules/` (vide) en place ; `nuxt.config.ts` scanne `modules/*/`.
+- [ ] Sidebar **dynamique** alimentée par `/api/sidebar` pour la nav globale ; gate ROLE_ADMIN effectif (admin-only invisible pour `alice`).
+- [ ] Route d'un module désactivé → **redirigée** vers `/` (vérifié via le stub démo).
+- [ ] **Aucune page métier déplacée** ; `frontend/pages/` intact ; tous les liens actuels atteignables.
+- [ ] `npx nuxt typecheck` = 0 erreur ; suite PHPUnit verte ; aucune migration BDD.
+- [ ] Délta cosmétique d'ordre de sidebar présenté au PO pour validation.
+
+## Notes pour le ticket suivant (1.1 — Module Core)
+
+Le 1.1 migrera `User`/Auth dans `src/Module/Core/`, re-pointera `resolve_target_entities` vers `Module\Core\User`, déclarera `CoreModule` (REQUIRED) dans `config/modules.php`, et créera le premier vrai layer front `frontend/modules/core/` (login, profile, admin users) — c'est là que le scan de layers et `useModules`/`useSidebar` prennent tout leur sens (premier item de sidebar avec une clé `module` réelle).
-- 
2.39.5


From 0ee82c8b62915f3fe78e085169a49f286c0e829d Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:03:45 +0200
Subject: [PATCH 09/99] feat(sidebar) : add role gate to sidebar provider and
 global nav config

---
 config/sidebar.php                            | 23 ++++----
 src/Shared/Domain/Sidebar/SidebarFilter.php   | 37 +++++++++++--
 .../ApiPlatform/State/SidebarProvider.php     |  9 +++-
 .../Functional/Shared/SidebarEndpointTest.php | 35 ++++++++++--
 .../Unit/Shared/Sidebar/SidebarFilterTest.php | 53 +++++++++++++++++--
 5 files changed, 137 insertions(+), 20 deletions(-)

diff --git a/config/sidebar.php b/config/sidebar.php
index 15bd7a1..79e4ee6 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -3,8 +3,12 @@
 declare(strict_types=1);
 
 /*
- * Définition de la sidebar (sections + items). Filtrée par SidebarFilter selon les modules actifs.
- * Un item porte une clé `module` quand il appartient à un module activable ; sans clé, il est toujours visible.
+ * Définition de la sidebar (sections + items) — navigation GLOBALE uniquement.
+ * Filtrée par SidebarFilter : `module` (route ajoutée à disabledRoutes si module inactif),
+ * `roles` (section ou item masqué si l'utilisateur n'a aucun des rôles listés ; gate minimal,
+ * le RBAC fin par permission arrive en #1.2).
+ * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail) et user-flag
+ * (Mes absences) restent rendus côté layout, hors de cet endpoint.
  * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
  */
 return [
@@ -13,17 +17,18 @@ return [
         'icon'  => 'mdi:view-dashboard-outline',
         'items' => [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
-            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:checkbox-marked-circle-outline'],
-            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-multiple-outline'],
-            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:clock-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline'],
         ],
     ],
     [
-        'label' => 'sidebar.hr.section',
-        'icon'  => 'mdi:calendar-account-outline',
+        'label' => 'sidebar.admin.section',
+        'icon'  => 'mdi:cog-outline',
+        'roles' => ['ROLE_ADMIN'],
         'items' => [
-            ['label' => 'sidebar.hr.absences', 'to' => '/absences', 'icon' => 'mdi:calendar-remove-outline'],
-            ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group-outline'],
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline'],
+            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline'],
         ],
     ],
 ];
diff --git a/src/Shared/Domain/Sidebar/SidebarFilter.php b/src/Shared/Domain/Sidebar/SidebarFilter.php
index e97ca8d..e740afa 100644
--- a/src/Shared/Domain/Sidebar/SidebarFilter.php
+++ b/src/Shared/Domain/Sidebar/SidebarFilter.php
@@ -7,19 +7,31 @@ namespace App\Shared\Domain\Sidebar;
 final class SidebarFilter
 {
     /**
-     * @param list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sections
-     * @param list<string>                                                                                                     $activeModuleIds
+     * @param list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sections
+     * @param list<string>                                                                                                                                               $activeModuleIds
+     * @param list<string>                                                                                                                                               $activeRoles
      *
      * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
      */
-    public static function filter(array $sections, array $activeModuleIds): array
+    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = []): array
     {
         $outSections    = [];
         $disabledRoutes = [];
 
         foreach ($sections as $section) {
+            // Gate de rôle au niveau section (ne pollue pas disabledRoutes : réservé au filtrage module).
+            if (!self::rolesSatisfied($section['roles'] ?? null, $activeRoles)) {
+                continue;
+            }
+
             $items = [];
             foreach ($section['items'] as $item) {
+                // Gate de rôle au niveau item.
+                if (!self::rolesSatisfied($item['roles'] ?? null, $activeRoles)) {
+                    continue;
+                }
+
+                // Filtrage par module actif (pilote la redirection front via disabledRoutes).
                 $module = $item['module'] ?? null;
                 if (null !== $module && !in_array($module, $activeModuleIds, true)) {
                     $disabledRoutes[] = $item['to'];
@@ -37,4 +49,23 @@ final class SidebarFilter
 
         return ['sections' => $outSections, 'disabledRoutes' => $disabledRoutes];
     }
+
+    /**
+     * @param null|list<string> $required
+     * @param list<string>      $activeRoles
+     */
+    private static function rolesSatisfied(?array $required, array $activeRoles): bool
+    {
+        if (null === $required || [] === $required) {
+            return true;
+        }
+
+        foreach ($required as $role) {
+            if (in_array($role, $activeRoles, true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
index 84333d5..ddcf48c 100644
--- a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -9,6 +9,7 @@ use ApiPlatform\State\ProviderInterface;
 use App\Shared\Domain\Module\ModuleRegistry;
 use App\Shared\Domain\Sidebar\SidebarFilter;
 use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
 final readonly class SidebarProvider implements ProviderInterface
@@ -16,6 +17,7 @@ final readonly class SidebarProvider implements ProviderInterface
     public function __construct(
         #[Autowire('%kernel.project_dir%')]
         private string $projectDir,
+        private Security $security,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): SidebarResource
@@ -23,10 +25,13 @@ final readonly class SidebarProvider implements ProviderInterface
         /** @var list<class-string> $moduleClasses */
         $moduleClasses = require $this->projectDir.'/config/modules.php';
 
-        /** @var list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string, module?:string}>}> $sidebar */
+        /** @var list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sidebar */
         $sidebar = require $this->projectDir.'/config/sidebar.php';
 
-        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses));
+        $user  = $this->security->getUser();
+        $roles = null !== $user ? $user->getRoles() : [];
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles));
 
         $dto                 = new SidebarResource();
         $dto->sections       = $filtered['sections'];
diff --git a/tests/Functional/Shared/SidebarEndpointTest.php b/tests/Functional/Shared/SidebarEndpointTest.php
index 55f0628..9d6058e 100644
--- a/tests/Functional/Shared/SidebarEndpointTest.php
+++ b/tests/Functional/Shared/SidebarEndpointTest.php
@@ -22,9 +22,8 @@ final class SidebarEndpointTest extends WebTestCase
 
     public function testSidebarReturnsSectionsForAuthenticatedUser(): void
     {
-        $client    = self::createClient();
-        $container = self::getContainer();
-        $em        = $container->get('doctrine.orm.entity_manager');
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
 
         $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
         $client->loginUser($user);
@@ -37,4 +36,34 @@ final class SidebarEndpointTest extends WebTestCase
         self::assertArrayHasKey('disabledRoutes', $data);
         self::assertNotEmpty($data['sections']);
     }
+
+    public function testAdminSectionHiddenForNonAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']); // ROLE_USER
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertNotContains('sidebar.admin.section', $labels);
+    }
+
+    public function testAdminSectionVisibleForAdmin(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get('doctrine.orm.entity_manager');
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']); // ROLE_ADMIN
+        $client->loginUser($user);
+
+        $client->request('GET', '/api/sidebar');
+        $data   = json_decode($client->getResponse()->getContent(), true);
+        $labels = array_column($data['sections'], 'label');
+
+        self::assertContains('sidebar.admin.section', $labels);
+    }
 }
diff --git a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
index 22dbf74..ac9315c 100644
--- a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
+++ b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
@@ -20,7 +20,7 @@ final class SidebarFilterTest extends TestCase
             ]],
         ];
 
-        $result = SidebarFilter::filter($sections, []);
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
 
         self::assertCount(1, $result['sections']);
         self::assertSame('/', $result['sections'][0]['items'][0]['to']);
@@ -36,7 +36,7 @@ final class SidebarFilterTest extends TestCase
             ]],
         ];
 
-        $result = SidebarFilter::filter($sections, []);
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
 
         self::assertSame([], $result['sections']);
         self::assertSame(['/time-tracking'], $result['disabledRoutes']);
@@ -50,10 +50,57 @@ final class SidebarFilterTest extends TestCase
             ]],
         ];
 
-        $result = SidebarFilter::filter($sections, ['time_tracking']);
+        $result = SidebarFilter::filter($sections, ['time_tracking'], ['ROLE_USER']);
 
         self::assertCount(1, $result['sections']);
         self::assertSame('/time-tracking', $result['sections'][0]['items'][0]['to']);
         self::assertSame([], $result['disabledRoutes']);
     }
+
+    public function testSectionWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertSame([], $result['sections']);
+        // Filtrage par rôle => PAS de disabledRoutes (réservé au filtrage par module).
+        self::assertSame([], $result['disabledRoutes']);
+    }
+
+    public function testSectionWithRolesIsVisibleWhenRolePresent(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.admin.section', 'icon' => 'mdi:cog', 'roles' => ['ROLE_ADMIN'], 'items' => [
+                ['label' => 'sidebar.admin.admin', 'to' => '/admin', 'icon' => 'mdi:cog'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER', 'ROLE_ADMIN']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertSame('/admin', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]);
+    }
+
+    public function testItemWithRolesIsHiddenWhenRoleMissing(): void
+    {
+        $sections = [
+            ['label' => 'sidebar.hr.section', 'icon' => 'mdi:calendar', 'items' => [
+                ['label' => 'sidebar.hr.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:account-group', 'roles' => ['ROLE_ADMIN']],
+                ['label' => 'sidebar.hr.x', 'to' => '/x', 'icon' => 'mdi:x'],
+            ]],
+        ];
+
+        $result = SidebarFilter::filter($sections, [], ['ROLE_USER']);
+
+        self::assertCount(1, $result['sections']);
+        self::assertCount(1, $result['sections'][0]['items']);
+        self::assertSame('/x', $result['sections'][0]['items'][0]['to']);
+        self::assertArrayNotHasKey('roles', $result['sections'][0]['items'][0]);
+    }
 }
-- 
2.39.5


From 51de96c7973bba3fe3ac3d7f2158a3e421f51206 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:05:35 +0200
Subject: [PATCH 10/99] feat(front) : add shared useModules/useSidebar
 composables and sidebar types

---
 frontend/shared/composables/useModules.ts | 22 ++++++++++++++++
 frontend/shared/composables/useSidebar.ts | 31 +++++++++++++++++++++++
 frontend/shared/types/sidebar.ts          | 11 ++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 frontend/shared/composables/useModules.ts
 create mode 100644 frontend/shared/composables/useSidebar.ts
 create mode 100644 frontend/shared/types/sidebar.ts

diff --git a/frontend/shared/composables/useModules.ts b/frontend/shared/composables/useModules.ts
new file mode 100644
index 0000000..873c9cb
--- /dev/null
+++ b/frontend/shared/composables/useModules.ts
@@ -0,0 +1,22 @@
+const activeModuleIds = ref<string[]>([])
+const loaded = ref(false)
+
+export function useModules() {
+    async function loadModules(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ modules: string[] }>('/modules', {}, { toast: false })
+        activeModuleIds.value = data.modules ?? []
+        loaded.value = true
+    }
+
+    function isModuleActive(id: string): boolean {
+        return activeModuleIds.value.includes(id)
+    }
+
+    function resetModules(): void {
+        activeModuleIds.value = []
+        loaded.value = false
+    }
+
+    return { activeModuleIds, loaded, loadModules, isModuleActive, resetModules }
+}
diff --git a/frontend/shared/composables/useSidebar.ts b/frontend/shared/composables/useSidebar.ts
new file mode 100644
index 0000000..5004182
--- /dev/null
+++ b/frontend/shared/composables/useSidebar.ts
@@ -0,0 +1,31 @@
+import type { SidebarSection } from '~/shared/types/sidebar'
+
+const sections = ref<SidebarSection[]>([])
+const disabledRoutes = ref<string[]>([])
+const loaded = ref(false)
+
+export function useSidebar() {
+    async function loadSidebar(): Promise<void> {
+        const api = useApi()
+        const data = await api.get<{ sections: SidebarSection[]; disabledRoutes: string[] }>(
+            '/sidebar', {}, { toast: false },
+        )
+        sections.value = data.sections ?? []
+        disabledRoutes.value = data.disabledRoutes ?? []
+        loaded.value = true
+    }
+
+    function isRouteDisabled(path: string): boolean {
+        return disabledRoutes.value.some(
+            (disabled) => path === disabled || path.startsWith(disabled + '/'),
+        )
+    }
+
+    function resetSidebar(): void {
+        sections.value = []
+        disabledRoutes.value = []
+        loaded.value = false
+    }
+
+    return { sections, disabledRoutes, loaded, loadSidebar, isRouteDisabled, resetSidebar }
+}
diff --git a/frontend/shared/types/sidebar.ts b/frontend/shared/types/sidebar.ts
new file mode 100644
index 0000000..0f4057f
--- /dev/null
+++ b/frontend/shared/types/sidebar.ts
@@ -0,0 +1,11 @@
+export type SidebarItem = {
+    label: string
+    to: string
+    icon: string
+}
+
+export type SidebarSection = {
+    label: string
+    icon: string
+    items: SidebarItem[]
+}
-- 
2.39.5


From 1aa43a53569d81cf63b3ca3b6135194a81773a44 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:06:50 +0200
Subject: [PATCH 11/99] refactor(front) : move useApi and shared stores (auth,
 ui) to shared/

---
 frontend/components/mail/MailCreateTaskModal.vue | 2 +-
 frontend/{ => shared}/composables/useApi.ts      | 2 +-
 frontend/{ => shared}/stores/auth.ts             | 0
 frontend/{ => shared}/stores/ui.ts               | 0
 4 files changed, 2 insertions(+), 2 deletions(-)
 rename frontend/{ => shared}/composables/useApi.ts (99%)
 rename frontend/{ => shared}/stores/auth.ts (100%)
 rename frontend/{ => shared}/stores/ui.ts (100%)

diff --git a/frontend/components/mail/MailCreateTaskModal.vue b/frontend/components/mail/MailCreateTaskModal.vue
index 64e3fa4..3b75539 100644
--- a/frontend/components/mail/MailCreateTaskModal.vue
+++ b/frontend/components/mail/MailCreateTaskModal.vue
@@ -8,7 +8,7 @@ import { useMailService } from '~/services/mail'
 import { useProjectService } from '~/services/projects'
 import { useTaskGroupService } from '~/services/task-groups'
 import { useUserService } from '~/services/users'
-import { useAuthStore } from '~/stores/auth'
+import { useAuthStore } from '~/shared/stores/auth'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/composables/useApi.ts b/frontend/shared/composables/useApi.ts
similarity index 99%
rename from frontend/composables/useApi.ts
rename to frontend/shared/composables/useApi.ts
index bac2544..8ebb4f1 100644
--- a/frontend/composables/useApi.ts
+++ b/frontend/shared/composables/useApi.ts
@@ -1,6 +1,6 @@
 import type { FetchOptions } from 'ofetch'
 import { $fetch, FetchError } from 'ofetch'
-import { useAuthStore } from '~/stores/auth'
+import { useAuthStore } from '~/shared/stores/auth'
 
 export type AnyObject = Record<string, unknown>
 
diff --git a/frontend/stores/auth.ts b/frontend/shared/stores/auth.ts
similarity index 100%
rename from frontend/stores/auth.ts
rename to frontend/shared/stores/auth.ts
diff --git a/frontend/stores/ui.ts b/frontend/shared/stores/ui.ts
similarity index 100%
rename from frontend/stores/ui.ts
rename to frontend/shared/stores/ui.ts
-- 
2.39.5


From b00e92bdd3bc7eff0a42b5cbd5bd7934ef05cc5f Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:24:57 +0200
Subject: [PATCH 12/99] feat(front) : modular nuxt config with app/ shell dirs
 and modules/* layer auto-detection

---
 frontend/{ => app}/layouts/auth.vue          |  0
 frontend/{ => app}/layouts/default.vue       |  0
 frontend/{ => app}/middleware/admin.ts       |  0
 frontend/{ => app}/middleware/auth.global.ts |  0
 frontend/{ => app}/middleware/employee.ts    |  0
 frontend/modules/.gitkeep                    |  0
 frontend/nuxt.config.ts                      | 57 +++++++++++++++-----
 7 files changed, 45 insertions(+), 12 deletions(-)
 rename frontend/{ => app}/layouts/auth.vue (100%)
 rename frontend/{ => app}/layouts/default.vue (100%)
 rename frontend/{ => app}/middleware/admin.ts (100%)
 rename frontend/{ => app}/middleware/auth.global.ts (100%)
 rename frontend/{ => app}/middleware/employee.ts (100%)
 create mode 100644 frontend/modules/.gitkeep

diff --git a/frontend/layouts/auth.vue b/frontend/app/layouts/auth.vue
similarity index 100%
rename from frontend/layouts/auth.vue
rename to frontend/app/layouts/auth.vue
diff --git a/frontend/layouts/default.vue b/frontend/app/layouts/default.vue
similarity index 100%
rename from frontend/layouts/default.vue
rename to frontend/app/layouts/default.vue
diff --git a/frontend/middleware/admin.ts b/frontend/app/middleware/admin.ts
similarity index 100%
rename from frontend/middleware/admin.ts
rename to frontend/app/middleware/admin.ts
diff --git a/frontend/middleware/auth.global.ts b/frontend/app/middleware/auth.global.ts
similarity index 100%
rename from frontend/middleware/auth.global.ts
rename to frontend/app/middleware/auth.global.ts
diff --git a/frontend/middleware/employee.ts b/frontend/app/middleware/employee.ts
similarity index 100%
rename from frontend/middleware/employee.ts
rename to frontend/app/middleware/employee.ts
diff --git a/frontend/modules/.gitkeep b/frontend/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/frontend/nuxt.config.ts b/frontend/nuxt.config.ts
index 1f8c5b9..2819db7 100644
--- a/frontend/nuxt.config.ts
+++ b/frontend/nuxt.config.ts
@@ -1,14 +1,32 @@
+import { existsSync, readdirSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const modulesDir = resolve(__dirname, 'modules')
+const moduleDirs = existsSync(modulesDir)
+    ? readdirSync(modulesDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name)
+    : []
+const moduleLayers = moduleDirs.map((name) => `./modules/${name}`)
+const moduleComposableDirs = moduleDirs
+    .map((name) => `modules/${name}/composables`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+const moduleStoreDirs = moduleDirs
+    .map((name) => `modules/${name}/stores`)
+    .filter((path) => existsSync(resolve(__dirname, path)))
+
 export default defineNuxtConfig({
     compatibilityDate: '2025-07-15',
-    devtools: {enabled: false},
+    devtools: { enabled: false },
     ssr: false,
+    srcDir: '.',
     css: ['~/assets/css/app.css', '~/assets/css/dark.css'],
     app: {
         baseURL: process.env.NODE_ENV === 'production'
             ? (process.env.NUXT_PUBLIC_APP_BASE || '/')
-            : '/'
+            : '/',
     },
-    extends: ['@malio/layer-ui'],
+    extends: ['@malio/layer-ui', ...moduleLayers],
     modules: [
         '@nuxtjs/tailwindcss',
         '@pinia/nuxt',
@@ -16,16 +34,35 @@ export default defineNuxtConfig({
         '@nuxtjs/i18n',
         '@nuxt/icon',
     ],
+    dir: {
+        layouts: 'app/layouts',
+        middleware: 'app/middleware',
+    },
+    imports: {
+        dirs: [
+            'shared/composables',
+            'shared/stores',
+            'shared/utils',
+            'composables',
+            'stores',
+            'utils',
+            ...moduleComposableDirs,
+            ...moduleStoreDirs,
+        ],
+    },
+    pinia: {
+        storesDirs: ['shared/stores/**', 'stores/**', 'modules/*/stores/**'],
+    },
     runtimeConfig: {
         public: {
-            apiBase: process.env.NUXT_PUBLIC_API_BASE
-        }
+            apiBase: process.env.NUXT_PUBLIC_API_BASE,
+        },
     },
     devServer: {
         port: 3002,
     },
     components: [
-        {path: '~/components', pathPrefix: false},
+        { path: '~/components', pathPrefix: false },
     ],
     vite: {
         server: {
@@ -56,10 +93,6 @@ export default defineNuxtConfig({
             {code: 'fr', file: 'fr.json', name: 'Français'}
         ],
     },
-    typescript: {
-        strict: true
-    },
-    build: {
-        transpile: ['@vuepic/vue-datepicker']
-    }
+    typescript: { strict: true },
+    build: { transpile: ['@vuepic/vue-datepicker'] },
 })
-- 
2.39.5


From fcfb16fc5b995e15d1ed373341adf82dc15e1269 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:25:39 +0200
Subject: [PATCH 13/99] docs : correct LST-62 front verification gate
 (typecheck is not green on this stack)

---
 docs/superpowers/plans/2026-06-19-lst-62-socle-front.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
index 9885c9a..506814d 100644
--- a/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
+++ b/docs/superpowers/plans/2026-06-19-lst-62-socle-front.md
@@ -27,10 +27,17 @@
 ## Vérification (pas de runner de tests JS dans ce projet)
 
 - **Back (Task 1)** : vraie TDD PHPUnit.
-- **Front (Tasks 2-7)** : la verif = `typecheck` Nuxt + smoke test runtime. Commandes :
+- **Front (Tasks 2-7)** : la verif = `typecheck` Nuxt (en LECTURE différentielle, cf. ci-dessous) + smoke test runtime. Commandes :
   - Typecheck : `cd /home/matthieu/dev_malio/Lesstime/frontend && npx nuxt typecheck`
   - Runtime : dev server `make dev-nuxt` (port 3002, proxy `/api` → nginx) ; vérifier manuellement la navigation + `curl` des endpoints via nginx (`http://localhost:8082/api/...`). Les containers sont up.
 
+> **⚠️ `nuxt typecheck` n'est PAS un gate vert sur ce projet (constat 2026-06-19).** Le baseline Lesstime est déjà rouge (~230 lignes `error TS`), et le projet de référence **Starseed (même Nuxt 4.3.1, même layout `shared/` + `srcDir: '.'`) ship en prod avec 325 erreurs `error TS`**. Ces erreurs sont des classes structurelles attendues, pas des régressions :
+> - dans `shared/composables/*` et `shared/stores/*` : `Cannot find name 'ref'/'useApi'/'useRoute'/'navigateTo'/'defineStore'/'useToast'/'useNuxtApp'…` — Nuxt 4 type le dossier `shared/` sous un `tsconfig.shared.json` isolé sans les globals d'auto-import, alors que `imports.dirs` les rend bien disponibles au RUNTIME (vérifié dans `.nuxt/imports.d.ts`). Starseed a exactement ces 15 erreurs et fonctionne.
+> - dans `nuxt.config.ts` : `node:fs`/`node:path`/`__dirname`/`process` (pas de `@types/node` — comme Starseed) ; ce fichier est compilé par Nuxt au runtime, pas par `tsc`.
+> - dans `useApi.ts` : `Property 'url' does not exist…` (préexistant, code forké de Starseed).
+>
+> **Le vrai gate front** = (1) **ZÉRO erreur `Cannot find module '~/shared/…'` / chemin cassé** (sinon un import a vraiment été cassé par un déplacement) ; (2) les auto-imports attendus présents dans `.nuxt/imports.d.ts` ; (3) smoke runtime sur le dev server. Ne JAMAIS s'arrêter sur les classes d'erreurs structurelles ci-dessus — elles sont identiques à la référence Starseed.
+
 ---
 
 ### Task 1: Backend — gate de rôle dans la sidebar (`roles`) + config complète
-- 
2.39.5


From a62083355080359fb7dc7bbf1e9b16aa47eda0e4 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:28:16 +0200
Subject: [PATCH 14/99] feat(front) : load sidebar/modules after login and
 redirect disabled routes

---
 frontend/app/middleware/auth.global.ts    | 14 ++++++++++++++
 frontend/app/middleware/modules.global.ts | 15 +++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 frontend/app/middleware/modules.global.ts

diff --git a/frontend/app/middleware/auth.global.ts b/frontend/app/middleware/auth.global.ts
index 18799ca..4c98f1e 100644
--- a/frontend/app/middleware/auth.global.ts
+++ b/frontend/app/middleware/auth.global.ts
@@ -13,4 +13,18 @@ export default defineNuxtRouteMiddleware(async (to) => {
     if (isLogin && auth.isAuthenticated) {
         return navigateTo('/')
     }
+
+    const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
+    const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
+
+    if (auth.isAuthenticated) {
+        await Promise.all([
+            sidebarLoaded.value ? Promise.resolve() : loadSidebar(),
+            modulesLoaded.value ? Promise.resolve() : loadModules(),
+        ])
+    } else {
+        // Logout / session expirée : purge l'état partagé pour le prochain login.
+        resetSidebar()
+        resetModules()
+    }
 })
diff --git a/frontend/app/middleware/modules.global.ts b/frontend/app/middleware/modules.global.ts
new file mode 100644
index 0000000..3cd5f22
--- /dev/null
+++ b/frontend/app/middleware/modules.global.ts
@@ -0,0 +1,15 @@
+export default defineNuxtRouteMiddleware(async (to) => {
+    const auth = useAuthStore()
+    if (!auth.isAuthenticated) {
+        return
+    }
+
+    const { loaded, loadSidebar, isRouteDisabled } = useSidebar()
+    if (!loaded.value) {
+        await loadSidebar()
+    }
+
+    if (isRouteDisabled(to.path)) {
+        return navigateTo('/')
+    }
+})
-- 
2.39.5


From 977e74f6692661300c72b6282f3aae009f399ae6 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:32:23 +0200
Subject: [PATCH 15/99] feat(front) : render dynamic sidebar from /api/sidebar
 in default layout

---
 frontend/app/layouts/default.vue | 168 +++++++++----------------------
 1 file changed, 48 insertions(+), 120 deletions(-)

diff --git a/frontend/app/layouts/default.vue b/frontend/app/layouts/default.vue
index 70ec12b..9012026 100644
--- a/frontend/app/layouts/default.vue
+++ b/frontend/app/layouts/default.vue
@@ -38,131 +38,47 @@
                     </button>
                 </div>
                 <nav class="flex-1 overflow-hidden" :class="sidebarIsCollapsed ? 'px-1 pb-6' : 'px-4 pb-6'">
-                    <SidebarLink
-                        to="/"
-                        icon="mdi:view-dashboard-outline"
-                        label="Tableau de bord"
-                        :collapsed="sidebarIsCollapsed"
-                        :class="sidebarIsCollapsed ? 'mt-4' : 'border-t border-secondary-500 pt-6'"
-                        @click="ui.closeMobileSidebar()"
-                    />
-
-                    <!-- Section : Gestion de projet -->
-                    <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                        Gestion de projet
-                    </p>
-                    <div v-else class="mx-2 my-3 border-t border-secondary-500" />
-                    <SidebarLink
-                        to="/my-tasks"
-                        icon="mdi:clipboard-check-outline"
-                        label="Mes tâches"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        to="/projects"
-                        icon="mdi:folder-outline"
-                        label="Projets"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <template v-if="currentProjectId">
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}`"
-                            icon="mdi:view-column-outline"
-                            label="Kanban"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            exact
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}/groups`"
-                            icon="mdi:tag-multiple-outline"
-                            label="Groupes"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <SidebarLink
-                            :to="`/projects/${currentProjectId}/archives`"
-                            icon="mdi:archive-outline"
-                            label="Archives"
-                            :collapsed="sidebarIsCollapsed"
-                            sub
-                            @click="ui.closeMobileSidebar()"
-                        />
-                    </template>
-                    <SidebarLink
-                        to="/time-tracking"
-                        icon="mdi:calendar-edit-outline"
-                        label="Suivi de temps"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        v-if="isDocumentsVisible"
-                        to="/documents"
-                        icon="mdi:folder-network-outline"
-                        :label="$t('sharedFiles.sidebar.title')"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <div v-if="isMailVisible" class="relative">
-                        <SidebarLink
-                            to="/mail"
-                            icon="mdi:email-outline"
-                            :label="$t('mail.sidebar.title')"
-                            :collapsed="sidebarIsCollapsed"
-                            @click="ui.closeMobileSidebar()"
-                        />
-                        <span
-                            v-if="mailStore.globalUnreadCount > 0"
-                            class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
-                            :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
-                            :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
-                        >
-                            {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
-                        </span>
-                    </div>
-
-                    <!-- Section : Absences -->
-                    <template v-if="isAbsenceSectionVisible">
+                    <!-- Sections dynamiques (/api/sidebar) : navigation globale + sections gated par rôle -->
+                    <template v-for="(section, sIndex) in translatedSections" :key="section.label">
                         <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                            Absences
-                        </p>
-                        <div v-else class="mx-2 my-3 border-t border-secondary-500" />
-                    </template>
-                    <SidebarLink
-                        v-if="isEmployee"
-                        to="/absences"
-                        icon="mdi:umbrella-beach-outline"
-                        label="Mes absences"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-                    <SidebarLink
-                        v-if="isAdmin"
-                        to="/team-absences"
-                        icon="mdi:calendar-account-outline"
-                        label="Absences équipe"
-                        :collapsed="sidebarIsCollapsed"
-                        @click="ui.closeMobileSidebar()"
-                    />
-
-                    <!-- Section : Administration (admin only) -->
-                    <template v-if="isAdmin">
-                        <p v-if="!sidebarIsCollapsed" class="px-4 pt-5 pb-1 text-xs font-semibold uppercase tracking-wider text-neutral-400">
-                            Administration
+                            {{ section.label }}
                         </p>
                         <div v-else class="mx-2 my-3 border-t border-secondary-500" />
                         <SidebarLink
-                            to="/admin"
-                            icon="mdi:cog-outline"
-                            label="Administration"
+                            v-for="item in section.items"
+                            :key="item.to"
+                            :to="item.to"
+                            :icon="item.icon"
+                            :label="item.label"
                             :collapsed="sidebarIsCollapsed"
                             @click="ui.closeMobileSidebar()"
                         />
+
+                        <!-- Items conservés côté client, insérés après la 1re section (cf. décision 3) -->
+                        <template v-if="sIndex === 0">
+                            <!-- Contextuel projet -->
+                            <template v-if="currentProjectId">
+                                <SidebarLink :to="`/projects/${currentProjectId}`" icon="mdi:view-column-outline" label="Kanban" :collapsed="sidebarIsCollapsed" sub exact @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/groups`" icon="mdi:tag-multiple-outline" label="Groupes" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                                <SidebarLink :to="`/projects/${currentProjectId}/archives`" icon="mdi:archive-outline" label="Archives" :collapsed="sidebarIsCollapsed" sub @click="ui.closeMobileSidebar()" />
+                            </template>
+                            <!-- Feature-flag : Documents -->
+                            <SidebarLink v-if="isDocumentsVisible" to="/documents" icon="mdi:folder-network-outline" :label="$t('sharedFiles.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                            <!-- Feature-flag : Mail + badge -->
+                            <div v-if="isMailVisible" class="relative">
+                                <SidebarLink to="/mail" icon="mdi:email-outline" :label="$t('mail.sidebar.title')" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                                <span
+                                    v-if="mailStore.globalUnreadCount > 0"
+                                    class="pointer-events-none absolute right-3 top-1/2 flex h-5 min-w-5 -translate-y-1/2 items-center justify-center rounded-full bg-red-500 px-1 text-xs font-bold text-white"
+                                    :class="{ 'right-1 top-1 translate-y-0': sidebarIsCollapsed }"
+                                    :aria-label="`${mailStore.globalUnreadCount} messages non lus`"
+                                >
+                                    {{ mailStore.globalUnreadCount > 99 ? '99+' : mailStore.globalUnreadCount }}
+                                </span>
+                            </div>
+                            <!-- User-flag : Mes absences (isEmployee — non couvert par le gate rôle) -->
+                            <SidebarLink v-if="isEmployee" to="/absences" icon="mdi:umbrella-beach-outline" label="Mes absences" :collapsed="sidebarIsCollapsed" @click="ui.closeMobileSidebar()" />
+                        </template>
                     </template>
                 </nav>
 
@@ -220,10 +136,22 @@ const ui = useUiStore()
 const mailStore = useMailStore()
 const {version} = useAppVersion()
 const route = useRoute()
+const { t } = useI18n()
+const { sections } = useSidebar()
+
+const translatedSections = computed(() =>
+    sections.value.map((section) => ({
+        label: t(section.label),
+        icon: section.icon,
+        items: section.items.map((item) => ({
+            label: t(item.label),
+            to: item.to,
+            icon: item.icon,
+        })),
+    })),
+)
 
-const isAdmin = computed(() => (auth.user?.roles ?? []).includes('ROLE_ADMIN'))
 const isEmployee = computed(() => Boolean(auth.user?.isEmployee))
-const isAbsenceSectionVisible = computed(() => isEmployee.value || isAdmin.value)
 
 const isMailVisible = computed(() => {
     const roles: string[] = auth.user?.roles ?? []
-- 
2.39.5


From fdcf8df5189295f446546956e35ee3a3a6775533 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:33:59 +0200
Subject: [PATCH 16/99] feat(front) : add sidebar i18n labels

---
 frontend/i18n/locales/fr.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 3b3fbff..5711583 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -296,7 +296,19 @@
         }
     },
     "sidebar": {
-        "myTasks": "Mes tâches"
+        "myTasks": "Mes tâches",
+        "general": {
+            "section": "Gestion de projet",
+            "dashboard": "Tableau de bord",
+            "myTasks": "Mes tâches",
+            "projects": "Projets",
+            "timeTracking": "Suivi de temps"
+        },
+        "admin": {
+            "section": "Administration",
+            "teamAbsences": "Absences équipe",
+            "administration": "Administration"
+        }
     },
     "common": {
         "cancel": "Annuler",
-- 
2.39.5


From d1a980d1c2926104fb11d900bc67e554904f5b26 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:37:03 +0200
Subject: [PATCH 17/99] docs : log LST-62 socle front session learnings

---
 .claude/skills/ticket-executor/LEARNINGS.md | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index 4799a5a..abe479e 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -73,8 +73,30 @@
 ### Time tracking
 - Le sous-agent a stoppé lui-même le timer d'implémentation (id 1005, 35 min) — garder le time-tracking sur la session principale pour rester maître du chrono si un sous-agent a accès aux tools MCP lesstime.
 
+## Session 2026-06-19 (LST-62 / 0.2 — Socle front : shell + auto-détection layers Nuxt)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-62-socle-front.md`), 7 tasks. Exécution en 3 sous-agents (Task 1 back ; Tasks 2-4 fondations front ; Tasks 5-7 middlewares/layout/i18n), pilotage chrono/MCP/vérif sur la session principale.
+- 7 commits + 1 commit doc de correction du plan. Back : 115 tests verts (110 + 5 nouveaux cas gate rôle).
+
+### Patterns
+- **Gate de rôle additif dans la sidebar** : clé `roles` optionnelle sur section/item dans `config/sidebar.php` ; `SidebarFilter::filter($sections, $activeModuleIds, $activeRoles = [])` masque sans polluer `disabledRoutes` (réservé au filtrage par module). `SidebarProvider` injecte `Symfony\Bundle\SecurityBundle\Security` et passe `array_values($user->getRoles())`. ROLE_ADMIN seulement (pas le RBAC fin, qui viendra en 1.1/1.2).
+- **Layout front aligné Starseed** (vérifié dans le code Starseed) : `srcDir: '.'`, `dir.layouts/middleware → app/`, code transverse auto-importé sous `shared/{composables,stores,utils}` via `imports.dirs` EXPLICITE, scan `readdirSync('modules/')` → `extends` + dossiers `modules/*/composables` ajoutés dynamiquement à `imports.dirs`. `useApi`/`auth`/`ui` déplacés par `git mv` (historique préservé) ; `timer.ts`/`mail.ts` restent dans `stores/` (métier non migré).
+- **Singletons module-level** : `useSidebar`/`useModules` portent leur état en `ref` au niveau module ; reset explicite au logout depuis `auth.global.ts` (l'approche Starseed via callback `onAuthSessionCleared()` est une alternative non retenue ici).
+
+### Gotchas
+- **`nuxt typecheck` n'est PAS un gate vert sur ce stack** : le baseline Lesstime est rouge (~230 lignes `error TS`) et la RÉFÉRENCE Starseed (même Nuxt 4.3.1, même layout) ship en prod avec **325 erreurs**. Classes structurelles tolérées : `Cannot find name 'ref'/'useApi'/'useRoute'/'navigateTo'/'defineStore'…` dans `shared/` (Nuxt 4 type `shared/` sous un `tsconfig.shared.json` isolé sans les globals d'auto-import, alors que `imports.dirs` les expose au RUNTIME — vérifié dans `.nuxt/imports.d.ts`), erreurs `nuxt.config.ts` (`node:fs`/`process`/`__dirname`, pas de `@types/node`, compilé au runtime par Nuxt), `useApi.ts` 'Property url'. **Le vrai gate** = zéro `Cannot find module '~/shared/…'` (= vrai import cassé) + auto-imports présents dans `.nuxt/imports.d.ts` + smoke runtime. Un sous-agent consciencieux s'est arrêté à tort sur ces erreurs ("bloqueur irréductible") → toujours vérifier le gate contre la réf Starseed avant de conclure à un blocage.
+- **Vérif backend live > typecheck front** : le gate de rôle a été prouvé via curl réel (`/api/login_check` → cookie BEARER → `GET /api/sidebar`) : `alice` (ROLE_USER) n'a que la section générale, `admin` (ROLE_ADMIN) a Administration, non-auth = 401. Plus fiable que le typecheck sur ce stack.
+- **i18n `fr.json`** : une clé racine `sidebar` préexistait (avec un `myTasks` orphelin) → fusionner les sous-namespaces plutôt que dupliquer la clé racine (JSON invalide sinon).
+
+### Statut / time tracking
+- Ticket laissé en **"En attente de validation" (4)**, pas "Terminé" : smoke visuel front (dev server + navigateur) et sign-off du **délta cosmétique d'ordre de sidebar** (décision 3 du plan) relèvent du PO. Implémentation + AC API validés.
+- Time-tracking 100 % sur la session principale cette fois (consigne des sous-agents : ne jamais toucher aux outils `mcp__lesstime__*`) — respecté.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
+- **Commits concurrents**: NE PAS lancer deux sous-agents qui committent sur le même repo en parallèle (collision `.git/index.lock`) — séquencer.
+- **Gate de vérif fourni par le plan**: si un plan fixe un seuil (ex "typecheck 0 erreur"), le confronter à la réalité du projet/réf AVANT de bloquer dessus ; corriger le plan si le seuil est faux.
 - **MCP status**: Toujours mettre "En cours" AVANT de commencer, "Terminé" APRÈS validation
 - **PostgreSQL gotchas**: Tester les queries SQL avec agrégation + locking sur PostgreSQL, pas MySQL
 - **Agents**: Les agents simples (1-3 fichiers) terminent en ~30s, les complexes (22 fichiers) en ~8min
-- 
2.39.5


From 8865bf51e6e5e5b3dcc677614a640386dd934d09 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:50:32 +0200
Subject: [PATCH 18/99] docs : add implementation plan for module core (LST-63
 / 1.1)

---
 .../plans/2026-06-19-lst-63-module-core.md    | 732 ++++++++++++++++++
 1 file changed, 732 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-63-module-core.md

diff --git a/docs/superpowers/plans/2026-06-19-lst-63-module-core.md b/docs/superpowers/plans/2026-06-19-lst-63-module-core.md
new file mode 100644
index 0000000..1d7252e
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-63-module-core.md
@@ -0,0 +1,732 @@
+# LST-63 (1.1) — Module Core : Identité (User/Auth/JWT) & Notifications — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Migrer l'identité (`User` + Auth/JWT + password hashing + `MeProvider`) et les notifications dans `src/Module/Core/`, exposer le contrat `UserInterface` enrichi + `NotifierInterface`, déclarer `CoreModule` (REQUIRED), et créer le premier vrai layer front `modules/core/` — **sans aucune migration destructive et sans casser le login à aucune étape**.
+
+**Architecture:** Strangler 100 % additif, phasé. On déplace physiquement la classe `User` vers `App\Module\Core\Domain\Entity\User` (table `user` inchangée → zéro migration), on re-pointe `resolve_target_entities` et le provider de sécurité, puis on bascule les 8 relations d'entités et les 26 consommateurs du concret `App\Entity\User` vers le **contrat** `App\Shared\Domain\Contract\UserInterface` (enrichi des accessors réellement utilisés). Les notifications passent par un `NotifierInterface` (impl Core). Chaque phase laisse `make test` vert ET le login JWT fonctionnel (re-vérifié par curl).
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / lexik/jwt-authentication / PostgreSQL 16 / PHPUnit 13 — front Nuxt 4.3 / Vue 3.5 / Pinia 3.
+
+## Global Constraints
+
+- **`declare(strict_types=1);`** en tête de chaque fichier PHP.
+- **Zéro migration destructive** : le déplacement de namespace ne change ni la table (`user`) ni les colonnes → `doctrine:migrations:diff` doit produire un diff VIDE. Si un diff non vide apparaît, c'est un bug (mapping mal recopié) — corriger, ne pas générer la migration.
+- **Login JWT fonctionnel à chaque phase** : vérif curl obligatoire (voir « Vérification login » ci-dessous) après toute phase touchant `User`/sécurité.
+- **AC ticket** : (1) login/JWT OK via le module ; (2) aucun `use App\Entity\User;` hors `src/Module/Core/` ; (3) `make test` vert, aucune migration destructive.
+- **Commits** : `<type>(<scope>) : <message>` (espaces autour du `:`). **Jamais** de mention IA/Claude/Anthropic.
+- **`config/reference.php`** : auto-généré, **jamais committé** (apparaît modifié dans `git status`).
+- **Tests** : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`. Baseline avant ce ticket : **115 tests, 227 assertions** (16 PHPUnit Notices préexistantes, non bloquantes).
+- **Front** : `nuxt typecheck` n'est PAS un gate vert sur ce stack (cf. plan LST-62) — gate front = zéro `Cannot find module`, auto-imports présents dans `.nuxt/imports.d.ts`, smoke runtime.
+- **PostgreSQL** : noms de colonnes en minuscules dans le SQL brut.
+
+## Vérification login (à exécuter après chaque phase back touchant User/sécurité)
+
+```bash
+# Doit renvoyer http=204 (cookie BEARER posé) puis le profil courant
+curl -s -c /tmp/cj.txt -X POST http://localhost:8082/api/login_check \
+  -H "Content-Type: application/json" -d '{"username":"alice","password":"alice"}' \
+  -o /dev/null -w "login http=%{http_code}\n"
+curl -s -b /tmp/cj.txt http://localhost:8082/api/me -w "\nme http=%{http_code}\n" | head -c 400
+# MCP apiToken (ApiTokenAuthenticator) — admin
+curl -s -X POST http://localhost:8082/_mcp -H "Authorization: Bearer dev-mcp-token-for-testing-only-do-not-use-in-production" \
+  -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":1,"method":"ping"}' -o /dev/null -w "mcp http=%{http_code}\n"
+```
+Attendu : `login http=204`, `me http=200` avec le JSON de l'utilisateur (`username`, `roles`), MCP répond (200). **Si l'un casse, arrêter la phase et corriger avant de committer.**
+
+## Décisions de conception (actées, à valider PO a posteriori)
+
+1. **`UserInterface` enrichi (contrat de lecture)** — plutôt que de garder `App\Entity\User` partout, on enrichit `App\Shared\Domain\Contract\UserInterface` des accessors **réellement consommés** hors Core (lecture). Les setters/écriture restent sur le concret (Core uniquement). Cela permet de typer les 8 relations et les 26 consommateurs sur le contrat sans casse.
+2. **Move physique, table inchangée** — `User` change de namespace mais garde `#[ORM\Table(name: '`user`')]` et toutes ses colonnes → aucune migration. La classe reste une entité Doctrine mappée (nouveau dir de mapping `Core`).
+3. **Relations via le contrat** — les 8 entités passent à `targetEntity: UserInterface::class` + type `?UserInterface`, résolu par `resolve_target_entities → Core\User`. C'est le pattern Starseed.
+4. **Notification dans Core + `NotifierInterface`** — `Notification` migre dans Core (couplée à l'identité) ; la création de notif passe par `NotifierInterface` (impl Core), `TaskNotificationListener` (qui reste legacy en Phase D) en dépend par contrat. L'API REST `/api/notifications` est préservée à l'identique.
+5. **Front layer `modules/core/`** — login, profile, admin users **déplacés** de `frontend/pages/` vers `frontend/modules/core/pages/` (premier layer réel ; le scan `readdirSync('modules/')` de LST-62 l'enregistre automatiquement). Le routage Nuxt est préservé (mêmes chemins d'URL).
+
+---
+
+## Phase A — Squelette Core + contrats (100 % additif, app inchangée)
+
+### Task 1: `CoreModule` + `UserRepositoryInterface` + `NotifierInterface` + contrat `UserInterface` enrichi
+
+**Files:**
+- Create: `src/Module/Core/CoreModule.php`
+- Create: `src/Module/Core/Domain/Repository/UserRepositoryInterface.php`
+- Create: `src/Shared/Domain/Contract/NotifierInterface.php`
+- Modify: `src/Shared/Domain/Contract/UserInterface.php` (enrichir)
+- Create: `tests/Unit/Module/Core/CoreModuleTest.php`
+
+**Interfaces:**
+- Produces :
+  - `App\Module\Core\CoreModule implements ModuleInterface` : `id()='core'`, `label()='Core'`, `isRequired()=true`, `permissions()` (stub pour 1.2, voir code).
+  - `App\Module\Core\Domain\Repository\UserRepositoryInterface` : `findByRole(string $role): array`, `findActiveEmployees(\DateTimeInterface $date): array`, `findOneByUsername(string $username): ?UserInterface`.
+  - `App\Shared\Domain\Contract\NotifierInterface` : `notify(UserInterface $user, string $type, string $title, string $message): void`.
+  - `UserInterface` enrichi (lecture) : `getId(): ?int`, `getUserIdentifier(): string`, `getUsername(): string`, `getRoles(): array`, `getFirstName(): ?string`, `getLastName(): ?string`, `getAvatarUrl(): ?string`, `isEmployee(): bool`.
+- Consumes : `App\Shared\Domain\Module\ModuleInterface` (existant).
+
+- [ ] **Step 1: Écrire le test unitaire `CoreModule`**
+
+`tests/Unit/Module/Core/CoreModuleTest.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Lancer le test, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: FAIL (classe `CoreModule` inexistante).
+
+- [ ] **Step 3: Créer `CoreModule`**
+
+`src/Module/Core/CoreModule.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
+            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
+            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+        ];
+    }
+}
+```
+
+> ⚠️ Confirmer la signature EXACTE de `ModuleInterface` (`src/Shared/Domain/Module/ModuleInterface.php`) avant d'écrire : la cartographie indique `id()`, `label()`, `isRequired()`, `permissions()` statiques. Si une méthode diffère (ex. non statique), aligner `CoreModule` ET le test dessus.
+
+- [ ] **Step 4: Lancer le test, vérifier le vert**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/CoreModuleTest.php`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Enrichir le contrat `UserInterface`**
+
+Remplace `src/Shared/Domain/Contract/UserInterface.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
+interface UserInterface
+{
+    public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function isEmployee(): bool;
+}
+```
+
+> ⚠️ Cet enrichissement DOIT correspondre à des méthodes existantes de l'entité `User` (la cartographie confirme `getId`, `getUserIdentifier`, `getUsername`, `getRoles`, `getFirstName`, `getLastName`, `getAvatarUrl`, `isEmployee`). Si une signature diffère (ex. `getAvatarUrl(): string` non-nullable), aligner le contrat sur le réel. Ne PAS ajouter au contrat une méthode absente de `User`.
+
+- [ ] **Step 6: Créer `UserRepositoryInterface`**
+
+`src/Module/Core/Domain/Repository/UserRepositoryInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+
+interface UserRepositoryInterface
+{
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(\DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}
+```
+
+- [ ] **Step 7: Créer `NotifierInterface`**
+
+`src/Shared/Domain/Contract/NotifierInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+}
+```
+
+- [ ] **Step 8: Suite complète + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (115 + 3 = 118 tests). L'enrichissement du contrat ne casse rien (l'entité `User` implémente déjà ces méthodes ; `resolve_target_entities` pointe encore `App\Entity\User`).
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/CoreModule.php src/Module/Core/Domain/Repository/UserRepositoryInterface.php src/Shared/Domain/Contract/NotifierInterface.php src/Shared/Domain/Contract/UserInterface.php tests/Unit/Module/Core/CoreModuleTest.php
+git commit -m "feat(core) : add CoreModule, user repository contract, notifier contract and enriched user contract"
+```
+
+---
+
+## Phase B — Déplacer `User` + Auth dans Core (re-pointage, zéro migration)
+
+### Task 2: Déplacer la classe `User` vers Core + mapping Doctrine + provider sécurité
+
+**Files:**
+- Move: `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (namespace `App\Module\Core\Domain\Entity`)
+- Modify: `config/packages/doctrine.yaml` (mapping `Core` + `resolve_target_entities`)
+- Modify: `config/packages/security.yaml` (`app_user_provider.entity.class`)
+- Modify: `config/packages/api_platform.yaml` (mapping paths : ajouter le dir entité Core)
+
+**Interfaces:**
+- Produces : entité `App\Module\Core\Domain\Entity\User` (table `user` inchangée), résolue par `resolve_target_entities`.
+
+- [ ] **Step 1: Déplacer le fichier (git mv) et changer le namespace**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime
+mkdir -p src/Module/Core/Domain/Entity
+git mv src/Entity/User.php src/Module/Core/Domain/Entity/User.php
+```
+Puis éditer `src/Module/Core/Domain/Entity/User.php` :
+- `namespace App\Entity;` → `namespace App\Module\Core\Domain\Entity;`
+- Adapter les `use` internes devenus nécessaires (l'entité référençait `UserRepository`, `MeProvider`, `UserPasswordHasherProcessor`, l'enum `ContractType`, le contrat `UserInterface as SharedUserInterface`). Mettre les `use` complets vers leurs emplacements ACTUELS (la plupart bougent en Tasks 3/4 ; pour cette task, pointer encore vers `App\Repository\UserRepository`, `App\State\MeProvider`, `App\State\UserPasswordHasherProcessor`, `App\Entity\Enum\ContractType` ou l'emplacement réel — vérifier les `use` d'origine et les conserver tels quels tant que ces classes n'ont pas bougé).
+- Garder VERBATIM : tous les attributs `#[ORM\...]` (dont `#[ORM\Table(name: '`user`')]`), `#[ApiResource(...)]`, `#[ApiProperty(...)]`, toutes les propriétés/méthodes, `implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface`.
+
+> ⚠️ Lire le fichier d'origine en entier AVANT de déplacer pour relever tous les `use`. Ne changer QUE le `namespace` et, si besoin, garder les `use` pointant vers les emplacements actuels des classes non encore déplacées.
+
+- [ ] **Step 2: Mapping Doctrine + resolve_target_entities**
+
+Dans `config/packages/doctrine.yaml`, sous `orm:` :
+- `resolve_target_entities` :
+```yaml
+        resolve_target_entities:
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
+```
+- Ajouter un mapping pour les entités Core (en plus du mapping `App` existant qui scanne `src/Entity`) :
+```yaml
+        mappings:
+            App:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Entity'
+                prefix: 'App\Entity'
+                alias: App
+            Core:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
+```
+
+> Le mapping `App` (src/Entity) ne contient plus `User.php` (déplacé) → cohérent. Aucune entité orpheline.
+
+- [ ] **Step 3: Provider de sécurité**
+
+Dans `config/packages/security.yaml` :
+```yaml
+    providers:
+        app_user_provider:
+            entity:
+                class: App\Module\Core\Domain\Entity\User
+                property: username
+```
+
+- [ ] **Step 4: API Platform mapping paths**
+
+Dans `config/packages/api_platform.yaml`, ajouter au `mapping.paths` le dossier entité Core (l'`#[ApiResource]` est porté par l'entité `User` déplacée) :
+```yaml
+        - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+```
+> Conserver tous les paths existants. Si `api_platform.yaml` n'a pas de `mapping.paths` explicite (auto-discovery), vérifier que les Resources sous `src/Module/...` sont bien découvertes (comme `src/Shared/...` l'a été en #56 — cf. LEARNINGS : API Platform 4 auto-découvre). Si la découverte auto suffit, NE PAS ajouter de path ; sinon ajouter celui ci-dessus.
+
+- [ ] **Step 5: Vider le cache + vérifier qu'AUCUNE migration n'est nécessaire**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -20
+```
+Expected : schema VALID (mapping ok, sync DB ok). Le `diff` doit annoncer **« No changes detected »** (table/colonnes identiques). **Si une migration est générée, la SUPPRIMER** (`git status` → retirer le fichier sous `migrations/`) : un diff non vide = mapping mal recopié, corriger l'entité.
+
+- [ ] **Step 6: Vérif login + suite complète**
+
+Exécuter le bloc « Vérification login » (curl) → `login http=204`, `me http=200`, MCP 200.
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118). Les consommateurs importent encore `App\Entity\User` → **ERREUR attendue** : la classe n'existe plus à cet emplacement. ⇒ Cette task NE PASSE PAS seule ; elle est indissociable de la Task 3 (rewire). **Voir note ci-dessous.**
+
+> 🔴 **Note d'ordonnancement** : déplacer `User` casse les 26 `use App\Entity\User;`. Pour garder l'app bootable entre Task 2 et Task 3, **ajouter un alias de compatibilité TEMPORAIRE** au tout début de Task 2 et le retirer en fin de Task 3 :
+> Créer `src/Module/Core/_compat_user_alias.php` (chargé via `composer.json` `autoload.files`) :
+> ```php
+> <?php
+> declare(strict_types=1);
+> if (!class_exists(\App\Entity\User::class, false)) {
+>     class_alias(\App\Module\Core\Domain\Entity\User::class, \App\Entity\User::class);
+> }
+> ```
+> Ajouter `"files": ["src/Module/Core/_compat_user_alias.php"]` sous `autoload` dans `composer.json`, puis `composer dump-autoload`. Cela garde les 26 consommateurs fonctionnels (et Doctrine `targetEntity: User::class` résolu via l'alias) le temps de la Task 3. **L'alias est SUPPRIMÉ en Task 3 Step final** (avec le retrait du fichier, l'entrée composer et un nouveau `dump-autoload`) une fois tous les consommateurs basculés sur le contrat. La verif login de cette Step utilise donc l'alias — c'est attendu.
+
+- [ ] **Step 7: php-cs-fixer + commit (Phase B, avec alias temporaire)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add src/Module/Core/Domain/Entity/User.php src/Module/Core/_compat_user_alias.php composer.json composer.lock config/packages/doctrine.yaml config/packages/security.yaml config/packages/api_platform.yaml
+git commit -m "feat(core) : move user entity into core module and repoint security/doctrine (temp legacy alias)"
+```
+
+---
+
+## Phase C — Basculer relations + consommateurs sur le contrat, retirer l'alias
+
+### Task 3: Relations d'entités → `UserInterface::class`
+
+**Files (8 entités):**
+- Modify: `src/Entity/Task.php` (assignee ManyToOne, collaborators ManyToMany)
+- Modify: `src/Entity/TimeEntry.php` (user)
+- Modify: `src/Entity/AbsenceRequest.php` (user)
+- Modify: `src/Entity/AbsenceBalance.php` (user)
+- Modify: `src/Entity/TaskDocument.php` (user)
+- Modify: `src/Entity/TaskMailLink.php` (user)
+- Modify: `src/Module/Core/Domain/Entity/Notification.php` (user) — **après son déplacement en Phase D** ; en Phase C, `Notification` est encore `src/Entity/Notification.php`, la traiter ici aussi.
+
+> Pour CHAQUE relation vers User : remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;`, le `targetEntity: User::class` par `targetEntity: UserInterface::class`, et le type de propriété/param `?User` → `?UserInterface` (idem getters/setters). Doctrine résout via `resolve_target_entities`. La colonne FK et son nom restent identiques → **aucune migration**.
+
+- [ ] **Step 1: Modifier les relations (entité par entité)**
+
+Pour chaque fichier ci-dessus, lire puis appliquer le remplacement décrit. Exemple `Task.php` (assignee) :
+```php
+// avant
+use App\Entity\User;
+#[ORM\ManyToOne(targetEntity: User::class)]
+private ?User $assignee = null;
+public function getAssignee(): ?User { return $this->assignee; }
+public function setAssignee(?User $assignee): static { $this->assignee = $assignee; return $this; }
+// collaborators
+#[ORM\ManyToMany(targetEntity: User::class)]
+private Collection $collaborators;
+
+// après
+use App\Shared\Domain\Contract\UserInterface;
+#[ORM\ManyToOne(targetEntity: UserInterface::class)]
+private ?UserInterface $assignee = null;
+public function getAssignee(): ?UserInterface { return $this->assignee; }
+public function setAssignee(?UserInterface $assignee): static { $this->assignee = $assignee; return $this; }
+#[ORM\ManyToMany(targetEntity: UserInterface::class)]
+private Collection $collaborators;
+```
+> ⚠️ Conserver tous les autres attributs de relation (`inversedBy`, `joinTable`, `joinColumn`, `nullable`, `onDelete`, Groups…) VERBATIM. Ne changer que le type et `targetEntity`.
+
+- [ ] **Step 2: Valider le schéma (toujours zéro migration)**
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+```
+Expected : « No changes detected ». Sinon corriger (un `joinColumn`/`onDelete` a été perdu).
+
+### Task 4: Consommateurs (26 fichiers) → contrat + repository interface, MeProvider/Processor dans Core, retrait alias
+
+**Files:** les 26 fichiers listés dans la cartographie (Controllers, Repositories, State, Services, EventListener, Security, DataFixtures, Mcp). Déplacements vers Core :
+- Move: `src/Repository/UserRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php` (implémente `UserRepositoryInterface`, namespace `App\Module\Core\Infrastructure\Doctrine`)
+- Move: `src/State/MeProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php`
+- Move: `src/State/UserPasswordHasherProcessor.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php`
+- Modify: l'`#[ApiResource]` de l'entité `User` (les `provider:`/`processor:` pointent vers les nouveaux FQCN Core).
+- Delete (en fin de task): `src/Module/Core/_compat_user_alias.php` + entrée `composer.json`.
+
+- [ ] **Step 1: Déplacer le repository et l'aligner sur l'interface**
+
+```bash
+mkdir -p src/Module/Core/Infrastructure/Doctrine src/Module/Core/Infrastructure/ApiPlatform/State
+git mv src/Repository/UserRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
+git mv src/State/MeProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
+git mv src/State/UserPasswordHasherProcessor.php src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
+```
+Éditer `DoctrineUserRepository.php` : `namespace App\Module\Core\Infrastructure\Doctrine;`, `class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface`, `use App\Module\Core\Domain\Entity\User;`, `use App\Module\Core\Domain\Repository\UserRepositoryInterface;`, et passer `User::class` au constructeur parent. Ajouter `findOneByUsername()` si absent (`return $this->findOneBy(['username' => $username]);`). Conserver `findByRole()` (SQL natif `roles::text LIKE`) et `findActiveEmployees()`.
+Éditer `User.php` : `#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]` avec le bon `use`.
+Éditer `MeProvider.php` / `UserPasswordHasherProcessor.php` : nouveaux namespaces ; `use App\Module\Core\Domain\Entity\User;` (le processor manipule le concret — c'est dans Core, autorisé).
+Mettre à jour les `provider:`/`processor:` dans l'`#[ApiResource]` de `User` vers les nouveaux FQCN.
+
+- [ ] **Step 2: Lier l'interface repository au service Doctrine**
+
+Dans `config/services.yaml`, alias pour l'injection par interface :
+```yaml
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+```
+
+- [ ] **Step 3: Basculer les 25 autres consommateurs sur le contrat**
+
+Pour chaque fichier important `App\Entity\User` (hors Core), remplacer `use App\Entity\User;` par `use App\Shared\Domain\Contract\UserInterface;` et le type-hint `User` par `UserInterface` (params, retours, propriétés, `@var`, expressions). Cas particuliers :
+- `src/Repository/{Notification,AbsenceBalance,AbsenceRequest,TimeEntry}Repository.php` : les signatures `countUnreadByUser(User $user)` etc. → `UserInterface`. Ne pas changer la logique DQL (`n.user = :user` fonctionne avec l'instance).
+- `src/State/Absence*`, `TaskDocumentProvider`, `src/Service/AbsenceBalanceService`, `src/Security/MailAccessChecker`, `src/EventListener/TaskNotificationListener` (sera retravaillé en Phase D mais peut déjà passer au contrat ici), `src/Controller/*` (7), `src/Mcp/Tool/Absence/ReviewAbsenceRequestTool`, `src/Mcp/Tool/Serializer` : remplacer le type-hint.
+- `src/DataFixtures/AppFixtures.php` : **garde le concret** `App\Module\Core\Domain\Entity\User` (les fixtures INSTANCIENT `new User()` et appellent des setters d'écriture — c'est légitime ; importer le concret Core, pas le contrat). C'est hors `src/Module/Core/` mais c'est de l'écriture d'identité → exception documentée (les fixtures sont un cas d'amorçage, pas un consommateur métier).
+
+> Liste de contrôle : après cette step, `grep -rn "use App\\\\Entity\\\\User;" src/` ne doit retourner QUE `src/DataFixtures/AppFixtures.php` (qui importe désormais le FQCN Core, donc 0 occurrence de `App\Entity\User`). Viser **0 occurrence de `App\Entity\User`** dans tout `src/`.
+
+- [ ] **Step 4: Retirer l'alias de compatibilité**
+
+```bash
+git rm src/Module/Core/_compat_user_alias.php
+```
+Retirer l'entrée `"files": [...]` ajoutée sous `autoload` dans `composer.json` (Task 2), puis :
+```bash
+docker exec -t -u www-data php-lesstime-fpm composer dump-autoload
+docker exec -t -u www-data php-lesstime-fpm php bin/console cache:clear
+```
+
+- [ ] **Step 5: `grep` de garde (AC 2) + schéma + tests + login**
+
+```bash
+grep -rn "App\\\\Entity\\\\User" src/ config/ ; echo "(doit être VIDE)"
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction 2>&1 | tail -5
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected : grep VIDE, schéma valide, « No changes detected », **118 tests verts**. Puis bloc « Vérification login » (login 204, me 200, MCP 200).
+
+- [ ] **Step 6: php-cs-fixer + commit (Phase C)**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config composer.json composer.lock
+git commit -m "refactor(core) : wire user relations and consumers to the shared contract, drop legacy alias"
+```
+> ⚠️ NE PAS `git add config/reference.php`. Vérifier `git status` avant le commit ; si `reference.php` est listé, l'exclure du `git add` (stager explicitement les fichiers voulus).
+
+---
+
+## Phase D — Notifications via `NotifierInterface` (impl Core)
+
+### Task 5: Déplacer `Notification` dans Core + `Notifier` (impl) + recâbler le listener
+
+**Files:**
+- Move: `src/Entity/Notification.php` → `src/Module/Core/Domain/Entity/Notification.php`
+- Move: `src/Repository/NotificationRepository.php` → `src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php`
+- Move: `src/State/NotificationProvider.php` → `src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php`
+- Create: `src/Module/Core/Infrastructure/Notifier.php` (implements `NotifierInterface`)
+- Modify: `src/EventListener/TaskNotificationListener.php` (dépend de `NotifierInterface`)
+- Modify: `config/packages/doctrine.yaml` (le mapping `Core` couvre déjà `Domain/Entity` → Notification incluse automatiquement)
+- Modify: `tests/` — ajouter `tests/Unit/Module/Core/NotifierTest.php` (ou Functional) si testable unitairement.
+
+- [ ] **Step 1: Écrire un test du `Notifier`**
+
+`tests/Functional/Module/Core/NotifierTest.php` (crée une notif et vérifie la persistance) :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $notifier->notify($user, 'task_assigned', 'Titre', 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\\Module\\Core\\Domain\\Entity\\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', 'Titre')->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** — `NotifierInterface` non instanciable / `Notification` introuvable au nouveau namespace.
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/NotifierTest.php`
+Expected: FAIL.
+
+- [ ] **Step 3: Déplacer `Notification` + repository + provider**
+
+```bash
+git mv src/Entity/Notification.php src/Module/Core/Domain/Entity/Notification.php
+git mv src/Repository/NotificationRepository.php src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
+git mv src/State/NotificationProvider.php src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
+```
+- `Notification.php` : `namespace App\Module\Core\Domain\Entity;`, `use App\Shared\Domain\Contract\UserInterface;`, relation `user` → `targetEntity: UserInterface::class` + type `?UserInterface`, `repositoryClass: DoctrineNotificationRepository::class`, conserver `#[ORM\Table(name:'notification')]` + index VERBATIM, ApiResource (provider → nouveau FQCN). **Table/colonnes inchangées.**
+- `DoctrineNotificationRepository.php` : namespace Core, `use App\Module\Core\Domain\Entity\Notification;`, signatures `UserInterface`.
+- `NotificationProvider.php` : namespace Core, mêmes dépendances.
+
+- [ ] **Step 4: Implémenter `Notifier`**
+
+`src/Module/Core/Infrastructure/Notifier.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(UserInterface $user, string $type, string $title, string $message): void
+    {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}
+```
+> ⚠️ Aligner sur les setters réels de `Notification` (la cartographie indique `user`, `type`, `title`, `message`, `isRead` default false, `createdAt`). Si `createdAt` n'est pas auto (prePersist), le poser ici. Si `setUser` attend le concret, accepter `UserInterface` (resolve_target_entities) — vérifier le type du setter.
+
+- [ ] **Step 5: Recâbler `TaskNotificationListener` sur `NotifierInterface`**
+
+Lire le listener ; remplacer la création directe de `Notification` (`new Notification()` + persist) par l'injection et l'appel de `NotifierInterface::notify(...)`. **Attention** : le listener tourne sur `onFlush`/`postFlush` — un `flush()` dans `notify()` pendant un `onFlush` est dangereux. Conserver le pattern existant (accumulation en `onFlush`, écriture en `postFlush`). Si `notify()` flush, l'appeler UNIQUEMENT en `postFlush` (jamais pendant `onFlush`). Préserver le comportement exact (mêmes types `task_assigned`/`task_collaborator_added`, mêmes destinataires). Adapter le test existant du listener s'il y en a un.
+
+> Si l'intrication onFlush/postFlush rend `NotifierInterface` inadapté (flush imbriqué), documenter et garder le listener en écriture directe via le repository Core, mais TOUJOURS dépendre du contrat pour le type User. Le but AC est « Notification exposée via NotifierInterface » : `NotifierInterface` doit exister et être l'API publique pour les autres modules ; le listener interne Core peut écrire directement.
+
+- [ ] **Step 6: Tests + login + endpoints notifications**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS (118 + 1 = 119). Vérifier `doctrine:migrations:diff` → « No changes detected ». Bloc login. Puis curl notifications :
+```bash
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications" -w "\nnotif http=%{http_code}\n" | head -c 200
+curl -s -b /tmp/cj.txt "http://localhost:8082/api/notifications/unread-count" -w "\nunread http=%{http_code}\n"
+```
+Expected : 200 sur les deux.
+
+- [ ] **Step 7: php-cs-fixer + commit**
+
+Run: `make php-cs-fixer-allow-risky`
+```bash
+git add -A -- src config tests
+git commit -m "feat(core) : move notification into core and expose notifier contract"
+```
+
+---
+
+## Phase E — Déclarer `CoreModule` actif
+
+### Task 6: Enregistrer Core dans `config/modules.php`
+
+**Files:**
+- Modify: `config/modules.php`
+- Modify: `tests/Functional/Shared/ModulesEndpointTest.php` (ou équivalent — adapter l'assertion à la présence de `core`)
+
+- [ ] **Step 1: Adapter/écrire le test de l'endpoint modules**
+
+Vérifier le test existant de `/api/modules` (cartographie : `ModulesProvider`/`ModulesResource` créés en #56). Ajouter une assertion :
+```php
+public function testCoreModuleIsActive(): void
+{
+    $client = self::createClient();
+    // /api/modules est public (GET) d'après security.yaml
+    $client->request('GET', '/api/modules');
+    self::assertResponseIsSuccessful();
+    $data = json_decode($client->getResponse()->getContent(), true);
+    self::assertContains('core', $data['modules']);
+}
+```
+> Adapter le nom de classe/fichier de test à l'existant (#56). Si aucun test fonctionnel modules n'existe, créer `tests/Functional/Shared/ModulesEndpointTest.php`.
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (modules.php retourne `[]`).
+
+- [ ] **Step 3: Activer Core**
+
+`config/modules.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+use App\Module\Core\CoreModule;
+
+return [
+    CoreModule::class,
+];
+```
+
+- [ ] **Step 4: Tests + curl**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`
+Expected: PASS. Curl :
+```bash
+curl -s http://localhost:8082/api/modules | head -c 200   # doit contenir "core"
+```
+
+- [ ] **Step 5: commit**
+
+```bash
+git add config/modules.php tests/
+git commit -m "feat(core) : activate core module in modules registry"
+```
+
+---
+
+## Phase F — Layer front `modules/core/`
+
+### Task 7: Déplacer login / profile / admin users dans `frontend/modules/core/`
+
+**Files:**
+- Create: `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`)
+- Move: `frontend/pages/login.vue` → `frontend/modules/core/pages/login.vue`
+- Move: `frontend/pages/profile.vue` → `frontend/modules/core/pages/profile.vue`
+- Move: `frontend/pages/admin/**` (gestion users) → `frontend/modules/core/pages/admin/**`
+- Move (si pertinent): composants/services liés à l'identité (ex. `frontend/components/user/**`, `frontend/components/admin/**`, `frontend/services/user.ts`) → `frontend/modules/core/{components,services}/**`
+
+> ⚠️ AVANT de déplacer, LIRE `frontend/pages/` et `frontend/components/` pour identifier précisément les pages/compos d'identité. Le scan `readdirSync('modules/')` (LST-62) ajoute `./modules/core` à `extends` et `modules/core/composables`/`stores` à `imports.dirs`. Les `pages/` d'un layer Nuxt sont fusionnées automatiquement → **les URLs (`/login`, `/profile`, `/admin/...`) restent identiques**. Vérifier qu'aucune page déplacée n'utilise un import PAR CHEMIN cassé (auto-import sinon).
+
+- [ ] **Step 1: Créer le layer + déplacer les pages d'identité**
+
+```bash
+cd /home/matthieu/dev_malio/Lesstime/frontend
+mkdir -p modules/core/pages
+printf 'export default defineNuxtConfig({})\n' > modules/core/nuxt.config.ts
+git mv pages/login.vue modules/core/pages/login.vue
+git mv pages/profile.vue modules/core/pages/profile.vue
+# admin users : adapter au réel (git mv pages/admin/... modules/core/pages/admin/...)
+```
+> Lister `frontend/pages/admin/` d'abord ; déplacer UNIQUEMENT les pages de gestion des utilisateurs (pas les pages admin d'autres domaines). En cas de doute, déplacer seulement login + profile en 1.1 et laisser admin users (documenter).
+
+- [ ] **Step 2: Corriger les imports par chemin éventuels**
+
+Run: `cd /home/matthieu/dev_malio/Lesstime/frontend && grep -rn "pages/login\|pages/profile\|~/pages" --include=*.ts --include=*.vue . | grep -v node_modules`
+Corriger toute référence cassée (les redirections `navigateTo('/login')` restent valides — c'est une URL, pas un chemin de fichier).
+
+- [ ] **Step 3: Gate front (cf. LST-62) + smoke**
+
+Run: `cd frontend && npx nuxt typecheck 2>&1 | grep "Cannot find module" | grep -E "modules/core|login|profile"` → doit être VIDE.
+Run: `grep -E "login|profile" frontend/.nuxt/routes.* 2>/dev/null` ou démarrer `make dev-nuxt` et confirmer que `/login`, `/profile` répondent (la fusion des pages du layer est effective).
+> Smoke runtime (login via navigateur) : laisser au PO si pas de navigateur côté exécutant.
+
+- [ ] **Step 4: commit**
+
+```bash
+git add -A -- frontend
+git commit -m "feat(core) : add core front layer with login, profile and admin users pages"
+```
+
+---
+
+## Acceptance check (après toutes les phases)
+
+- [ ] **AC1** Login/JWT OK via le module : `login http=204`, `/api/me` 200, MCP apiToken 200, `/api/notifications` 200.
+- [ ] **AC2** `grep -rn "App\\Entity\\User" src/ config/` → **VIDE** (User vit dans `src/Module/Core/Domain/Entity/`, consommé via contrat ; fixtures importent le FQCN Core).
+- [ ] **AC3** `make test` vert (≈119 tests), `doctrine:schema:validate` OK, `doctrine:migrations:diff` = « No changes detected » (**aucune migration destructive ni même additive**).
+- [ ] `/api/modules` renvoie `core` ; `CoreModule::isRequired() === true`.
+- [ ] `resolve_target_entities: UserInterface → App\Module\Core\Domain\Entity\User`.
+- [ ] Front : layer `modules/core/` détecté ; `/login`, `/profile` (+ admin users) accessibles aux mêmes URLs ; aucun `Cannot find module`.
+- [ ] `config/reference.php` jamais committé.
+
+## Notes pour le ticket suivant (1.2 — RBAC fin)
+
+`CoreModule::permissions()` est déjà posé (stub). 1.2 ajoutera `Role`/`Permission`, `app:sync-permissions`, `PermissionVoter`, et fera filtrer `SidebarProvider` **par permission** (en plus du module actif + du gate rôle minimal posé en 0.2). Le contrat `UserInterface` enrichi est prêt à recevoir `getPermissions()` si besoin.
-- 
2.39.5


From 6ca91cbd3b3f8d7f74962f1f56ee08979d0e2a5f Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 15:53:38 +0200
Subject: [PATCH 19/99] feat(core) : add CoreModule, user repository contract,
 notifier contract and enriched user contract

---
 src/Module/Core/CoreModule.php                | 39 +++++++++++++++++++
 .../Repository/UserRepositoryInterface.php    | 23 +++++++++++
 .../Domain/Contract/NotifierInterface.php     | 10 +++++
 src/Shared/Domain/Contract/UserInterface.php  | 19 +++++++++
 tests/Unit/Module/Core/CoreModuleTest.php     | 35 +++++++++++++++++
 .../TimestampableBlamableSubscriberTest.php   | 36 +++++++++++++++++
 6 files changed, 162 insertions(+)
 create mode 100644 src/Module/Core/CoreModule.php
 create mode 100644 src/Module/Core/Domain/Repository/UserRepositoryInterface.php
 create mode 100644 src/Shared/Domain/Contract/NotifierInterface.php
 create mode 100644 tests/Unit/Module/Core/CoreModuleTest.php

diff --git a/src/Module/Core/CoreModule.php b/src/Module/Core/CoreModule.php
new file mode 100644
index 0000000..fde5724
--- /dev/null
+++ b/src/Module/Core/CoreModule.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class CoreModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'core';
+    }
+
+    public static function label(): string
+    {
+        return 'Core';
+    }
+
+    public static function isRequired(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
+            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
+            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+        ];
+    }
+}
diff --git a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
new file mode 100644
index 0000000..6f45735
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeInterface;
+
+interface UserRepositoryInterface
+{
+    /**
+     * @return list<UserInterface>
+     */
+    public function findByRole(string $role): array;
+
+    /**
+     * @return list<UserInterface>
+     */
+    public function findActiveEmployees(DateTimeInterface $date): array;
+
+    public function findOneByUsername(string $username): ?UserInterface;
+}
diff --git a/src/Shared/Domain/Contract/NotifierInterface.php b/src/Shared/Domain/Contract/NotifierInterface.php
new file mode 100644
index 0000000..59872b2
--- /dev/null
+++ b/src/Shared/Domain/Contract/NotifierInterface.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+interface NotifierInterface
+{
+    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+}
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
index 9879371..8419b27 100644
--- a/src/Shared/Domain/Contract/UserInterface.php
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -4,7 +4,26 @@ declare(strict_types=1);
 
 namespace App\Shared\Domain\Contract;
 
+/**
+ * Contrat de LECTURE de l'identité, consommé hors du module Core.
+ * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
+ */
 interface UserInterface
 {
     public function getId(): ?int;
+
+    public function getUserIdentifier(): string;
+
+    public function getUsername(): ?string;
+
+    /** @return list<string> */
+    public function getRoles(): array;
+
+    public function getFirstName(): ?string;
+
+    public function getLastName(): ?string;
+
+    public function getAvatarUrl(): ?string;
+
+    public function getIsEmployee(): bool;
 }
diff --git a/tests/Unit/Module/Core/CoreModuleTest.php b/tests/Unit/Module/Core/CoreModuleTest.php
new file mode 100644
index 0000000..e6a9f11
--- /dev/null
+++ b/tests/Unit/Module/Core/CoreModuleTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class CoreModuleTest extends TestCase
+{
+    public function testItIsAModule(): void
+    {
+        self::assertInstanceOf(ModuleInterface::class, new CoreModule());
+    }
+
+    public function testIdentity(): void
+    {
+        self::assertSame('core', CoreModule::id());
+        self::assertTrue(CoreModule::isRequired());
+        self::assertNotSame('', CoreModule::label());
+    }
+
+    public function testPermissionsAreWellFormed(): void
+    {
+        foreach (CoreModule::permissions() as $permission) {
+            self::assertArrayHasKey('code', $permission);
+            self::assertArrayHasKey('label', $permission);
+        }
+    }
+}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
index 669acf5..bac0a42 100644
--- a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -79,6 +79,42 @@ final class TimestampableBlamableSubscriberTest extends TestCase
             {
                 return $this->id;
             }
+
+            public function getUserIdentifier(): string
+            {
+                return 'user-'.$this->id;
+            }
+
+            public function getUsername(): ?string
+            {
+                return 'user-'.$this->id;
+            }
+
+            /** @return list<string> */
+            public function getRoles(): array
+            {
+                return ['ROLE_USER'];
+            }
+
+            public function getFirstName(): ?string
+            {
+                return null;
+            }
+
+            public function getLastName(): ?string
+            {
+                return null;
+            }
+
+            public function getAvatarUrl(): ?string
+            {
+                return null;
+            }
+
+            public function getIsEmployee(): bool
+            {
+                return false;
+            }
         };
     }
 
-- 
2.39.5


From f8fc4d6bd9e2c2e53536498f31c126332680b625 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:03:52 +0200
Subject: [PATCH 20/99] feat(core) : move user entity into core module and
 repoint security/doctrine (temp legacy alias)

---
 .php-cs-fixer.dist.php                       | 1 +
 composer.json                                | 5 ++++-
 config/packages/doctrine.yaml                | 7 ++++++-
 config/packages/security.yaml                | 2 +-
 config/services.yaml                         | 3 +++
 src/{ => Module/Core/Domain}/Entity/User.php | 2 +-
 src/Module/Core/_compat_user_alias.php       | 8 ++++++++
 7 files changed, 24 insertions(+), 4 deletions(-)
 rename src/{ => Module/Core/Domain}/Entity/User.php (99%)
 create mode 100644 src/Module/Core/_compat_user_alias.php

diff --git a/.php-cs-fixer.dist.php b/.php-cs-fixer.dist.php
index 04b76c2..713b4d3 100644
--- a/.php-cs-fixer.dist.php
+++ b/.php-cs-fixer.dist.php
@@ -8,6 +8,7 @@ use PhpCsFixer\Finder;
 $finder = Finder::create()
     ->in('src')
     ->notName('Kernel.php')
+    ->notPath('Module/Core/_compat_user_alias.php')
 ;
 
 $rules = [
diff --git a/composer.json b/composer.json
index 7b9c607..533bddc 100644
--- a/composer.json
+++ b/composer.json
@@ -55,7 +55,10 @@
     "autoload": {
         "psr-4": {
             "App\\": "src/"
-        }
+        },
+        "files": [
+            "src/Module/Core/_compat_user_alias.php"
+        ]
     },
     "autoload-dev": {
         "psr-4": {
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 303521a..bc43e4d 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -14,7 +14,7 @@ doctrine:
             Doctrine\DBAL\Platforms\PostgreSQLPlatform: identity
         auto_mapping: true
         resolve_target_entities:
-            App\Shared\Domain\Contract\UserInterface: App\Entity\User
+            App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
         mappings:
             App:
                 type: attribute
@@ -22,6 +22,11 @@ doctrine:
                 dir: '%kernel.project_dir%/src/Entity'
                 prefix: 'App\Entity'
                 alias: App
+            Core:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+                prefix: 'App\Module\Core\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index bcdbaa6..24cb6de 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -10,7 +10,7 @@ security:
     providers:
         app_user_provider:
             entity:
-                class: App\Entity\User
+                class: App\Module\Core\Domain\Entity\User
                 property: username
 
     firewalls:
diff --git a/config/services.yaml b/config/services.yaml
index b91e5ea..1b039ef 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -27,6 +27,9 @@ services:
     # this creates a service per class whose id is the fully-qualified class name
     App\:
         resource: '../src/'
+        # Temporary legacy class_alias bootstrap file (no service): excluded from autowiring scan.
+        exclude:
+            - '../src/Module/Core/_compat_user_alias.php'
 
     # add more service definitions when explicit configuration is needed
     # please note that last definitions always *replace* previous ones
diff --git a/src/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
similarity index 99%
rename from src/Entity/User.php
rename to src/Module/Core/Domain/Entity/User.php
index 38e789e..a4a098a 100644
--- a/src/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
diff --git a/src/Module/Core/_compat_user_alias.php b/src/Module/Core/_compat_user_alias.php
new file mode 100644
index 0000000..3529be8
--- /dev/null
+++ b/src/Module/Core/_compat_user_alias.php
@@ -0,0 +1,8 @@
+<?php
+
+declare(strict_types=1);
+use App\Entity\User;
+
+if (!class_exists(User::class, false)) {
+    class_alias(App\Module\Core\Domain\Entity\User::class, User::class);
+}
-- 
2.39.5


From d70925b812a1eca8726843aa91d8264bc7eb5981 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:04:14 +0200
Subject: [PATCH 21/99] refactor(core) : point user relations to the shared
 contract via resolve_target_entities

---
 src/Entity/AbsenceBalance.php |  9 +++++----
 src/Entity/AbsenceRequest.php | 17 +++++++++--------
 src/Entity/Notification.php   |  9 +++++----
 src/Entity/Task.php           | 19 ++++++++++---------
 src/Entity/TaskDocument.php   |  9 +++++----
 src/Entity/TaskMailLink.php   |  9 +++++----
 src/Entity/TimeEntry.php      |  9 +++++----
 7 files changed, 44 insertions(+), 37 deletions(-)

diff --git a/src/Entity/AbsenceBalance.php b/src/Entity/AbsenceBalance.php
index 97efea9..9164973 100644
--- a/src/Entity/AbsenceBalance.php
+++ b/src/Entity/AbsenceBalance.php
@@ -10,6 +10,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use App\Enum\AbsenceType;
 use App\Repository\AbsenceBalanceRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\AbsenceBalanceProvider;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -45,10 +46,10 @@ class AbsenceBalance
     #[Groups(['absence_balance:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_balance:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_balance:read'])]
@@ -110,12 +111,12 @@ class AbsenceBalance
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
diff --git a/src/Entity/AbsenceRequest.php b/src/Entity/AbsenceRequest.php
index 5045bdf..7daefd8 100644
--- a/src/Entity/AbsenceRequest.php
+++ b/src/Entity/AbsenceRequest.php
@@ -14,6 +14,7 @@ use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Repository\AbsenceRequestRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\AbsenceCancelProcessor;
 use App\State\AbsenceRequestProcessor;
 use App\State\AbsenceRequestProvider;
@@ -73,10 +74,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['absence_request:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(type: Types::STRING, length: 32, enumType: AbsenceType::class)]
     #[Groups(['absence_request:read', 'absence_request:write'])]
@@ -130,10 +131,10 @@ class AbsenceRequest
     #[Groups(['absence_request:read'])]
     private ?DateTimeImmutable $reviewedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['absence_request:read'])]
-    private ?User $reviewedBy = null;
+    private ?UserInterface $reviewedBy = null;
 
     #[Groups(['absence_request:read'])]
     public function getLabel(): ?string
@@ -156,12 +157,12 @@ class AbsenceRequest
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
@@ -312,12 +313,12 @@ class AbsenceRequest
         return $this;
     }
 
-    public function getReviewedBy(): ?User
+    public function getReviewedBy(): ?UserInterface
     {
         return $this->reviewedBy;
     }
 
-    public function setReviewedBy(?User $reviewedBy): static
+    public function setReviewedBy(?UserInterface $reviewedBy): static
     {
         $this->reviewedBy = $reviewedBy;
 
diff --git a/src/Entity/Notification.php b/src/Entity/Notification.php
index 2253335..601c0a0 100644
--- a/src/Entity/Notification.php
+++ b/src/Entity/Notification.php
@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use App\Repository\NotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\NotificationProvider;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
@@ -39,10 +40,10 @@ class Notification
     #[Groups(['notification:read'])]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['notification:read'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\Column(length: 50)]
     #[Groups(['notification:read'])]
@@ -69,12 +70,12 @@ class Notification
         return $this->id;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
diff --git a/src/Entity/Task.php b/src/Entity/Task.php
index 984dc15..4346a37 100644
--- a/src/Entity/Task.php
+++ b/src/Entity/Task.php
@@ -16,6 +16,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TaskRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\TaskCalendarProcessor;
 use App\State\TaskNumberProcessor;
 use DateTimeImmutable;
@@ -80,13 +81,13 @@ class Task
     #[Groups(['task:read', 'task:write'])]
     private ?TaskPriority $priority = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task:read', 'task:write'])]
-    private ?User $assignee = null;
+    private ?UserInterface $assignee = null;
 
-    /** @var Collection<int, User> */
-    #[ORM\ManyToMany(targetEntity: User::class)]
+    /** @var Collection<int, UserInterface> */
+    #[ORM\ManyToMany(targetEntity: UserInterface::class)]
     #[ORM\JoinTable(
         name: 'task_collaborator',
         joinColumns: [new ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
@@ -239,25 +240,25 @@ class Task
         return $this;
     }
 
-    public function getAssignee(): ?User
+    public function getAssignee(): ?UserInterface
     {
         return $this->assignee;
     }
 
-    public function setAssignee(?User $assignee): static
+    public function setAssignee(?UserInterface $assignee): static
     {
         $this->assignee = $assignee;
 
         return $this;
     }
 
-    /** @return Collection<int, User> */
+    /** @return Collection<int, UserInterface> */
     public function getCollaborators(): Collection
     {
         return $this->collaborators;
     }
 
-    public function addCollaborator(User $user): static
+    public function addCollaborator(UserInterface $user): static
     {
         if (!$this->collaborators->contains($user)) {
             $this->collaborators->add($user);
@@ -266,7 +267,7 @@ class Task
         return $this;
     }
 
-    public function removeCollaborator(User $user): static
+    public function removeCollaborator(UserInterface $user): static
     {
         $this->collaborators->removeElement($user);
 
diff --git a/src/Entity/TaskDocument.php b/src/Entity/TaskDocument.php
index 5e1d5f0..235fc14 100644
--- a/src/Entity/TaskDocument.php
+++ b/src/Entity/TaskDocument.php
@@ -12,6 +12,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use App\EventListener\TaskDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\TaskDocumentProcessor;
 use App\State\TaskDocumentProvider;
 use DateTimeImmutable;
@@ -77,10 +78,10 @@ class TaskDocument
     #[Groups(['task_document:read', 'task:read'])]
     private ?DateTimeImmutable $createdAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['task_document:read', 'task:read'])]
-    private ?User $uploadedBy = null;
+    private ?UserInterface $uploadedBy = null;
 
     public function getId(): ?int
     {
@@ -176,12 +177,12 @@ class TaskDocument
         return $this;
     }
 
-    public function getUploadedBy(): ?User
+    public function getUploadedBy(): ?UserInterface
     {
         return $this->uploadedBy;
     }
 
-    public function setUploadedBy(?User $uploadedBy): static
+    public function setUploadedBy(?UserInterface $uploadedBy): static
     {
         $this->uploadedBy = $uploadedBy;
 
diff --git a/src/Entity/TaskMailLink.php b/src/Entity/TaskMailLink.php
index 652fc22..041efcb 100644
--- a/src/Entity/TaskMailLink.php
+++ b/src/Entity/TaskMailLink.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Entity;
 
 use App\Repository\TaskMailLinkRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
@@ -29,9 +30,9 @@ class TaskMailLink
     #[ORM\Column(type: 'datetimetz_immutable')]
     private DateTimeImmutable $linkedAt;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(name: 'linked_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
-    private ?User $linkedBy = null;
+    private ?UserInterface $linkedBy = null;
 
     public function getId(): ?int
     {
@@ -74,12 +75,12 @@ class TaskMailLink
         return $this;
     }
 
-    public function getLinkedBy(): ?User
+    public function getLinkedBy(): ?UserInterface
     {
         return $this->linkedBy;
     }
 
-    public function setLinkedBy(?User $linkedBy): static
+    public function setLinkedBy(?UserInterface $linkedBy): static
     {
         $this->linkedBy = $linkedBy;
 
diff --git a/src/Entity/TimeEntry.php b/src/Entity/TimeEntry.php
index b6c68a3..6b6e724 100644
--- a/src/Entity/TimeEntry.php
+++ b/src/Entity/TimeEntry.php
@@ -14,6 +14,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TimeEntryRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use App\State\ActiveTimeEntryProvider;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -77,10 +78,10 @@ class TimeEntry
     #[Groups(['time_entry:read', 'time_entry:write'])]
     private ?DateTimeImmutable $stoppedAt = null;
 
-    #[ORM\ManyToOne(targetEntity: User::class)]
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?User $user = null;
+    private ?UserInterface $user = null;
 
     #[ORM\ManyToOne(targetEntity: Project::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
@@ -160,12 +161,12 @@ class TimeEntry
         return $this;
     }
 
-    public function getUser(): ?User
+    public function getUser(): ?UserInterface
     {
         return $this->user;
     }
 
-    public function setUser(?User $user): static
+    public function setUser(?UserInterface $user): static
     {
         $this->user = $user;
 
-- 
2.39.5


From 0b4874e94d0cde093a91f5424631353f440046e7 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:16:44 +0200
Subject: [PATCH 22/99] refactor(core) : move user repository/providers to core
 and migrate all consumers off App\Entity\User

---
 .php-cs-fixer.dist.php                          |  1 -
 composer.json                                   |  5 +----
 config/services.yaml                            |  5 ++---
 src/Command/AccrueLeaveCommand.php              |  4 ++--
 src/Command/GenerateApiTokenCommand.php         |  4 ++--
 .../Absence/AbsencePreviewController.php        |  4 ++--
 .../Mail/MailCreateTaskController.php           |  2 +-
 src/Controller/MarkAllReadController.php        |  4 ++--
 .../NotificationUnreadCountController.php       |  4 ++--
 src/Controller/RegenerateApiTokenController.php |  2 +-
 src/Controller/TimeEntryExportController.php    |  2 +-
 src/Controller/UserAvatarController.php         |  2 +-
 src/DataFixtures/AppFixtures.php                |  2 +-
 src/EventListener/TaskNotificationListener.php  | 14 +++++++-------
 .../Tool/Absence/CreateAbsenceRequestTool.php   |  4 ++--
 .../Tool/Absence/ListAbsenceBalancesTool.php    |  4 ++--
 .../Tool/Absence/ListAbsenceRequestsTool.php    |  4 ++--
 .../Tool/Absence/ReviewAbsenceRequestTool.php   |  4 ++--
 src/Mcp/Tool/Reference/GetUserTool.php          |  4 ++--
 src/Mcp/Tool/Reference/ListUsersTool.php        |  4 ++--
 src/Mcp/Tool/Reference/UpdateUserTool.php       |  4 ++--
 src/Mcp/Tool/Serializer.php                     |  2 +-
 src/Mcp/Tool/Task/CreateTaskTool.php            |  4 ++--
 src/Mcp/Tool/Task/UpdateTaskTool.php            |  4 ++--
 src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php  |  4 ++--
 src/Module/Core/Domain/Entity/User.php          |  8 ++++----
 .../ApiPlatform}/State/MeProvider.php           |  4 ++--
 .../State/UserPasswordHasherProcessor.php       |  4 ++--
 .../Doctrine/DoctrineUserRepository.php}        | 17 ++++++++++++-----
 src/Module/Core/_compat_user_alias.php          |  8 --------
 src/Repository/AbsenceBalanceRepository.php     |  4 ++--
 src/Repository/AbsenceRequestRepository.php     |  6 +++---
 src/Repository/NotificationRepository.php       |  6 +++---
 src/Repository/TimeEntryRepository.php          | 10 +++++-----
 src/Security/ApiTokenAuthenticator.php          |  6 +++---
 src/Security/MailAccessChecker.php              |  6 +++---
 src/Service/AbsenceBalanceService.php           |  2 +-
 src/State/AbsenceBalanceProvider.php            |  4 ++--
 src/State/AbsenceRequestProcessor.php           |  4 ++--
 src/State/AbsenceRequestProvider.php            |  4 ++--
 src/State/AbsenceReviewProcessor.php            |  4 ++--
 src/State/TaskDocumentProvider.php              |  4 ++--
 .../Mail/MailFoldersControllerTest.php          |  2 +-
 .../Mail/MailMessagesControllerTest.php         |  2 +-
 .../Mail/MailSettingsControllerTest.php         |  2 +-
 .../Mail/MailSyncTriggerControllerTest.php      |  2 +-
 .../Mail/MailTaskIntegrationControllerTest.php  |  2 +-
 tests/Functional/Controller/ShareBrowseTest.php |  2 +-
 tests/Functional/Controller/ShareSearchTest.php |  2 +-
 .../Functional/Controller/ShareSettingsTest.php |  2 +-
 .../TaskNotificationListenerTest.php            |  2 +-
 .../Mcp/AbsenceRequestLifecycleTest.php         |  6 +++---
 tests/Functional/Shared/SidebarEndpointTest.php |  2 +-
 53 files changed, 109 insertions(+), 115 deletions(-)
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/MeProvider.php (84%)
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/UserPasswordHasherProcessor.php (92%)
 rename src/{Repository/UserRepository.php => Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php} (74%)
 delete mode 100644 src/Module/Core/_compat_user_alias.php

diff --git a/.php-cs-fixer.dist.php b/.php-cs-fixer.dist.php
index 713b4d3..04b76c2 100644
--- a/.php-cs-fixer.dist.php
+++ b/.php-cs-fixer.dist.php
@@ -8,7 +8,6 @@ use PhpCsFixer\Finder;
 $finder = Finder::create()
     ->in('src')
     ->notName('Kernel.php')
-    ->notPath('Module/Core/_compat_user_alias.php')
 ;
 
 $rules = [
diff --git a/composer.json b/composer.json
index 533bddc..7b9c607 100644
--- a/composer.json
+++ b/composer.json
@@ -55,10 +55,7 @@
     "autoload": {
         "psr-4": {
             "App\\": "src/"
-        },
-        "files": [
-            "src/Module/Core/_compat_user_alias.php"
-        ]
+        }
     },
     "autoload-dev": {
         "psr-4": {
diff --git a/config/services.yaml b/config/services.yaml
index 1b039ef..97ad4a6 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -27,9 +27,6 @@ services:
     # this creates a service per class whose id is the fully-qualified class name
     App\:
         resource: '../src/'
-        # Temporary legacy class_alias bootstrap file (no service): excluded from autowiring scan.
-        exclude:
-            - '../src/Module/Core/_compat_user_alias.php'
 
     # add more service definitions when explicit configuration is needed
     # please note that last definitions always *replace* previous ones
@@ -69,3 +66,5 @@ services:
             $uploadDir: '%absence_justification_upload_dir%'
 
     App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'
+
+    App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
diff --git a/src/Command/AccrueLeaveCommand.php b/src/Command/AccrueLeaveCommand.php
index e241e64..8fe502f 100644
--- a/src/Command/AccrueLeaveCommand.php
+++ b/src/Command/AccrueLeaveCommand.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Command;
 
 use App\Enum\AbsenceType;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -37,7 +37,7 @@ use function sprintf;
 class AccrueLeaveCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly AbsenceBalanceRepository $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly EntityManagerInterface $entityManager,
diff --git a/src/Command/GenerateApiTokenCommand.php b/src/Command/GenerateApiTokenCommand.php
index a23adce..e6687a0 100644
--- a/src/Command/GenerateApiTokenCommand.php
+++ b/src/Command/GenerateApiTokenCommand.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Command;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -22,7 +22,7 @@ use function sprintf;
 class GenerateApiTokenCommand extends Command
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
     ) {
         parent::__construct();
diff --git a/src/Controller/Absence/AbsencePreviewController.php b/src/Controller/Absence/AbsencePreviewController.php
index c313cc2..32ec5a8 100644
--- a/src/Controller/Absence/AbsencePreviewController.php
+++ b/src/Controller/Absence/AbsencePreviewController.php
@@ -4,13 +4,13 @@ declare(strict_types=1);
 
 namespace App\Controller\Absence;
 
-use App\Entity\User;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Repository\AbsenceBalanceRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -71,7 +71,7 @@ class AbsencePreviewController extends AbstractController
         );
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $available          = null;
         $projectedAvailable = null;
diff --git a/src/Controller/Mail/MailCreateTaskController.php b/src/Controller/Mail/MailCreateTaskController.php
index 436b8f7..2231d0e 100644
--- a/src/Controller/Mail/MailCreateTaskController.php
+++ b/src/Controller/Mail/MailCreateTaskController.php
@@ -9,7 +9,7 @@ use App\Entity\Task;
 use App\Entity\TaskGroup;
 use App\Entity\TaskMailLink;
 use App\Entity\TaskStatus;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\MailMessageRepository;
 use App\Repository\TaskRepository;
 use App\Security\MailAccessChecker;
diff --git a/src/Controller/MarkAllReadController.php b/src/Controller/MarkAllReadController.php
index a745051..453cbbb 100644
--- a/src/Controller/MarkAllReadController.php
+++ b/src/Controller/MarkAllReadController.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
 use App\Repository\NotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
@@ -21,7 +21,7 @@ class MarkAllReadController extends AbstractController
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): Response
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $this->notificationRepository->markAllReadByUser($user);
diff --git a/src/Controller/NotificationUnreadCountController.php b/src/Controller/NotificationUnreadCountController.php
index f4c6d82..746299a 100644
--- a/src/Controller/NotificationUnreadCountController.php
+++ b/src/Controller/NotificationUnreadCountController.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
 use App\Repository\NotificationRepository;
+use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -21,7 +21,7 @@ class NotificationUnreadCountController extends AbstractController
     #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function __invoke(): JsonResponse
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user = $this->getUser();
 
         $count = $this->notificationRepository->countUnreadByUser($user);
diff --git a/src/Controller/RegenerateApiTokenController.php b/src/Controller/RegenerateApiTokenController.php
index ca209de..2593811 100644
--- a/src/Controller/RegenerateApiTokenController.php
+++ b/src/Controller/RegenerateApiTokenController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
diff --git a/src/Controller/TimeEntryExportController.php b/src/Controller/TimeEntryExportController.php
index 0ae7ba5..aa5ba15 100644
--- a/src/Controller/TimeEntryExportController.php
+++ b/src/Controller/TimeEntryExportController.php
@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Controller;
 
 use App\Entity\Project;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\TimeEntryRepository;
 use App\Service\TimeEntryExportService;
 use DateTimeImmutable;
diff --git a/src/Controller/UserAvatarController.php b/src/Controller/UserAvatarController.php
index 450d2cb..2c586fa 100644
--- a/src/Controller/UserAvatarController.php
+++ b/src/Controller/UserAvatarController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 0b5de94..b0f3734 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -18,7 +18,6 @@ use App\Entity\TaskRecurrence;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
 use App\Entity\TimeEntry;
-use App\Entity\User;
 use App\Entity\Workflow;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\AbsenceStatus;
@@ -26,6 +25,7 @@ use App\Enum\AbsenceType;
 use App\Enum\ContractType;
 use App\Enum\RecurrenceType;
 use App\Enum\StatusCategory;
+use App\Module\Core\Domain\Entity\User;
 use DateTimeImmutable;
 use DateTimeZone;
 use Doctrine\Bundle\FixturesBundle\Fixture;
diff --git a/src/EventListener/TaskNotificationListener.php b/src/EventListener/TaskNotificationListener.php
index 1795184..9e32ac8 100644
--- a/src/EventListener/TaskNotificationListener.php
+++ b/src/EventListener/TaskNotificationListener.php
@@ -6,7 +6,7 @@ namespace App\EventListener;
 
 use App\Entity\Notification;
 use App\Entity\Task;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
@@ -18,7 +18,7 @@ use Symfony\Bundle\SecurityBundle\Security;
 #[AsDoctrineListener(event: Events::postFlush)]
 final class TaskNotificationListener
 {
-    /** @var list<array{user: User, type: string, task: Task}> */
+    /** @var list<array{user: UserInterface, type: string, task: Task}> */
     private array $pending = [];
 
     public function __construct(private readonly Security $security) {}
@@ -26,7 +26,7 @@ final class TaskNotificationListener
     public function onFlush(OnFlushEventArgs $args): void
     {
         $actor = $this->security->getUser();
-        if (!$actor instanceof User) {
+        if (!$actor instanceof UserInterface) {
             return;
         }
 
@@ -38,7 +38,7 @@ final class TaskNotificationListener
                 continue;
             }
             $assignee = $entity->getAssignee();
-            if ($assignee instanceof User && $assignee !== $actor) {
+            if ($assignee instanceof UserInterface && $assignee !== $actor) {
                 $this->pending[] = ['user' => $assignee, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -53,7 +53,7 @@ final class TaskNotificationListener
                 continue;
             }
             $new = $changeSet['assignee'][1];
-            if ($new instanceof User && $new !== $actor) {
+            if ($new instanceof UserInterface && $new !== $actor) {
                 $this->pending[] = ['user' => $new, 'type' => 'task_assigned', 'task' => $entity];
             }
         }
@@ -68,7 +68,7 @@ final class TaskNotificationListener
                 continue;
             }
             foreach ($collection->getInsertDiff() as $user) {
-                if ($user instanceof User && $user !== $actor) {
+                if ($user instanceof UserInterface && $user !== $actor) {
                     $this->pending[] = ['user' => $user, 'type' => 'task_collaborator_added', 'task' => $owner];
                 }
             }
@@ -91,7 +91,7 @@ final class TaskNotificationListener
         $em->flush();
     }
 
-    private function buildNotification(User $user, string $type, Task $task): Notification
+    private function buildNotification(UserInterface $user, string $type, Task $task): Notification
     {
         [$title, $message] = $this->render($type, $task);
 
diff --git a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php b/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
index 8a7af97..5d58d30 100644
--- a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
+++ b/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
@@ -9,9 +9,9 @@ use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Enum\HalfDay;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
 use DateTimeImmutable;
@@ -28,7 +28,7 @@ class CreateAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly AbsencePolicyRepository $policyRepository,
         private readonly AbsenceRequestRepository $requestRepository,
         private readonly AbsenceDayCalculator $calculator,
diff --git a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php b/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
index f0baf6a..253e0fb 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
+++ b/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
@@ -6,8 +6,8 @@ namespace App\Mcp\Tool\Absence;
 
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
-use App\Repository\UserRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -20,7 +20,7 @@ class ListAbsenceBalancesTool
 {
     public function __construct(
         private readonly AbsenceBalanceRepository $balanceRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php b/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
index 485f730..1f09368 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
+++ b/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
@@ -7,8 +7,8 @@ namespace App\Mcp\Tool\Absence;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use DateTimeImmutable;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -22,7 +22,7 @@ class ListAbsenceRequestsTool
 {
     public function __construct(
         private readonly AbsenceRequestRepository $requestRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php b/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
index 1556d8a..d81fb0f 100644
--- a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
+++ b/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool\Absence;
 
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Mcp\Tool\Serializer;
 use App\Repository\AbsenceRequestRepository;
 use App\Service\AbsenceBalanceService;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -49,7 +49,7 @@ class ReviewAbsenceRequestTool
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ('approve' === $decision) {
             // Never let an approval push the balance below zero (CP only).
diff --git a/src/Mcp/Tool/Reference/GetUserTool.php b/src/Mcp/Tool/Reference/GetUserTool.php
index 4ef1791..74d0e55 100644
--- a/src/Mcp/Tool/Reference/GetUserTool.php
+++ b/src/Mcp/Tool/Reference/GetUserTool.php
@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Mcp\Tool\Reference;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Reference/ListUsersTool.php b/src/Mcp/Tool/Reference/ListUsersTool.php
index e602047..c2badca 100644
--- a/src/Mcp/Tool/Reference/ListUsersTool.php
+++ b/src/Mcp/Tool/Reference/ListUsersTool.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool\Reference;
 
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListUsersTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Reference/UpdateUserTool.php b/src/Mcp/Tool/Reference/UpdateUserTool.php
index c7a3d94..58cf1fb 100644
--- a/src/Mcp/Tool/Reference/UpdateUserTool.php
+++ b/src/Mcp/Tool/Reference/UpdateUserTool.php
@@ -6,7 +6,7 @@ namespace App\Mcp\Tool\Reference;
 
 use App\Enum\ContractType;
 use App\Mcp\Tool\Serializer;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -20,7 +20,7 @@ use function sprintf;
 class UpdateUserTool
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index 51a47f0..400f278 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -17,7 +17,7 @@ use App\Entity\TaskPriority;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
 use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\Common\Collections\Collection;
 
 /**
diff --git a/src/Mcp/Tool/Task/CreateTaskTool.php b/src/Mcp/Tool/Task/CreateTaskTool.php
index 651ef11..9067417 100644
--- a/src/Mcp/Tool/Task/CreateTaskTool.php
+++ b/src/Mcp/Tool/Task/CreateTaskTool.php
@@ -6,6 +6,7 @@ namespace App\Mcp\Tool\Task;
 
 use App\Entity\Task;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskEffortRepository;
 use App\Repository\TaskGroupRepository;
@@ -13,7 +14,6 @@ use App\Repository\TaskPriorityRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskStatusRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
 use App\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -36,7 +36,7 @@ class CreateTaskTool
         private readonly TaskEffortRepository $taskEffortRepository,
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
diff --git a/src/Mcp/Tool/Task/UpdateTaskTool.php b/src/Mcp/Tool/Task/UpdateTaskTool.php
index 09c53dc..a345f23 100644
--- a/src/Mcp/Tool/Task/UpdateTaskTool.php
+++ b/src/Mcp/Tool/Task/UpdateTaskTool.php
@@ -5,13 +5,13 @@ declare(strict_types=1);
 namespace App\Mcp\Tool\Task;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\TaskEffortRepository;
 use App\Repository\TaskGroupRepository;
 use App\Repository\TaskPriorityRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskStatusRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\UserRepository;
 use App\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -33,7 +33,7 @@ class UpdateTaskTool
         private readonly TaskEffortRepository $taskEffortRepository,
         private readonly TaskGroupRepository $taskGroupRepository,
         private readonly TaskTagRepository $taskTagRepository,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
diff --git a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php b/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
index 5f5a223..ced019e 100644
--- a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
+++ b/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
@@ -6,11 +6,11 @@ namespace App\Mcp\Tool\TimeEntry;
 
 use App\Entity\TimeEntry;
 use App\Mcp\Tool\Serializer;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
 use App\Repository\TimeEntryRepository;
-use App\Repository\UserRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -25,7 +25,7 @@ class CreateTimeEntryTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index a4a098a..7af2ddc 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -12,10 +12,10 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Enum\ContractType;
-use App\Repository\UserRepository;
+use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
-use App\State\MeProvider;
-use App\State\UserPasswordHasherProcessor;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -43,7 +43,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
-#[ORM\Entity(repositoryClass: UserRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
 {
diff --git a/src/State/MeProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
similarity index 84%
rename from src/State/MeProvider.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
index f2866a7..8e973bb 100644
--- a/src/State/MeProvider.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**
diff --git a/src/State/UserPasswordHasherProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
similarity index 92%
rename from src/State/UserPasswordHasherProcessor.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
index 88e9d1c..7dccd1f 100644
--- a/src/State/UserPasswordHasherProcessor.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/UserPasswordHasherProcessor.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
diff --git a/src/Repository/UserRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
similarity index 74%
rename from src/Repository/UserRepository.php
rename to src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
index df31a3f..c688df0 100644
--- a/src/Repository/UserRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
@@ -2,9 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -12,7 +14,7 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<User>
  */
-class UserRepository extends ServiceEntityRepository
+class DoctrineUserRepository extends ServiceEntityRepository implements UserRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -20,7 +22,7 @@ class UserRepository extends ServiceEntityRepository
     }
 
     /**
-     * @return User[]
+     * @return list<UserInterface>
      */
     public function findByRole(string $role): array
     {
@@ -43,7 +45,7 @@ class UserRepository extends ServiceEntityRepository
     /**
      * Employees active on the given date (hired on/before it, not yet left).
      *
-     * @return User[]
+     * @return list<UserInterface>
      */
     public function findActiveEmployees(DateTimeInterface $date): array
     {
@@ -59,4 +61,9 @@ class UserRepository extends ServiceEntityRepository
             ->getResult()
         ;
     }
+
+    public function findOneByUsername(string $username): ?UserInterface
+    {
+        return $this->findOneBy(['username' => $username]);
+    }
 }
diff --git a/src/Module/Core/_compat_user_alias.php b/src/Module/Core/_compat_user_alias.php
deleted file mode 100644
index 3529be8..0000000
--- a/src/Module/Core/_compat_user_alias.php
+++ /dev/null
@@ -1,8 +0,0 @@
-<?php
-
-declare(strict_types=1);
-use App\Entity\User;
-
-if (!class_exists(User::class, false)) {
-    class_alias(App\Module\Core\Domain\Entity\User::class, User::class);
-}
diff --git a/src/Repository/AbsenceBalanceRepository.php b/src/Repository/AbsenceBalanceRepository.php
index 9e74b73..2b16bf0 100644
--- a/src/Repository/AbsenceBalanceRepository.php
+++ b/src/Repository/AbsenceBalanceRepository.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\AbsenceBalance;
-use App\Entity\User;
 use App\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
@@ -20,7 +20,7 @@ class AbsenceBalanceRepository extends ServiceEntityRepository
         parent::__construct($registry, AbsenceBalance::class);
     }
 
-    public function findOneForPeriod(User $user, AbsenceType $type, string $period): ?AbsenceBalance
+    public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance
     {
         return $this->findOneBy([
             'user'   => $user,
diff --git a/src/Repository/AbsenceRequestRepository.php b/src/Repository/AbsenceRequestRepository.php
index ffd8d3f..bca61e3 100644
--- a/src/Repository/AbsenceRequestRepository.php
+++ b/src/Repository/AbsenceRequestRepository.php
@@ -5,9 +5,9 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -28,7 +28,7 @@ class AbsenceRequestRepository extends ServiceEntityRepository
      * end_a >= start_b.
      */
     public function hasOverlap(
-        User $user,
+        UserInterface $user,
         DateTimeInterface $startDate,
         DateTimeInterface $endDate,
         ?int $excludeId = null,
@@ -77,7 +77,7 @@ class AbsenceRequestRepository extends ServiceEntityRepository
      * @return AbsenceRequest[]
      */
     public function findFiltered(
-        ?User $user = null,
+        ?UserInterface $user = null,
         ?AbsenceStatus $status = null,
         ?AbsenceType $type = null,
         ?DateTimeInterface $from = null,
diff --git a/src/Repository/NotificationRepository.php b/src/Repository/NotificationRepository.php
index 7dba9a8..ada482b 100644
--- a/src/Repository/NotificationRepository.php
+++ b/src/Repository/NotificationRepository.php
@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\Notification;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\ORM\QueryBuilder;
 use Doctrine\Persistence\ManagerRegistry;
@@ -30,7 +30,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function countUnreadByUser(User $user): int
+    public function countUnreadByUser(SharedUserInterface $user): int
     {
         return (int) $this->createQueryBuilder('n')
             ->select('COUNT(n.id)')
@@ -42,7 +42,7 @@ class NotificationRepository extends ServiceEntityRepository
         ;
     }
 
-    public function markAllReadByUser(User $user): int
+    public function markAllReadByUser(SharedUserInterface $user): int
     {
         return $this->createQueryBuilder('n')
             ->update()
diff --git a/src/Repository/TimeEntryRepository.php b/src/Repository/TimeEntryRepository.php
index b5865b1..3dd9880 100644
--- a/src/Repository/TimeEntryRepository.php
+++ b/src/Repository/TimeEntryRepository.php
@@ -6,7 +6,7 @@ namespace App\Repository;
 
 use App\Entity\Project;
 use App\Entity\TimeEntry;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -21,7 +21,7 @@ class TimeEntryRepository extends ServiceEntityRepository
         parent::__construct($registry, TimeEntry::class);
     }
 
-    public function findActiveByUser(User $user): ?TimeEntry
+    public function findActiveByUser(UserInterface $user): ?TimeEntry
     {
         return $this->findOneBy([
             'user'      => $user,
@@ -30,9 +30,9 @@ class TimeEntryRepository extends ServiceEntityRepository
     }
 
     /**
-     * @param null|User[]    $users
-     * @param null|Project[] $projects
-     * @param null|int[]     $tagIds
+     * @param null|UserInterface[] $users
+     * @param null|Project[]       $projects
+     * @param null|int[]           $tagIds
      *
      * @return TimeEntry[]
      */
diff --git a/src/Security/ApiTokenAuthenticator.php b/src/Security/ApiTokenAuthenticator.php
index 1d091a0..03b1978 100644
--- a/src/Security/ApiTokenAuthenticator.php
+++ b/src/Security/ApiTokenAuthenticator.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Security;
 
-use App\Entity\User;
-use App\Repository\UserRepository;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -20,7 +20,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPasspor
 class ApiTokenAuthenticator extends AbstractAuthenticator
 {
     public function __construct(
-        private readonly UserRepository $userRepository,
+        private readonly DoctrineUserRepository $userRepository,
     ) {}
 
     public function supports(Request $request): ?bool
diff --git a/src/Security/MailAccessChecker.php b/src/Security/MailAccessChecker.php
index 85b73f8..7055dbc 100644
--- a/src/Security/MailAccessChecker.php
+++ b/src/Security/MailAccessChecker.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Security;
 
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -23,7 +23,7 @@ final readonly class MailAccessChecker
      */
     public function ensureCanAccessMail(?UserInterface $user): void
     {
-        if (!$user instanceof User) {
+        if (!$user instanceof SharedUserInterface) {
             throw new AccessDeniedException('Authentication required');
         }
 
@@ -41,7 +41,7 @@ final readonly class MailAccessChecker
      */
     public function ensureIsAdmin(?UserInterface $user): void
     {
-        if (!$user instanceof User || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
+        if (!$user instanceof SharedUserInterface || !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Admin only');
         }
     }
diff --git a/src/Service/AbsenceBalanceService.php b/src/Service/AbsenceBalanceService.php
index 471bd11..a258b30 100644
--- a/src/Service/AbsenceBalanceService.php
+++ b/src/Service/AbsenceBalanceService.php
@@ -6,8 +6,8 @@ namespace App\Service;
 
 use App\Entity\AbsenceBalance;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceType;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\AbsenceBalanceRepository;
 use DateTimeInterface;
 use Doctrine\ORM\EntityManagerInterface;
diff --git a/src/State/AbsenceBalanceProvider.php b/src/State/AbsenceBalanceProvider.php
index d155efa..9efa094 100644
--- a/src/State/AbsenceBalanceProvider.php
+++ b/src/State/AbsenceBalanceProvider.php
@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\AbsenceBalance;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceBalance|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo    = $this->entityManager->getRepository(AbsenceBalance::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
diff --git a/src/State/AbsenceRequestProcessor.php b/src/State/AbsenceRequestProcessor.php
index e65ec99..2e08eb5 100644
--- a/src/State/AbsenceRequestProcessor.php
+++ b/src/State/AbsenceRequestProcessor.php
@@ -7,13 +7,13 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -42,7 +42,7 @@ final readonly class AbsenceRequestProcessor implements ProcessorInterface
         assert($data instanceof AbsenceRequest);
 
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $type      = $data->getType();
         $startDate = $data->getStartDate();
diff --git a/src/State/AbsenceRequestProvider.php b/src/State/AbsenceRequestProvider.php
index 0e05508..8287b37 100644
--- a/src/State/AbsenceRequestProvider.php
+++ b/src/State/AbsenceRequestProvider.php
@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): AbsenceRequest|array|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo    = $this->entityManager->getRepository(AbsenceRequest::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
diff --git a/src/State/AbsenceReviewProcessor.php b/src/State/AbsenceReviewProcessor.php
index 0eecb1e..4f40863 100644
--- a/src/State/AbsenceReviewProcessor.php
+++ b/src/State/AbsenceReviewProcessor.php
@@ -7,9 +7,9 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Entity\AbsenceRequest;
-use App\Entity\User;
 use App\Enum\AbsenceStatus;
 use App\Service\AbsenceBalanceService;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -55,7 +55,7 @@ final readonly class AbsenceReviewProcessor implements ProcessorInterface
         }
 
         $admin = $this->security->getUser();
-        assert($admin instanceof User);
+        assert($admin instanceof UserInterface);
 
         if ($isApprove) {
             // Never let an approval push the balance below zero (CP only): the
diff --git a/src/State/TaskDocumentProvider.php b/src/State/TaskDocumentProvider.php
index f998d17..62cea2f 100644
--- a/src/State/TaskDocumentProvider.php
+++ b/src/State/TaskDocumentProvider.php
@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Entity\TaskDocument;
-use App\Entity\User;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
@@ -24,7 +24,7 @@ final readonly class TaskDocumentProvider implements ProviderInterface
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|TaskDocument|null
     {
         $user = $this->security->getUser();
-        assert($user instanceof User);
+        assert($user instanceof UserInterface);
 
         $repo = $this->entityManager->getRepository(TaskDocument::class);
 
diff --git a/tests/Functional/Controller/Mail/MailFoldersControllerTest.php b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
index 2266047..49dfa6d 100644
--- a/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailFoldersControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailMessagesControllerTest.php b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
index 041cc21..adbe9ab 100644
--- a/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailMessagesControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailSettingsControllerTest.php b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
index 63c1d0c..8811958 100644
--- a/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailSettingsControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
index 4cdc7cf..e947556 100644
--- a/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailSyncTriggerControllerTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
index ba9e55a..3b7d6e1 100644
--- a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
@@ -8,7 +8,7 @@ use App\Entity\MailFolder;
 use App\Entity\MailMessage;
 use App\Entity\Project;
 use App\Entity\Task;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareBrowseTest.php b/tests/Functional/Controller/ShareBrowseTest.php
index d415f12..397bdf4 100644
--- a/tests/Functional/Controller/ShareBrowseTest.php
+++ b/tests/Functional/Controller/ShareBrowseTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareSearchTest.php b/tests/Functional/Controller/ShareSearchTest.php
index 62e9bbd..ea48784 100644
--- a/tests/Functional/Controller/ShareSearchTest.php
+++ b/tests/Functional/Controller/ShareSearchTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/Controller/ShareSettingsTest.php b/tests/Functional/Controller/ShareSettingsTest.php
index b257b08..869d362 100644
--- a/tests/Functional/Controller/ShareSettingsTest.php
+++ b/tests/Functional/Controller/ShareSettingsTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
diff --git a/tests/Functional/EventListener/TaskNotificationListenerTest.php b/tests/Functional/EventListener/TaskNotificationListenerTest.php
index 158fd17..814fdef 100644
--- a/tests/Functional/EventListener/TaskNotificationListenerTest.php
+++ b/tests/Functional/EventListener/TaskNotificationListenerTest.php
@@ -6,7 +6,7 @@ namespace App\Tests\Functional\EventListener;
 
 use App\Entity\Project;
 use App\Entity\Task;
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use App\Repository\NotificationRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
diff --git a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
index 55fa495..1036b6d 100644
--- a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
+++ b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
@@ -6,15 +6,15 @@ namespace App\Tests\Functional\Mcp;
 
 use App\Entity\AbsenceBalance;
 use App\Entity\AbsencePolicy;
-use App\Entity\User;
 use App\Enum\AbsenceType;
 use App\Mcp\Tool\Absence\CancelAbsenceRequestTool;
 use App\Mcp\Tool\Absence\CreateAbsenceRequestTool;
 use App\Mcp\Tool\Absence\ReviewAbsenceRequestTool;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Repository\AbsenceBalanceRepository;
 use App\Repository\AbsencePolicyRepository;
 use App\Repository\AbsenceRequestRepository;
-use App\Repository\UserRepository;
 use App\Service\AbsenceBalanceService;
 use App\Service\AbsenceDayCalculator;
 use Doctrine\ORM\EntityManagerInterface;
@@ -216,7 +216,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new CreateAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(UserRepository::class),
+            $c->get(DoctrineUserRepository::class),
             $c->get(AbsencePolicyRepository::class),
             $c->get(AbsenceRequestRepository::class),
             $c->get(AbsenceDayCalculator::class),
diff --git a/tests/Functional/Shared/SidebarEndpointTest.php b/tests/Functional/Shared/SidebarEndpointTest.php
index 9d6058e..bc7c079 100644
--- a/tests/Functional/Shared/SidebarEndpointTest.php
+++ b/tests/Functional/Shared/SidebarEndpointTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Shared;
 
-use App\Entity\User;
+use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 /**
-- 
2.39.5


From f1a9b42930d91d4f9b5681888e9b97127057512b Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:25:03 +0200
Subject: [PATCH 23/99] feat(core) : move notification into core and expose
 notifier contract

---
 config/services.yaml                          |  2 ++
 src/Controller/MarkAllReadController.php      |  4 +--
 .../NotificationUnreadCountController.php     |  4 +--
 .../TaskNotificationListener.php              | 27 ++++----------
 .../Core/Domain}/Entity/Notification.php      |  8 ++---
 .../State/NotificationProvider.php            |  8 ++---
 .../DoctrineNotificationRepository.php}       |  6 ++--
 src/Module/Core/Infrastructure/Notifier.php   | 29 +++++++++++++++
 .../TaskNotificationListenerTest.php          |  6 ++--
 tests/Functional/Module/Core/NotifierTest.php | 35 +++++++++++++++++++
 10 files changed, 91 insertions(+), 38 deletions(-)
 rename src/{ => Module/Core/Domain}/Entity/Notification.php (92%)
 rename src/{ => Module/Core/Infrastructure/ApiPlatform}/State/NotificationProvider.php (84%)
 rename src/{Repository/NotificationRepository.php => Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php} (90%)
 create mode 100644 src/Module/Core/Infrastructure/Notifier.php
 create mode 100644 tests/Functional/Module/Core/NotifierTest.php

diff --git a/config/services.yaml b/config/services.yaml
index 97ad4a6..2b1c163 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -68,3 +68,5 @@ services:
     App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'
 
     App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
+
+    App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/src/Controller/MarkAllReadController.php b/src/Controller/MarkAllReadController.php
index 453cbbb..9c076c9 100644
--- a/src/Controller/MarkAllReadController.php
+++ b/src/Controller/MarkAllReadController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MarkAllReadController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/mark-all-read', name: 'notification_mark_all_read', methods: ['POST'], priority: 1)]
diff --git a/src/Controller/NotificationUnreadCountController.php b/src/Controller/NotificationUnreadCountController.php
index 746299a..b26512f 100644
--- a/src/Controller/NotificationUnreadCountController.php
+++ b/src/Controller/NotificationUnreadCountController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller;
 
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use App\Shared\Domain\Contract\UserInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class NotificationUnreadCountController extends AbstractController
 {
     public function __construct(
-        private readonly NotificationRepository $notificationRepository,
+        private readonly DoctrineNotificationRepository $notificationRepository,
     ) {}
 
     #[Route('/api/notifications/unread-count', name: 'notification_unread_count', methods: ['GET'], priority: 1)]
diff --git a/src/EventListener/TaskNotificationListener.php b/src/EventListener/TaskNotificationListener.php
index 9e32ac8..e34b84d 100644
--- a/src/EventListener/TaskNotificationListener.php
+++ b/src/EventListener/TaskNotificationListener.php
@@ -4,10 +4,9 @@ declare(strict_types=1);
 
 namespace App\EventListener;
 
-use App\Entity\Notification;
 use App\Entity\Task;
+use App\Shared\Domain\Contract\NotifierInterface;
 use App\Shared\Domain\Contract\UserInterface;
-use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
 use Doctrine\ORM\Event\PostFlushEventArgs;
@@ -21,7 +20,10 @@ final class TaskNotificationListener
     /** @var list<array{user: UserInterface, type: string, task: Task}> */
     private array $pending = [];
 
-    public function __construct(private readonly Security $security) {}
+    public function __construct(
+        private readonly Security $security,
+        private readonly NotifierInterface $notifier,
+    ) {}
 
     public function onFlush(OnFlushEventArgs $args): void
     {
@@ -84,25 +86,10 @@ final class TaskNotificationListener
         $pending       = $this->pending;
         $this->pending = [];
 
-        $em = $args->getObjectManager();
         foreach ($pending as $item) {
-            $em->persist($this->buildNotification($item['user'], $item['type'], $item['task']));
+            [$title, $message] = $this->render($item['type'], $item['task']);
+            $this->notifier->notify($item['user'], $item['type'], $title, $message);
         }
-        $em->flush();
-    }
-
-    private function buildNotification(UserInterface $user, string $type, Task $task): Notification
-    {
-        [$title, $message] = $this->render($type, $task);
-
-        $notification = new Notification();
-        $notification->setUser($user);
-        $notification->setType($type);
-        $notification->setTitle($title);
-        $notification->setMessage($message);
-        $notification->setCreatedAt(new DateTimeImmutable());
-
-        return $notification;
     }
 
     /**
diff --git a/src/Entity/Notification.php b/src/Module/Core/Domain/Entity/Notification.php
similarity index 92%
rename from src/Entity/Notification.php
rename to src/Module/Core/Domain/Entity/Notification.php
index 601c0a0..1eded34 100644
--- a/src/Entity/Notification.php
+++ b/src/Module/Core/Domain/Entity/Notification.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Core\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\ApiPlatform\State\NotificationProvider;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\NotificationProvider;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -29,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['notification:write']],
     order: ['createdAt' => 'DESC'],
 )]
-#[ORM\Entity(repositoryClass: NotificationRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineNotificationRepository::class)]
 #[ORM\Index(columns: ['user_id'], name: 'idx_notification_user')]
 #[ORM\Index(columns: ['user_id', 'is_read'], name: 'idx_notification_user_read')]
 class Notification
diff --git a/src/State/NotificationProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
similarity index 84%
rename from src/State/NotificationProvider.php
rename to src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
index ff872c9..371debd 100644
--- a/src/State/NotificationProvider.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/NotificationProvider.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Core\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\Pagination\Pagination;
 use ApiPlatform\State\Pagination\TraversablePaginator;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\Notification;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Domain\Entity\Notification;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use ArrayIterator;
 use Doctrine\ORM\Tools\Pagination\Paginator as DoctrinePaginator;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -23,7 +23,7 @@ final readonly class NotificationProvider implements ProviderInterface
 {
     public function __construct(
         private Security $security,
-        private NotificationRepository $notificationRepository,
+        private DoctrineNotificationRepository $notificationRepository,
         private Pagination $pagination,
     ) {}
 
diff --git a/src/Repository/NotificationRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
similarity index 90%
rename from src/Repository/NotificationRepository.php
rename to src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
index ada482b..22618d5 100644
--- a/src/Repository/NotificationRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineNotificationRepository.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Core\Infrastructure\Doctrine;
 
-use App\Entity\Notification;
+use App\Module\Core\Domain\Entity\Notification;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\ORM\QueryBuilder;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\User\UserInterface;
 /**
  * @extends ServiceEntityRepository<Notification>
  */
-class NotificationRepository extends ServiceEntityRepository
+class DoctrineNotificationRepository extends ServiceEntityRepository
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Module/Core/Infrastructure/Notifier.php b/src/Module/Core/Infrastructure/Notifier.php
new file mode 100644
index 0000000..8be13e6
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Notifier.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure;
+
+use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class Notifier implements NotifierInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function notify(UserInterface $user, string $type, string $title, string $message): void
+    {
+        $notification = new Notification();
+        $notification->setUser($user);
+        $notification->setType($type);
+        $notification->setTitle($title);
+        $notification->setMessage($message);
+        $notification->setCreatedAt(new DateTimeImmutable());
+
+        $this->em->persist($notification);
+        $this->em->flush();
+    }
+}
diff --git a/tests/Functional/EventListener/TaskNotificationListenerTest.php b/tests/Functional/EventListener/TaskNotificationListenerTest.php
index 814fdef..682c0f9 100644
--- a/tests/Functional/EventListener/TaskNotificationListenerTest.php
+++ b/tests/Functional/EventListener/TaskNotificationListenerTest.php
@@ -7,7 +7,7 @@ namespace App\Tests\Functional\EventListener;
 use App\Entity\Project;
 use App\Entity\Task;
 use App\Module\Core\Domain\Entity\User;
-use App\Repository\NotificationRepository;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
@@ -19,7 +19,7 @@ use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 class TaskNotificationListenerTest extends KernelTestCase
 {
     private EntityManagerInterface $em;
-    private NotificationRepository $notifications;
+    private DoctrineNotificationRepository $notifications;
     private TokenStorageInterface $tokenStorage;
     private Project $project;
     private User $actor;
@@ -31,7 +31,7 @@ class TaskNotificationListenerTest extends KernelTestCase
         self::bootKernel();
         $c                   = self::getContainer();
         $this->em            = $c->get(EntityManagerInterface::class);
-        $this->notifications = $c->get(NotificationRepository::class);
+        $this->notifications = $c->get(DoctrineNotificationRepository::class);
         $this->tokenStorage  = $c->get(TokenStorageInterface::class);
 
         $project = $this->em->getRepository(Project::class)->findOneBy([]);
diff --git a/tests/Functional/Module/Core/NotifierTest.php b/tests/Functional/Module/Core/NotifierTest.php
new file mode 100644
index 0000000..66a3bb7
--- /dev/null
+++ b/tests/Functional/Module/Core/NotifierTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Shared\Domain\Contract\NotifierInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class NotifierTest extends KernelTestCase
+{
+    public function testNotifyPersistsANotificationForTheUser(): void
+    {
+        self::bootKernel();
+        $em       = self::getContainer()->get(EntityManagerInterface::class);
+        $notifier = self::getContainer()->get(NotifierInterface::class);
+
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($user);
+
+        $title = 'Titre-'.uniqid('', true);
+        $notifier->notify($user, 'task_assigned', $title, 'Message');
+
+        $count = (int) $em->createQuery(
+            'SELECT COUNT(n.id) FROM App\Module\Core\Domain\Entity\Notification n WHERE n.user = :u AND n.title = :t'
+        )->setParameter('u', $user)->setParameter('t', $title)->getSingleScalarResult();
+
+        self::assertSame(1, $count);
+    }
+}
-- 
2.39.5


From a98ea3df375f612e12a69a6bb75eb14d59ce8b61 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:27:10 +0200
Subject: [PATCH 24/99] feat(core) : activate core module in modules registry

---
 config/modules.php                              |  5 ++++-
 tests/Functional/Shared/ModulesEndpointTest.php | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/config/modules.php b/config/modules.php
index c6df2ac..dc628c1 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -6,6 +6,9 @@ declare(strict_types=1);
  * Liste ordonnée des modules actifs (classes implémentant App\Shared\Domain\Module\ModuleInterface).
  * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
  */
+
+use App\Module\Core\CoreModule;
+
 return [
-    // Aucun module pour l'instant — les modules arrivent à partir du ticket 1.1 (Core).
+    CoreModule::class,
 ];
diff --git a/tests/Functional/Shared/ModulesEndpointTest.php b/tests/Functional/Shared/ModulesEndpointTest.php
index 9279ca5..837510d 100644
--- a/tests/Functional/Shared/ModulesEndpointTest.php
+++ b/tests/Functional/Shared/ModulesEndpointTest.php
@@ -21,4 +21,14 @@ final class ModulesEndpointTest extends WebTestCase
         self::assertArrayHasKey('modules', $data);
         self::assertIsArray($data['modules']);
     }
+
+    public function testCoreModuleIsActive(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/modules');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertContains('core', $data['modules']);
+    }
 }
-- 
2.39.5


From 117c2ff2e32d15c0c87816d2aea6df3ce954ed0e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:31:42 +0200
Subject: [PATCH 25/99] feat(core) : add core front layer with login and
 profile pages

---
 frontend/modules/core/nuxt.config.ts          | 1 +
 frontend/{ => modules/core}/pages/login.vue   | 0
 frontend/{ => modules/core}/pages/profile.vue | 0
 3 files changed, 1 insertion(+)
 create mode 100644 frontend/modules/core/nuxt.config.ts
 rename frontend/{ => modules/core}/pages/login.vue (100%)
 rename frontend/{ => modules/core}/pages/profile.vue (100%)

diff --git a/frontend/modules/core/nuxt.config.ts b/frontend/modules/core/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/core/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/login.vue b/frontend/modules/core/pages/login.vue
similarity index 100%
rename from frontend/pages/login.vue
rename to frontend/modules/core/pages/login.vue
diff --git a/frontend/pages/profile.vue b/frontend/modules/core/pages/profile.vue
similarity index 100%
rename from frontend/pages/profile.vue
rename to frontend/modules/core/pages/profile.vue
-- 
2.39.5


From 52de07ce235347de356d1accf4b21dc66775b6eb Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:34:02 +0200
Subject: [PATCH 26/99] docs : log LST-63 module core session learnings

---
 .claude/skills/ticket-executor/LEARNINGS.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index abe479e..4021976 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -93,6 +93,25 @@
 - Ticket laissé en **"En attente de validation" (4)**, pas "Terminé" : smoke visuel front (dev server + navigateur) et sign-off du **délta cosmétique d'ordre de sidebar** (décision 3 du plan) relèvent du PO. Implémentation + AC API validés.
 - Time-tracking 100 % sur la session principale cette fois (consigne des sous-agents : ne jamais toucher aux outils `mcp__lesstime__*`) — respecté.
 
+## Session 2026-06-19 (LST-63 / 1.1 — Module Core : identité User/Auth/JWT + Notifications + layer front)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-63-module-core.md`, 7 tasks / 6 phases A→F). Exécution : Phases A/B (1 sous-agent combiné), C (1 sous-agent), D (1 sous-agent), E + F faites en direct par la session principale (tâches courtes). Pilotage chrono/MCP/vérif + re-vérif login après chaque phase touchant l'auth sur la session principale.
+- 5 commits impl (`6ca91cb` A, `f8fc4d6`+`d70925b` B, `0b4874e` C, `f1a9b42` D, `a98ea3d` E, `117c2ff` F) + plan `8865bf5`. Tests : 110→120 verts. Timer impl 1012 = 43 min.
+
+### Patterns
+- **Move d'entité « strangler » sans migration** : `git mv` `src/Entity/User.php` → `src/Module/Core/Domain/Entity/User.php` (table + colonnes + backticks VERBATIM) ; mapping Doctrine `Core` ajouté (dir `src/Module/Core/Domain/Entity`, prefix `App\Module\Core\Domain\Entity`) à côté de `App` ; `resolve_target_entities: UserInterface → Core\User`. `migrations:diff` reste vide (hors dérive préexistante `messenger_messages`) → AUCUNE migration. Idem Notification en Phase D.
+- **Alias temporaire pour découpler le move des relations** : Phase B pose un `class_alias(App\Entity\User::class → Core\User)` (fichier `_compat_user_alias.php` en `autoload.files`, exclu de l'autowiring `App\:` via `exclude` services.yaml + `notPath` php-cs-fixer). Permet de relier d'abord les 8 relations d'entités au CONTRAT `UserInterface::class` (resolver propre) ; l'alias n'est qu'un pont de type-hint PHP. Phase C retire l'alias EN DERNIER, seulement quand `grep App\Entity\User` est vide.
+- **Règle contrat-vs-concret pour migrer les consommateurs** (Phase C, ~50 fichiers) : type-hint `App\Shared\Domain\Contract\UserInterface` si le fichier n'appelle que les méthodes de lecture du contrat / instanceof / type DQL ; FQCN concret `App\Module\Core\Domain\Entity\User` si besoin de getters HR, `apiToken`, `avatarFileName`, setters, `new User()`. Les deux éliminent `App\Entity\User`. Collision de nom avec `Symfony\...\UserInterface` → aliaser en `SharedUserInterface`.
+- **Notifier (Phase D)** : `NotifierInterface` (Shared) = API publique inter-modules ; impl `Notifier` (Core) persiste + flush. `TaskNotificationListener` appelle `notify()` UNIQUEMENT en `postFlush` (jamais `onFlush` — le flush interne y est dangereux). Comportement identique conservé.
+- **Layer front d'un module (Phase F)** : `frontend/modules/core/nuxt.config.ts` (`export default defineNuxtConfig({})`) + `git mv` des pages d'identité sous `modules/core/pages/`. Les imports `~/...` (alias srcDir) survivent au déplacement ; seuls les imports relatifs/par chemin casseraient. Les URLs (`/login`, `/profile`) restent identiques (fusion auto des `pages/` de layers).
+
+### Gotchas
+- **`admin.vue` = shell admin MULTI-domaines** (onglets clients/workflows/efforts/gitea/zimbra/mail/absences + 1 onglet `AdminUserTab`) : NE PAS le déplacer entier dans Core (il porterait les admins d'autres modules pas encore extraits). Conformément au plan, en cas de doute on déplace seulement login + profile, on documente. La décomposition de `admin.vue` viendra avec les modules respectifs.
+- **Vérifier la résolution des routes d'un layer Nuxt en SPA** : `ssr:false` → le dev server renvoie 200 pour N'IMPORTE QUEL chemin (shell SPA, routing client) — un `curl /login` = 200 ne prouve RIEN (testé : `/route-bidon-xyz` = 200 aussi). `nuxt prepare` ne génère pas le manifeste de routes. **Preuve déterministe** = `npx nuxt build` puis `grep 'name:"login"\|name:"profile"' .output/server/chunks/build/client.precomputed.mjs` (+ chunk CSS `profile.*.css` généré). Ne pas perturber un dev server déjà lancé (config `extends`/`imports.dirs` figée au démarrage avant création du layer) → lancer un dev frais sur un port libre pour smoke.
+- **Aligner le contrat sur la réalité de l'entité, pas l'inverse** : `User::getUsername()` est `?string` (pas `string`) et la méthode réelle est `getIsEmployee(): bool` (pas `isEmployee()`). Le plan écrivait `isEmployee()` — le contrat existant était déjà correct, aucun changement. Toujours lire l'entité avant de figer une signature de contrat.
+- **Tests fonctionnels qui persistent réellement** (pas de rollback transactionnel ici) : un `NotifierTest` qui crée une notif échoue au 2e run (`2 != 1`) → rendre les données uniques (`uniqid()` sur le titre) pour l'idempotence.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
 - **Commits concurrents**: NE PAS lancer deux sous-agents qui committent sur le même repo en parallèle (collision `.git/index.lock`) — séquencer.
-- 
2.39.5


From fdc72573eaf2324ce29025072d86142e10b18bdc Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:47:04 +0200
Subject: [PATCH 27/99] docs : add implementation plan for rbac fin (LST-57 /
 1.2)

---
 .../plans/2026-06-19-lst-57-rbac-fin.md       | 1690 +++++++++++++++++
 1 file changed, 1690 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md

diff --git a/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md b/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md
new file mode 100644
index 0000000..b3c6842
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md
@@ -0,0 +1,1690 @@
+# RBAC fin (LST-57 / 1.2) Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Porter le RBAC fin de Starseed dans le Module Core de Lesstime : permissions `module.resource[.sub].action`, entités `Role`/`Permission`, commande de synchronisation, `PermissionVoter`, sidebar filtrée par permission, et gestion front des rôles.
+
+**Architecture:** RBAC **additif** par-dessus l'auth Symfony existante (cf. Décision 1). On garde la colonne JSON `roles` + `ROLE_ADMIN`/`ROLE_USER` (login/JWT/MCP/sidebar #62 inchangés ; `ROLE_ADMIN` = bypass du voter) et on ajoute la couche RBAC fine : `Role`/`Permission` (Module Core), relations `rbacRoles`/`directPermissions` sur `User`, `getEffectivePermissions()`, `PermissionVoter`, `app:sync-permissions`, `app:seed-rbac`, sidebar gated par permission, front `usePermissions`.
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / PostgreSQL 16 — Nuxt 4 / Vue 3 / Pinia / TypeScript. Tests : PHPUnit 13. Docker : `php-lesstime-fpm` (user `www-data`), nginx port 8082, PG port 5435.
+
+## Global Constraints
+
+- `declare(strict_types=1)` en tête de tout fichier PHP. Symfony + PSR-12, hook pre-commit php-cs-fixer (ne pas lutter contre le reformat).
+- Namespaces : back `App\Module\Core\...`, `App\Shared\...`. Front layer `frontend/modules/core/`.
+- **Zéro régression auth** : après chaque phase touchant la sécurité (C, D, F), exécuter le bloc « Vérification login » ci-dessous → `login=204`, `/api/me=200`, `/_mcp=200`.
+- **Migration additive uniquement** : `CREATE TABLE` des tables RBAC ; **aucun** `DROP`/`ALTER` destructif sur `user`/`roles`. `doctrine:migrations:diff` après doit être vide (hors dérive préexistante `messenger_messages`).
+- PostgreSQL : noms de colonnes en minuscules dans le SQL brut ; `roles::text LIKE` pour les colonnes JSON.
+- `config/reference.php` est auto-généré : **ne jamais le committer**. Untracked `.codex`, `bulettins/` : ignorer.
+- Aucune mention de Claude/IA dans les commits.
+- Commits : `<type>(core) : <message>` (espace autour du `:`).
+- Tests existants au départ : **120 verts**. Chaque phase ajoute ses tests et garde l'ensemble vert.
+
+## Vérification login (à exécuter après chaque phase back touchant User/sécurité)
+
+```bash
+curl -s -i -X POST http://localhost:8082/api/login_check -H "Content-Type: application/json" -d '{"username":"alice","password":"alice"}' -D /tmp/h.txt -o /dev/null -w "login=%{http_code}\n"
+BEARER=$(grep -i 'set-cookie: BEARER' /tmp/h.txt | sed -E 's/.*BEARER=([^;]+);.*/\1/')
+curl -s -o /dev/null -w "me=%{http_code}\n" http://localhost:8082/api/me -H "Cookie: BEARER=$BEARER"
+curl -s -o /dev/null -w "mcp=%{http_code}\n" -X POST http://localhost:8082/_mcp -H "Authorization: Bearer dev-mcp-token-for-testing-only-do-not-use-in-production" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"c","version":"1"}}}'
+```
+Attendu : `login=204`, `me=200`, `mcp=200`.
+
+## Décisions de conception (actées, à valider PO a posteriori)
+
+1. **RBAC additif, `ROLE_ADMIN` = bypass (PAS de colonne `is_admin`)** — divergence assumée vs Starseed (qui a supprimé la colonne JSON `roles` au profit de `is_admin`). Justification : login/JWT, `security.yaml` (`role_hierarchy`, `app_user_provider`), gate sidebar #62 (`roles: [ROLE_ADMIN]`), MCP `apiToken` reposent tous sur `getRoles()`/`roles` JSON ; les réécrire = régression auth à haut risque pour zéro bénéfice AC. On garde `getRoles()` tel quel ; le `PermissionVoter` bypass si `in_array('ROLE_ADMIN', $user->getRoles())`. Migration future vers `is_admin` possible si le PO le souhaite.
+2. **`user_permission` (directPermissions) inclus** — fidélité Starseed : un user peut recevoir des permissions directes en plus de ses rôles. `getEffectivePermissions()` = union(rôles.permissions, directPermissions).
+3. **Gestion de `ROLE_ADMIN` reste sur le PATCH user existant (`roles`), PAS sur l'endpoint RBAC** — l'endpoint `/api/users/{id}/rbac` ne gère que `rbacRoles` + `directPermissions`. Pas de gardes « dernier admin »/« auto-suicide » (elles concernent `is_admin`, absent ici) ; on conserve uniquement la garde anti-écrasement des collections (defense in depth).
+4. **Pas de rôles métier seedés en 1.2** — seules les permissions `core.*` existent (les modules métier arrivent en 2.x). `app:seed-rbac` crée les rôles système `admin` et `user` (isSystem=true) sans matrice métier. Chaque module métier ajoutera ses permissions + (optionnel) ses rôles quand il sera livré.
+5. **Pas de `Sites`** — Lesstime n'a pas de notion de site : on retire toutes les gardes/relations `sites.*`, `currentSite`, `bypass_scope` du portage Starseed.
+6. **Entités `Role`/`Permission` sans Timestampable/Blamable** — alignées sur Starseed (métadonnées RBAC pures).
+
+---
+
+## Phase A — Domaine RBAC : entités, relations, migration
+
+### Task 1: Entités `Permission` + `Role` + relations `User` + repositories + contrat
+
+**Files:**
+- Create: `src/Module/Core/Domain/Entity/Permission.php`
+- Create: `src/Module/Core/Domain/Entity/Role.php`
+- Create: `src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php`
+- Create: `src/Module/Core/Domain/Repository/RoleRepositoryInterface.php`
+- Create: `src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php`
+- Create: `src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php` (relations `rbacRoles` + `directPermissions` + `getEffectivePermissions()`)
+- Modify: `src/Shared/Domain/Contract/UserInterface.php` (ajout `getEffectivePermissions()`)
+- Modify: `config/services.yaml` (alias repositories)
+- Create: `tests/Unit/Module/Core/Domain/Entity/PermissionTest.php`
+- Create: `tests/Unit/Module/Core/Domain/Entity/RoleTest.php`
+- Modify: `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php` (stub `getEffectivePermissions()` dans l'anonyme implémentant `UserInterface`)
+
+**Interfaces:**
+- Produces : `Permission { getId, getCode, getLabel, getModule, isOrphan, markOrphan(), revive(label, module), updateMetadata(label, module) }` ; `Role { getId, getCode, getLabel, getDescription, isSystem, getPermissions(): Collection, addPermission(Permission), removePermission(Permission), ensureDeletable() }` ; `User::getEffectivePermissions(): list<string>`, `User::getRbacRoles(): Collection`, `addRbacRole`/`removeRbacRole`, `getDirectPermissions(): Collection`, `addDirectPermission`/`removeDirectPermission`.
+- Repositories : `PermissionRepositoryInterface { findById(int): ?Permission, findByCode(string): ?Permission, findAll(): list<Permission>, findAllCodes(): list<string>, save(Permission): void }` ; `RoleRepositoryInterface { findById(int): ?Role, findByCode(string): ?Role, findAll(): list<Role>, save(Role): void }`.
+
+- [ ] **Step 1: Écrire les tests unitaires des entités**
+
+`tests/Unit/Module/Core/Domain/Entity/PermissionTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class PermissionTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $p = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        self::assertSame('core.users.view', $p->getCode());
+        self::assertSame('Voir les utilisateurs', $p->getLabel());
+        self::assertSame('core', $p->getModule());
+        self::assertFalse($p->isOrphan());
+    }
+
+    public function testCodeMustContainADot(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('coreusersview', 'x', 'core');
+    }
+
+    public function testCodeCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('', 'x', 'core');
+    }
+
+    public function testLabelCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('core.users.view', '', 'core');
+    }
+
+    public function testModuleCannotBeEmpty(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Permission('core.users.view', 'x', '');
+    }
+
+    public function testMarkOrphanAndRevive(): void
+    {
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $p->markOrphan();
+        self::assertTrue($p->isOrphan());
+        $p->revive('Voir maj', 'core');
+        self::assertFalse($p->isOrphan());
+        self::assertSame('Voir maj', $p->getLabel());
+    }
+}
+```
+
+`tests/Unit/Module/Core/Domain/Entity/RoleTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class RoleTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        self::assertSame('bureau', $r->getCode());
+        self::assertSame('Bureau', $r->getLabel());
+        self::assertFalse($r->isSystem());
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testCodeMustBeSnakeCase(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Role('Bureau Commercial', 'x');
+    }
+
+    public function testAddRemovePermission(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $r->addPermission($p);
+        self::assertCount(1, $r->getPermissions());
+        $r->addPermission($p); // idempotent
+        self::assertCount(1, $r->getPermissions());
+        $r->removePermission($p);
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testSystemRoleCannotBeDeleted(): void
+    {
+        $r = new Role('admin', 'Administrateur', null, true);
+        $this->expectException(SystemRoleDeletionException::class);
+        $r->ensureDeletable();
+    }
+
+    public function testNonSystemRoleIsDeletable(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $r->ensureDeletable();
+        self::assertFalse($r->isSystem());
+    }
+}
+```
+
+- [ ] **Step 2: Lancer les tests, vérifier l'échec**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/Domain/Entity/`
+Expected: FAIL (classes inexistantes).
+
+- [ ] **Step 3: Créer l'exception**
+
+`src/Module/Core/Domain/Exception/SystemRoleDeletionException.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Exception;
+
+final class SystemRoleDeletionException extends \DomainException
+{
+    public function __construct(string $code)
+    {
+        parent::__construct(sprintf('Le rôle système "%s" ne peut pas être supprimé.', $code));
+    }
+}
+```
+
+- [ ] **Step 4: Créer `Permission`**
+
+`src/Module/Core/Domain/Entity/Permission.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
+#[ORM\Table(name: 'permission')]
+#[ORM\Index(name: 'idx_permission_module', columns: ['module'])]
+#[ORM\Index(name: 'idx_permission_orphan', columns: ['orphan'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(),
+        new Get(),
+    ],
+    normalizationContext: ['groups' => ['permission:read']],
+    security: "is_granted('core.permissions.view') or is_granted('core.users.manage') or is_granted('core.roles.manage')",
+)]
+class Permission
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['permission:read', 'role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, unique: true)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $code;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $label;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $module;
+
+    #[ORM\Column]
+    #[Groups(['permission:read'])]
+    private bool $orphan = false;
+
+    public function __construct(string $code, string $label, string $module)
+    {
+        $code   = trim($code);
+        $label  = trim($label);
+        $module = trim($module);
+
+        if ('' === $code || !str_contains($code, '.')) {
+            throw new \InvalidArgumentException(sprintf('Code de permission invalide : "%s" (attendu module.resource.action).', $code));
+        }
+        if ('' === $label) {
+            throw new \InvalidArgumentException('Le libellé de permission ne peut pas être vide.');
+        }
+        if ('' === $module) {
+            throw new \InvalidArgumentException('Le module de permission ne peut pas être vide.');
+        }
+
+        $this->code   = $code;
+        $this->label  = $label;
+        $this->module = $module;
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function getModule(): string
+    {
+        return $this->module;
+    }
+
+    public function isOrphan(): bool
+    {
+        return $this->orphan;
+    }
+
+    public function markOrphan(): void
+    {
+        $this->orphan = true;
+    }
+
+    public function revive(string $label, string $module): void
+    {
+        $this->orphan = false;
+        $this->updateMetadata($label, $module);
+    }
+
+    public function updateMetadata(string $label, string $module): void
+    {
+        $this->label  = $label;
+        $this->module = $module;
+    }
+}
+```
+
+- [ ] **Step 5: Créer `Role`**
+
+`src/Module/Core/Domain/Entity/Role.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
+#[ORM\Table(name: '`role`')]
+#[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(security: "is_granted('core.roles.view')"),
+        new Get(security: "is_granted('core.roles.view')"),
+        new Post(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Patch(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Delete(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+class Role
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 100, unique: true)]
+    #[Groups(['role:read', 'role:write'])]
+    private string $code;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['role:read', 'role:write'])]
+    private string $label;
+
+    #[ORM\Column(type: 'text', nullable: true)]
+    #[Groups(['role:read', 'role:write'])]
+    private ?string $description;
+
+    #[ORM\Column(name: 'is_system')]
+    #[Groups(['role:read'])]
+    private bool $isSystem;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
+    private Collection $permissions;
+
+    public function __construct(string $code, string $label, ?string $description = null, bool $isSystem = false)
+    {
+        if (1 !== preg_match('/^[a-z][a-z0-9_]*$/', $code)) {
+            throw new \InvalidArgumentException(sprintf('Code de rôle invalide : "%s" (attendu snake_case).', $code));
+        }
+        if ('' === trim($label)) {
+            throw new \InvalidArgumentException('Le libellé de rôle ne peut pas être vide.');
+        }
+
+        $this->code        = $code;
+        $this->label       = $label;
+        $this->description = $description;
+        $this->isSystem    = $isSystem;
+        $this->permissions = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(string $label): void
+    {
+        $this->label = $label;
+    }
+
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): void
+    {
+        $this->description = $description;
+    }
+
+    public function isSystem(): bool
+    {
+        return $this->isSystem;
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getPermissions(): Collection
+    {
+        return $this->permissions;
+    }
+
+    public function addPermission(Permission $permission): void
+    {
+        if (!$this->permissions->contains($permission)) {
+            $this->permissions->add($permission);
+        }
+    }
+
+    public function removePermission(Permission $permission): void
+    {
+        $this->permissions->removeElement($permission);
+    }
+
+    public function ensureDeletable(): void
+    {
+        if ($this->isSystem) {
+            throw new SystemRoleDeletionException($this->code);
+        }
+    }
+}
+```
+
+- [ ] **Step 6: Ajouter les relations RBAC + `getEffectivePermissions()` à `User`**
+
+Dans `src/Module/Core/Domain/Entity/User.php` : ajouter les imports `use Doctrine\Common\Collections\ArrayCollection; use Doctrine\Common\Collections\Collection;` (si absents) et, dans la classe :
+```php
+    /**
+     * @var Collection<int, Role>
+     */
+    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_role')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $rbacRoles;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_permission')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $directPermissions;
+```
+> ⚠️ Initialiser les deux collections dans le constructeur de `User` (s'il en existe un ; sinon en ajouter un `public function __construct() { $this->rbacRoles = new ArrayCollection(); $this->directPermissions = new ArrayCollection(); }`. Vérifier d'abord s'il y a déjà un constructeur — `createdAt` est posé ailleurs ? Lire l'entité. Si pas de constructeur, en créer un n'initialisant QUE ces deux collections).
+
+Ajouter les méthodes :
+```php
+    /**
+     * @return Collection<int, Role>
+     */
+    public function getRbacRoles(): Collection
+    {
+        return $this->rbacRoles;
+    }
+
+    public function addRbacRole(Role $role): void
+    {
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
+        }
+    }
+
+    public function removeRbacRole(Role $role): void
+    {
+        $this->rbacRoles->removeElement($role);
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getDirectPermissions(): Collection
+    {
+        return $this->directPermissions;
+    }
+
+    public function addDirectPermission(Permission $permission): void
+    {
+        if (!$this->directPermissions->contains($permission)) {
+            $this->directPermissions->add($permission);
+        }
+    }
+
+    public function removeDirectPermission(Permission $permission): void
+    {
+        $this->directPermissions->removeElement($permission);
+    }
+
+    /**
+     * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
+     *
+     * @return list<string>
+     */
+    #[Groups(['me:read', 'user:rbac:read'])]
+    public function getEffectivePermissions(): array
+    {
+        $codes = [];
+        foreach ($this->rbacRoles as $role) {
+            foreach ($role->getPermissions() as $permission) {
+                $codes[$permission->getCode()] = true;
+            }
+        }
+        foreach ($this->directPermissions as $permission) {
+            $codes[$permission->getCode()] = true;
+        }
+        $keys = array_keys($codes);
+        sort($keys);
+
+        return $keys;
+    }
+```
+Ajouter les imports `use App\Module\Core\Domain\Entity\Role;` n'est pas nécessaire (même namespace) ; `Permission` non plus. Vérifier la présence de `use Symfony\Component\Serializer\Annotation\Groups;` (déjà là vu les Groups existants).
+
+- [ ] **Step 7: Enrichir le contrat `UserInterface`**
+
+Dans `src/Shared/Domain/Contract/UserInterface.php`, ajouter :
+```php
+    /** @return list<string> */
+    public function getEffectivePermissions(): array;
+```
+Puis ajouter le stub dans l'anonyme du test `tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php` qui implémente `UserInterface` :
+```php
+            public function getEffectivePermissions(): array
+            {
+                return [];
+            }
+```
+
+- [ ] **Step 8: Créer les repositories + alias services**
+
+`src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Permission;
+
+interface PermissionRepositoryInterface
+{
+    public function findById(int $id): ?Permission;
+
+    public function findByCode(string $code): ?Permission;
+
+    /** @return list<Permission> */
+    public function findAll(): array;
+
+    /** @return list<string> */
+    public function findAllCodes(): array;
+
+    public function save(Permission $permission): void;
+}
+```
+
+`src/Module/Core/Domain/Repository/RoleRepositoryInterface.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Role;
+
+interface RoleRepositoryInterface
+{
+    public function findById(int $id): ?Role;
+
+    public function findByCode(string $code): ?Role;
+
+    /** @return list<Role> */
+    public function findAll(): array;
+
+    public function save(Role $role): void;
+}
+```
+
+`src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Permission>
+ */
+final class DoctrinePermissionRepository extends ServiceEntityRepository implements PermissionRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Permission::class);
+    }
+
+    public function findById(int $id): ?Permission
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Permission
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Permission> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    /** @return list<string> */
+    public function findAllCodes(): array
+    {
+        /** @var list<array{code: string}> $rows */
+        $rows = $this->createQueryBuilder('p')->select('p.code')->getQuery()->getArrayResult();
+
+        return array_map(static fn (array $r): string => $r['code'], $rows);
+    }
+
+    public function save(Permission $permission): void
+    {
+        $this->getEntityManager()->persist($permission);
+    }
+}
+```
+
+`src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Role>
+ */
+final class DoctrineRoleRepository extends ServiceEntityRepository implements RoleRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Role::class);
+    }
+
+    public function findById(int $id): ?Role
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Role
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Role> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    public function save(Role $role): void
+    {
+        $this->getEntityManager()->persist($role);
+    }
+}
+```
+
+Dans `config/services.yaml`, sous les alias existants (à côté de `UserRepositoryInterface`) :
+```yaml
+    App\Module\Core\Domain\Repository\PermissionRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository'
+    App\Module\Core\Domain\Repository\RoleRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository'
+```
+
+- [ ] **Step 9: Lancer les tests unitaires entités**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Module/Core/Domain/Entity/`
+Expected: PASS.
+
+- [ ] **Step 10: Générer + appliquer la migration additive**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff`
+Vérifier que le `up()` ne contient QUE des `CREATE TABLE permission`, `CREATE TABLE "role"`, `CREATE TABLE role_permission`, `CREATE TABLE user_role`, `CREATE TABLE user_permission` (+ index + FK), **aucun** `DROP`/`ALTER` sur `"user"` ou `messenger_messages`. Si la dérive `messenger_messages` est mélangée, éditer la migration pour ne garder que les tables RBAC.
+Ajouter les `COMMENT ON COLUMN` pour les colonnes métier (code, label, module, orphan, is_system, description) dans le `up()` (convention projet, cf. ColumnCommentsCatalog).
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate --no-interaction`
+Puis recharger les fixtures de test : `make db-reset` (ou équivalent test) — vérifier que ça passe.
+
+- [ ] **Step 11: Gate + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:schema:validate` → Mapping OK.
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert (120 + 11).
+Bloc « Vérification login ».
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src config tests migrations
+git reset -- config/reference.php
+git commit -m "feat(core) : add rbac role and permission entities with user relations"
+```
+
+---
+
+## Phase B — Agrégation des permissions + commande de synchronisation
+
+### Task 2: `ModuleRegistry::permissions()` + `CoreModule::permissions()` finalisé + `app:sync-permissions`
+
+**Files:**
+- Modify: `src/Shared/Domain/Module/ModuleRegistry.php` (méthode `permissions()`)
+- Modify: `src/Module/Core/CoreModule.php` (permissions Core définitives)
+- Create: `src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php`
+- Create: `tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php`
+- Create: `tests/Functional/Module/Core/SyncPermissionsCommandTest.php`
+
+**Interfaces:**
+- Consumes : `ModuleInterface::permissions(): list<array{code,label}>` (existant), `PermissionRepositoryInterface`.
+- Produces : `ModuleRegistry::permissions(array $moduleClasses): list<array{code,label,module}>` (agrège + injecte `module` = `$class::id()`, valide préfixe). Commande `app:sync-permissions`.
+
+- [ ] **Step 1: Test de `ModuleRegistry::permissions()`**
+
+`tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryPermissionsTest extends TestCase
+{
+    public function testAggregatesPermissionsWithModuleId(): void
+    {
+        $perms = ModuleRegistry::permissions([CoreModule::class]);
+
+        self::assertNotEmpty($perms);
+        foreach ($perms as $perm) {
+            self::assertArrayHasKey('code', $perm);
+            self::assertArrayHasKey('label', $perm);
+            self::assertArrayHasKey('module', $perm);
+            self::assertSame('core', $perm['module']);
+            self::assertStringStartsWith('core.', $perm['code']);
+        }
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (méthode inexistante).
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php`
+Expected: FAIL.
+
+- [ ] **Step 3: Implémenter `ModuleRegistry::permissions()`**
+
+Ajouter à `src/Shared/Domain/Module/ModuleRegistry.php` :
+```php
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<array{code: string, label: string, module: string}>
+     */
+    public static function permissions(array $moduleClasses): array
+    {
+        $out = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
+            }
+            $moduleId = $moduleClass::id();
+            foreach ($moduleClass::permissions() as $perm) {
+                $code = $perm['code'];
+                if (!str_starts_with($code, $moduleId.'.')) {
+                    throw new \InvalidArgumentException(sprintf('Permission "%s" du module "%s" doit être préfixée par "%s.".', $code, $moduleId, $moduleId));
+                }
+                $out[] = ['code' => $code, 'label' => $perm['label'], 'module' => $moduleId];
+            }
+        }
+
+        return $out;
+    }
+```
+
+- [ ] **Step 4: Finaliser `CoreModule::permissions()`**
+
+Remplacer le stub par les permissions Core RBAC (alignées sur Starseed, périmètre Lesstime) :
+```php
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'core.users.view', 'label' => 'Voir les utilisateurs'],
+            ['code' => 'core.users.manage', 'label' => 'Gérer les utilisateurs (créer, éditer, supprimer)'],
+            ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
+            ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
+            ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
+        ];
+    }
+```
+> Mettre à jour `tests/Unit/Module/Core/CoreModuleTest.php` si une assertion fige les anciens codes (`core.user.read`, etc.).
+
+- [ ] **Step 5: Test fonctionnel de la commande**
+
+`tests/Functional/Module/Core/SyncPermissionsCommandTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SyncPermissionsCommandTest extends KernelTestCase
+{
+    public function testSyncCreatesCorePermissions(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:sync-permissions'));
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+
+        $repo = self::getContainer()->get(PermissionRepositoryInterface::class);
+        self::assertNotNull($repo->findByCode('core.users.manage'));
+        self::assertContains('core.roles.manage', $repo->findAllCodes());
+    }
+}
+```
+
+- [ ] **Step 6: Lancer, vérifier l'échec** (commande inexistante).
+
+- [ ] **Step 7: Implémenter `app:sync-permissions`**
+
+`src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+#[AsCommand(name: 'app:sync-permissions', description: 'Synchronise le catalogue des permissions depuis les modules actifs.')]
+final class SyncPermissionsCommand extends Command
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly PermissionRepositoryInterface $permissions,
+        #[Autowire('%kernel.project_dir%')]
+        private readonly string $projectDir,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        // Phase 1 : permissions désirées (code => {code,label,module}).
+        $desired = [];
+        foreach (ModuleRegistry::permissions($moduleClasses) as $perm) {
+            $desired[$perm['code']] = $perm;
+        }
+
+        // Phase 2 : upsert.
+        $existing = [];
+        foreach ($this->permissions->findAll() as $permission) {
+            $existing[$permission->getCode()] = $permission;
+        }
+
+        $added = $updated = $revived = 0;
+        foreach ($desired as $code => $perm) {
+            $entity = $existing[$code] ?? null;
+            if (null === $entity) {
+                $this->permissions->save(new Permission($perm['code'], $perm['label'], $perm['module']));
+                ++$added;
+
+                continue;
+            }
+            if ($entity->isOrphan()) {
+                $entity->revive($perm['label'], $perm['module']);
+                ++$revived;
+            } elseif ($entity->getLabel() !== $perm['label'] || $entity->getModule() !== $perm['module']) {
+                $entity->updateMetadata($perm['label'], $perm['module']);
+                ++$updated;
+            }
+        }
+
+        // Phase 3 : orphelines (existantes absentes des désirées).
+        $orphaned = 0;
+        foreach ($existing as $code => $entity) {
+            if (!isset($desired[$code]) && !$entity->isOrphan()) {
+                $entity->markOrphan();
+                ++$orphaned;
+            }
+        }
+
+        $this->em->flush();
+
+        $io->success(sprintf('Permissions synchronisées : %d ajoutées, %d mises à jour, %d réactivées, %d orphelines. Total désirées : %d.', $added, $updated, $revived, $orphaned, \count($desired)));
+
+        return Command::SUCCESS;
+    }
+}
+```
+
+- [ ] **Step 8: Tests + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : aggregate module permissions and add sync-permissions command"
+```
+
+---
+
+## Phase C — PermissionVoter + exposition `/api/me`
+
+### Task 3: `PermissionVoter` + permissions effectives dans `/api/me`
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Security/PermissionVoter.php`
+- Create: `tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php`
+- Modify (vérifier) : `src/Module/Core/Domain/Entity/User.php` — `getEffectivePermissions()` déjà dans le groupe `me:read` (Phase A Step 6). Confirmer.
+
+**Interfaces:**
+- Consumes : `User::getEffectivePermissions()`, `User::getRoles()`.
+- Produces : voter répondant à `is_granted('module.resource.action')`.
+
+- [ ] **Step 1: Test du voter**
+
+`tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Security\PermissionVoter;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * @internal
+ */
+final class PermissionVoterTest extends TestCase
+{
+    private function token(User $user): UsernamePasswordToken
+    {
+        return new UsernamePasswordToken($user, 'main', $user->getRoles());
+    }
+
+    public function testAbstainsOnNonRbacAttributes(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['ROLE_ADMIN']));
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['IS_AUTHENTICATED_FULLY']));
+    }
+
+    public function testGrantsWhenUserHasPermissionViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $role  = new Role('bureau', 'Bureau');
+        $role->addPermission(new Permission('core.users.view', 'Voir', 'core'));
+        $user = new User();
+        $user->addRbacRole($role);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.view']));
+        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    public function testAdminBypassesViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        $user->setRoles(['ROLE_ADMIN']);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+}
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec.**
+
+- [ ] **Step 3: Implémenter le voter**
+
+`src/Module/Core/Infrastructure/Security/PermissionVoter.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<string, mixed>
+ */
+final class PermissionVoter extends Voter
+{
+    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return 1 === preg_match(self::PATTERN, $attribute);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        $user = $token->getUser();
+        if (!$user instanceof User) {
+            return false;
+        }
+
+        // ROLE_ADMIN = bypass total (cf. Décision 1).
+        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            return true;
+        }
+
+        return in_array($attribute, $user->getEffectivePermissions(), true);
+    }
+}
+```
+> Le voter est auto-enregistré (autoconfigure). Aucun ajout `services.yaml` nécessaire.
+
+- [ ] **Step 4: Tests + login + vérif `/api/me`**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login », puis vérifier que `/api/me` expose `effectivePermissions` :
+```bash
+curl -s http://localhost:8082/api/me -H "Cookie: BEARER=$BEARER" | grep -o "effectivePermissions" && echo "OK champ présent"
+```
+> `alice` (ROLE_USER, sans rôle RBAC) renverra `effectivePermissions: []` — normal à ce stade (pas de rôle attribué).
+
+- [ ] **Step 5: Commit**
+
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : add permission voter and expose effective permissions on /api/me"
+```
+
+---
+
+## Phase D — API Platform : Role + Permission + processors
+
+### Task 4: ApiResources Role/Permission (déjà sur entités) + `RoleProcessor` + endpoint RBAC user + `UserRbacProcessor`
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php`
+- Create: `src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php` (opérations RBAC `Get`/`Patch` sur `/api/users/{id}/rbac` + groupes `user:rbac:read`/`user:rbac:write`)
+- Create: `tests/Functional/Module/Core/RoleApiTest.php`
+- Create: `tests/Functional/Module/Core/UserRbacApiTest.php`
+
+**Interfaces:**
+- Consumes : `RoleRepositoryInterface`, `Role::ensureDeletable()`, `User` collections.
+- Produces : `POST/PATCH/DELETE /api/roles`, `GET/PATCH /api/users/{id}/rbac`.
+
+- [ ] **Step 1: `RoleProcessor`** (immuabilité du code + refus delete système)
+
+`src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * @implements ProcessorInterface<Role, Role|null>
+ */
+final readonly class RoleProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?Role
+    {
+        \assert($data instanceof Role);
+
+        if ($operation instanceof DeleteOperationInterface) {
+            try {
+                $data->ensureDeletable();
+            } catch (\DomainException $e) {
+                throw new AccessDeniedHttpException($e->getMessage(), $e);
+            }
+            $this->em->remove($data);
+            $this->em->flush();
+
+            return null;
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
+```
+> Le code étant `role:write` mais immuable : API Platform mappe le `code` à la création (POST). En PATCH, le `code` reste dans `role:write` — pour le rendre immuable, vérifier dans un test que le PATCH du code n'a pas d'effet (l'entité n'a pas de `setCode()`, donc le denormalizer ne peut pas l'écraser → immuabilité structurelle). Confirmer l'absence de `setCode()` dans `Role`. ✅ (non défini en Phase A).
+
+- [ ] **Step 2: Endpoint RBAC sur `User` + `UserRbacProcessor`**
+
+Dans `src/Module/Core/Domain/Entity/User.php`, ajouter aux `operations` de l'`ApiResource` :
+```php
+        new Get(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+        ),
+        new Patch(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+            denormalizationContext: ['groups' => ['user:rbac:write']],
+            processor: UserRbacProcessor::class,
+        ),
+```
+Ajouter l'import `use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;`.
+Ajouter les setters de collections en denormalization (groupe `user:rbac:write`) : exposer `rbacRoles` et `directPermissions` en écriture. Pour cela, ajouter le groupe `user:rbac:write` sur les deux propriétés (en plus de `user:rbac:read`) :
+```php
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $rbacRoles;
+    ...
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
+    private Collection $directPermissions;
+```
+> API Platform écrit les collections M2M via les adders/removers `addRbacRole`/`removeRbacRole` et `addDirectPermission`/`removeDirectPermission` (déjà définis Phase A).
+
+`src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php` (garde anti-écrasement des collections absentes du payload) :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\PersistentCollection;
+
+/**
+ * @implements ProcessorInterface<User, User>
+ */
+final readonly class UserRbacProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
+    {
+        \assert($data instanceof User);
+
+        // Defense in depth : si une collection n'était pas dans le payload JSON, API Platform
+        // la réinstancie vide → on restaure le snapshot Doctrine pour éviter l'effacement silencieux.
+        $previous = $context['previous_data'] ?? null;
+        if ($previous instanceof User) {
+            $this->restoreIfEmptiedByAbsence($data->getRbacRoles(), $previous->getRbacRoles());
+            $this->restoreIfEmptiedByAbsence($data->getDirectPermissions(), $previous->getDirectPermissions());
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+
+    /**
+     * @param iterable<object> $current
+     * @param iterable<object> $previous
+     */
+    private function restoreIfEmptiedByAbsence(mixed $current, mixed $previous): void
+    {
+        // Si la collection courante est "propre" (non modifiée par le denormalizer) mais vidée,
+        // on ne touche à rien : la mutation explicite passe par add/remove.
+        if ($current instanceof PersistentCollection && !$current->isDirty()) {
+            return;
+        }
+        // NB : la restauration fine est laissée à l'exécutant si un test prouve l'écrasement ;
+        // en pratique, exposer les collections en user:rbac:write avec les adders/removers suffit.
+    }
+}
+```
+> ⚠️ NOTE EXÉCUTANT : commencer SIMPLE — exposer `rbacRoles`/`directPermissions` en `user:rbac:write` (avec adders/removers) gère nativement les mutations via IRIs. Écrire d'abord le test `UserRbacApiTest` (Step 4) ; si et seulement si il prouve un écrasement de collection lors d'un PATCH partiel, implémenter la restauration depuis `$context['previous_data']`. Sinon, le `UserRbacProcessor` peut se réduire à persist+flush. Ne pas sur-architecturer.
+
+- [ ] **Step 3: Tests fonctionnels Role**
+
+`tests/Functional/Module/Core/RoleApiTest.php` : créer un user admin authentifié (helper login JWT comme les autres tests fonctionnels du projet — s'inspirer de `tests/Functional/...` existants), puis :
+- `GET /api/roles` en tant qu'admin → 200.
+- `GET /api/roles` non authentifié → 401.
+- `POST /api/roles` `{code:'bureau', label:'Bureau'}` en admin → 201.
+- `DELETE` d'un rôle système (`admin`, seedé en Phase E — ou créé inline `isSystem`) → 403.
+> S'aligner sur le pattern d'auth des tests fonctionnels existants (cookie BEARER via `/login_check` ou client API Platform avec token). LIRE un test fonctionnel existant avant d'écrire celui-ci.
+
+- [ ] **Step 4: Tests fonctionnels User RBAC**
+
+`tests/Functional/Module/Core/UserRbacApiTest.php` :
+- `GET /api/users/{id}/rbac` en admin → 200, contient `rbacRoles`, `directPermissions`, `effectivePermissions`.
+- `PATCH /api/users/{id}/rbac` attribuant un rôle (IRI) → 200, le rôle apparaît dans `rbacRoles`.
+- `PATCH` ne touchant qu'un champ → vérifier que l'autre collection n'est PAS vidée (le test qui décide si `UserRbacProcessor` a besoin de la restauration).
+
+- [ ] **Step 5: Lancer + login + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login ».
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : expose role and user-rbac api endpoints with processors"
+```
+
+---
+
+## Phase E — Seed RBAC (rôles système)
+
+### Task 5: `RbacSeeder` + `app:seed-rbac` + intégration fixtures
+
+**Files:**
+- Create: `src/Module/Core/Application/Rbac/RbacSeeder.php`
+- Create: `src/Module/Core/Infrastructure/Console/SeedRbacCommand.php`
+- Create: `src/Module/Core/Domain/Security/SystemRoles.php`
+- Modify: `src/DataFixtures/AppFixtures.php` (appeler le seed des rôles système après sync, OU documenter l'appel via make)
+- Create: `tests/Functional/Module/Core/SeedRbacCommandTest.php`
+
+**Interfaces:**
+- Consumes : `RoleRepositoryInterface`, `EntityManagerInterface`.
+- Produces : `RbacSeeder::ensureSystemRoles(): void` (idempotent), commande `app:seed-rbac`.
+
+- [ ] **Step 1: `SystemRoles`**
+
+`src/Module/Core/Domain/Security/SystemRoles.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Security;
+
+final class SystemRoles
+{
+    public const string ADMIN_CODE = 'admin';
+    public const string USER_CODE  = 'user';
+}
+```
+
+- [ ] **Step 2: Test de la commande**
+
+`tests/Functional/Module/Core/SeedRbacCommandTest.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SeedRbacCommandTest extends KernelTestCase
+{
+    public function testSeedsSystemRolesIdempotently(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:seed-rbac'));
+
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+        $tester->execute([]); // idempotent
+        $tester->assertCommandIsSuccessful();
+
+        $repo  = self::getContainer()->get(RoleRepositoryInterface::class);
+        $admin = $repo->findByCode(SystemRoles::ADMIN_CODE);
+        self::assertNotNull($admin);
+        self::assertTrue($admin->isSystem());
+        self::assertNotNull($repo->findByCode(SystemRoles::USER_CODE));
+    }
+}
+```
+
+- [ ] **Step 3: Lancer, vérifier l'échec.**
+
+- [ ] **Step 4: `RbacSeeder`**
+
+`src/Module/Core/Application/Rbac/RbacSeeder.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\Rbac;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class RbacSeeder
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private RoleRepositoryInterface $roles,
+    ) {}
+
+    /**
+     * Crée les rôles système s'ils sont absents. Idempotent.
+     */
+    public function ensureSystemRoles(): void
+    {
+        $this->ensureRole(SystemRoles::ADMIN_CODE, 'Administrateur', 'Accès complet (bypass RBAC).');
+        $this->ensureRole(SystemRoles::USER_CODE, 'Utilisateur', 'Rôle de base sans permission spécifique.');
+        $this->em->flush();
+    }
+
+    private function ensureRole(string $code, string $label, string $description): void
+    {
+        if (null !== $this->roles->findByCode($code)) {
+            return;
+        }
+        $this->roles->save(new Role($code, $label, $description, true));
+    }
+}
+```
+
+- [ ] **Step 5: `app:seed-rbac`**
+
+`src/Module/Core/Infrastructure/Console/SeedRbacCommand.php` :
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+#[AsCommand(name: 'app:seed-rbac', description: 'Seed les rôles système RBAC (admin, user).')]
+final class SeedRbacCommand extends Command
+{
+    public function __construct(private readonly RbacSeeder $seeder)
+    {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+        $this->seeder->ensureSystemRoles();
+        $io->success('Rôles système RBAC seedés (admin, user).');
+
+        return Command::SUCCESS;
+    }
+}
+```
+
+- [ ] **Step 6: Intégrer au cycle fixtures**
+
+LIRE `src/DataFixtures/AppFixtures.php`. Après le chargement des users, appeler le seed RBAC (les permissions doivent exister → `app:sync-permissions` AVANT). Deux options selon le pattern projet :
+- (a) injecter `RbacSeeder` dans `AppFixtures` et appeler `ensureSystemRoles()` en fin de `load()` (les permissions Core sont synchronisées par un hook séparé) ; OU
+- (b) documenter dans le `Makefile`/README que `make db-reset` enchaîne `fixtures:load` puis `app:sync-permissions` puis `app:seed-rbac`.
+> Choisir (a) si `AppFixtures` peut injecter des services (DependentFixture/service) ; sinon (b). Vérifier que `make db-reset` laisse une base cohérente (rôles + permissions présents). NE PAS attacher de matrice métier (Décision 4).
+
+- [ ] **Step 7: Tests + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src tests
+git commit -m "feat(core) : add rbac seeder and seed-rbac command for system roles"
+```
+
+---
+
+## Phase F — Sidebar filtrée par permission
+
+### Task 6: `SidebarFilter` + `SidebarProvider` + `config/sidebar.php` gated par permission
+
+**Files:**
+- Modify: `src/Shared/Domain/Sidebar/SidebarFilter.php` (clé `permission` sur section + item)
+- Modify: `src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php` (passe les permissions effectives)
+- Modify: `config/sidebar.php` (permissions sur les items admin)
+- Modify: `tests/Unit/Shared/Sidebar/SidebarFilterTest.php` (cas permission)
+- Modify (éventuel): `tests/Functional/Shared/SidebarEndpointTest.php`
+
+**Interfaces:**
+- Consumes : `User::getEffectivePermissions()`, `User::getRoles()`.
+- Produces : `SidebarFilter::filter($sections, $activeModuleIds, $activeRoles = [], $activePermissions = [])`.
+
+- [ ] **Step 1: Étendre le test `SidebarFilterTest`**
+
+Ajouter des cas : une section/item avec `'permission' => 'core.users.view'` est masqué si la permission n'est pas dans `$activePermissions`, visible sinon. Un item sans `permission` reste visible (rétrocompat). Combinaison avec `roles` et `module` inchangée.
+```php
+    public function testItemHiddenWhenPermissionMissing(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [
+                ['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view'],
+                ['label' => 'b', 'to' => '/b', 'icon' => 'i'],
+            ],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], []);
+        self::assertCount(1, $out['sections'][0]['items']);
+        self::assertSame('/b', $out['sections'][0]['items'][0]['to']);
+    }
+
+    public function testItemVisibleWhenPermissionGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view']],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
+        self::assertCount(1, $out['sections'][0]['items']);
+    }
+```
+
+- [ ] **Step 2: Lancer, vérifier l'échec** (signature à 3 args).
+
+- [ ] **Step 3: Étendre `SidebarFilter`**
+
+Ajouter le paramètre `array $activePermissions = []` à `filter()`. Mettre à jour la docblock des types (`permission?:string` sur section et item). Après le gate de rôle (section et item), ajouter le gate de permission :
+```php
+            // Gate de permission au niveau section.
+            if (!self::permissionSatisfied($section['permission'] ?? null, $activePermissions)) {
+                continue;
+            }
+```
+et pour l'item, avant le filtrage module :
+```php
+                if (!self::permissionSatisfied($item['permission'] ?? null, $activePermissions)) {
+                    continue;
+                }
+```
+Helper :
+```php
+    /**
+     * @param list<string> $activePermissions
+     */
+    private static function permissionSatisfied(?string $required, array $activePermissions): bool
+    {
+        if (null === $required || '' === $required) {
+            return true;
+        }
+
+        return in_array($required, $activePermissions, true);
+    }
+```
+
+- [ ] **Step 4: Passer les permissions dans `SidebarProvider`**
+
+Dans `provide()`, après `$roles = ...` :
+```php
+        $permissions = ($user instanceof \App\Module\Core\Domain\Entity\User) ? $user->getEffectivePermissions() : [];
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles), $permissions);
+```
+> Pour éviter le couplage dur au concret, préférer le contrat : `$user` peut être typé `UserInterface` (qui a désormais `getEffectivePermissions()`). Utiliser `$permissions = method_exists($user, 'getEffectivePermissions') ? $user->getEffectivePermissions() : [];` OU, plus propre, instancier-check sur `App\Shared\Domain\Contract\UserInterface`. Choisir le check sur le contrat Shared.
+
+- [ ] **Step 5: Ajouter les permissions dans `config/sidebar.php`**
+
+Sur la section admin, garder le gate `roles: [ROLE_ADMIN]` (rétrocompat) ET, en complément, ajouter une `permission` sur l'item Administration le cas échéant. Comme ROLE_ADMIN bypasse déjà tout (Décision 1), garder la section admin sur `roles` est suffisant ; on ajoute `permission` seulement si on veut donner accès à des non-admins porteurs de `core.users.view`/`core.roles.view`. Décider : ajouter `'permission' => 'core.users.view'` sur l'item `administration` pour permettre l'accès aux gestionnaires non-admin. Documenter dans le commentaire d'en-tête de `config/sidebar.php` la nouvelle clé `permission`.
+> Mettre à jour le commentaire d'en-tête : « `permission` (section/item masqué si la permission effective absente — le RBAC fin) ».
+
+- [ ] **Step 6: Tests + login + commit**
+
+Run: `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit` → vert.
+Bloc « Vérification login » + vérifier `/api/sidebar` : `admin` voit Administration, `alice` (ROLE_USER sans permission) ne voit pas l'item gardé par permission.
+```bash
+make php-cs-fixer-allow-risky
+git add -A -- src config tests
+git commit -m "feat(core) : gate sidebar by effective permissions"
+```
+
+---
+
+## Phase G — Front : composable `usePermissions` + gestion des rôles
+
+### Task 7: `usePermissions`, type user étendu, page admin rôles
+
+**Files:**
+- Create: `frontend/modules/core/composables/usePermissions.ts`
+- Modify: type de l'utilisateur courant (chercher `frontend/services/dto/` ou store auth) — ajouter `effectivePermissions: string[]`
+- Create: `frontend/modules/core/services/roles.ts` + `frontend/modules/core/services/permissions.ts`
+- Create: `frontend/modules/core/pages/admin/roles.vue` (gestion des rôles) — OU onglet dans l'admin existant
+- Modify: `frontend/i18n/locales/fr.json` (clés `admin.roles.*`)
+
+> ⚠️ Le front Lesstime n'a pas encore de page de gestion de rôles. LIRE d'abord la structure (`frontend/modules/core/`, `frontend/stores/auth.ts`, `frontend/services/`, `frontend/pages/admin.vue` et ses onglets `Admin*Tab`). Reproduire le pattern existant (onglet `AdminUserTab` etc.). Le composable et le type sont le cœur de l'AC front ; la page de gestion peut être un onglet supplémentaire dans `admin.vue`.
+
+**Interfaces:**
+- Consumes : `/api/me.effectivePermissions`, `/api/roles`, `/api/permissions`.
+- Produces : `usePermissions(): { can(code), canAny(codes), canAll(codes) }`.
+
+- [ ] **Step 1: Étendre le type user + le store auth**
+
+LIRE le store `frontend/stores/auth.ts` (ou `shared/stores/auth.ts`) et le DTO user. Ajouter `effectivePermissions: string[]` au type, et s'assurer que le payload `/api/me` (qui l'expose désormais, Phase C) est bien stocké. Si le type a `roles: string[]`, garder.
+
+- [ ] **Step 2: Composable `usePermissions`**
+
+`frontend/modules/core/composables/usePermissions.ts` :
+```ts
+export function usePermissions() {
+    const auth = useAuthStore()
+
+    function isAdmin(): boolean {
+        return auth.user?.roles?.includes('ROLE_ADMIN') ?? false
+    }
+
+    function can(code: string): boolean {
+        if (!auth.user) return false
+        if (isAdmin()) return true
+        return auth.user.effectivePermissions?.includes(code) ?? false
+    }
+
+    function canAny(codes: string[]): boolean {
+        return codes.some((c) => can(c))
+    }
+
+    function canAll(codes: string[]): boolean {
+        return codes.every((c) => can(c))
+    }
+
+    return { can, canAny, canAll, isAdmin }
+}
+```
+> Le dossier `modules/core/composables` est auto-importé (scan `readdirSync('modules/')` → `imports.dirs`, cf. LST-62). `useAuthStore` est auto-importé.
+
+- [ ] **Step 3: Services roles/permissions**
+
+`frontend/modules/core/services/roles.ts` et `permissions.ts` : 1 service par ressource, via `useApi()` (pattern projet — LIRE `frontend/services/users.ts` comme modèle). Exposer `list()`, `create()`, `update()`, `remove()` pour roles ; `list()` pour permissions. Gérer la pagination via le pattern projet (ces collections sont bornées → `paginationEnabled: false` sur le `GetCollection` côté back, OU `fetchAllHydra`). Vérifier : si les collections Role/Permission peuvent dépasser 30 items, ajouter `paginationEnabled: false` sur leur `GetCollection` (cf. CLAUDE.md piège `extractHydraMembers`). Pour Lesstime, `permission` ≈ une douzaine de codes → borné ; `role` ≈ qqs unités → borné. Ajouter `paginationEnabled: false` sur les `GetCollection` de `Role` et `Permission` (entités, Phase A/D) pour fiabiliser `extractHydraMembers`.
+
+- [ ] **Step 4: Page / onglet de gestion des rôles**
+
+Ajouter un onglet `AdminRoleTab` dans `frontend/pages/admin.vue` (ou `modules/core`), listant les rôles, permettant création/édition (label, description, permissions cochées depuis `/api/permissions` groupées par module) et suppression (désactivée pour `isSystem`). Réserver l'affichage via `v-if="can('core.roles.view')"`. LIRE un `Admin*Tab` existant pour le style.
+
+- [ ] **Step 5: i18n**
+
+Ajouter dans `frontend/i18n/locales/fr.json` les clés `admin.roles.*` (titre, colonnes, actions, messages). Fusionner dans les namespaces existants (ne pas dupliquer une clé racine).
+
+- [ ] **Step 6: Gate front + smoke**
+
+Run: `cd frontend && npx nuxt build 2>&1 | grep -iE "error|roles|permission" | tail` — build OK, pas d'erreur de module manquant.
+> Rappel LST-62 : `nuxt typecheck` n'est PAS un gate vert sur ce stack. Le vrai gate = build OK + aucun `Cannot find module` + auto-imports présents. Smoke navigateur (gestion des rôles) = PO.
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add -A -- frontend
+git commit -m "feat(core) : add usePermissions composable and rbac roles admin front"
+```
+
+---
+
+## Acceptance check (après toutes les phases)
+
+- [ ] **AC1** Permissions `module.resource.action` synchronisées via `app:sync-permissions` : la commande tourne sans erreur, `permission` contient les codes `core.*`.
+- [ ] **AC2** Sidebar gated par permission ET par module actif : `/api/sidebar` masque les items selon `effectivePermissions` (et `disabledRoutes` selon module), ROLE_ADMIN voit tout.
+- [ ] **AC3** `make test` vert (≈ 120 + nouveaux tests), `doctrine:schema:validate` mapping OK, `migrations:diff` = pas de changement RBAC (hors `messenger_messages`).
+- [ ] `/api/me` expose `effectivePermissions`.
+- [ ] `PermissionVoter` répond à `is_granted('core.*.*')` ; ROLE_ADMIN bypass.
+- [ ] `app:seed-rbac` crée les rôles système `admin`/`user` (idempotent).
+- [ ] Front : `usePermissions().can(code)` fonctionne ; gestion des rôles accessible aux porteurs de `core.roles.view`.
+- [ ] Login/JWT/MCP inchangés (`204`/`200`/`200`) à chaque phase.
+- [ ] `config/reference.php` jamais committé.
+
+## Notes pour les tickets suivants
+
+- **2.x (modules métier)** : chaque `*Module::permissions()` déclarera ses codes ; `app:sync-permissions` les upsertera ; les rôles métier (bureau/compta/…) seront seedés via une matrice étendue dans `RbacSeeder` quand les permissions existeront (Décision 4).
+- **1.3 (Audit log)** : `core.audit_log.view` pourra être ajoutée à `CoreModule::permissions()` quand l'audit sera livré.
+- **Migration `is_admin`** (optionnelle) : si le PO préfère le modèle Starseed, une phase ultérieure pourra remplacer le bypass `ROLE_ADMIN` par une colonne `is_admin` + data-migration (Décision 1).
-- 
2.39.5


From ffed22497937ef9b2216d3e4c0ff706ec093b189 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 16:56:07 +0200
Subject: [PATCH 28/99] feat(core) : add rbac role and permission entities with
 user relations

---
 config/services.yaml                          |   4 +
 migrations/Version20260619145109.php          |  74 +++++++++
 src/Module/Core/Domain/Entity/Permission.php  | 113 ++++++++++++++
 src/Module/Core/Domain/Entity/Role.php        | 145 ++++++++++++++++++
 src/Module/Core/Domain/Entity/User.php        |  85 +++++++++-
 .../Exception/SystemRoleDeletionException.php |  15 ++
 .../PermissionRepositoryInterface.php         |  22 +++
 .../Repository/RoleRepositoryInterface.php    |  19 +++
 .../State/Processor/RoleProcessor.php         |  45 ++++++
 .../Doctrine/DoctrinePermissionRepository.php |  51 ++++++
 .../Doctrine/DoctrineRoleRepository.php       |  42 +++++
 src/Shared/Domain/Contract/UserInterface.php  |   3 +
 .../Core/Domain/Entity/PermissionTest.php     |  58 +++++++
 .../Module/Core/Domain/Entity/RoleTest.php    |  58 +++++++
 .../TimestampableBlamableSubscriberTest.php   |   5 +
 15 files changed, 738 insertions(+), 1 deletion(-)
 create mode 100644 migrations/Version20260619145109.php
 create mode 100644 src/Module/Core/Domain/Entity/Permission.php
 create mode 100644 src/Module/Core/Domain/Entity/Role.php
 create mode 100644 src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
 create mode 100644 src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
 create mode 100644 src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
 create mode 100644 tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
 create mode 100644 tests/Unit/Module/Core/Domain/Entity/RoleTest.php

diff --git a/config/services.yaml b/config/services.yaml
index 2b1c163..bf453f6 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -69,4 +69,8 @@ services:
 
     App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
 
+    App\Module\Core\Domain\Repository\PermissionRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository'
+
+    App\Module\Core\Domain\Repository\RoleRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/migrations/Version20260619145109.php b/migrations/Version20260619145109.php
new file mode 100644
index 0000000..5de9930
--- /dev/null
+++ b/migrations/Version20260619145109.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * RBAC fin (LST-57) : permission, role and their many-to-many relations with user.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619145109 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add RBAC permission and role entities with user relations (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('CREATE TABLE permission (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, code VARCHAR(255) NOT NULL, label VARCHAR(255) NOT NULL, module VARCHAR(100) NOT NULL, orphan BOOLEAN NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_E04992AA77153098 ON permission (code)');
+        $this->addSql('CREATE INDEX idx_permission_module ON permission (module)');
+        $this->addSql('CREATE INDEX idx_permission_orphan ON permission (orphan)');
+        $this->addSql('COMMENT ON COLUMN permission.code IS \'Permission code (module.resource[.sub].action)\'');
+        $this->addSql('COMMENT ON COLUMN permission.label IS \'Human-readable permission label\'');
+        $this->addSql('COMMENT ON COLUMN permission.module IS \'Owning module id (e.g. core)\'');
+        $this->addSql('COMMENT ON COLUMN permission.orphan IS \'True when the permission is no longer declared by any active module\'');
+
+        $this->addSql('CREATE TABLE "role" (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, code VARCHAR(100) NOT NULL, label VARCHAR(255) NOT NULL, description TEXT DEFAULT NULL, is_system BOOLEAN NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_57698A6A77153098 ON "role" (code)');
+        $this->addSql('CREATE INDEX idx_role_is_system ON "role" (is_system)');
+        $this->addSql('COMMENT ON COLUMN "role".code IS \'Immutable role code (snake_case)\'');
+        $this->addSql('COMMENT ON COLUMN "role".label IS \'Human-readable role label\'');
+        $this->addSql('COMMENT ON COLUMN "role".description IS \'Optional role description\'');
+        $this->addSql('COMMENT ON COLUMN "role".is_system IS \'True for built-in roles that cannot be deleted\'');
+
+        $this->addSql('CREATE TABLE role_permission (role_id INT NOT NULL, permission_id INT NOT NULL, PRIMARY KEY (role_id, permission_id))');
+        $this->addSql('CREATE INDEX IDX_6F7DF886D60322AC ON role_permission (role_id)');
+        $this->addSql('CREATE INDEX IDX_6F7DF886FED90CCA ON role_permission (permission_id)');
+
+        $this->addSql('CREATE TABLE user_role (user_id INT NOT NULL, role_id INT NOT NULL, PRIMARY KEY (user_id, role_id))');
+        $this->addSql('CREATE INDEX IDX_2DE8C6A3A76ED395 ON user_role (user_id)');
+        $this->addSql('CREATE INDEX IDX_2DE8C6A3D60322AC ON user_role (role_id)');
+
+        $this->addSql('CREATE TABLE user_permission (user_id INT NOT NULL, permission_id INT NOT NULL, PRIMARY KEY (user_id, permission_id))');
+        $this->addSql('CREATE INDEX IDX_472E5446A76ED395 ON user_permission (user_id)');
+        $this->addSql('CREATE INDEX IDX_472E5446FED90CCA ON user_permission (permission_id)');
+
+        $this->addSql('ALTER TABLE role_permission ADD CONSTRAINT FK_6F7DF886D60322AC FOREIGN KEY (role_id) REFERENCES "role" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE role_permission ADD CONSTRAINT FK_6F7DF886FED90CCA FOREIGN KEY (permission_id) REFERENCES permission (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_role ADD CONSTRAINT FK_2DE8C6A3A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_role ADD CONSTRAINT FK_2DE8C6A3D60322AC FOREIGN KEY (role_id) REFERENCES "role" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_permission ADD CONSTRAINT FK_472E5446A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE');
+        $this->addSql('ALTER TABLE user_permission ADD CONSTRAINT FK_472E5446FED90CCA FOREIGN KEY (permission_id) REFERENCES permission (id) ON DELETE CASCADE');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE role_permission DROP CONSTRAINT FK_6F7DF886D60322AC');
+        $this->addSql('ALTER TABLE role_permission DROP CONSTRAINT FK_6F7DF886FED90CCA');
+        $this->addSql('ALTER TABLE user_role DROP CONSTRAINT FK_2DE8C6A3A76ED395');
+        $this->addSql('ALTER TABLE user_role DROP CONSTRAINT FK_2DE8C6A3D60322AC');
+        $this->addSql('ALTER TABLE user_permission DROP CONSTRAINT FK_472E5446A76ED395');
+        $this->addSql('ALTER TABLE user_permission DROP CONSTRAINT FK_472E5446FED90CCA');
+        $this->addSql('DROP TABLE role_permission');
+        $this->addSql('DROP TABLE user_role');
+        $this->addSql('DROP TABLE user_permission');
+        $this->addSql('DROP TABLE permission');
+        $this->addSql('DROP TABLE "role"');
+    }
+}
diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php
new file mode 100644
index 0000000..5094499
--- /dev/null
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -0,0 +1,113 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use Doctrine\ORM\Mapping as ORM;
+use InvalidArgumentException;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
+#[ORM\Table(name: 'permission')]
+#[ORM\Index(name: 'idx_permission_module', columns: ['module'])]
+#[ORM\Index(name: 'idx_permission_orphan', columns: ['orphan'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(),
+        new Get(),
+    ],
+    normalizationContext: ['groups' => ['permission:read']],
+    security: "is_granted('core.permissions.view') or is_granted('core.users.manage') or is_granted('core.roles.manage')",
+)]
+class Permission
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['permission:read', 'role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, unique: true, options: ['comment' => 'Permission code (module.resource[.sub].action)'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $code;
+
+    #[ORM\Column(length: 255, options: ['comment' => 'Human-readable permission label'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $label;
+
+    #[ORM\Column(length: 100, options: ['comment' => 'Owning module id (e.g. core)'])]
+    #[Groups(['permission:read', 'role:read'])]
+    private string $module;
+
+    #[ORM\Column(options: ['comment' => 'True when the permission is no longer declared by any active module'])]
+    #[Groups(['permission:read'])]
+    private bool $orphan = false;
+
+    public function __construct(string $code, string $label, string $module)
+    {
+        $code   = trim($code);
+        $label  = trim($label);
+        $module = trim($module);
+
+        if ('' === $code || !str_contains($code, '.')) {
+            throw new InvalidArgumentException(sprintf('Code de permission invalide : "%s" (attendu module.resource.action).', $code));
+        }
+        if ('' === $label) {
+            throw new InvalidArgumentException('Le libellé de permission ne peut pas être vide.');
+        }
+        if ('' === $module) {
+            throw new InvalidArgumentException('Le module de permission ne peut pas être vide.');
+        }
+
+        $this->code   = $code;
+        $this->label  = $label;
+        $this->module = $module;
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function getModule(): string
+    {
+        return $this->module;
+    }
+
+    public function isOrphan(): bool
+    {
+        return $this->orphan;
+    }
+
+    public function markOrphan(): void
+    {
+        $this->orphan = true;
+    }
+
+    public function revive(string $label, string $module): void
+    {
+        $this->orphan = false;
+        $this->updateMetadata($label, $module);
+    }
+
+    public function updateMetadata(string $label, string $module): void
+    {
+        $this->label  = $label;
+        $this->module = $module;
+    }
+}
diff --git a/src/Module/Core/Domain/Entity/Role.php b/src/Module/Core/Domain/Entity/Role.php
new file mode 100644
index 0000000..8f15d01
--- /dev/null
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -0,0 +1,145 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
+use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\ORM\Mapping as ORM;
+use InvalidArgumentException;
+use Symfony\Component\Serializer\Annotation\Groups;
+
+#[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
+#[ORM\Table(name: '`role`')]
+#[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
+#[ApiResource(
+    operations: [
+        new GetCollection(security: "is_granted('core.roles.view')"),
+        new Get(security: "is_granted('core.roles.view')"),
+        new Post(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Patch(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+        new Delete(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
+    ],
+    normalizationContext: ['groups' => ['role:read']],
+    denormalizationContext: ['groups' => ['role:write']],
+)]
+class Role
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['role:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 100, unique: true, options: ['comment' => 'Immutable role code (snake_case)'])]
+    #[Groups(['role:read', 'role:write'])]
+    private string $code;
+
+    #[ORM\Column(length: 255, options: ['comment' => 'Human-readable role label'])]
+    #[Groups(['role:read', 'role:write'])]
+    private string $label;
+
+    #[ORM\Column(type: 'text', nullable: true, options: ['comment' => 'Optional role description'])]
+    #[Groups(['role:read', 'role:write'])]
+    private ?string $description;
+
+    #[ORM\Column(name: 'is_system', options: ['comment' => 'True for built-in roles that cannot be deleted'])]
+    #[Groups(['role:read'])]
+    private bool $isSystem;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'role_permission')]
+    #[Groups(['role:read', 'role:write'])]
+    private Collection $permissions;
+
+    public function __construct(string $code, string $label, ?string $description = null, bool $isSystem = false)
+    {
+        if (1 !== preg_match('/^[a-z][a-z0-9_]*$/', $code)) {
+            throw new InvalidArgumentException(sprintf('Code de rôle invalide : "%s" (attendu snake_case).', $code));
+        }
+        if ('' === trim($label)) {
+            throw new InvalidArgumentException('Le libellé de rôle ne peut pas être vide.');
+        }
+
+        $this->code        = $code;
+        $this->label       = $label;
+        $this->description = $description;
+        $this->isSystem    = $isSystem;
+        $this->permissions = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+    public function getLabel(): string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(string $label): void
+    {
+        $this->label = $label;
+    }
+
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): void
+    {
+        $this->description = $description;
+    }
+
+    public function isSystem(): bool
+    {
+        return $this->isSystem;
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getPermissions(): Collection
+    {
+        return $this->permissions;
+    }
+
+    public function addPermission(Permission $permission): void
+    {
+        if (!$this->permissions->contains($permission)) {
+            $this->permissions->add($permission);
+        }
+    }
+
+    public function removePermission(Permission $permission): void
+    {
+        $this->permissions->removeElement($permission);
+    }
+
+    public function ensureDeletable(): void
+    {
+        if ($this->isSystem) {
+            throw new SystemRoleDeletionException($this->code);
+        }
+    }
+}
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 7af2ddc..87794ee 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -17,6 +17,8 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
@@ -135,9 +137,27 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     #[Groups(['me:read', 'user:list', 'user:write'])]
     private float $initialLeaveBalance = 0.0;
 
+    /**
+     * @var Collection<int, Role>
+     */
+    #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_role')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $rbacRoles;
+
+    /**
+     * @var Collection<int, Permission>
+     */
+    #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
+    #[ORM\JoinTable(name: 'user_permission')]
+    #[Groups(['user:rbac:read'])]
+    private Collection $directPermissions;
+
     public function __construct()
     {
-        $this->createdAt = new DateTimeImmutable();
+        $this->createdAt         = new DateTimeImmutable();
+        $this->rbacRoles         = new ArrayCollection();
+        $this->directPermissions = new ArrayCollection();
     }
 
     public function getId(): ?int
@@ -373,4 +393,67 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
 
         return $this;
     }
+
+    /**
+     * @return Collection<int, Role>
+     */
+    public function getRbacRoles(): Collection
+    {
+        return $this->rbacRoles;
+    }
+
+    public function addRbacRole(Role $role): void
+    {
+        if (!$this->rbacRoles->contains($role)) {
+            $this->rbacRoles->add($role);
+        }
+    }
+
+    public function removeRbacRole(Role $role): void
+    {
+        $this->rbacRoles->removeElement($role);
+    }
+
+    /**
+     * @return Collection<int, Permission>
+     */
+    public function getDirectPermissions(): Collection
+    {
+        return $this->directPermissions;
+    }
+
+    public function addDirectPermission(Permission $permission): void
+    {
+        if (!$this->directPermissions->contains($permission)) {
+            $this->directPermissions->add($permission);
+        }
+    }
+
+    public function removeDirectPermission(Permission $permission): void
+    {
+        $this->directPermissions->removeElement($permission);
+    }
+
+    /**
+     * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
+     *
+     * @return list<string>
+     */
+    #[Groups(['me:read', 'user:rbac:read'])]
+    public function getEffectivePermissions(): array
+    {
+        $codes = [];
+        foreach ($this->rbacRoles as $role) {
+            foreach ($role->getPermissions() as $permission) {
+                $codes[$permission->getCode()] = true;
+            }
+        }
+        foreach ($this->directPermissions as $permission) {
+            $codes[$permission->getCode()] = true;
+        }
+        $keys = array_keys($codes);
+        sort($keys);
+
+        return $keys;
+    }
 }
diff --git a/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php b/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
new file mode 100644
index 0000000..bf33752
--- /dev/null
+++ b/src/Module/Core/Domain/Exception/SystemRoleDeletionException.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Exception;
+
+use DomainException;
+
+final class SystemRoleDeletionException extends DomainException
+{
+    public function __construct(string $code)
+    {
+        parent::__construct(sprintf('Le rôle système "%s" ne peut pas être supprimé.', $code));
+    }
+}
diff --git a/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php b/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
new file mode 100644
index 0000000..4226a38
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/PermissionRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Permission;
+
+interface PermissionRepositoryInterface
+{
+    public function findById(int $id): ?Permission;
+
+    public function findByCode(string $code): ?Permission;
+
+    /** @return list<Permission> */
+    public function findAll(): array;
+
+    /** @return list<string> */
+    public function findAllCodes(): array;
+
+    public function save(Permission $permission): void;
+}
diff --git a/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php b/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
new file mode 100644
index 0000000..adf8420
--- /dev/null
+++ b/src/Module/Core/Domain/Repository/RoleRepositoryInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Repository;
+
+use App\Module\Core\Domain\Entity\Role;
+
+interface RoleRepositoryInterface
+{
+    public function findById(int $id): ?Role;
+
+    public function findByCode(string $code): ?Role;
+
+    /** @return list<Role> */
+    public function findAll(): array;
+
+    public function save(Role $role): void;
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
new file mode 100644
index 0000000..f8b00ed
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/RoleProcessor.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\Role;
+use Doctrine\ORM\EntityManagerInterface;
+use DomainException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+use function assert;
+
+/**
+ * @implements ProcessorInterface<Role, null|Role>
+ */
+final readonly class RoleProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?Role
+    {
+        assert($data instanceof Role);
+
+        if ($operation instanceof DeleteOperationInterface) {
+            try {
+                $data->ensureDeletable();
+            } catch (DomainException $e) {
+                throw new AccessDeniedHttpException($e->getMessage(), $e);
+            }
+            $this->em->remove($data);
+            $this->em->flush();
+
+            return null;
+        }
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
new file mode 100644
index 0000000..5ce888f
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrinePermissionRepository.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Permission>
+ */
+final class DoctrinePermissionRepository extends ServiceEntityRepository implements PermissionRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Permission::class);
+    }
+
+    public function findById(int $id): ?Permission
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Permission
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Permission> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    /** @return list<string> */
+    public function findAllCodes(): array
+    {
+        /** @var list<array{code: string}> $rows */
+        $rows = $this->createQueryBuilder('p')->select('p.code')->getQuery()->getArrayResult();
+
+        return array_map(static fn (array $r): string => $r['code'], $rows);
+    }
+
+    public function save(Permission $permission): void
+    {
+        $this->getEntityManager()->persist($permission);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
new file mode 100644
index 0000000..2853629
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineRoleRepository.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Role>
+ */
+final class DoctrineRoleRepository extends ServiceEntityRepository implements RoleRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Role::class);
+    }
+
+    public function findById(int $id): ?Role
+    {
+        return $this->find($id);
+    }
+
+    public function findByCode(string $code): ?Role
+    {
+        return $this->findOneBy(['code' => $code]);
+    }
+
+    /** @return list<Role> */
+    public function findAll(): array
+    {
+        return array_values($this->findBy([]));
+    }
+
+    public function save(Role $role): void
+    {
+        $this->getEntityManager()->persist($role);
+    }
+}
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
index 8419b27..7a3e89a 100644
--- a/src/Shared/Domain/Contract/UserInterface.php
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -26,4 +26,7 @@ interface UserInterface
     public function getAvatarUrl(): ?string;
 
     public function getIsEmployee(): bool;
+
+    /** @return list<string> */
+    public function getEffectivePermissions(): array;
 }
diff --git a/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php b/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
new file mode 100644
index 0000000..5dab1c4
--- /dev/null
+++ b/tests/Unit/Module/Core/Domain/Entity/PermissionTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class PermissionTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $p = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        self::assertSame('core.users.view', $p->getCode());
+        self::assertSame('Voir les utilisateurs', $p->getLabel());
+        self::assertSame('core', $p->getModule());
+        self::assertFalse($p->isOrphan());
+    }
+
+    public function testCodeMustContainADot(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('coreusersview', 'x', 'core');
+    }
+
+    public function testCodeCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('', 'x', 'core');
+    }
+
+    public function testLabelCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('core.users.view', '', 'core');
+    }
+
+    public function testModuleCannotBeEmpty(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Permission('core.users.view', 'x', '');
+    }
+
+    public function testMarkOrphanAndRevive(): void
+    {
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $p->markOrphan();
+        self::assertTrue($p->isOrphan());
+        $p->revive('Voir maj', 'core');
+        self::assertFalse($p->isOrphan());
+        self::assertSame('Voir maj', $p->getLabel());
+    }
+}
diff --git a/tests/Unit/Module/Core/Domain/Entity/RoleTest.php b/tests/Unit/Module/Core/Domain/Entity/RoleTest.php
new file mode 100644
index 0000000..13ef824
--- /dev/null
+++ b/tests/Unit/Module/Core/Domain/Entity/RoleTest.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Domain\Entity;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class RoleTest extends TestCase
+{
+    public function testValidConstruction(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        self::assertSame('bureau', $r->getCode());
+        self::assertSame('Bureau', $r->getLabel());
+        self::assertFalse($r->isSystem());
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testCodeMustBeSnakeCase(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Role('Bureau Commercial', 'x');
+    }
+
+    public function testAddRemovePermission(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $p = new Permission('core.users.view', 'Voir', 'core');
+        $r->addPermission($p);
+        self::assertCount(1, $r->getPermissions());
+        $r->addPermission($p); // idempotent
+        self::assertCount(1, $r->getPermissions());
+        $r->removePermission($p);
+        self::assertCount(0, $r->getPermissions());
+    }
+
+    public function testSystemRoleCannotBeDeleted(): void
+    {
+        $r = new Role('admin', 'Administrateur', null, true);
+        $this->expectException(SystemRoleDeletionException::class);
+        $r->ensureDeletable();
+    }
+
+    public function testNonSystemRoleIsDeletable(): void
+    {
+        $r = new Role('bureau', 'Bureau');
+        $r->ensureDeletable();
+        self::assertFalse($r->isSystem());
+    }
+}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
index bac0a42..750e9da 100644
--- a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -115,6 +115,11 @@ final class TimestampableBlamableSubscriberTest extends TestCase
             {
                 return false;
             }
+
+            public function getEffectivePermissions(): array
+            {
+                return [];
+            }
         };
     }
 
-- 
2.39.5


From ac662e701b2e710cd230e7ebf68a204c802d2f50 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:00:14 +0200
Subject: [PATCH 29/99] feat(core) : aggregate module permissions and add
 sync-permissions command

---
 src/Module/Core/CoreModule.php                | 10 ++-
 .../Console/SyncPermissionsCommand.php        | 84 +++++++++++++++++++
 src/Shared/Domain/Module/ModuleRegistry.php   | 27 ++++++
 .../Core/SyncPermissionsCommandTest.php       | 29 +++++++
 .../Module/ModuleRegistryPermissionsTest.php  | 29 +++++++
 5 files changed, 175 insertions(+), 4 deletions(-)
 create mode 100644 src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
 create mode 100644 tests/Functional/Module/Core/SyncPermissionsCommandTest.php
 create mode 100644 tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php

diff --git a/src/Module/Core/CoreModule.php b/src/Module/Core/CoreModule.php
index fde5724..587b3db 100644
--- a/src/Module/Core/CoreModule.php
+++ b/src/Module/Core/CoreModule.php
@@ -24,16 +24,18 @@ final class CoreModule implements ModuleInterface
     }
 
     /**
-     * Permissions posées pour le RBAC fin (1.2). Inertes tant que 1.2 n'est pas livré.
+     * Permissions RBAC fin du Module Core (1.2).
      *
      * @return list<array{code: string, label: string}>
      */
     public static function permissions(): array
     {
         return [
-            ['code' => 'core.user.read', 'label' => 'Consulter les utilisateurs'],
-            ['code' => 'core.user.manage', 'label' => 'Gérer les utilisateurs'],
-            ['code' => 'core.notification.read', 'label' => 'Consulter ses notifications'],
+            ['code' => 'core.users.view', 'label' => 'Voir les utilisateurs'],
+            ['code' => 'core.users.manage', 'label' => 'Gérer les utilisateurs (créer, éditer, supprimer)'],
+            ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
+            ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
+            ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
         ];
     }
 }
diff --git a/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php b/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
new file mode 100644
index 0000000..6dd35bd
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Console/SyncPermissionsCommand.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use App\Shared\Domain\Module\ModuleRegistry;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+use function count;
+
+#[AsCommand(name: 'app:sync-permissions', description: 'Synchronise le catalogue des permissions depuis les modules actifs.')]
+final class SyncPermissionsCommand extends Command
+{
+    public function __construct(
+        private readonly EntityManagerInterface $em,
+        private readonly PermissionRepositoryInterface $permissions,
+        #[Autowire('%kernel.project_dir%')]
+        private readonly string $projectDir,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        /** @var list<class-string> $moduleClasses */
+        $moduleClasses = require $this->projectDir.'/config/modules.php';
+
+        // Phase 1 : permissions désirées (code => {code,label,module}).
+        $desired = [];
+        foreach (ModuleRegistry::permissions($moduleClasses) as $perm) {
+            $desired[$perm['code']] = $perm;
+        }
+
+        // Phase 2 : upsert.
+        $existing = [];
+        foreach ($this->permissions->findAll() as $permission) {
+            $existing[$permission->getCode()] = $permission;
+        }
+
+        $added = $updated = $revived = 0;
+        foreach ($desired as $code => $perm) {
+            $entity = $existing[$code] ?? null;
+            if (null === $entity) {
+                $this->permissions->save(new Permission($perm['code'], $perm['label'], $perm['module']));
+                ++$added;
+
+                continue;
+            }
+            if ($entity->isOrphan()) {
+                $entity->revive($perm['label'], $perm['module']);
+                ++$revived;
+            } elseif ($entity->getLabel() !== $perm['label'] || $entity->getModule() !== $perm['module']) {
+                $entity->updateMetadata($perm['label'], $perm['module']);
+                ++$updated;
+            }
+        }
+
+        // Phase 3 : orphelines (existantes absentes des désirées).
+        $orphaned = 0;
+        foreach ($existing as $code => $entity) {
+            if (!isset($desired[$code]) && !$entity->isOrphan()) {
+                $entity->markOrphan();
+                ++$orphaned;
+            }
+        }
+
+        $this->em->flush();
+
+        $io->success(sprintf('Permissions synchronisées : %d ajoutées, %d mises à jour, %d réactivées, %d orphelines. Total désirées : %d.', $added, $updated, $revived, $orphaned, count($desired)));
+
+        return Command::SUCCESS;
+    }
+}
diff --git a/src/Shared/Domain/Module/ModuleRegistry.php b/src/Shared/Domain/Module/ModuleRegistry.php
index 894b6af..6c212bb 100644
--- a/src/Shared/Domain/Module/ModuleRegistry.php
+++ b/src/Shared/Domain/Module/ModuleRegistry.php
@@ -4,6 +4,8 @@ declare(strict_types=1);
 
 namespace App\Shared\Domain\Module;
 
+use InvalidArgumentException;
+
 final class ModuleRegistry
 {
     /**
@@ -22,4 +24,29 @@ final class ModuleRegistry
 
         return $ids;
     }
+
+    /**
+     * @param list<class-string> $moduleClasses
+     *
+     * @return list<array{code: string, label: string, module: string}>
+     */
+    public static function permissions(array $moduleClasses): array
+    {
+        $out = [];
+        foreach ($moduleClasses as $moduleClass) {
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
+            }
+            $moduleId = $moduleClass::id();
+            foreach ($moduleClass::permissions() as $perm) {
+                $code = $perm['code'];
+                if (!str_starts_with($code, $moduleId.'.')) {
+                    throw new InvalidArgumentException(sprintf('Permission "%s" du module "%s" doit être préfixée par "%s.".', $code, $moduleId, $moduleId));
+                }
+                $out[] = ['code' => $code, 'label' => $perm['label'], 'module' => $moduleId];
+            }
+        }
+
+        return $out;
+    }
 }
diff --git a/tests/Functional/Module/Core/SyncPermissionsCommandTest.php b/tests/Functional/Module/Core/SyncPermissionsCommandTest.php
new file mode 100644
index 0000000..f39d44c
--- /dev/null
+++ b/tests/Functional/Module/Core/SyncPermissionsCommandTest.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SyncPermissionsCommandTest extends KernelTestCase
+{
+    public function testSyncCreatesCorePermissions(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:sync-permissions'));
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+
+        $repo = self::getContainer()->get(PermissionRepositoryInterface::class);
+        self::assertNotNull($repo->findByCode('core.users.manage'));
+        self::assertContains('core.roles.manage', $repo->findAllCodes());
+    }
+}
diff --git a/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php b/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php
new file mode 100644
index 0000000..a76de2d
--- /dev/null
+++ b/tests/Unit/Shared/Module/ModuleRegistryPermissionsTest.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Shared\Module;
+
+use App\Module\Core\CoreModule;
+use App\Shared\Domain\Module\ModuleRegistry;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ModuleRegistryPermissionsTest extends TestCase
+{
+    public function testAggregatesPermissionsWithModuleId(): void
+    {
+        $perms = ModuleRegistry::permissions([CoreModule::class]);
+
+        self::assertNotEmpty($perms);
+        foreach ($perms as $perm) {
+            self::assertArrayHasKey('code', $perm);
+            self::assertArrayHasKey('label', $perm);
+            self::assertArrayHasKey('module', $perm);
+            self::assertSame('core', $perm['module']);
+            self::assertStringStartsWith('core.', $perm['code']);
+        }
+    }
+}
-- 
2.39.5


From 5060fb689b775159610ba0764d1082619d0cb18e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:03:34 +0200
Subject: [PATCH 30/99] feat(core) : add permission voter and expose effective
 permissions on /api/me

---
 .../Security/PermissionVoter.php              | 38 +++++++++++++
 .../Security/PermissionVoterTest.php          | 53 +++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 src/Module/Core/Infrastructure/Security/PermissionVoter.php
 create mode 100644 tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php

diff --git a/src/Module/Core/Infrastructure/Security/PermissionVoter.php b/src/Module/Core/Infrastructure/Security/PermissionVoter.php
new file mode 100644
index 0000000..542e220
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Security/PermissionVoter.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @extends Voter<string, mixed>
+ */
+final class PermissionVoter extends Voter
+{
+    private const string PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return 1 === preg_match(self::PATTERN, $attribute);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+    {
+        $user = $token->getUser();
+        if (!$user instanceof User) {
+            return false;
+        }
+
+        // ROLE_ADMIN = bypass total (cf. Décision 1).
+        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
+            return true;
+        }
+
+        return in_array($attribute, $user->getEffectivePermissions(), true);
+    }
+}
diff --git a/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php b/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php
new file mode 100644
index 0000000..c1094f9
--- /dev/null
+++ b/tests/Unit/Module/Core/Infrastructure/Security/PermissionVoterTest.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Security\PermissionVoter;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * @internal
+ */
+final class PermissionVoterTest extends TestCase
+{
+    public function testAbstainsOnNonRbacAttributes(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['ROLE_ADMIN']));
+        self::assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->token($user), null, ['IS_AUTHENTICATED_FULLY']));
+    }
+
+    public function testGrantsWhenUserHasPermissionViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $role  = new Role('bureau', 'Bureau');
+        $role->addPermission(new Permission('core.users.view', 'Voir', 'core'));
+        $user = new User();
+        $user->addRbacRole($role);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.view']));
+        self::assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    public function testAdminBypassesViaRole(): void
+    {
+        $voter = new PermissionVoter();
+        $user  = new User();
+        $user->setRoles(['ROLE_ADMIN']);
+
+        self::assertSame(VoterInterface::ACCESS_GRANTED, $voter->vote($this->token($user), null, ['core.users.manage']));
+    }
+
+    private function token(User $user): UsernamePasswordToken
+    {
+        return new UsernamePasswordToken($user, 'main', $user->getRoles());
+    }
+}
-- 
2.39.5


From 48c67a5fb95a4d58eaaab11ca15b5e574a472a35 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:16:38 +0200
Subject: [PATCH 31/99] feat(core) : expose role and user-rbac api endpoints
 with processors

---
 src/Module/Core/Domain/Entity/Permission.php  |   2 +-
 src/Module/Core/Domain/Entity/Role.php        |   8 +-
 src/Module/Core/Domain/Entity/User.php        |  17 ++-
 .../State/Processor/UserRbacProcessor.php     |  30 ++++
 tests/Functional/Module/Core/RoleApiTest.php  |  79 +++++++++++
 .../Module/Core/UserRbacApiTest.php           | 134 ++++++++++++++++++
 6 files changed, 265 insertions(+), 5 deletions(-)
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
 create mode 100644 tests/Functional/Module/Core/RoleApiTest.php
 create mode 100644 tests/Functional/Module/Core/UserRbacApiTest.php

diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php
index 5094499..24e4047 100644
--- a/src/Module/Core/Domain/Entity/Permission.php
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\GetCollection;
 use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
 use Doctrine\ORM\Mapping as ORM;
 use InvalidArgumentException;
-use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
 #[ORM\Table(name: 'permission')]
diff --git a/src/Module/Core/Domain/Entity/Role.php b/src/Module/Core/Domain/Entity/Role.php
index 8f15d01..7954dad 100644
--- a/src/Module/Core/Domain/Entity/Role.php
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -17,7 +17,8 @@ use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use InvalidArgumentException;
-use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
 
 #[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
 #[ORM\Table(name: '`role`')]
@@ -54,7 +55,6 @@ class Role
     private ?string $description;
 
     #[ORM\Column(name: 'is_system', options: ['comment' => 'True for built-in roles that cannot be deleted'])]
-    #[Groups(['role:read'])]
     private bool $isSystem;
 
     /**
@@ -111,6 +111,10 @@ class Role
         $this->description = $description;
     }
 
+    // PropertyInfo strips the `is` prefix and would expose this field as `system`.
+    // An explicit SerializedName guarantees the `isSystem` key expected by API clients.
+    #[Groups(['role:read'])]
+    #[SerializedName('isSystem')]
     public function isSystem(): bool
     {
         return $this->isSystem;
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 87794ee..553e34a 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -13,6 +13,7 @@ use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Enum\ContractType;
 use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
@@ -42,6 +43,18 @@ use Symfony\Component\Serializer\Attribute\Groups;
         new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
         new Patch(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
         new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Get(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+        ),
+        new Patch(
+            uriTemplate: '/users/{id}/rbac',
+            security: "is_granted('core.users.manage')",
+            normalizationContext: ['groups' => ['user:rbac:read']],
+            denormalizationContext: ['groups' => ['user:rbac:write']],
+            processor: UserRbacProcessor::class,
+        ),
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
@@ -142,7 +155,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
      */
     #[ORM\ManyToMany(targetEntity: Role::class, fetch: 'EAGER')]
     #[ORM\JoinTable(name: 'user_role')]
-    #[Groups(['user:rbac:read'])]
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
     private Collection $rbacRoles;
 
     /**
@@ -150,7 +163,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
      */
     #[ORM\ManyToMany(targetEntity: Permission::class, fetch: 'EAGER')]
     #[ORM\JoinTable(name: 'user_permission')]
-    #[Groups(['user:rbac:read'])]
+    #[Groups(['user:rbac:read', 'user:rbac:write'])]
     private Collection $directPermissions;
 
     public function __construct()
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
new file mode 100644
index 0000000..4658423
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+
+use function assert;
+
+/**
+ * @implements ProcessorInterface<User, User>
+ */
+final readonly class UserRbacProcessor implements ProcessorInterface
+{
+    public function __construct(private EntityManagerInterface $em) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
+    {
+        assert($data instanceof User);
+
+        $this->em->persist($data);
+        $this->em->flush();
+
+        return $data;
+    }
+}
diff --git a/tests/Functional/Module/Core/RoleApiTest.php b/tests/Functional/Module/Core/RoleApiTest.php
new file mode 100644
index 0000000..8fcce1d
--- /dev/null
+++ b/tests/Functional/Module/Core/RoleApiTest.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class RoleApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanListRoles(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+    }
+
+    public function testAdminCanCreateRole(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+
+        $code = 'bureau_'.uniqid();
+        $client->request('POST', '/api/roles', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode(['code' => $code, 'label' => 'Bureau']));
+
+        self::assertResponseStatusCodeSame(201);
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertSame($code, $data['code']);
+        self::assertSame('Bureau', $data['label']);
+        self::assertFalse($data['isSystem']);
+    }
+
+    public function testDeletingSystemRoleIsForbidden(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $systemRole = new Role('sys_'.uniqid(), 'System role', 'Rôle système', true);
+        $em->persist($systemRole);
+        $em->flush();
+        $id = $systemRole->getId();
+
+        $this->loginAdmin($client);
+
+        $client->request('DELETE', '/api/roles/'.$id);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function loginAdmin(KernelBrowser $client): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Functional/Module/Core/UserRbacApiTest.php b/tests/Functional/Module/Core/UserRbacApiTest.php
new file mode 100644
index 0000000..f5623cf
--- /dev/null
+++ b/tests/Functional/Module/Core/UserRbacApiTest.php
@@ -0,0 +1,134 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class UserRbacApiTest extends WebTestCase
+{
+    public function testAdminCanReadUserRbac(): void
+    {
+        $client = self::createClient();
+        $this->loginAdmin($client);
+        $aliceId = $this->userId('alice');
+
+        $client->request('GET', '/api/users/'.$aliceId.'/rbac');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('rbacRoles', $data);
+        self::assertArrayHasKey('directPermissions', $data);
+        self::assertArrayHasKey('effectivePermissions', $data);
+    }
+
+    public function testRbacRequiresAuthentication(): void
+    {
+        $client  = self::createClient();
+        $aliceId = $this->userId('alice');
+
+        $client->request('GET', '/api/users/'.$aliceId.'/rbac');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanAssignRoleViaPatch(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $roleCode = 'reviewer_'.uniqid();
+        $role     = new Role($roleCode, 'Reviewer');
+        $em->persist($role);
+
+        $target = $this->createUser($em, 'rbac-assign-'.uniqid());
+        $em->flush();
+        $roleId   = $role->getId();
+        $targetId = $target->getId();
+
+        $this->loginAdmin($client);
+
+        $client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertCount(1, $data['rbacRoles']);
+
+        $em->clear();
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        self::assertCount(1, $reloaded->getRbacRoles());
+        self::assertSame($roleCode, $reloaded->getRbacRoles()->first()->getCode());
+    }
+
+    public function testPartialPatchDoesNotWipeOtherCollection(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'core.users.view']);
+        self::assertInstanceOf(Permission::class, $permission);
+
+        $role = new Role('auditor_'.uniqid(), 'Auditor');
+        $em->persist($role);
+
+        // Dedicated user pre-loaded with a direct permission.
+        $target = $this->createUser($em, 'rbac-partial-'.uniqid());
+        $target->addDirectPermission($permission);
+        $em->flush();
+        $roleId   = $role->getId();
+        $targetId = $target->getId();
+
+        $this->loginAdmin($client);
+
+        // PATCH only rbacRoles — directPermissions is absent from the payload.
+        $client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
+
+        self::assertResponseIsSuccessful();
+
+        $em->clear();
+        $reloaded = $em->getRepository(User::class)->find($targetId);
+        self::assertCount(1, $reloaded->getRbacRoles(), 'Role should have been assigned');
+        self::assertCount(1, $reloaded->getDirectPermissions(), 'Direct permission must not be wiped by a partial PATCH');
+    }
+
+    private function createUser(EntityManagerInterface $em, string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('x');
+        $user->setRoles(['ROLE_USER']);
+        $em->persist($user);
+
+        return $user;
+    }
+
+    private function loginAdmin(KernelBrowser $client): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+
+    private function userId(string $username): int
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+
+        return $user->getId();
+    }
+}
-- 
2.39.5


From 1a9eba93a00fcfbd3ec4a77f0ef9970f949fb40c Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:22:42 +0200
Subject: [PATCH 32/99] feat(core) : add rbac seeder and seed-rbac command for
 system roles

---
 src/DataFixtures/AppFixtures.php              |  6 ++++
 .../Core/Application/Rbac/RbacSeeder.php      | 36 +++++++++++++++++++
 .../Core/Domain/Security/SystemRoles.php      | 11 ++++++
 .../Console/SeedRbacCommand.php               | 30 ++++++++++++++++
 .../Module/Core/SeedRbacCommandTest.php       | 35 ++++++++++++++++++
 5 files changed, 118 insertions(+)
 create mode 100644 src/Module/Core/Application/Rbac/RbacSeeder.php
 create mode 100644 src/Module/Core/Domain/Security/SystemRoles.php
 create mode 100644 src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
 create mode 100644 tests/Functional/Module/Core/SeedRbacCommandTest.php

diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index b0f3734..ebe5aa6 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -25,6 +25,7 @@ use App\Enum\AbsenceType;
 use App\Enum\ContractType;
 use App\Enum\RecurrenceType;
 use App\Enum\StatusCategory;
+use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use DateTimeImmutable;
 use DateTimeZone;
@@ -36,6 +37,7 @@ class AppFixtures extends Fixture
 {
     public function __construct(
         private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly RbacSeeder $rbacSeeder,
     ) {}
 
     public function load(ObjectManager $manager): void
@@ -751,5 +753,9 @@ class AppFixtures extends Fixture
         $manager->persist($pendingMarriage);
 
         $manager->flush();
+
+        // Seed des rôles système RBAC (admin, user). Idempotent ; aucune matrice
+        // métier attachée (cf. Décision 4 : les modules métier arrivent en 2.x).
+        $this->rbacSeeder->ensureSystemRoles();
     }
 }
diff --git a/src/Module/Core/Application/Rbac/RbacSeeder.php b/src/Module/Core/Application/Rbac/RbacSeeder.php
new file mode 100644
index 0000000..22a94a1
--- /dev/null
+++ b/src/Module/Core/Application/Rbac/RbacSeeder.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\Rbac;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Doctrine\ORM\EntityManagerInterface;
+
+final readonly class RbacSeeder
+{
+    public function __construct(
+        private EntityManagerInterface $em,
+        private RoleRepositoryInterface $roles,
+    ) {}
+
+    /**
+     * Crée les rôles système s'ils sont absents. Idempotent.
+     */
+    public function ensureSystemRoles(): void
+    {
+        $this->ensureRole(SystemRoles::ADMIN_CODE, 'Administrateur', 'Accès complet (bypass RBAC).');
+        $this->ensureRole(SystemRoles::USER_CODE, 'Utilisateur', 'Rôle de base sans permission spécifique.');
+        $this->em->flush();
+    }
+
+    private function ensureRole(string $code, string $label, string $description): void
+    {
+        if (null !== $this->roles->findByCode($code)) {
+            return;
+        }
+        $this->roles->save(new Role($code, $label, $description, true));
+    }
+}
diff --git a/src/Module/Core/Domain/Security/SystemRoles.php b/src/Module/Core/Domain/Security/SystemRoles.php
new file mode 100644
index 0000000..ab02545
--- /dev/null
+++ b/src/Module/Core/Domain/Security/SystemRoles.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Security;
+
+final class SystemRoles
+{
+    public const string ADMIN_CODE = 'admin';
+    public const string USER_CODE  = 'user';
+}
diff --git a/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php b/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
new file mode 100644
index 0000000..ab795cd
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Console/SeedRbacCommand.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Console;
+
+use App\Module\Core\Application\Rbac\RbacSeeder;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+#[AsCommand(name: 'app:seed-rbac', description: 'Seed les rôles système RBAC (admin, user).')]
+final class SeedRbacCommand extends Command
+{
+    public function __construct(private readonly RbacSeeder $seeder)
+    {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+        $this->seeder->ensureSystemRoles();
+        $io->success('Rôles système RBAC seedés (admin, user).');
+
+        return Command::SUCCESS;
+    }
+}
diff --git a/tests/Functional/Module/Core/SeedRbacCommandTest.php b/tests/Functional/Module/Core/SeedRbacCommandTest.php
new file mode 100644
index 0000000..2eb6c71
--- /dev/null
+++ b/tests/Functional/Module/Core/SeedRbacCommandTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
+use App\Module\Core\Domain\Security\SystemRoles;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * @internal
+ */
+final class SeedRbacCommandTest extends KernelTestCase
+{
+    public function testSeedsSystemRolesIdempotently(): void
+    {
+        $kernel = self::bootKernel();
+        $app    = new Application($kernel);
+        $tester = new CommandTester($app->find('app:seed-rbac'));
+
+        $tester->execute([]);
+        $tester->assertCommandIsSuccessful();
+        $tester->execute([]); // idempotent
+        $tester->assertCommandIsSuccessful();
+
+        $repo  = self::getContainer()->get(RoleRepositoryInterface::class);
+        $admin = $repo->findByCode(SystemRoles::ADMIN_CODE);
+        self::assertNotNull($admin);
+        self::assertTrue($admin->isSystem());
+        self::assertNotNull($repo->findByCode(SystemRoles::USER_CODE));
+    }
+}
-- 
2.39.5


From 544d4cf44f6333c3d0b891e5e05672000c05e5c4 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:28:42 +0200
Subject: [PATCH 33/99] feat(core) : gate sidebar by effective permissions

---
 config/sidebar.php                            | 11 ++++---
 src/Shared/Domain/Sidebar/SidebarFilter.php   | 31 ++++++++++++++++---
 .../ApiPlatform/State/SidebarProvider.php     | 11 ++++++-
 .../Unit/Shared/Sidebar/SidebarFilterTest.php | 24 ++++++++++++++
 4 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/config/sidebar.php b/config/sidebar.php
index 79e4ee6..afd9826 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -4,9 +4,12 @@ declare(strict_types=1);
 
 /*
  * Définition de la sidebar (sections + items) — navigation GLOBALE uniquement.
- * Filtrée par SidebarFilter : `module` (route ajoutée à disabledRoutes si module inactif),
- * `roles` (section ou item masqué si l'utilisateur n'a aucun des rôles listés ; gate minimal,
- * le RBAC fin par permission arrive en #1.2).
+ * Filtrée par SidebarFilter :
+ *   - `module`     : route ajoutée à disabledRoutes si module inactif ;
+ *   - `roles`      : section ou item masqué si l'utilisateur n'a aucun des rôles listés (gate minimal) ;
+ *   - `permission` : section ou item masqué si la permission effective absente (RBAC fin —
+ *                    `User::getEffectivePermissions()` ; ROLE_ADMIN bypasse via le voter, mais la
+ *                    sidebar évalue les permissions effectives réelles — combiner avec `roles` au besoin).
  * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail) et user-flag
  * (Mes absences) restent rendus côté layout, hors de cet endpoint.
  * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
@@ -28,7 +31,7 @@ return [
         'roles' => ['ROLE_ADMIN'],
         'items' => [
             ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline'],
-            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline'],
+            ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
         ],
     ],
 ];
diff --git a/src/Shared/Domain/Sidebar/SidebarFilter.php b/src/Shared/Domain/Sidebar/SidebarFilter.php
index e740afa..e39f8c4 100644
--- a/src/Shared/Domain/Sidebar/SidebarFilter.php
+++ b/src/Shared/Domain/Sidebar/SidebarFilter.php
@@ -7,13 +7,14 @@ namespace App\Shared\Domain\Sidebar;
 final class SidebarFilter
 {
     /**
-     * @param list<array{label:string, icon:string, roles?:list<string>, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>}>}> $sections
-     * @param list<string>                                                                                                                                               $activeModuleIds
-     * @param list<string>                                                                                                                                               $activeRoles
+     * @param list<array{label:string, icon:string, roles?:list<string>, permission?:string, items: list<array{label:string, to:string, icon:string, module?:string, roles?:list<string>, permission?:string}>}> $sections
+     * @param list<string>                                                                                                                                                                                       $activeModuleIds
+     * @param list<string>                                                                                                                                                                                       $activeRoles
+     * @param list<string>                                                                                                                                                                                       $activePermissions
      *
      * @return array{sections: list<array{label:string, icon:string, items: list<array{label:string, to:string, icon:string}>}>, disabledRoutes: list<string>}
      */
-    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = []): array
+    public static function filter(array $sections, array $activeModuleIds, array $activeRoles = [], array $activePermissions = []): array
     {
         $outSections    = [];
         $disabledRoutes = [];
@@ -24,6 +25,11 @@ final class SidebarFilter
                 continue;
             }
 
+            // Gate de permission au niveau section (RBAC fin).
+            if (!self::permissionSatisfied($section['permission'] ?? null, $activePermissions)) {
+                continue;
+            }
+
             $items = [];
             foreach ($section['items'] as $item) {
                 // Gate de rôle au niveau item.
@@ -31,6 +37,11 @@ final class SidebarFilter
                     continue;
                 }
 
+                // Gate de permission au niveau item (RBAC fin).
+                if (!self::permissionSatisfied($item['permission'] ?? null, $activePermissions)) {
+                    continue;
+                }
+
                 // Filtrage par module actif (pilote la redirection front via disabledRoutes).
                 $module = $item['module'] ?? null;
                 if (null !== $module && !in_array($module, $activeModuleIds, true)) {
@@ -68,4 +79,16 @@ final class SidebarFilter
 
         return false;
     }
+
+    /**
+     * @param list<string> $activePermissions
+     */
+    private static function permissionSatisfied(?string $required, array $activePermissions): bool
+    {
+        if (null === $required || '' === $required) {
+            return true;
+        }
+
+        return in_array($required, $activePermissions, true);
+    }
 }
diff --git a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
index ddcf48c..8f7ee43 100644
--- a/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/SidebarProvider.php
@@ -6,6 +6,7 @@ namespace App\Shared\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use App\Shared\Domain\Module\ModuleRegistry;
 use App\Shared\Domain\Sidebar\SidebarFilter;
 use App\Shared\Infrastructure\ApiPlatform\Resource\SidebarResource;
@@ -31,7 +32,15 @@ final readonly class SidebarProvider implements ProviderInterface
         $user  = $this->security->getUser();
         $roles = null !== $user ? $user->getRoles() : [];
 
-        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles));
+        // RBAC fin : permissions effectives du contrat. ROLE_ADMIN bypasse tout (Décision 1) :
+        // on lui injecte le catalogue complet des permissions déclarées pour satisfaire les gates.
+        if (in_array('ROLE_ADMIN', $roles, true)) {
+            $permissions = array_column(ModuleRegistry::permissions($moduleClasses), 'code');
+        } else {
+            $permissions = $user instanceof UserInterface ? $user->getEffectivePermissions() : [];
+        }
+
+        $filtered = SidebarFilter::filter($sidebar, ModuleRegistry::ids($moduleClasses), array_values($roles), $permissions);
 
         $dto                 = new SidebarResource();
         $dto->sections       = $filtered['sections'];
diff --git a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
index ac9315c..939c1f1 100644
--- a/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
+++ b/tests/Unit/Shared/Sidebar/SidebarFilterTest.php
@@ -103,4 +103,28 @@ final class SidebarFilterTest extends TestCase
         self::assertSame('/x', $result['sections'][0]['items'][0]['to']);
         self::assertArrayNotHasKey('roles', $result['sections'][0]['items'][0]);
     }
+
+    public function testItemHiddenWhenPermissionMissing(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [
+                ['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view'],
+                ['label' => 'b', 'to' => '/b', 'icon' => 'i'],
+            ],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], []);
+        self::assertCount(1, $out['sections'][0]['items']);
+        self::assertSame('/b', $out['sections'][0]['items'][0]['to']);
+    }
+
+    public function testItemVisibleWhenPermissionGranted(): void
+    {
+        $sections = [[
+            'label' => 's', 'icon' => 'i',
+            'items' => [['label' => 'a', 'to' => '/a', 'icon' => 'i', 'permission' => 'core.users.view']],
+        ]];
+        $out = SidebarFilter::filter($sections, [], [], ['core.users.view']);
+        self::assertCount(1, $out['sections'][0]['items']);
+    }
 }
-- 
2.39.5


From 511353c3f5653439e642018a36f49c5eedfdf23b Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:35:51 +0200
Subject: [PATCH 34/99] feat(core) : add usePermissions composable and rbac
 roles admin front

---
 frontend/components/admin/AdminRoleTab.vue    | 116 +++++++++++
 frontend/components/admin/RoleDrawer.vue      | 186 ++++++++++++++++++
 frontend/i18n/locales/fr.json                 |  21 ++
 .../core/composables/usePermissions.ts        |  27 +++
 frontend/modules/core/services/permissions.ts |  22 +++
 frontend/modules/core/services/roles.ts       |  50 +++++
 frontend/pages/admin.vue                      |  13 +-
 frontend/services/dto/user-data.ts            |   1 +
 src/Module/Core/Domain/Entity/Permission.php  |   2 +-
 src/Module/Core/Domain/Entity/Role.php        |   2 +-
 10 files changed, 437 insertions(+), 3 deletions(-)
 create mode 100644 frontend/components/admin/AdminRoleTab.vue
 create mode 100644 frontend/components/admin/RoleDrawer.vue
 create mode 100644 frontend/modules/core/composables/usePermissions.ts
 create mode 100644 frontend/modules/core/services/permissions.ts
 create mode 100644 frontend/modules/core/services/roles.ts

diff --git a/frontend/components/admin/AdminRoleTab.vue b/frontend/components/admin/AdminRoleTab.vue
new file mode 100644
index 0000000..c36a706
--- /dev/null
+++ b/frontend/components/admin/AdminRoleTab.vue
@@ -0,0 +1,116 @@
+<template>
+    <div>
+        <div class="flex items-center justify-between">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('admin.roles.title') }}</h2>
+            <MalioButton
+                icon-name="mdi:plus"
+                icon-position="left"
+                button-class="w-auto px-4"
+                :label="$t('admin.roles.addRole')"
+                @click="openCreate"
+            />
+        </div>
+
+        <DataTable
+            :columns="columns"
+            :items="items"
+            :loading="isLoading"
+            :empty-message="$t('admin.roles.empty')"
+            @row-click="openEdit"
+        >
+            <template #cell-isSystem="{ item }">
+                <span
+                    v-if="item.isSystem"
+                    class="rounded-full bg-primary-100 px-2 py-0.5 text-xs font-semibold text-primary-600"
+                >
+                    {{ $t('admin.roles.system') }}
+                </span>
+            </template>
+            <template #cell-permissions="{ item }">
+                <span class="text-neutral-600">{{ item.permissions.length }}</span>
+            </template>
+            <template #actions="{ item }">
+                <MalioButtonIcon
+                    v-if="!item.isSystem"
+                    icon="mdi:delete-outline"
+                    :aria-label="$t('common.delete')"
+                    variant="ghost"
+                    icon-size="20"
+                    button-class="text-neutral-400 hover:text-red-500"
+                    @click.stop="handleDelete(item.id)"
+                />
+            </template>
+        </DataTable>
+
+        <RoleDrawer
+            v-model="drawerOpen"
+            :item="selectedItem"
+            :permissions="permissions"
+            @saved="onSaved"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Role } from '~/modules/core/services/roles'
+import { useRoleService } from '~/modules/core/services/roles'
+import type { Permission } from '~/modules/core/services/permissions'
+import { usePermissionService } from '~/modules/core/services/permissions'
+
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t } = useI18n()
+
+const columns = computed<DataTableColumn[]>(() => [
+    { key: 'label', label: t('admin.roles.label'), primary: true },
+    { key: 'code', label: t('admin.roles.code') },
+    { key: 'permissions', label: t('admin.roles.permissions') },
+    { key: 'isSystem', label: '' },
+])
+
+const roleService = useRoleService()
+const permissionService = usePermissionService()
+
+const items = ref<Role[]>([])
+const permissions = ref<Permission[]>([])
+const isLoading = ref(true)
+const drawerOpen = ref(false)
+const selectedItem = ref<Role | null>(null)
+
+async function loadItems() {
+    isLoading.value = true
+    try {
+        items.value = await roleService.list()
+    } finally {
+        isLoading.value = false
+    }
+}
+
+async function loadPermissions() {
+    permissions.value = await permissionService.list()
+}
+
+function openCreate() {
+    selectedItem.value = null
+    drawerOpen.value = true
+}
+
+function openEdit(item: Role) {
+    selectedItem.value = item
+    drawerOpen.value = true
+}
+
+async function handleDelete(id: number) {
+    await roleService.remove(id)
+    await loadItems()
+}
+
+async function onSaved() {
+    await loadItems()
+}
+
+onMounted(() => {
+    loadItems()
+    loadPermissions()
+})
+</script>
diff --git a/frontend/components/admin/RoleDrawer.vue b/frontend/components/admin/RoleDrawer.vue
new file mode 100644
index 0000000..4db0dc5
--- /dev/null
+++ b/frontend/components/admin/RoleDrawer.vue
@@ -0,0 +1,186 @@
+<template>
+    <MalioDrawer v-model="isOpen">
+        <template #header>
+            <h2 class="text-xl font-bold">
+                {{ isEditing ? $t('admin.roles.editRole') : $t('admin.roles.addRole') }}
+            </h2>
+        </template>
+        <form class="flex flex-col gap-3" @submit.prevent="handleSubmit">
+            <MalioInputText
+                v-model="form.code"
+                :label="$t('admin.roles.code')"
+                input-class="w-full"
+                :disabled="isEditing"
+                :hint="isEditing ? $t('admin.roles.codeImmutable') : $t('admin.roles.codeHint')"
+                :error="touched.code && !codeValid ? $t('admin.roles.codeInvalid') : ''"
+                @blur="touched.code = true"
+            />
+            <MalioInputText
+                v-model="form.label"
+                :label="$t('admin.roles.label')"
+                input-class="w-full"
+                :error="touched.label && !form.label.trim() ? $t('admin.roles.labelRequired') : ''"
+                @blur="touched.label = true"
+            />
+            <MalioInputTextArea
+                v-model="form.description"
+                :label="$t('admin.roles.description')"
+                input-class="w-full"
+            />
+
+            <div class="mt-2">
+                <label class="text-sm font-semibold text-neutral-700">
+                    {{ $t('admin.roles.permissions') }}
+                </label>
+                <p v-if="permissions.length === 0" class="mt-2 text-xs text-neutral-400">
+                    {{ $t('admin.roles.noPermissions') }}
+                </p>
+                <div
+                    v-for="group in groupedPermissions"
+                    :key="group.module"
+                    class="mt-3 rounded-lg border border-neutral-200 p-3"
+                >
+                    <p class="mb-2 text-xs font-bold uppercase tracking-wide text-neutral-500">
+                        {{ group.module }}
+                    </p>
+                    <div class="flex flex-col gap-2">
+                        <label
+                            v-for="perm in group.permissions"
+                            :key="perm.id"
+                            class="flex items-start gap-2 text-sm text-neutral-700"
+                        >
+                            <input
+                                v-model="form.permissions"
+                                type="checkbox"
+                                :value="perm['@id']"
+                                class="mt-0.5 rounded border-neutral-300"
+                            />
+                            <span>
+                                {{ perm.label }}
+                                <span class="block text-xs text-neutral-400">{{ perm.code }}</span>
+                            </span>
+                        </label>
+                    </div>
+                </div>
+            </div>
+
+            <div class="mt-4 flex justify-end">
+                <MalioButton
+                    :label="$t('common.save')"
+                    button-class="w-auto px-6"
+                    :disabled="isSubmitting"
+                    @click="handleSubmit"
+                />
+            </div>
+        </form>
+    </MalioDrawer>
+</template>
+
+<script setup lang="ts">
+import type { Role, RoleWrite } from '~/modules/core/services/roles'
+import { useRoleService } from '~/modules/core/services/roles'
+import type { Permission } from '~/modules/core/services/permissions'
+
+const props = defineProps<{
+    modelValue: boolean
+    item: Role | null
+    permissions: Permission[]
+}>()
+
+const emit = defineEmits<{
+    (e: 'update:modelValue', value: boolean): void
+    (e: 'saved'): void
+}>()
+
+const isOpen = computed({
+    get: () => props.modelValue,
+    set: (v) => emit('update:modelValue', v),
+})
+
+const isEditing = computed(() => !!props.item)
+const isSubmitting = ref(false)
+
+const form = reactive({
+    code: '',
+    label: '',
+    description: '',
+    permissions: [] as string[],
+})
+
+const touched = reactive({
+    code: false,
+    label: false,
+})
+
+const codeValid = computed(() => /^[a-z][a-z0-9_]*$/.test(form.code))
+
+const groupedPermissions = computed(() => {
+    const byModule = new Map<string, Permission[]>()
+    for (const perm of props.permissions) {
+        const list = byModule.get(perm.module) ?? []
+        list.push(perm)
+        byModule.set(perm.module, list)
+    }
+    return [...byModule.entries()]
+        .map(([module, permissions]) => ({ module, permissions }))
+        .sort((a, b) => a.module.localeCompare(b.module))
+})
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        if (props.item) {
+            form.code = props.item.code
+            form.label = props.item.label
+            form.description = props.item.description ?? ''
+            form.permissions = props.item.permissions
+                .map((p) => p['@id'])
+                .filter((iri): iri is string => !!iri)
+        } else {
+            form.code = ''
+            form.label = ''
+            form.description = ''
+            form.permissions = []
+        }
+        touched.code = false
+        touched.label = false
+    }
+})
+
+const { create, update } = useRoleService()
+
+async function handleSubmit() {
+    touched.code = true
+    touched.label = true
+    if (!form.label.trim()) {
+        return
+    }
+    if (!isEditing.value && !codeValid.value) {
+        return
+    }
+
+    isSubmitting.value = true
+    try {
+        if (isEditing.value && props.item) {
+            const payload: Partial<RoleWrite> = {
+                label: form.label.trim(),
+                description: form.description.trim() || null,
+                permissions: form.permissions,
+            }
+            await update(props.item.id, payload)
+        } else {
+            const payload: RoleWrite = {
+                code: form.code.trim(),
+                label: form.label.trim(),
+                description: form.description.trim() || null,
+                permissions: form.permissions,
+            }
+            await create(payload)
+        }
+
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 5711583..321bfed 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -195,6 +195,27 @@
         "addUser": "Ajouter un utilisateur",
         "editUser": "Modifier un utilisateur"
     },
+    "admin": {
+        "roles": {
+            "title": "Rôles",
+            "addRole": "Ajouter un rôle",
+            "editRole": "Modifier un rôle",
+            "empty": "Aucun rôle trouvé.",
+            "system": "Système",
+            "code": "Code",
+            "codeHint": "Identifiant technique en snake_case (immuable).",
+            "codeImmutable": "Le code ne peut pas être modifié après création.",
+            "codeInvalid": "Code invalide (attendu snake_case : minuscules, chiffres et underscores).",
+            "label": "Libellé",
+            "labelRequired": "Le libellé est requis.",
+            "description": "Description",
+            "permissions": "Permissions",
+            "noPermissions": "Aucune permission disponible.",
+            "created": "Rôle créé avec succès.",
+            "updated": "Rôle mis à jour avec succès.",
+            "deleted": "Rôle supprimé avec succès."
+        }
+    },
     "timeEntries": {
         "created": "Temps enregistré",
         "updated": "Temps modifié",
diff --git a/frontend/modules/core/composables/usePermissions.ts b/frontend/modules/core/composables/usePermissions.ts
new file mode 100644
index 0000000..0a9425a
--- /dev/null
+++ b/frontend/modules/core/composables/usePermissions.ts
@@ -0,0 +1,27 @@
+export function usePermissions() {
+    const auth = useAuthStore()
+
+    function isAdmin(): boolean {
+        return auth.user?.roles?.includes('ROLE_ADMIN') ?? false
+    }
+
+    function can(code: string): boolean {
+        if (!auth.user) {
+            return false
+        }
+        if (isAdmin()) {
+            return true
+        }
+        return auth.user.effectivePermissions?.includes(code) ?? false
+    }
+
+    function canAny(codes: string[]): boolean {
+        return codes.some((c) => can(c))
+    }
+
+    function canAll(codes: string[]): boolean {
+        return codes.every((c) => can(c))
+    }
+
+    return { can, canAny, canAll, isAdmin }
+}
diff --git a/frontend/modules/core/services/permissions.ts b/frontend/modules/core/services/permissions.ts
new file mode 100644
index 0000000..bcad3ea
--- /dev/null
+++ b/frontend/modules/core/services/permissions.ts
@@ -0,0 +1,22 @@
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type Permission = {
+    id: number
+    '@id'?: string
+    code: string
+    label: string
+    module: string
+    orphan?: boolean
+}
+
+export function usePermissionService() {
+    const api = useApi()
+
+    async function list(): Promise<Permission[]> {
+        const data = await api.get<HydraCollection<Permission>>('/permissions')
+        return extractHydraMembers(data)
+    }
+
+    return { list }
+}
diff --git a/frontend/modules/core/services/roles.ts b/frontend/modules/core/services/roles.ts
new file mode 100644
index 0000000..24bcdea
--- /dev/null
+++ b/frontend/modules/core/services/roles.ts
@@ -0,0 +1,50 @@
+import type { Permission } from './permissions'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type Role = {
+    id: number
+    '@id'?: string
+    code: string
+    label: string
+    description?: string | null
+    isSystem: boolean
+    permissions: Permission[]
+}
+
+export type RoleWrite = {
+    code?: string
+    label: string
+    description?: string | null
+    /** IRIs of the granted permissions (e.g. /api/permissions/3). */
+    permissions: string[]
+}
+
+export function useRoleService() {
+    const api = useApi()
+
+    async function list(): Promise<Role[]> {
+        const data = await api.get<HydraCollection<Role>>('/roles')
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: RoleWrite): Promise<Role> {
+        return api.post<Role>('/roles', payload as Record<string, unknown>, {
+            toastSuccessKey: 'admin.roles.created',
+        })
+    }
+
+    async function update(id: number, payload: Partial<RoleWrite>): Promise<Role> {
+        return api.patch<Role>(`/roles/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'admin.roles.updated',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/roles/${id}`, {}, {
+            toastSuccessKey: 'admin.roles.deleted',
+        })
+    }
+
+    return { list, create, update, remove }
+}
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index 998deac..f371f09 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -6,7 +6,7 @@
             <div class="mt-6 border-b border-neutral-200 overflow-x-auto">
                 <nav class="flex gap-4 sm:gap-6">
                     <button
-                        v-for="tab in tabs"
+                        v-for="tab in visibleTabs"
                         :key="tab.key"
                         class="whitespace-nowrap px-1 pb-3 text-sm font-semibold transition"
                         :class="activeTab === tab.key
@@ -27,6 +27,7 @@
             <AdminPriorityTab v-if="activeTab === 'priorities'" />
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
+            <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
@@ -41,6 +42,11 @@
 definePageMeta({ middleware: ['admin'] })
 useHead({ title: 'Administration' })
 
+const { can } = usePermissions()
+const { t } = useI18n()
+
+const canViewRoles = computed(() => can('core.roles.view'))
+
 const tabs = [
     { key: 'clients', label: 'Clients' },
     { key: 'workflows', label: 'Workflows' },
@@ -48,6 +54,7 @@ const tabs = [
     { key: 'priorities', label: 'Priorités' },
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
+    { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },
@@ -58,5 +65,9 @@ const tabs = [
 
 type TabKey = typeof tabs[number]['key']
 
+const visibleTabs = computed(() =>
+    tabs.filter((tab) => !('permission' in tab) || can(tab.permission)),
+)
+
 const activeTab = ref<TabKey>('clients')
 </script>
diff --git a/frontend/services/dto/user-data.ts b/frontend/services/dto/user-data.ts
index 3f5f5df..148bac0 100644
--- a/frontend/services/dto/user-data.ts
+++ b/frontend/services/dto/user-data.ts
@@ -7,6 +7,7 @@ export type UserData = {
     firstName?: string | null
     lastName?: string | null
     roles: string[]
+    effectivePermissions?: string[]
     avatarUrl?: string | null
     apiToken?: string | null
     // HR / absence management
diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php
index 24e4047..bbd70a5 100644
--- a/src/Module/Core/Domain/Entity/Permission.php
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -18,7 +18,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Index(name: 'idx_permission_orphan', columns: ['orphan'])]
 #[ApiResource(
     operations: [
-        new GetCollection(),
+        new GetCollection(paginationEnabled: false),
         new Get(),
     ],
     normalizationContext: ['groups' => ['permission:read']],
diff --git a/src/Module/Core/Domain/Entity/Role.php b/src/Module/Core/Domain/Entity/Role.php
index 7954dad..e837008 100644
--- a/src/Module/Core/Domain/Entity/Role.php
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -25,7 +25,7 @@ use Symfony\Component\Serializer\Attribute\SerializedName;
 #[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
 #[ApiResource(
     operations: [
-        new GetCollection(security: "is_granted('core.roles.view')"),
+        new GetCollection(security: "is_granted('core.roles.view')", paginationEnabled: false),
         new Get(security: "is_granted('core.roles.view')"),
         new Post(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
         new Patch(security: "is_granted('core.roles.manage')", processor: RoleProcessor::class),
-- 
2.39.5


From 4760c386ed027504e2d12478c1913279b7398bf0 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 17:38:26 +0200
Subject: [PATCH 35/99] docs : log LST-57 rbac fin session learnings

---
 .claude/skills/ticket-executor/LEARNINGS.md | 26 +++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index 4021976..c833a48 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -112,6 +112,32 @@
 - **Aligner le contrat sur la réalité de l'entité, pas l'inverse** : `User::getUsername()` est `?string` (pas `string`) et la méthode réelle est `getIsEmployee(): bool` (pas `isEmployee()`). Le plan écrivait `isEmployee()` — le contrat existant était déjà correct, aucun changement. Toujours lire l'entité avant de figer une signature de contrat.
 - **Tests fonctionnels qui persistent réellement** (pas de rollback transactionnel ici) : un `NotifierTest` qui crée une notif échoue au 2e run (`2 != 1`) → rendre les données uniques (`uniqid()` sur le titre) pour l'idempotence.
 
+## Session 2026-06-19 (LST-57 / 1.2 — RBAC fin : portage Starseed)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-57-rbac-fin.md`, 7 phases A→G). Source de vérité = **implémentation RBAC de Starseed** (le brief attaché au ticket était inaccessible en local — fichier non synchronisé sur le stockage ; cartographié via un agent Explore sur `/home/matthieu/dev_malio/Starseed`). 1 sous-agent par phase, pilotage chrono/MCP/vérif/push sur la session principale.
+- 7 commits impl (A `ffed224`, B `ac662e7`, C `5060fb6`, D `48c67a5`, E `1a9eba9`, F `544d4cf`, G `511353c`) + plan `fdc7257`. Tests 131→**147 verts**. Timer impl 1014.
+
+### Décision d'architecture majeure (actée, à valider PO)
+- **RBAC additif, `ROLE_ADMIN` = bypass, PAS de colonne `is_admin`** — divergence assumée vs Starseed (qui a supprimé la colonne JSON `roles` au profit de `is_admin`). Lesstime garde `roles` JSON + `getRoles()` (login/JWT/MCP/sidebar #62 reposent dessus) ; le `PermissionVoter` bypass si `in_array('ROLE_ADMIN', $user->getRoles())`. Réécrire l'auth aurait été une régression à haut risque pour zéro bénéfice AC. Migration future vers `is_admin` possible.
+
+### Patterns
+- **RBAC = Role + Permission (M2M) + relations User** : `Role`(code snake_case immuable, label, description, isSystem, ManyToMany permissions EAGER), `Permission`(code `module.resource.action` unique, label, module, orphan), `User` reçoit `rbacRoles` (table `user_role`) + `directPermissions` (table `user_permission`), `getEffectivePermissions()` = union triée dédupliquée. Migration **100% additive** (5 CREATE TABLE, zéro DROP/ALTER sur `user`).
+- **Permissions déclaratives par module** : `ModuleInterface::permissions(): list<array{code,label}>`, agrégées par `ModuleRegistry::permissions($activeClasses)` (injecte `module=id()`, valide le préfixe). `app:sync-permissions` upsert (revive orphan / updateMetadata / create) + markOrphan des absentes. `app:seed-rbac` seede les rôles système (`admin`/`user`, isSystem) — **sans matrice métier** tant qu'aucune permission métier n'existe (les modules 2.x ajouteront leurs permissions + rôles).
+- **Voter pur + bypass applicatif** : `PermissionVoter` (regex `/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/` pour `supports`, donc abstient sur `ROLE_*`/`IS_AUTHENTICATED_*`). Le bypass admin de la **sidebar** est dans `SidebarProvider` (si ROLE_ADMIN → injecte le catalogue complet `ModuleRegistry::permissions()`), pas dans `SidebarFilter` qui reste un filtre pur (`permissionSatisfied()`). Le seed n'attachant aucune permission, sans ce bypass l'admin ne verrait rien.
+- **Front** : `usePermissions()` (`can/canAny/canAll/isAdmin`) dans `modules/core/composables/` (auto-importé) ; type `UserData` enrichi de `effectivePermissions` ; onglet `AdminRoleTab`+`RoleDrawer` dans `frontend/components/admin/` (le scan `components` Nuxt ne couvre que `~/components`, PAS les layers `modules/*` → les composants vont dans `components/`, le composable/services dans `modules/core/`).
+
+### Gotchas
+- **`Symfony\Component\Serializer\Annotation\Groups` N'EXISTE PLUS en Symfony 8** — seul `Attribute\Groups` existe. Un import `Annotation\Groups` rend tous les `#[Groups]` **no-op silencieux** (sérialisation cassée, POST en 400 car le constructeur n'est pas alimenté). Bug latent introduit en Phase A, révélé seulement par les tests fonctionnels de Phase D (TDD). Toujours utiliser `Attribute\Groups`. Vérifier la cohérence sur TOUTES les entités.
+- **`isSystem` exposé sous la clé `system`** : PropertyInfo strippe le préfixe `is`. Mettre `#[Groups]` + `#[SerializedName('isSystem')]` sur le getter pour conserver `isSystem` côté API.
+- **`options: ['comment' => ...]` sur les colonnes des entités** : sans le mapping `options.comment`, les `COMMENT ON COLUMN` de la migration créent une dérive `migrations:diff` perpétuelle (Doctrine veut les remettre à `''`). Aligner le mapping entité sur le COMMENT de la migration.
+- **`make db-reset` détruit `lesstime_test`** (`docker compose down -v` supprime le volume) — les tests tournent sur la base suffixée `_test`. Après un db-reset, recréer la base de test : `doctrine:database:create --env=test --if-not-exists` + `migrations:migrate -n --env=test` + `fixtures:load -n --env=test`. Ne jamais lancer `make db-reset` depuis un sous-agent de phase.
+- **Signature `Voter::voteOnAttribute`** : la version Symfony installée impose `voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool` (4e param). Sans lui : « Declaration must be compatible » fatal.
+
+### MR / Git
+- **MR empilées sur Gitea** (`tea pr create --base <branche-précédente>`) reflètent la chaîne de dépendances (#56→develop, #62→#56, #63→#62, #57→#63) avec des diffs propres ; Gitea re-cible la base à chaque merge. `tea pr` n'a pas d'`edit` → pour sortir une MR du brouillon (retrait `WIP:`), PATCH API Gitea `/repos/{o}/{r}/pulls/{n}` avec le token de `~/.config/tea/config.yml`.
+- **WIP en cours** : pousser la branche d'un ticket en cours + ouvrir la MR en brouillon (titre `WIP:`) sauvegarde le travail sans signaler « prêt à merger » ; re-pousser à chaque phase. Le push ne lock pas l'index → aucune contention avec un sous-agent qui committe en parallèle.
+
 ## Meta-learnings
 - **Parallélisation**: Les tickets touchant des fichiers indépendants peuvent tourner en parallèle sans problème
 - **Commits concurrents**: NE PAS lancer deux sous-agents qui committent sur le même repo en parallèle (collision `.git/index.lock`) — séquencer.
-- 
2.39.5


From fda03bd1f5385961da2fb296573f75186f0e9b56 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 20:53:36 +0200
Subject: [PATCH 36/99] docs : add LST-61 audit log implementation plan

---
 .../plans/2026-06-19-lst-61-audit-log.md      | 706 ++++++++++++++++++
 1 file changed, 706 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-19-lst-61-audit-log.md

diff --git a/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md b/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md
new file mode 100644
index 0000000..4593228
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-19-lst-61-audit-log.md
@@ -0,0 +1,706 @@
+# LST-61 (1.3) · Audit log — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Porter l'infrastructure d'audit de Starseed dans Lesstime : tracer create/update/delete des entités `#[Auditable]` dans une table append-only `audit_log`, exposée en lecture seule via `GET /api/audit-logs` (paginé + filtrable), avec une page de consultation front gated RBAC.
+
+**Architecture:** 4 couches indépendantes, additives (strangler) — (1) **marquage** déclaratif `#[Auditable]`/`#[AuditIgnore]` dans `src/Shared/Domain/Attribute/` ; (2) **capture** par un `AuditListener` Doctrine sur `onFlush`/`postFlush` (capture en mémoire puis écriture déphasée) ; (3) **écriture** via `AuditLogWriter` sur une connexion DBAL dédiée `audit` (hors transaction ORM, survit aux rollbacks) ; (4) **lecture API** via `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator`. Front Nuxt : service + page consultation gated `core.audit_log.view`.
+
+**Tech Stack:** Symfony 8, API Platform 4, Doctrine ORM/DBAL, PostgreSQL 16, PHP 8.4, PHPUnit, symfony/uid (vendoré), Nuxt 4 / Vue 3 / Pinia / @nuxtjs/i18n.
+
+## Global Constraints
+
+- **Aucune mention de Claude/Anthropic/IA** dans les écritures Git (commits, trailers, descriptions MR, merge). Messages factuels et techniques.
+- **Additif uniquement** : aucune migration destructive (pas de DROP/ALTER sur tables existantes en `up()`).
+- **PostgreSQL** : noms de colonnes toujours en minuscules snake_case dans le SQL brut.
+- **Code** : `declare(strict_types=1)`, PSR-12, patterns API Platform / Doctrine existants. Variables et commentaires en anglais.
+- **`config/reference.php`** auto-généré — NE JAMAIS committer.
+- Toujours lire un fichier avant de le modifier ; reproduire le style existant.
+- Branche : `feat/lst-61-audit-log` (empilée sur `feat/lst-57-rbac-fin`).
+- Tests Docker : `docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit`.
+
+---
+
+## File Structure
+
+**Créés :**
+- `src/Shared/Domain/Attribute/Auditable.php` — marqueur classe
+- `src/Shared/Domain/Attribute/AuditIgnore.php` — marqueur propriété
+- `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php` — écriture DBAL `audit`
+- `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php` — UUID par requête
+- `src/Module/Core/Infrastructure/Doctrine/AuditListener.php` — capture onFlush/postFlush
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+- `src/Module/Core/Application/DTO/AuditLogOutput.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+- `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+- `migrations/Version20260619XXXXXX.php` — table `audit_log`
+- `tests/Functional/Module/Core/AuditListenerTest.php`
+- `tests/Functional/Module/Core/AuditLogApiTest.php`
+- `frontend/modules/core/services/audit-logs.ts`
+- `frontend/components/admin/AdminAuditTab.vue`
+
+**Modifiés :**
+- `config/packages/doctrine.yaml` — connexion `audit` + `schema_filter` audit_log
+- `src/Module/Core/CoreModule.php` — permission `core.audit_log.view`
+- `src/Module/Core/Domain/Entity/User.php` — `#[Auditable]` + `#[AuditIgnore]` password/apiToken
+- `src/Module/Core/Domain/Entity/Role.php` — `#[Auditable]`
+- `src/Module/Core/Domain/Entity/Permission.php` — `#[Auditable]`
+- `tests/Unit/Module/Core/CoreModuleTest.php` — assert nouvelle permission
+- `frontend/pages/admin.vue` — onglet Audit gated `core.audit_log.view`
+- `frontend/i18n/locales/fr.json` — clés `admin.audit.*` + `audit.entity.*`
+
+---
+
+## Task A: Marquage + table + connexion DBAL audit
+
+**Files:**
+- Create: `src/Shared/Domain/Attribute/Auditable.php`, `src/Shared/Domain/Attribute/AuditIgnore.php`
+- Create: `migrations/Version20260619XXXXXX.php`
+- Modify: `config/packages/doctrine.yaml`
+
+**Interfaces produced:** `App\Shared\Domain\Attribute\Auditable` (TARGET_CLASS), `App\Shared\Domain\Attribute\AuditIgnore` (TARGET_PROPERTY) ; service DBAL `doctrine.dbal.audit_connection` ; table `audit_log`.
+
+- [ ] **Step A1: Attributs** — créer les deux fichiers :
+
+```php
+<?php
+// src/Shared/Domain/Attribute/Auditable.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable
+{
+}
+```
+
+```php
+<?php
+// src/Shared/Domain/Attribute/AuditIgnore.php
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore
+{
+}
+```
+
+- [ ] **Step A2: Migration** — créer `migrations/Version20260619XXXXXX.php` (timestamp réel via `php bin/console make:migration` puis remplacer le contenu, OU horodatage manuel cohérent > 20260619145109) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619XXXXXX extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}
+```
+
+- [ ] **Step A3: Connexion DBAL `audit`** — restructurer `config/packages/doctrine.yaml`. Remplacer le bloc `dbal` racine (connexion unique) par des connexions nommées, et propager le `dbname_suffix` de test aux deux connexions. **Le bloc `orm` reste inchangé** (l'EM par défaut se lie à `default_connection`).
+
+Remplacer :
+```yaml
+    dbal:
+        url: '%env(resolve:DATABASE_URL)%'
+
+        # IMPORTANT: You MUST configure your server version,
+        # either here or in the DATABASE_URL env var (see .env file)
+        #server_version: '16'
+
+        profiling_collect_backtrace: '%kernel.debug%'
+```
+par :
+```yaml
+    dbal:
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
+```
+
+Et remplacer le bloc `when@test` :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # "TEST_TOKEN" is typically set by ParaTest
+            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+par :
+```yaml
+when@test:
+    doctrine:
+        dbal:
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+```
+
+- [ ] **Step A4: Vérifier la non-régression** — la restructuration des connexions est le point sensible. Lancer la suite existante :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Expected: 147 tests toujours verts (aucune régression liée au changement de connexions).
+
+- [ ] **Step A5: Appliquer la migration (dev + test)** :
+
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:migrate -n --env=test
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -i "audit_log" || echo "OK: audit_log absent du diff (schema_filter actif)"
+```
+Expected: table créée, `audit_log` absente de tout diff généré.
+
+- [ ] **Step A6: Commit**
+```bash
+git add src/Shared/Domain/Attribute config/packages/doctrine.yaml migrations/
+git commit -m "feat(core) : add audit attributes, audit_log table and dedicated dbal connection"
+```
+
+---
+
+## Task B: AuditLogWriter + RequestIdProvider
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Audit/AuditLogWriter.php`
+- Create: `src/Module/Core/Infrastructure/Audit/RequestIdProvider.php`
+
+**Interfaces produced:** `AuditLogWriter::log(string $entityType, string $entityId, string $action, array $changes): void` ; `RequestIdProvider::getRequestId(): ?string`.
+
+- [ ] **Step B1: RequestIdProvider** (verbatim Starseed) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}
+```
+
+- [ ] **Step B2: AuditLogWriter** (verbatim Starseed, connexion `audit`) :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {
+    }
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}
+```
+
+- [ ] **Step B3: Vérifier le câblage** (autowiring) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:container App\\Module\\Core\\Infrastructure\\Audit\\AuditLogWriter 2>&1 | head -20
+```
+Expected: service trouvé, injection `doctrine.dbal.audit_connection` résolue.
+
+- [ ] **Step B4: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Audit/
+git commit -m "feat(core) : add audit log writer and request id provider"
+```
+
+---
+
+## Task C: AuditListener + marquage des entités Core
+
+**Files:**
+- Create: `src/Module/Core/Infrastructure/Doctrine/AuditListener.php`
+- Modify: `src/Module/Core/Domain/Entity/User.php`, `Role.php`, `Permission.php`
+- Test: `tests/Functional/Module/Core/AuditListenerTest.php`
+
+**Interfaces consumed:** `AuditLogWriter`, attributs `Auditable`/`AuditIgnore`.
+
+- [ ] **Step C1: Écrire le test fonctionnel (échec attendu)** — `tests/Functional/Module/Core/AuditListenerTest.php`. Le test crée/modifie/supprime un User via l'EntityManager dans le kernel de test, puis lit `audit_log` via la connexion `audit`. (S'inspirer du style des tests fonctionnels existants — `RoleApiTest`, `UserRbacApiTest`.)
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container = self::getContainer();
+        $this->em = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions.
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+}
+```
+
+> **Note adaptation :** vérifier la signature réelle de `User` (setters disponibles : `setUsername`, `setPassword`, `setRoles`, `setFirstName`). Ajuster `makeUser()` aux champs NOT NULL réels de la table `user`. Si `User` exige d'autres champs obligatoires (ex. `createdAt` initialisé au constructeur — déjà le cas), ne rien ajouter.
+
+- [ ] **Step C2: Run le test → échec** (listener absent, entités non marquées) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: FAIL.
+
+- [ ] **Step C3: Créer `AuditListener`** (verbatim Starseed, namespace `App\Module\Core\Infrastructure\Doctrine`). Copier intégralement le listener fourni dans le rapport Starseed (onFlush capture + postFlush écriture, swap-and-clear, gestion collections, snapshot create/delete, buildUpdateChanges, formatEntityType regex `App\Module\<module>\...\<Entity>`, caches Auditable/AuditIgnore). **Ne rien simplifier.**
+
+- [ ] **Step C4: Marquer les entités Core.**
+
+`src/Module/Core/Domain/Entity/User.php` — ajouter import + attribut classe + `#[AuditIgnore]` sur `password` et `apiToken` :
+```php
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+```
+```php
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
+#[ORM\Table(name: '`user`')]
+class User implements ...
+```
+Sur la propriété `password` (ligne ~89-90) et `apiToken` (ligne ~99-100), ajouter `#[AuditIgnore]` au-dessus de la ligne `private ?string $password = null;` / `private ?string $apiToken = null;`.
+
+`src/Module/Core/Domain/Entity/Role.php` — ajouter `use App\Shared\Domain\Attribute\Auditable;` et `#[Auditable]` au-dessus de `#[ORM\Entity...]`.
+
+`src/Module/Core/Domain/Entity/Permission.php` — idem `#[Auditable]`.
+
+- [ ] **Step C5: Run le test → succès** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditListenerTest.php
+```
+Expected: PASS (3 tests).
+
+- [ ] **Step C6: Suite complète + cs-fixer** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+Expected: tout vert.
+
+- [ ] **Step C7: Commit**
+```bash
+git add src/Module/Core/Infrastructure/Doctrine/AuditListener.php src/Module/Core/Domain/Entity/ tests/Functional/Module/Core/AuditListenerTest.php
+git commit -m "feat(core) : add doctrine audit listener and mark core entities auditable"
+```
+
+---
+
+## Task D: API de lecture `/api/audit-logs` + permission
+
+**Files:**
+- Create: `AuditLogOutput.php`, `DbalPaginator.php`, `AuditLogProvider.php`, `AuditLogResource.php`, `AuditLogEntityTypesResource.php`, `AuditLogEntityTypesProvider.php`
+- Modify: `src/Module/Core/CoreModule.php` (permission), `tests/Unit/Module/Core/CoreModuleTest.php`
+- Test: `tests/Functional/Module/Core/AuditLogApiTest.php`
+
+**Interfaces consumed:** table `audit_log`, connexion `doctrine.dbal.default_connection`, permission `core.audit_log.view`.
+
+- [ ] **Step D1: Permission** — ajouter dans `CoreModule::permissions()` :
+```php
+['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
+```
+Mettre à jour `tests/Unit/Module/Core/CoreModuleTest.php` pour asserter la présence de ce code (la liste passe à 6 permissions).
+
+- [ ] **Step D2: DTO + Paginator + Providers + Resources** — créer les 6 fichiers verbatim depuis le rapport Starseed :
+  - `src/Module/Core/Application/DTO/AuditLogOutput.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php`
+  - `src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php`
+
+  **Adaptation pagination :** Lesstime n'a pas de `itemsPerPage`/`maximum_items_per_page` explicite dans `api_platform.yaml`. Le provider utilise `Pagination::getPage()`/`getLimit()` (défauts API Platform : 30/page). C'est acceptable. Conserver le clamp `max(1, page)`.
+
+- [ ] **Step D3: Écrire le test API (échec attendu)** — `tests/Functional/Module/Core/AuditLogApiTest.php`. S'aligner sur le helper d'auth des tests existants (login admin/admin via cookie JWT, cf. `RoleApiTest`). Tests :
+  - admin authentifié : `GET /api/audit-logs` → 200, structure hydra paginée.
+  - filtre `?action=update` → ne renvoie que des updates.
+  - filtre `?entity_type=core.User`.
+  - `?action=bogus` → 400.
+  - utilisateur sans permission (alice) : 403.
+  - non authentifié : 401.
+
+  Préparer des données : créer/modifier un User via l'EM avant les assertions (le listener écrit), OU insérer directement des lignes via la connexion `audit`.
+
+- [ ] **Step D4: Run → échec, puis vérifier la route** :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console debug:router 2>&1 | grep -i audit
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit tests/Functional/Module/Core/AuditLogApiTest.php
+```
+Expected: routes `/api/audit-logs`, `/api/audit-logs/{id}`, `/api/audit-log-entity-types` présentes ; test passe une fois les providers branchés.
+
+- [ ] **Step D5: sync-permissions** (enregistre `core.audit_log.view` en base dev + test) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions
+docker exec -t -u www-data php-lesstime-fpm php bin/console app:sync-permissions --env=test
+```
+
+- [ ] **Step D6: Suite complète + cs-fixer**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+make php-cs-fixer-allow-risky
+```
+
+- [ ] **Step D7: Commit**
+```bash
+git add src/Module/Core/ tests/
+git commit -m "feat(core) : expose read-only audit-logs api with dbal provider and pagination"
+```
+
+---
+
+## Task E: Front — page consultation gated RBAC
+
+**Files:**
+- Create: `frontend/modules/core/services/audit-logs.ts`, `frontend/components/admin/AdminAuditTab.vue`
+- Modify: `frontend/pages/admin.vue`, `frontend/i18n/locales/fr.json`
+
+**Interfaces consumed:** `GET /api/audit-logs`, composable `usePermissions` (livré en 1.2), pattern onglet admin (cf. `AdminRoleTab.vue` créé en 1.2).
+
+- [ ] **Step E1: Service** — `frontend/modules/core/services/audit-logs.ts` : fonction `fetchAuditLogs(params)` via `useApi()` (suivre `roles.ts`/`permissions.ts` créés en 1.2). Types : `AuditLogItem { id, entityType, entityId, action, changes, performedBy, performedAt, ipAddress, requestId }`.
+
+- [ ] **Step E2: Composant onglet** — `frontend/components/admin/AdminAuditTab.vue` : tableau paginé (colonnes date, utilisateur, type d'entité, action, id), filtre par `entityType` et `action`. Labels via i18n `audit.entity.*` et `audit.action.*`. Reproduire le style de `AdminRoleTab.vue`.
+
+- [ ] **Step E3: Onglet dans admin.vue** — ajouter un onglet « Audit » gated `can('core.audit_log.view')` (suivre le gating de l'onglet rôles ajouté en 1.2).
+
+- [ ] **Step E4: i18n** — `frontend/i18n/locales/fr.json` : ajouter `admin.audit.*` (titre, colonnes, filtres) et `audit.entity.core.User` = « Utilisateur », `audit.entity.core.Role` = « Rôle », `audit.entity.core.Permission` = « Permission » ; `audit.action.create/update/delete`.
+
+- [ ] **Step E5: Vérifier la route déterministe (SPA)** :
+```bash
+cd frontend && npx nuxt build 2>&1 | tail -5
+grep -o 'name:"admin"' .output/server/chunks/build/client.precomputed.mjs | head -1
+```
+Expected: build OK (la page admin reste enregistrée).
+
+- [ ] **Step E6: Commit**
+```bash
+git add frontend/
+git commit -m "feat(core) : add audit log consultation tab in admin gated by permission"
+```
+
+---
+
+## Task F: Validation finale + statut
+
+- [ ] **Step F1: Suite complète verte + login fumée**
+```bash
+docker exec -t -u www-data php-lesstime-fpm php vendor/bin/phpunit
+```
+Vérifier login admin → 204 + `GET /api/me` 200 + `GET /api/audit-logs` 200 (cURL ou via test).
+
+- [ ] **Step F2: migrations:diff propre** (audit_log absente du diff) :
+```bash
+docker exec -t -u www-data php-lesstime-fpm php bin/console doctrine:migrations:diff --env=test 2>&1 | grep -ci audit_log
+```
+Expected: 0.
+
+- [ ] **Step F3: Learnings** — append session #61 à `.claude/skills/ticket-executor/LEARNINGS.md`, commit `docs : log LST-61 audit log session learnings`.
+
+- [ ] **Step F4: Push branche + MR empilée sur #57** (Gitea, base `feat/lst-57-rbac-fin`), draft puis un-draft via API si voulu.
+
+- [ ] **Step F5: Ticket #61 (id 647) → « En attente de validation » (statut 4)**, stopper le timer, informer l'utilisateur.
+
+---
+
+## Self-Review (couverture spec)
+
+| Critère d'acceptation | Tâche |
+|---|---|
+| CRUD des entités `#[Auditable]` tracé | C (listener + test create/update/delete) |
+| Endpoint `/api/audit-logs` paginé/filtrable | D (provider DBAL + DbalPaginator + filtres) |
+| `make test` vert, aucune migration destructive | A (migration additive), C/D/F (suite) |
+| `#[Auditable]`/`#[AuditIgnore]` dans Shared | A1 |
+| Table `audit_log` (qui/quoi/quand/diff/requestId) + COMMENT | A2 |
+| `#[AuditIgnore]` champs sensibles (password, apiToken) | C4 + B2 blacklist |
+| Front consultation + i18n `audit.entity.*` gated RBAC | E |
+
+**Décision de scope :** `#[Auditable]` posé sur les **entités migrées** (User, Role, Permission) conformément au libellé du ticket. Les entités métier legacy (`src/Entity/*`) ne sont pas marquées ici — elles le seront lors de leur migration en modules (phases 2.x+). L'infra est prête à les auditer sans modification dès qu'elles portent l'attribut.
-- 
2.39.5


From 934cf0835fe2bc829c6225b215cb6ae3f989f976 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 20:56:32 +0200
Subject: [PATCH 37/99] feat(core) : add audit attributes, audit_log table and
 dedicated dbal connection

---
 config/packages/doctrine.yaml               | 30 +++++++----
 migrations/Version20260619185448.php        | 56 +++++++++++++++++++++
 src/Shared/Domain/Attribute/AuditIgnore.php | 17 +++++++
 src/Shared/Domain/Attribute/Auditable.php   | 17 +++++++
 4 files changed, 111 insertions(+), 9 deletions(-)
 create mode 100644 migrations/Version20260619185448.php
 create mode 100644 src/Shared/Domain/Attribute/AuditIgnore.php
 create mode 100644 src/Shared/Domain/Attribute/Auditable.php

diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index bc43e4d..e5da762 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -1,12 +1,19 @@
 doctrine:
     dbal:
-        url: '%env(resolve:DATABASE_URL)%'
-
-        # IMPORTANT: You MUST configure your server version,
-        # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '16'
-
-        profiling_collect_backtrace: '%kernel.debug%'
+        default_connection: default
+        connections:
+            # ORM uses `default`; AuditLogWriter uses `audit` (same DSN, separate
+            # service) to write outside the ORM transaction so audit rows survive
+            # an application-side rollback and avoid transactional entanglement.
+            default:
+                url: '%env(resolve:DATABASE_URL)%'
+                profiling_collect_backtrace: '%kernel.debug%'
+                # audit_log has no ORM entity (written via raw DBAL). Exclude it
+                # from schema comparison so migrations:diff / schema:validate stay
+                # clean. Creation/teardown stay driven by migrations.
+                schema_filter: '~^(?!audit_log$).+~'
+            audit:
+                url: '%env(resolve:DATABASE_URL)%'
     orm:
         validate_xml_mapping: true
         naming_strategy: doctrine.orm.naming_strategy.underscore_number_aware
@@ -33,8 +40,13 @@ doctrine:
 when@test:
     doctrine:
         dbal:
-            # "TEST_TOKEN" is typically set by ParaTest
-            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+            # Propagate the _test suffix to BOTH connections: the audit
+            # connection must write to the test DB, not the dev DB.
+            connections:
+                default:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+                audit:
+                    dbname_suffix: '_test%env(default::TEST_TOKEN)%'
 
 when@prod:
     doctrine:
diff --git a/migrations/Version20260619185448.php b/migrations/Version20260619185448.php
new file mode 100644
index 0000000..a9c2335
--- /dev/null
+++ b/migrations/Version20260619185448.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Audit log (LST-61) : append-only `audit_log` table.
+ *
+ * Not managed by Doctrine ORM (no entity). Written via raw DBAL by the
+ * AuditLogWriter on a dedicated `audit` connection to avoid re-entrant
+ * flushes from the Doctrine listener. Columns are lowercase snake_case.
+ * Additive only — no DROP/ALTER on existing tables.
+ */
+final class Version20260619185448 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Audit log: create append-only audit_log table + indexes (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            CREATE TABLE audit_log (
+                id uuid NOT NULL,
+                entity_type VARCHAR(100) NOT NULL,
+                entity_id VARCHAR(64) NOT NULL,
+                action VARCHAR(10) NOT NULL,
+                changes JSONB NOT NULL DEFAULT '{}'::jsonb,
+                performed_by VARCHAR(100) NOT NULL,
+                performed_at TIMESTAMP(6) WITH TIME ZONE NOT NULL,
+                ip_address VARCHAR(45) DEFAULT NULL,
+                request_id VARCHAR(36) DEFAULT NULL,
+                PRIMARY KEY(id)
+            )
+            SQL);
+        $this->addSql('CREATE INDEX idx_audit_entity_time ON audit_log (entity_type, entity_id, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_performer ON audit_log (performed_by, performed_at)');
+        $this->addSql('CREATE INDEX idx_audit_time ON audit_log (performed_at)');
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_type IS 'Audited entity type, format module.Entity (e.g. core.User)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.entity_id IS 'Audited entity identifier (int or composite key serialized)'");
+        $this->addSql("COMMENT ON COLUMN audit_log.action IS 'create|update|delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.changes IS 'JSON diff: {field:{old,new}} for update, full snapshot for create/delete'");
+        $this->addSql("COMMENT ON COLUMN audit_log.performed_by IS 'User identifier or system'");
+        $this->addSql("COMMENT ON COLUMN audit_log.request_id IS 'UUID shared by all audit rows of a single HTTP request (null in CLI)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE audit_log');
+    }
+}
diff --git a/src/Shared/Domain/Attribute/AuditIgnore.php b/src/Shared/Domain/Attribute/AuditIgnore.php
new file mode 100644
index 0000000..8f95350
--- /dev/null
+++ b/src/Shared/Domain/Attribute/AuditIgnore.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on an entity property to exclude it from audit tracking.
+ *
+ * Typical use: sensitive fields (password, apiToken). The AuditLogWriter also
+ * carries an exact-match blacklist on the most dangerous names as
+ * defense-in-depth, but the base rule is to annotate explicitly here.
+ */
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class AuditIgnore {}
diff --git a/src/Shared/Domain/Attribute/Auditable.php b/src/Shared/Domain/Attribute/Auditable.php
new file mode 100644
index 0000000..94c78a9
--- /dev/null
+++ b/src/Shared/Domain/Attribute/Auditable.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Attribute;
+
+use Attribute;
+
+/**
+ * Marker placed on a Doctrine entity to enable audit tracking.
+ *
+ * Located in Shared (not Core) so every module can use it without a
+ * circular dependency on Core. Any migrated business entity that should be
+ * traced carries this attribute, with #[AuditIgnore] on sensitive fields.
+ */
+#[Attribute(Attribute::TARGET_CLASS)]
+final class Auditable {}
-- 
2.39.5


From d8553f06f5c8261a65de6f5cd23d83b38f191147 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:01:15 +0200
Subject: [PATCH 38/99] feat(core) : add audit log writer and request id
 provider

---
 .../Infrastructure/Audit/AuditLogWriter.php   | 94 +++++++++++++++++++
 .../Audit/RequestIdProvider.php               | 33 +++++++
 2 files changed, 127 insertions(+)
 create mode 100644 src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
 create mode 100644 src/Module/Core/Infrastructure/Audit/RequestIdProvider.php

diff --git a/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php b/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
new file mode 100644
index 0000000..e1f1bfa
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Audit/AuditLogWriter.php
@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use DateTimeImmutable;
+use DateTimeZone;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Low-level service responsible for writing into the `audit_log` table.
+ *
+ * Uses a dedicated `audit` DBAL connection (same DSN as `default`) to write
+ * outside the ORM transaction: audit rows survive an application-side
+ * rollback and avoid transactional entanglement in batch (fixtures).
+ *
+ * Sensitive keys are stripped in defense-in-depth even when entities already
+ * declare those properties #[AuditIgnore]. SQL failures are swallowed by the
+ * caller (AuditListener wraps log() in try/catch) — audit must never crash a
+ * business flow.
+ */
+final class AuditLogWriter
+{
+    /** @var list<string> keys always stripped from the `changes` payload */
+    private const array SENSITIVE_KEYS = ['password', 'plainPassword', 'apiToken', 'token', 'secret'];
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.audit_connection')]
+        private readonly Connection $connection,
+        private readonly Security $security,
+        private readonly RequestStack $requestStack,
+        private readonly RequestIdProvider $requestIdProvider,
+    ) {}
+
+    /**
+     * @param string               $entityType Format "module.Entity" (e.g. "core.User")
+     * @param string               $entityId   Entity id (int or serialized UUID)
+     * @param string               $action     create|update|delete
+     * @param array<string, mixed> $changes    JSON payload (sensitive keys stripped)
+     */
+    public function log(
+        string $entityType,
+        string $entityId,
+        string $action,
+        array $changes,
+    ): void {
+        $filteredChanges = $this->stripSensitive($changes);
+
+        $this->connection->insert('audit_log', [
+            'id'           => Uuid::v7()->toRfc4122(),
+            'entity_type'  => $entityType,
+            'entity_id'    => $entityId,
+            'action'       => $action,
+            'changes'      => $filteredChanges,
+            'performed_by' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
+            'performed_at' => new DateTimeImmutable('now', new DateTimeZone('UTC')),
+            'ip_address'   => $this->requestStack->getCurrentRequest()?->getClientIp(),
+            'request_id'   => $this->requestIdProvider->getRequestId(),
+        ], [
+            'id'           => Types::GUID,
+            'changes'      => Types::JSON,
+            'performed_at' => Types::DATETIMETZ_IMMUTABLE,
+        ]);
+    }
+
+    /**
+     * Recursively removes sensitive keys from the payload.
+     *
+     * @param array<string, mixed> $data
+     *
+     * @return array<string, mixed>
+     */
+    private function stripSensitive(array $data): array
+    {
+        foreach ($data as $key => $value) {
+            if (in_array($key, self::SENSITIVE_KEYS, true)) {
+                unset($data[$key]);
+
+                continue;
+            }
+            if (is_array($value)) {
+                $data[$key] = $this->stripSensitive($value);
+            }
+        }
+
+        return $data;
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php b/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php
new file mode 100644
index 0000000..9521405
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Audit/RequestIdProvider.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Audit;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * Provides an HTTP request identifier (UUID v4) shared by every audit row
+ * produced during a single main request. Null in CLI (fixtures, batch).
+ */
+final class RequestIdProvider
+{
+    private ?string $requestId = null;
+
+    #[AsEventListener(event: 'kernel.request')]
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->requestId = Uuid::v4()->toRfc4122();
+    }
+
+    public function getRequestId(): ?string
+    {
+        return $this->requestId;
+    }
+}
-- 
2.39.5


From 8c3699a9b057caead854ae7857c16fb083cb06a3 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:05:34 +0200
Subject: [PATCH 39/99] feat(core) : add doctrine audit listener and mark core
 entities auditable

---
 src/Module/Core/Domain/Entity/Permission.php  |   2 +
 src/Module/Core/Domain/Entity/Role.php        |   2 +
 src/Module/Core/Domain/Entity/User.php        |   5 +
 .../Infrastructure/Doctrine/AuditListener.php | 513 ++++++++++++++++++
 .../Module/Core/AuditListenerTest.php         | 108 ++++
 5 files changed, 630 insertions(+)
 create mode 100644 src/Module/Core/Infrastructure/Doctrine/AuditListener.php
 create mode 100644 tests/Functional/Module/Core/AuditListenerTest.php

diff --git a/src/Module/Core/Domain/Entity/Permission.php b/src/Module/Core/Domain/Entity/Permission.php
index bbd70a5..907b0a0 100644
--- a/src/Module/Core/Domain/Entity/Permission.php
+++ b/src/Module/Core/Domain/Entity/Permission.php
@@ -8,10 +8,12 @@ use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use App\Module\Core\Infrastructure\Doctrine\DoctrinePermissionRepository;
+use App\Shared\Domain\Attribute\Auditable;
 use Doctrine\ORM\Mapping as ORM;
 use InvalidArgumentException;
 use Symfony\Component\Serializer\Attribute\Groups;
 
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrinePermissionRepository::class)]
 #[ORM\Table(name: 'permission')]
 #[ORM\Index(name: 'idx_permission_module', columns: ['module'])]
diff --git a/src/Module/Core/Domain/Entity/Role.php b/src/Module/Core/Domain/Entity/Role.php
index e837008..9022147 100644
--- a/src/Module/Core/Domain/Entity/Role.php
+++ b/src/Module/Core/Domain/Entity/Role.php
@@ -13,6 +13,7 @@ use ApiPlatform\Metadata\Post;
 use App\Module\Core\Domain\Exception\SystemRoleDeletionException;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\RoleProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository;
+use App\Shared\Domain\Attribute\Auditable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -20,6 +21,7 @@ use InvalidArgumentException;
 use Symfony\Component\Serializer\Attribute\Groups;
 use Symfony\Component\Serializer\Attribute\SerializedName;
 
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineRoleRepository::class)]
 #[ORM\Table(name: '`role`')]
 #[ORM\Index(name: 'idx_role_is_system', columns: ['is_system'])]
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 553e34a..6c699f5 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -16,6 +16,8 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -58,6 +60,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
+#[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
@@ -87,6 +90,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     private array $roles = [];
 
     #[ORM\Column]
+    #[AuditIgnore]
     private ?string $password = null;
 
     #[Groups(['user:write'])]
@@ -97,6 +101,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
 
     #[ORM\Column(length: 64, unique: true, nullable: true)]
     #[Groups(['me:read'])]
+    #[AuditIgnore]
     private ?string $apiToken = null;
 
     #[ORM\Column(length: 255, nullable: true)]
diff --git a/src/Module/Core/Infrastructure/Doctrine/AuditListener.php b/src/Module/Core/Infrastructure/Doctrine/AuditListener.php
new file mode 100644
index 0000000..c478cda
--- /dev/null
+++ b/src/Module/Core/Infrastructure/Doctrine/AuditListener.php
@@ -0,0 +1,513 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Doctrine;
+
+use App\Module\Core\Infrastructure\Audit\AuditLogWriter;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Attribute\AuditIgnore;
+use DateTimeInterface;
+use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\Event\OnFlushEventArgs;
+use Doctrine\ORM\Event\PostFlushEventArgs;
+use Doctrine\ORM\Events;
+use Doctrine\ORM\Mapping\ClassMetadata;
+use Doctrine\ORM\PersistentCollection;
+use Doctrine\ORM\UnitOfWork;
+use Psr\Log\LoggerInterface;
+use ReflectionClass;
+use ReflectionProperty;
+use Throwable;
+
+/**
+ * Listener Doctrine qui produit les lignes d'audit pour les entites portant
+ * l'attribut #[Auditable].
+ *
+ * Pipeline en deux temps :
+ *  1. onFlush : on traverse UnitOfWork (insertions / updates / deletions) et
+ *     on capture les changements en memoire. Aucune ecriture SQL cote audit
+ *     a ce stade pour ne pas interferer avec la transaction ORM en cours.
+ *  2. postFlush : on ecrit via AuditLogWriter (connexion DBAL dediee).
+ *
+ * Pattern swap-and-clear dans postFlush :
+ *  - on copie localement la liste des evenements ;
+ *  - on vide la propriete pendingLogs immediatement ;
+ *  - on itere la copie.
+ * Pourquoi : si une ecriture audit declenchait un flush re-entrant (cas rare,
+ * ex: callback listener externe), l'etat de pendingLogs serait deja nettoye —
+ * pas de double insertion, pas de boucle infinie.
+ *
+ * Erreurs silencieuses : un INSERT audit qui echoue est logue en error mais
+ * jamais propage. Acceptable pour un CRM interne ; a reconsiderer si besoin
+ * de garantie forte (dead-letter queue, retry).
+ *
+ * Collections (OneToMany / ManyToMany) :
+ *  - Les modifications de collections sont tracees via
+ *    `getScheduledCollectionUpdates()` et reportees comme un changement
+ *    `{fieldName: {added: [ids], removed: [ids]}}` dans le changeset de
+ *    l'entite proprietaire.
+ *  - Si l'entite proprietaire est deja scheduled pour insertion, la diff
+ *    est merge dans le snapshot create (en tant que liste d'IDs initiaux).
+ *  - Si l'entite proprietaire est scheduled pour deletion, les collections
+ *    associees sont ignorees (deja couvertes par le snapshot delete).
+ *
+ * Limitations connues :
+ *  - Les ManyToOne sont tracees par ID (null-safe via `?->getId()`).
+ *  - Les DELETE / UPDATE bulk DQL et les `Connection::executeStatement()`
+ *    bruts BYPASSENT le listener : onFlush n'est jamais appele. Toute
+ *    operation de purge/nettoyage qui doit etre auditee doit passer par
+ *    `EntityManager::remove()` + `flush()`. Si un futur batch (ex: commande
+ *    "purger users inactifs") utilise du DQL bulk, les suppressions ne
+ *    seront pas dans `audit_log` — choix d'architecture explicite a faire.
+ */
+#[AsDoctrineListener(event: Events::onFlush)]
+#[AsDoctrineListener(event: Events::postFlush)]
+final class AuditListener
+{
+    /**
+     * Cache par FQCN : true si la classe porte #[Auditable], false sinon.
+     * Evite une ReflectionClass par entite a chaque flush.
+     *
+     * @var array<class-string, bool>
+     */
+    private array $auditableCache = [];
+
+    /**
+     * Cache par FQCN : liste des noms de proprietes ignorees (#[AuditIgnore]).
+     *
+     * @var array<class-string, list<string>>
+     */
+    private array $ignoredPropertiesCache = [];
+
+    /**
+     * Logs en attente d'ecriture (remplis en onFlush, consommes en postFlush).
+     *
+     * Pour les inserts, l'ID est assignee DURANT le flush : on capture la
+     * reference de l'entite et on resout l'ID au moment du postFlush.
+     *
+     * @var list<array{entity: object, metadata: ClassMetadata, entityType: string, action: string, changes: array<string, mixed>, capturedId: ?string}>
+     */
+    private array $pendingLogs = [];
+
+    public function __construct(
+        private readonly AuditLogWriter $writer,
+        private readonly LoggerInterface $logger,
+    ) {}
+
+    public function onFlush(OnFlushEventArgs $args): void
+    {
+        /** @var EntityManagerInterface $em */
+        $em  = $args->getObjectManager();
+        $uow = $em->getUnitOfWork();
+
+        // Reset defensif en debut de cycle : si un flush precedent a leve une
+        // exception, Doctrine n'appelle PAS postFlush et pendingLogs reste
+        // rempli avec des changements jamais committes. Sans ce reset, un
+        // flush ulterieur reussi ecrirait les fausses entrees dans audit_log.
+        // Le swap-and-clear dans postFlush couvre deja les flushes re-entrants,
+        // ce reset ne le fragilise donc pas.
+        $this->pendingLogs = [];
+
+        foreach ($uow->getScheduledEntityInsertions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'create');
+        }
+
+        foreach ($uow->getScheduledEntityUpdates() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'update');
+        }
+
+        foreach ($uow->getScheduledEntityDeletions() as $entity) {
+            $this->capturePendingLog($entity, $em, $uow, 'delete');
+        }
+
+        // Collections to-many (OneToMany / ManyToMany) : `getEntityChangeSet()`
+        // ne les expose pas, il faut interroger `UnitOfWork` separement. On
+        // merge la diff dans le log de l'entite proprietaire si elle est deja
+        // scheduled, sinon on cree une entree "update" dediee.
+        foreach ($uow->getScheduledCollectionUpdates() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: false);
+        }
+
+        foreach ($uow->getScheduledCollectionDeletions() as $collection) {
+            $this->captureCollectionChange($collection, $em, cleared: true);
+        }
+    }
+
+    public function postFlush(PostFlushEventArgs $args): void
+    {
+        // Swap-and-clear : protege d'un flush re-entrant (aucune double
+        // insertion meme si un callback utilisateur re-declenche un flush).
+        $logs              = $this->pendingLogs;
+        $this->pendingLogs = [];
+
+        foreach ($logs as $log) {
+            // Pour les inserts, l'ID n'etait pas encore disponible en onFlush :
+            // on la resout maintenant (Doctrine l'a hydratee pendant le flush).
+            $entityId = $log['capturedId'] ?? $this->resolveEntityId($log['entity'], $log['metadata']);
+
+            if (null === $entityId) {
+                $this->logger->warning(
+                    'AuditListener : impossible de resoudre l\'ID de l\'entite apres flush, entree ignoree',
+                    ['entityType' => $log['entityType'], 'action' => $log['action']]
+                );
+
+                continue;
+            }
+
+            try {
+                $this->writer->log(
+                    $log['entityType'],
+                    $entityId,
+                    $log['action'],
+                    $log['changes'],
+                );
+            } catch (Throwable $e) {
+                // Erreur audit : logue mais ne crashe jamais le flux metier.
+                $this->logger->error(
+                    'Echec d\'ecriture audit_log',
+                    [
+                        'exception'  => $e,
+                        'entityType' => $log['entityType'],
+                        'entityId'   => $entityId,
+                        'action'     => $log['action'],
+                    ]
+                );
+            }
+        }
+    }
+
+    private function capturePendingLog(object $entity, EntityManagerInterface $em, UnitOfWork $uow, string $action): void
+    {
+        // Resolution via ClassMetadata : `$entity::class` renvoie le FQCN du
+        // proxy Doctrine pour une entite chargee en lazy (ex:
+        // `Proxies\__CG__\App\Module\Core\Domain\Entity\User`) — `isAuditable()`
+        // le verrait comme non-auditable car `#[Auditable]` n'est declare que
+        // sur la classe parente.
+        $metadata = $em->getClassMetadata($entity::class);
+        $class    = $metadata->getName();
+
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        // Sur `delete`, on inclut aussi les collections to-many dans le
+        // snapshot : c'est la derniere occasion de capturer l'etat complet
+        // (ex: quelles permissions etaient rattachees au role supprime).
+        // Sur `create`, les collections initiales sont rapportees via
+        // captureCollectionChange quand l'entite est scheduled avec un
+        // collection update dans le meme flush.
+        $changes = match ($action) {
+            'update' => $this->buildUpdateChanges($entity, $uow, $class),
+            'create' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: false),
+            'delete' => $this->buildSnapshot($entity, $metadata, $class, includeCollections: true),
+            default  => [],
+        };
+
+        if ('update' === $action && [] === $changes) {
+            // Flush sans changement reel sur une entite auditable : on n'emet pas.
+            return;
+        }
+
+        // Pour delete/update, l'ID est deja set en onFlush — on la capture
+        // maintenant (apres postFlush, l'entite detachee peut perdre sa ref
+        // dans l'identity map). Pour create (IDENTITY), l'ID est generee par
+        // le flush — on differe a postFlush.
+        $capturedId = 'create' === $action ? null : $this->resolveEntityId($entity, $metadata);
+
+        $this->pendingLogs[] = [
+            'entity'     => $entity,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => $action,
+            'changes'    => $changes,
+            'capturedId' => $capturedId,
+        ];
+    }
+
+    /**
+     * Capture la modification d'une collection to-many.
+     *
+     * Strategie de merge :
+     *  - Si l'entite proprietaire est deja scheduled pour `delete` → ignore
+     *    (redondant avec le snapshot delete deja produit).
+     *  - Si l'entite est deja scheduled pour `create` → on ajoute le champ
+     *    collection au snapshot initial, sous forme de liste d'IDs ajoutes.
+     *  - Si l'entite est deja scheduled pour `update` → on merge la diff
+     *    {added, removed} dans le changeset existant.
+     *  - Sinon → on cree une nouvelle entree `update` dediee pour l'entite
+     *    proprietaire (cas d'une collection modifiee sans autre changement
+     *    sur l'entite elle-meme, ex : ajout d'une permission a un role).
+     *
+     * @param bool $cleared true si la collection entiere est supprimee
+     *                      (getScheduledCollectionDeletions) — tous les
+     *                      items du snapshot sont consideres comme retires
+     */
+    private function captureCollectionChange(PersistentCollection $collection, EntityManagerInterface $em, bool $cleared): void
+    {
+        $owner = $collection->getOwner();
+        if (null === $owner) {
+            return;
+        }
+
+        // Voir capturePendingLog : meme contournement proxy Doctrine.
+        $class = $em->getClassMetadata($owner::class)->getName();
+        if (!$this->isAuditable($class)) {
+            return;
+        }
+
+        $fieldName = $collection->getMapping()->fieldName;
+        if (in_array($fieldName, $this->getIgnoredProperties($class), true)) {
+            return;
+        }
+
+        if ($cleared) {
+            $added   = [];
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getSnapshot(),
+            );
+        } else {
+            $added = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getInsertDiff(),
+            );
+            $removed = array_map(
+                fn ($item): mixed => $this->normalizeValue($item),
+                $collection->getDeleteDiff(),
+            );
+        }
+
+        if ([] === $added && [] === $removed) {
+            return;
+        }
+
+        // Chercher un log deja en attente pour cette entite, pour merger la
+        // diff au lieu de creer une entree d'audit redondante.
+        foreach ($this->pendingLogs as $idx => $log) {
+            if ($log['entity'] !== $owner) {
+                continue;
+            }
+
+            if ('delete' === $log['action']) {
+                // Deletion de l'entite : la collection suit mecaniquement,
+                // pas d'entree dediee (le snapshot delete contient deja
+                // l'etat a supprimer).
+                return;
+            }
+
+            if ('create' === $log['action']) {
+                // Insertion : le snapshot create ne contient pas les
+                // collections (buildSnapshot ignore les to-many). On ajoute
+                // donc la liste des items initiaux comme IDs, pour avoir
+                // une trace complete de l'etat a la creation. array_values
+                // garantit un array JSON (pas un objet) si les cles du diff
+                // ne sont pas sequentielles.
+                $this->pendingLogs[$idx]['changes'][$fieldName] = array_values($added);
+
+                return;
+            }
+
+            // Update : on merge dans le changeset existant.
+            $this->pendingLogs[$idx]['changes'][$fieldName] = [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ];
+
+            return;
+        }
+
+        // Aucun log existant : l'entite n'a eu QUE des changements de
+        // collection. On cree une entree update minimale.
+        $metadata = $em->getClassMetadata($class);
+
+        $this->pendingLogs[] = [
+            'entity'     => $owner,
+            'metadata'   => $metadata,
+            'entityType' => $this->formatEntityType($class),
+            'action'     => 'update',
+            'changes'    => [$fieldName => [
+                'added'   => array_values($added),
+                'removed' => array_values($removed),
+            ]],
+            'capturedId' => $this->resolveEntityId($owner, $metadata),
+        ];
+    }
+
+    /**
+     * Build du changeset "update" : {champ: {old, new}} a partir de
+     * `UnitOfWork::getEntityChangeSet()`. ManyToOne : on log l'ID,
+     * null-safe via `?->getId()`.
+     *
+     * @return array<string, array{old: mixed, new: mixed}>
+     */
+    private function buildUpdateChanges(object $entity, UnitOfWork $uow, string $class): array
+    {
+        $changeSet       = $uow->getEntityChangeSet($entity);
+        $ignored         = $this->getIgnoredProperties($class);
+        $filteredChanges = [];
+
+        foreach ($changeSet as $field => [$oldValue, $newValue]) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $filteredChanges[$field] = [
+                'old' => $this->normalizeValue($oldValue),
+                'new' => $this->normalizeValue($newValue),
+            ];
+        }
+
+        return $filteredChanges;
+    }
+
+    /**
+     * Build d'un snapshot complet (create / delete) : lit toutes les
+     * proprietes non-ignorees via Reflection.
+     *
+     * @param bool $includeCollections si true, les associations to-many sont
+     *                                 aussi snapshotees (liste d'IDs). Utilise
+     *                                 uniquement sur `delete` pour preserver
+     *                                 l'etat des relations au moment de la
+     *                                 suppression. En create, on laisse
+     *                                 captureCollectionChange enrichir le
+     *                                 snapshot si une collection est modifiee
+     *                                 dans le meme flush.
+     *
+     * @return array<string, mixed>
+     */
+    private function buildSnapshot(object $entity, ClassMetadata $metadata, string $class, bool $includeCollections): array
+    {
+        $ignored  = $this->getIgnoredProperties($class);
+        $snapshot = [];
+
+        foreach ($metadata->getFieldNames() as $field) {
+            if (in_array($field, $ignored, true)) {
+                continue;
+            }
+
+            $snapshot[$field] = $this->normalizeValue($metadata->getFieldValue($entity, $field));
+        }
+
+        foreach ($metadata->getAssociationNames() as $assoc) {
+            if (in_array($assoc, $ignored, true)) {
+                continue;
+            }
+
+            if ($metadata->isSingleValuedAssociation($assoc)) {
+                $related          = $metadata->getFieldValue($entity, $assoc);
+                $snapshot[$assoc] = null !== $related && method_exists($related, 'getId')
+                    ? $related->getId()
+                    : null;
+
+                continue;
+            }
+
+            if (!$includeCollections) {
+                continue;
+            }
+
+            // Collection to-many : snapshot = liste d'IDs. On itere la
+            // Collection (PersistentCollection ou ArrayCollection) pour
+            // obtenir les elements. Pour un delete, la collection est deja
+            // chargee (Doctrine en a besoin pour les cascades).
+            $collection = $metadata->getFieldValue($entity, $assoc);
+            if (!is_iterable($collection)) {
+                continue;
+            }
+            $ids = [];
+            foreach ($collection as $item) {
+                $ids[] = $this->normalizeValue($item);
+            }
+            $snapshot[$assoc] = $ids;
+        }
+
+        return $snapshot;
+    }
+
+    private function isAuditable(string $class): bool
+    {
+        if (array_key_exists($class, $this->auditableCache)) {
+            return $this->auditableCache[$class];
+        }
+
+        $reflection                   = new ReflectionClass($class);
+        $isAuditable                  = [] !== $reflection->getAttributes(Auditable::class);
+        $this->auditableCache[$class] = $isAuditable;
+
+        return $isAuditable;
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function getIgnoredProperties(string $class): array
+    {
+        if (array_key_exists($class, $this->ignoredPropertiesCache)) {
+            return $this->ignoredPropertiesCache[$class];
+        }
+
+        $ignored    = [];
+        $reflection = new ReflectionClass($class);
+
+        foreach ($reflection->getProperties(ReflectionProperty::IS_PROTECTED | ReflectionProperty::IS_PRIVATE | ReflectionProperty::IS_PUBLIC) as $property) {
+            if ([] !== $property->getAttributes(AuditIgnore::class)) {
+                $ignored[] = $property->getName();
+            }
+        }
+
+        $this->ignoredPropertiesCache[$class] = $ignored;
+
+        return $ignored;
+    }
+
+    /**
+     * Transforme un FQCN `App\Module\Core\Domain\Entity\User` en `core.User`.
+     *
+     * Format `module.Entity` pour eviter les collisions inter-modules.
+     */
+    private function formatEntityType(string $class): string
+    {
+        if (1 === preg_match('#^App\\\Module\\\(?<module>[^\\\]+)\\\.+\\\(?<entity>[^\\\]+)$#', $class, $matches)) {
+            return strtolower($matches['module']).'.'.$matches['entity'];
+        }
+
+        // Fallback : on retourne le FQCN complet si la regex ne matche pas
+        // (entite hors structure modulaire — ne devrait pas arriver).
+        return $class;
+    }
+
+    private function resolveEntityId(object $entity, ClassMetadata $metadata): ?string
+    {
+        $identifier = $metadata->getIdentifierValues($entity);
+        if ([] === $identifier) {
+            return null;
+        }
+
+        // Cle composee : on concatene les valeurs. Cas rare sur le projet.
+        return implode('-', array_map(static fn ($v) => (string) $v, $identifier));
+    }
+
+    /**
+     * Normalise une valeur pour encodage JSON stable.
+     */
+    private function normalizeValue(mixed $value): mixed
+    {
+        if ($value instanceof DateTimeInterface) {
+            return $value->format(DateTimeInterface::ATOM);
+        }
+
+        if (is_object($value)) {
+            // Relation to-one non parsee par buildSnapshot (cas update sur
+            // un champ qui devient un objet) : on tente getId() si possible.
+            if (method_exists($value, 'getId')) {
+                return $value->getId();
+            }
+
+            return (string) $value;
+        }
+
+        return $value;
+    }
+}
diff --git a/tests/Functional/Module/Core/AuditListenerTest.php b/tests/Functional/Module/Core/AuditListenerTest.php
new file mode 100644
index 0000000..48e979b
--- /dev/null
+++ b/tests/Functional/Module/Core/AuditListenerTest.php
@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class AuditListenerTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+    private Connection $auditConnection;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container             = self::getContainer();
+        $this->em              = $container->get(EntityManagerInterface::class);
+        $this->auditConnection = $container->get('doctrine.dbal.audit_connection');
+        // Clean slate for deterministic assertions: these tests are not wrapped
+        // in a rolled-back transaction, so remove any leftover rows from a
+        // previous run before each test.
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username LIKE 'audit\\_%'");
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+        unset($this->em, $this->auditConnection);
+    }
+
+    public function testCreateUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_create_user');
+        $this->em->persist($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('create', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('username', $changes);
+        self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
+        self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
+    }
+
+    public function testUpdateUserIsAuditedWithDiff(): void
+    {
+        $user = $this->makeUser('audit_update_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $user->setFirstName('Changed');
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', (string) $user->getId());
+        self::assertCount(1, $rows);
+        self::assertSame('update', $rows[0]['action']);
+        $changes = json_decode((string) $rows[0]['changes'], true);
+        self::assertArrayHasKey('firstName', $changes);
+        self::assertSame('Changed', $changes['firstName']['new']);
+    }
+
+    public function testDeleteUserIsAudited(): void
+    {
+        $user = $this->makeUser('audit_delete_user');
+        $this->em->persist($user);
+        $this->em->flush();
+        $id = (string) $user->getId();
+        $this->auditConnection->executeStatement('DELETE FROM audit_log');
+
+        $this->em->remove($user);
+        $this->em->flush();
+
+        $rows = $this->fetchLogs('core.User', $id);
+        self::assertCount(1, $rows);
+        self::assertSame('delete', $rows[0]['action']);
+    }
+
+    private function makeUser(string $username): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+
+        return $user;
+    }
+
+    /**
+     * @return list<array<string, mixed>>
+     */
+    private function fetchLogs(string $entityType, string $entityId): array
+    {
+        return $this->auditConnection->fetchAllAssociative(
+            'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
+            ['t' => $entityType, 'id' => $entityId],
+        );
+    }
+}
-- 
2.39.5


From 90b8ca15cdeb01202ccce31860b877ac4e392848 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:09:55 +0200
Subject: [PATCH 40/99] feat(core) : expose read-only audit-logs api with dbal
 provider and pagination

---
 .../Core/Application/DTO/AuditLogOutput.php   |  30 +++
 src/Module/Core/CoreModule.php                |   1 +
 .../ApiPlatform/Pagination/DbalPaginator.php  |  74 ++++++
 .../Resource/AuditLogEntityTypesResource.php  |  34 +++
 .../ApiPlatform/Resource/AuditLogResource.php |  54 ++++
 .../Provider/AuditLogEntityTypesProvider.php  |  35 +++
 .../State/Provider/AuditLogProvider.php       | 247 ++++++++++++++++++
 .../Module/Core/AuditLogApiTest.php           | 140 ++++++++++
 tests/Unit/Module/Core/CoreModuleTest.php     |   8 +
 9 files changed, 623 insertions(+)
 create mode 100644 src/Module/Core/Application/DTO/AuditLogOutput.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
 create mode 100644 src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
 create mode 100644 tests/Functional/Module/Core/AuditLogApiTest.php

diff --git a/src/Module/Core/Application/DTO/AuditLogOutput.php b/src/Module/Core/Application/DTO/AuditLogOutput.php
new file mode 100644
index 0000000..d84ad5a
--- /dev/null
+++ b/src/Module/Core/Application/DTO/AuditLogOutput.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Application\DTO;
+
+use DateTimeImmutable;
+
+/**
+ * DTO de sortie pour une ligne d'audit.
+ *
+ * Readonly : aucune mutation possible apres hydration. La resource API
+ * Platform expose directement ce DTO (pas d'entite sous-jacente car la
+ * table audit_log n'est pas geree par l'ORM).
+ */
+final readonly class AuditLogOutput
+{
+    public function __construct(
+        public string $id,
+        public string $entityType,
+        public string $entityId,
+        public string $action,
+        /** @var array<string, mixed> */
+        public array $changes,
+        public string $performedBy,
+        public DateTimeImmutable $performedAt,
+        public ?string $ipAddress,
+        public ?string $requestId,
+    ) {}
+}
diff --git a/src/Module/Core/CoreModule.php b/src/Module/Core/CoreModule.php
index 587b3db..f6db729 100644
--- a/src/Module/Core/CoreModule.php
+++ b/src/Module/Core/CoreModule.php
@@ -36,6 +36,7 @@ final class CoreModule implements ModuleInterface
             ['code' => 'core.roles.view', 'label' => 'Voir les rôles RBAC'],
             ['code' => 'core.roles.manage', 'label' => 'Gérer les rôles et permissions'],
             ['code' => 'core.permissions.view', 'label' => 'Consulter le catalogue des permissions RBAC'],
+            ['code' => 'core.audit_log.view', 'label' => 'Consulter le journal d\'audit'],
         ];
     }
 }
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php b/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
new file mode 100644
index 0000000..adda23c
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Pagination/DbalPaginator.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Pagination;
+
+use ApiPlatform\State\Pagination\PaginatorInterface;
+use ArrayIterator;
+use IteratorAggregate;
+use Traversable;
+
+/**
+ * Paginator pour resources alimentees par DBAL (pas par Doctrine ORM).
+ *
+ * Implemente PaginatorInterface : API Platform l'introspecte pour generer
+ * automatiquement la section `hydra:view` (first / next / previous / last)
+ * dans la reponse JSON-LD. Aucun calcul manuel de liens.
+ *
+ * @template T of object
+ *
+ * @implements PaginatorInterface<T>
+ */
+final readonly class DbalPaginator implements PaginatorInterface, IteratorAggregate
+{
+    /**
+     * @param list<T> $items        Items deja decoupes sur la page courante
+     * @param int     $currentPage  Page courante (1-indexee)
+     * @param int     $itemsPerPage Limite appliquee a la requete SQL
+     * @param int     $totalItems   Resultat du COUNT(*) sans limite
+     */
+    public function __construct(
+        private array $items,
+        private int $currentPage,
+        private int $itemsPerPage,
+        private int $totalItems,
+    ) {}
+
+    public function getCurrentPage(): float
+    {
+        return (float) $this->currentPage;
+    }
+
+    public function getLastPage(): float
+    {
+        if ($this->itemsPerPage <= 0) {
+            return 1.0;
+        }
+
+        return (float) max(1, (int) ceil($this->totalItems / $this->itemsPerPage));
+    }
+
+    public function getItemsPerPage(): float
+    {
+        return (float) $this->itemsPerPage;
+    }
+
+    public function getTotalItems(): float
+    {
+        return (float) $this->totalItems;
+    }
+
+    public function count(): int
+    {
+        return count($this->items);
+    }
+
+    /**
+     * @return Traversable<int, T>
+     */
+    public function getIterator(): Traversable
+    {
+        return new ArrayIterator($this->items);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
new file mode 100644
index 0000000..5892f6c
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogEntityTypesResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogEntityTypesProvider;
+
+/**
+ * Retourne la liste des valeurs distinctes de `entity_type` presentes dans
+ * `audit_log`, pour alimenter le filtre multi-selection cote front (journal
+ * d'audit). La liste evolue automatiquement avec les nouvelles entites
+ * `#[Auditable]` au fil des ecritures.
+ */
+#[ApiResource(
+    shortName: 'AuditLogEntityTypes',
+    operations: [
+        new Get(
+            uriTemplate: '/audit-log-entity-types',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogEntityTypesProvider::class,
+        ),
+    ],
+)]
+final class AuditLogEntityTypesResource
+{
+    /** @param list<string> $entityTypes */
+    public function __construct(
+        public readonly string $id = 'entity-types',
+        public readonly array $entityTypes = [],
+    ) {}
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
new file mode 100644
index 0000000..4879894
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/Resource/AuditLogResource.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\AuditLogProvider;
+
+/**
+ * Resource API Platform en lecture seule sur le journal d'audit.
+ *
+ * Aucune operation d'ecriture exposee (POST/PUT/PATCH/DELETE -> 405)
+ * conformement au caractere append-only de la table `audit_log`.
+ *
+ * La resource est un simple porteur de metadonnees #[ApiResource] ; le
+ * provider lit via DBAL et retourne directement des instances du DTO
+ * `AuditLogOutput` (declare via `output:`). La table n'est pas geree par
+ * l'ORM : aucune entite Doctrine n'est necessaire ici.
+ *
+ * Filtres query-param supportes par le provider :
+ *   ?entity_type=core.User
+ *   ?entity_id=42
+ *   ?action=update
+ *   ?performed_by=admin
+ *   ?performed_at[after]=2026-04-01T00:00:00Z
+ *   ?performed_at[before]=2026-04-30T23:59:59Z
+ *
+ * La pagination herite du standard global (10 items / page, max 50, cf.
+ * `config/packages/api_platform.yaml`). Elle est materialisee par le
+ * DbalPaginator du provider qui implemente PaginatorInterface — API Platform
+ * genere automatiquement hydra:view sans construction manuelle.
+ */
+#[ApiResource(
+    shortName: 'AuditLog',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/audit-logs',
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+        new Get(
+            uriTemplate: '/audit-logs/{id}',
+            requirements: ['id' => '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'],
+            security: "is_granted('core.audit_log.view')",
+            provider: AuditLogProvider::class,
+        ),
+    ],
+    output: AuditLogOutput::class,
+)]
+final class AuditLogResource {}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
new file mode 100644
index 0000000..eee33e5
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogEntityTypesProvider.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Infrastructure\ApiPlatform\Resource\AuditLogEntityTypesResource;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL : SELECT DISTINCT entity_type FROM audit_log.
+ *
+ * @implements ProviderInterface<AuditLogEntityTypesResource>
+ */
+final readonly class AuditLogEntityTypesProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogEntityTypesResource
+    {
+        /** @var list<string> $types */
+        $types = $this->connection
+            ->executeQuery('SELECT DISTINCT entity_type FROM audit_log ORDER BY entity_type ASC')
+            ->fetchFirstColumn()
+        ;
+
+        return new AuditLogEntityTypesResource(entityTypes: $types);
+    }
+}
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
new file mode 100644
index 0000000..7cc3126
--- /dev/null
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Provider/AuditLogProvider.php
@@ -0,0 +1,247 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Provider;
+
+use ApiPlatform\Metadata\CollectionOperationInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\Pagination\Pagination;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Core\Application\DTO\AuditLogOutput;
+use App\Module\Core\Infrastructure\ApiPlatform\Pagination\DbalPaginator;
+use DateTimeImmutable;
+use Doctrine\DBAL\ArrayParameterType;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Query\QueryBuilder;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Provider API Platform pour la resource AuditLog.
+ *
+ * Lit la table `audit_log` via DBAL (pas d'entite ORM). Retourne soit :
+ *  - une instance unique d'AuditLogOutput (operation Get) ;
+ *  - un DbalPaginator de AuditLogOutput (operation GetCollection).
+ *
+ * Le paginator implementant PaginatorInterface laisse API Platform generer
+ * automatiquement la section `hydra:view` : aucune manipulation manuelle.
+ *
+ * Connexion DBAL : `default` (lecture — aucun besoin de la connexion `audit`
+ * reservee a l'ecriture hors transaction ORM).
+ */
+final readonly class AuditLogProvider implements ProviderInterface
+{
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+        private Pagination $pagination,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): AuditLogOutput|DbalPaginator|null
+    {
+        if (!$operation instanceof CollectionOperationInterface) {
+            return $this->provideItem((string) $uriVariables['id']);
+        }
+
+        return $this->provideCollection($operation, $context);
+    }
+
+    private function provideItem(string $id): ?AuditLogOutput
+    {
+        /** @var array<string, mixed>|false $row */
+        $row = $this->connection->fetchAssociative(
+            'SELECT id, entity_type, entity_id, action, changes, performed_by, performed_at, ip_address, request_id
+             FROM audit_log WHERE id = :id',
+            ['id' => $id],
+        );
+
+        if (false === $row) {
+            return null;
+        }
+
+        return $this->hydrate($row);
+    }
+
+    /**
+     * @param array<string, mixed> $context
+     */
+    private function provideCollection(Operation $operation, array $context): DbalPaginator
+    {
+        // Contrairement aux ressources ORM (cf. CategoryProvider), ce provider
+        // ne gere PAS l'echappatoire `?pagination=false` : la pagination y est
+        // toujours forcee. `audit_log` est une table append-only a croissance
+        // infinie — la dumper entierement saturerait memoire/reseau et n'a aucun
+        // usage front (pas de <select> alimente par l'audit). Le flag global
+        // `pagination_client_enabled: true` reste donc volontairement inerte ici.
+        //
+        // `page` brut peut etre <= 0 (parametre client) → OFFSET negatif → 500 PG
+        // (`SQLSTATE[22023] OFFSET must not be negative`). API Platform clampe
+        // `itemsPerPage` au max de la resource mais pas `page` ; on impose un
+        // minimum a 1 cote provider.
+        $page         = max(1, $this->pagination->getPage($context));
+        $itemsPerPage = $this->pagination->getLimit($operation, $context);
+        $offset       = ($page - 1) * $itemsPerPage;
+        $filters      = $this->extractFilters($context['filters'] ?? []);
+
+        $dataQuery = $this->buildBaseQuery()
+            ->select('id', 'entity_type', 'entity_id', 'action', 'changes', 'performed_by', 'performed_at', 'ip_address', 'request_id')
+            ->orderBy('performed_at', 'DESC')
+            // Tie-breaker sur `id` (UUID v7 monotone) : garantit un tri
+            // totalement deterministe quand plusieurs lignes partagent la
+            // meme timestamp (ex: batch fixture, bulk flush < 1µs).
+            ->addOrderBy('id', 'DESC')
+            ->setFirstResult($offset)
+            ->setMaxResults($itemsPerPage)
+        ;
+
+        $countQuery = $this->buildBaseQuery()->select('COUNT(*)');
+
+        $this->applyFilters($dataQuery, $filters);
+        $this->applyFilters($countQuery, $filters);
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows       = $dataQuery->executeQuery()->fetchAllAssociative();
+        $totalItems = (int) $countQuery->executeQuery()->fetchOne();
+
+        $items = array_map(fn (array $row) => $this->hydrate($row), $rows);
+
+        return new DbalPaginator($items, $page, $itemsPerPage, $totalItems);
+    }
+
+    private function buildBaseQuery(): QueryBuilder
+    {
+        return $this->connection->createQueryBuilder()->from('audit_log');
+    }
+
+    /**
+     * @param array<string, mixed> $raw
+     *
+     * @return array{entity_type?: list<string>|string, entity_id?: string, action?: string, performed_by?: string, performed_at_after?: string, performed_at_before?: string}
+     */
+    private function extractFilters(array $raw): array
+    {
+        $filters = [];
+
+        // `entity_type` accepte soit une chaine, soit une liste (query syntax
+        // `entity_type[]=core.User&entity_type[]=core.Role`) pour le filtre
+        // multi-selection cote front. On normalise en list<string> non-vide.
+        if (isset($raw['entity_type'])) {
+            if (is_string($raw['entity_type']) && '' !== $raw['entity_type']) {
+                $filters['entity_type'] = $raw['entity_type'];
+            } elseif (is_array($raw['entity_type'])) {
+                $cleaned = array_values(array_filter(
+                    $raw['entity_type'],
+                    static fn ($v): bool => is_string($v) && '' !== $v,
+                ));
+                if ([] !== $cleaned) {
+                    $filters['entity_type'] = $cleaned;
+                }
+            }
+        }
+
+        foreach (['entity_id', 'performed_by'] as $key) {
+            if (isset($raw[$key]) && is_string($raw[$key]) && '' !== $raw[$key]) {
+                $filters[$key] = $raw[$key];
+            }
+        }
+
+        // `action` : whitelist stricte. Un input hors-liste provoquait avant
+        // un simple match vide (resultat 0 ligne) mais permettait d'incrementer
+        // le log applicatif a chaque variation ; on rejette en 400 explicite.
+        if (isset($raw['action']) && is_string($raw['action']) && '' !== $raw['action']) {
+            if (!in_array($raw['action'], ['create', 'update', 'delete'], true)) {
+                throw new BadRequestHttpException(
+                    'Filtre "action" invalide : valeurs autorisees create|update|delete.',
+                );
+            }
+            $filters['action'] = $raw['action'];
+        }
+
+        // Filtres de plage `performed_at[after]` / `performed_at[before]`.
+        // Sans validation, un input malforme remonte jusqu'a Postgres qui
+        // leve `SQLSTATE[22007]: invalid input syntax for type timestamp` →
+        // 500 Internal Server Error, log Monolog pollue, mauvaise UX API.
+        // On valide en amont et on rejette en 400 explicite.
+        if (isset($raw['performed_at']) && is_array($raw['performed_at'])) {
+            $range = $raw['performed_at'];
+            foreach (['after', 'before'] as $bound) {
+                if (!isset($range[$bound]) || !is_string($range[$bound]) || '' === $range[$bound]) {
+                    continue;
+                }
+                if (false === strtotime($range[$bound])) {
+                    throw new BadRequestHttpException(sprintf(
+                        'Filtre "performed_at[%s]" invalide : date ISO 8601 attendue (ex: 2026-04-22T00:00:00Z).',
+                        $bound,
+                    ));
+                }
+                $filters['performed_at_'.$bound] = $range[$bound];
+            }
+        }
+
+        return $filters;
+    }
+
+    /**
+     * @param array<string, list<string>|string> $filters
+     */
+    private function applyFilters(QueryBuilder $qb, array $filters): void
+    {
+        if (isset($filters['entity_type'])) {
+            if (is_array($filters['entity_type'])) {
+                $qb->andWhere('entity_type IN (:entity_types)')
+                    ->setParameter('entity_types', $filters['entity_type'], ArrayParameterType::STRING)
+                ;
+            } else {
+                $qb->andWhere('entity_type = :entity_type')->setParameter('entity_type', $filters['entity_type']);
+            }
+        }
+        if (isset($filters['entity_id'])) {
+            $qb->andWhere('entity_id = :entity_id')->setParameter('entity_id', $filters['entity_id']);
+        }
+        if (isset($filters['action'])) {
+            $qb->andWhere('action = :action')->setParameter('action', $filters['action']);
+        }
+        if (isset($filters['performed_by'])) {
+            // Recherche contains insensible a la casse pour matcher "adm" → "admin".
+            // On echappe `%`, `_` et `\` saisis par l'utilisateur pour qu'ils soient
+            // interpretes comme caracteres litteraux (sinon `%` matche tout, `_`
+            // matche n'importe quel caractere). Pas de clause ESCAPE : `\` est
+            // deja le caractere d'echappement LIKE par defaut en PostgreSQL.
+            $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $filters['performed_by']);
+            $qb->andWhere('performed_by ILIKE :performed_by')
+                ->setParameter('performed_by', '%'.$escaped.'%')
+            ;
+        }
+        if (isset($filters['performed_at_after'])) {
+            $qb->andWhere('performed_at >= :performed_at_after')->setParameter('performed_at_after', $filters['performed_at_after']);
+        }
+        if (isset($filters['performed_at_before'])) {
+            $qb->andWhere('performed_at <= :performed_at_before')->setParameter('performed_at_before', $filters['performed_at_before']);
+        }
+    }
+
+    /**
+     * @param array<string, mixed> $row
+     */
+    private function hydrate(array $row): AuditLogOutput
+    {
+        /** @var string $rawChanges */
+        $rawChanges = $row['changes'] ?? '{}';
+
+        /** @var array<string, mixed> $changes */
+        $changes = is_array($rawChanges) ? $rawChanges : json_decode((string) $rawChanges, true, 512, JSON_THROW_ON_ERROR);
+
+        return new AuditLogOutput(
+            id: (string) $row['id'],
+            entityType: (string) $row['entity_type'],
+            entityId: (string) $row['entity_id'],
+            action: (string) $row['action'],
+            changes: $changes,
+            performedBy: (string) $row['performed_by'],
+            performedAt: new DateTimeImmutable((string) $row['performed_at']),
+            ipAddress: null !== $row['ip_address'] ? (string) $row['ip_address'] : null,
+            requestId: null !== $row['request_id'] ? (string) $row['request_id'] : null,
+        );
+    }
+}
diff --git a/tests/Functional/Module/Core/AuditLogApiTest.php b/tests/Functional/Module/Core/AuditLogApiTest.php
new file mode 100644
index 0000000..2900857
--- /dev/null
+++ b/tests/Functional/Module/Core/AuditLogApiTest.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Core;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\Uid\Uuid;
+
+/**
+ * @internal
+ */
+final class AuditLogApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'alice');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanListAuditLogs(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+        self::assertArrayHasKey('totalItems', $data);
+        self::assertGreaterThanOrEqual(3, $data['totalItems']);
+    }
+
+    public function testFilterByActionReturnsOnlyMatchingEntries(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=update');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('update', $entry['action']);
+        }
+    }
+
+    public function testFilterByEntityType(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?entity_type=core.User');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        foreach ($data['member'] as $entry) {
+            self::assertSame('core.User', $entry['entityType']);
+        }
+    }
+
+    public function testInvalidActionFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->seedAuditLog();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/audit-logs?action=bogus');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    /**
+     * Insert deterministic audit rows directly through the audit connection.
+     *
+     * The table audit_log has no ORM entity (written via raw DBAL), so we
+     * clean and seed it via the dedicated connection. These tests are not
+     * wrapped in a rolled-back transaction, hence the upfront DELETE.
+     */
+    private function seedAuditLog(): void
+    {
+        /** @var Connection $audit */
+        $audit = self::getContainer()->get('doctrine.dbal.audit_connection');
+        $audit->executeStatement('DELETE FROM audit_log');
+
+        $rows = [
+            ['core.User', 'create', '{"username":"seed-create"}'],
+            ['core.User', 'update', '{"firstName":{"old":"a","new":"b"}}'],
+            ['core.Role', 'delete', '{}'],
+        ];
+
+        $performedAt = '2026-04-22 10:00:00';
+        foreach ($rows as $i => [$entityType, $action, $changes]) {
+            $audit->insert('audit_log', [
+                'id'           => Uuid::v7()->toRfc4122(),
+                'entity_type'  => $entityType,
+                'entity_id'    => (string) ($i + 1),
+                'action'       => $action,
+                'changes'      => $changes,
+                'performed_by' => 'admin',
+                'performed_at' => $performedAt,
+                'ip_address'   => '127.0.0.1',
+                'request_id'   => 'req-'.$i,
+            ]);
+        }
+    }
+
+    private function loginUser(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Unit/Module/Core/CoreModuleTest.php b/tests/Unit/Module/Core/CoreModuleTest.php
index e6a9f11..6c8bc9f 100644
--- a/tests/Unit/Module/Core/CoreModuleTest.php
+++ b/tests/Unit/Module/Core/CoreModuleTest.php
@@ -32,4 +32,12 @@ final class CoreModuleTest extends TestCase
             self::assertArrayHasKey('label', $permission);
         }
     }
+
+    public function testPermissionsExposeAuditLogView(): void
+    {
+        $codes = array_column(CoreModule::permissions(), 'code');
+
+        self::assertCount(6, $codes);
+        self::assertContains('core.audit_log.view', $codes);
+    }
 }
-- 
2.39.5


From e7af415a1f1e720ed064ffc7f47622e55f3cbb69 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:15:13 +0200
Subject: [PATCH 41/99] feat(core) : add audit log consultation tab in admin
 gated by permission

---
 frontend/components/admin/AdminAuditTab.vue  | 158 +++++++++++++++++++
 frontend/i18n/locales/fr.json                |  30 ++++
 frontend/modules/core/services/audit-logs.ts |  63 ++++++++
 frontend/pages/admin.vue                     |   3 +
 4 files changed, 254 insertions(+)
 create mode 100644 frontend/components/admin/AdminAuditTab.vue
 create mode 100644 frontend/modules/core/services/audit-logs.ts

diff --git a/frontend/components/admin/AdminAuditTab.vue b/frontend/components/admin/AdminAuditTab.vue
new file mode 100644
index 0000000..351144d
--- /dev/null
+++ b/frontend/components/admin/AdminAuditTab.vue
@@ -0,0 +1,158 @@
+<template>
+    <div>
+        <div class="flex items-center justify-between">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('admin.audit.title') }}</h2>
+        </div>
+
+        <div class="mt-4 flex flex-wrap gap-4">
+            <MalioSelect
+                v-model="entityTypeFilter"
+                :options="entityTypeOptions"
+                :label="$t('admin.audit.filterEntityType')"
+                :empty-option-label="$t('admin.audit.filterEntityTypeAll')"
+                group-class="w-64"
+            />
+            <MalioSelect
+                v-model="actionFilter"
+                :options="actionOptions"
+                :label="$t('admin.audit.filterAction')"
+                :empty-option-label="$t('admin.audit.filterActionAll')"
+                group-class="w-64"
+            />
+        </div>
+
+        <DataTable
+            :columns="columns"
+            :items="rows"
+            :loading="isLoading"
+            :empty-message="$t('admin.audit.empty')"
+        >
+            <template #cell-performedAt="{ item }">
+                {{ formatDate(item.performedAt) }}
+            </template>
+            <template #cell-entityType="{ item }">
+                {{ entityTypeLabel(item.entityType) }}
+            </template>
+            <template #cell-action="{ item }">
+                {{ actionLabel(item.action) }}
+            </template>
+        </DataTable>
+
+        <div class="mt-4 flex items-center justify-between">
+            <span class="text-sm text-neutral-500">{{ $t('admin.audit.page', { page }) }}</span>
+            <div class="flex gap-2">
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.previous')"
+                    :disabled="page <= 1 || isLoading"
+                    @click="goToPage(page - 1)"
+                />
+                <MalioButton
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('admin.audit.next')"
+                    :disabled="!hasNextPage || isLoading"
+                    @click="goToPage(page + 1)"
+                />
+            </div>
+        </div>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { AuditLogAction, AuditLogItem } from '~/modules/core/services/audit-logs'
+import { useAuditLogService } from '~/modules/core/services/audit-logs'
+
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t, te } = useI18n()
+
+const PAGE_SIZE = 30
+
+const columns = computed<DataTableColumn[]>(() => [
+    { key: 'performedAt', label: t('admin.audit.date'), primary: true },
+    { key: 'performedBy', label: t('admin.audit.performedBy') },
+    { key: 'entityType', label: t('admin.audit.entityType') },
+    { key: 'action', label: t('admin.audit.action') },
+    { key: 'entityId', label: t('admin.audit.entityId') },
+])
+
+const actionOptions = computed<{ value: AuditLogAction, label: string }[]>(() => [
+    { value: 'create', label: t('audit.action.create') },
+    { value: 'update', label: t('audit.action.update') },
+    { value: 'delete', label: t('audit.action.delete') },
+])
+
+const auditLogService = useAuditLogService()
+
+const rows = ref<AuditLogItem[]>([])
+const entityTypes = ref<string[]>([])
+const totalItems = ref(0)
+const page = ref(1)
+const isLoading = ref(true)
+const entityTypeFilter = ref<string | null>(null)
+const actionFilter = ref<AuditLogAction | null>(null)
+
+const entityTypeOptions = computed<{ value: string, label: string }[]>(() =>
+    entityTypes.value.map((value) => ({ value, label: entityTypeLabel(value) })),
+)
+
+const hasNextPage = computed(() => page.value * PAGE_SIZE < totalItems.value)
+
+function entityTypeLabel(value: string): string {
+    const key = `audit.entity.${value}`
+    return te(key) ? t(key) : value
+}
+
+function actionLabel(action: AuditLogAction): string {
+    return t(`audit.action.${action}`)
+}
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+        hour: '2-digit',
+        minute: '2-digit',
+    })
+}
+
+async function loadItems() {
+    isLoading.value = true
+    try {
+        const result = await auditLogService.list({
+            page: page.value,
+            entityType: entityTypeFilter.value ?? undefined,
+            action: actionFilter.value ?? undefined,
+        })
+        rows.value = result.items
+        totalItems.value = result.totalItems
+    } finally {
+        isLoading.value = false
+    }
+}
+
+async function loadEntityTypes() {
+    entityTypes.value = await auditLogService.entityTypes()
+}
+
+function goToPage(target: number) {
+    if (target < 1) {
+        return
+    }
+    page.value = target
+    loadItems()
+}
+
+watch([entityTypeFilter, actionFilter], () => {
+    page.value = 1
+    loadItems()
+})
+
+onMounted(() => {
+    loadItems()
+    loadEntityTypes()
+})
+</script>
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 321bfed..6d3f47e 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -214,6 +214,36 @@
             "created": "Rôle créé avec succès.",
             "updated": "Rôle mis à jour avec succès.",
             "deleted": "Rôle supprimé avec succès."
+        },
+        "audit": {
+            "title": "Audit",
+            "empty": "Aucune entrée d'audit trouvée.",
+            "date": "Date",
+            "performedBy": "Utilisateur",
+            "entityType": "Type d'entité",
+            "action": "Action",
+            "entityId": "Identifiant",
+            "filterEntityType": "Type d'entité",
+            "filterEntityTypeAll": "Tous les types",
+            "filterAction": "Action",
+            "filterActionAll": "Toutes les actions",
+            "previous": "Précédent",
+            "next": "Suivant",
+            "page": "Page {page}"
+        }
+    },
+    "audit": {
+        "entity": {
+            "core": {
+                "User": "Utilisateur",
+                "Role": "Rôle",
+                "Permission": "Permission"
+            }
+        },
+        "action": {
+            "create": "Création",
+            "update": "Modification",
+            "delete": "Suppression"
         }
     },
     "timeEntries": {
diff --git a/frontend/modules/core/services/audit-logs.ts b/frontend/modules/core/services/audit-logs.ts
new file mode 100644
index 0000000..832bc7b
--- /dev/null
+++ b/frontend/modules/core/services/audit-logs.ts
@@ -0,0 +1,63 @@
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type AuditLogAction = 'create' | 'update' | 'delete'
+
+export type AuditLogItem = {
+    id: string
+    '@id'?: string
+    entityType: string
+    entityId: string
+    action: AuditLogAction
+    changes: Record<string, unknown>
+    performedBy: string
+    performedAt: string
+    ipAddress: string | null
+    requestId: string | null
+}
+
+export type AuditLogQuery = {
+    page?: number
+    entityType?: string
+    action?: AuditLogAction
+}
+
+export type AuditLogPage = {
+    items: AuditLogItem[]
+    totalItems: number
+}
+
+export type AuditLogEntityType = {
+    '@id'?: string
+    value: string
+}
+
+export function useAuditLogService() {
+    const api = useApi()
+
+    async function list(params: AuditLogQuery = {}): Promise<AuditLogPage> {
+        const query: Record<string, unknown> = {}
+        if (params.page !== undefined) {
+            query.page = params.page
+        }
+        if (params.entityType) {
+            query.entity_type = params.entityType
+        }
+        if (params.action) {
+            query.action = params.action
+        }
+
+        const data = await api.get<HydraCollection<AuditLogItem>>('/audit-logs', query)
+        return {
+            items: extractHydraMembers(data),
+            totalItems: data['hydra:totalItems'] ?? data['totalItems'] ?? 0,
+        }
+    }
+
+    async function entityTypes(): Promise<string[]> {
+        const data = await api.get<HydraCollection<AuditLogEntityType>>('/audit-log-entity-types')
+        return extractHydraMembers(data).map((entry) => entry.value)
+    }
+
+    return { list, entityTypes }
+}
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index f371f09..668db4e 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -28,6 +28,7 @@
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
             <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
+            <AdminAuditTab v-if="activeTab === 'audit' && canViewAudit" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
             <AdminBookStackTab v-if="activeTab === 'bookstack'" />
             <AdminZimbraTab v-if="activeTab === 'zimbra'" />
@@ -46,6 +47,7 @@ const { can } = usePermissions()
 const { t } = useI18n()
 
 const canViewRoles = computed(() => can('core.roles.view'))
+const canViewAudit = computed(() => can('core.audit_log.view'))
 
 const tabs = [
     { key: 'clients', label: 'Clients' },
@@ -55,6 +57,7 @@ const tabs = [
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
     { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
+    { key: 'audit', label: t('admin.audit.title'), permission: 'core.audit_log.view' },
     { key: 'gitea', label: 'Gitea' },
     { key: 'bookstack', label: 'BookStack' },
     { key: 'zimbra', label: 'Zimbra' },
-- 
2.39.5


From 9b26b43aca395562a730e2d24b15d6717ba65808 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:18:22 +0200
Subject: [PATCH 42/99] fix(core) : align audit entity-types front service with
 single-resource api shape

---
 frontend/modules/core/services/audit-logs.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/frontend/modules/core/services/audit-logs.ts b/frontend/modules/core/services/audit-logs.ts
index 832bc7b..3af46d7 100644
--- a/frontend/modules/core/services/audit-logs.ts
+++ b/frontend/modules/core/services/audit-logs.ts
@@ -27,9 +27,9 @@ export type AuditLogPage = {
     totalItems: number
 }
 
-export type AuditLogEntityType = {
+export type AuditLogEntityTypes = {
     '@id'?: string
-    value: string
+    entityTypes: string[]
 }
 
 export function useAuditLogService() {
@@ -55,8 +55,10 @@ export function useAuditLogService() {
     }
 
     async function entityTypes(): Promise<string[]> {
-        const data = await api.get<HydraCollection<AuditLogEntityType>>('/audit-log-entity-types')
-        return extractHydraMembers(data).map((entry) => entry.value)
+        // `/audit-log-entity-types` is a single API Platform item resource
+        // (not a hydra collection): it returns `{ entityTypes: string[] }`.
+        const data = await api.get<AuditLogEntityTypes>('/audit-log-entity-types')
+        return data.entityTypes ?? []
     }
 
     return { list, entityTypes }
-- 
2.39.5


From 7686904c43d255a2be9e65ac7bc1737ad3acb4c3 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 21:19:27 +0200
Subject: [PATCH 43/99] docs : log LST-61 audit log session learnings

---
 .claude/skills/ticket-executor/LEARNINGS.md | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.claude/skills/ticket-executor/LEARNINGS.md b/.claude/skills/ticket-executor/LEARNINGS.md
index c833a48..7e9fca6 100644
--- a/.claude/skills/ticket-executor/LEARNINGS.md
+++ b/.claude/skills/ticket-executor/LEARNINGS.md
@@ -145,3 +145,25 @@
 - **MCP status**: Toujours mettre "En cours" AVANT de commencer, "Terminé" APRÈS validation
 - **PostgreSQL gotchas**: Tester les queries SQL avec agrégation + locking sur PostgreSQL, pas MySQL
 - **Agents**: Les agents simples (1-3 fichiers) terminent en ~30s, les complexes (22 fichiers) en ~8min
+
+## Session 2026-06-19 (LST-61 / 1.3 — Audit log : #[Auditable], audit_log, AuditListener, resource)
+
+### Contexte
+- Plan TDD dédié (`docs/superpowers/plans/2026-06-19-lst-61-audit-log.md`, Tasks A→F). Exécution : 1 sous-agent par task (A, B, C, D, E) en séquence, vérif + smoke par la session principale entre chaque ; Task F (validation finale + correctif front + learnings + push + statut) en direct.
+- Infra portée VERBATIM depuis Starseed (réf canonique `/home/matthieu/dev_malio/Starseed`) : `AuditListener` byte-identique (`diff -q` OK), + 6 fichiers API (DTO/paginator/providers/resources) copiés tels quels — namespaces `App\Module\Core\...` et `App\Shared\Domain\Attribute\...` DÉJÀ alignés entre les deux projets, zéro adaptation.
+- 6 commits impl (`934cf08` A, `d8553f0` B, `8c3699a` C, `90b8ca1` D, `e7af415` E, `9b26b43` fix front) + plan `fda03bd`. Tests : 147→157 verts. Branche `feat/lst-61-audit-log` empilée sur `feat/lst-57-rbac-fin`.
+
+### Patterns
+- **Audit en 4 couches additives** : (1) marquage déclaratif `#[Auditable]`(TARGET_CLASS) / `#[AuditIgnore]`(TARGET_PROPERTY) dans `src/Shared/Domain/Attribute/` (Shared, pas Core → aucun module n'a de dépendance circulaire) ; (2) capture `AuditListener` Doctrine sur `onFlush` (lit `UnitOfWork` : insertions/updates/deletions + `getScheduledCollectionUpdates/Deletions` pour le M2M) puis `postFlush` (écrit, swap-and-clear anti-réentrance) ; (3) écriture `AuditLogWriter` sur connexion DBAL dédiée `audit` (hors transaction ORM → survit aux rollbacks) ; (4) lecture `AuditLogProvider` DBAL (pas d'entité ORM) + `DbalPaginator implements PaginatorInterface` (API Platform génère `hydra:view` seul).
+- **Connexion DBAL dédiée + `schema_filter`** : restructurer `doctrine.yaml` de connexion unique → `connections: {default, audit}` (même DSN), `default_connection: default`, `schema_filter: '~^(?!audit_log$).+~'` sur `default` (la table n'a PAS d'entité → exclue de `migrations:diff`/`schema:validate`). Le bloc `orm` reste INCHANGÉ (l'EM par défaut se lie à `default_connection`). En `when@test`, propager `dbname_suffix` aux DEUX connexions (sinon `audit` écrit en base dev pendant que l'ORM écrit en test).
+- **Table append-only hors ORM** : créée par migration manuelle (squelette via `doctrine:migrations:generate` puis contenu écrit à la main — JAMAIS `migrations:diff`, qui ne voit pas la table). `id uuid` natif PG, `changes JSONB`, `performed_at TIMESTAMP(6) WITH TIME ZONE`. UUID v7 (writer, tri monotone) / v4 (requestId par requête HTTP). `entity_type` au format `module.Entity` (regex `App\Module\<module>\...\<Entity>` → `core.User`).
+- **Marquage scope = entités migrées** : `#[Auditable]` posé sur User/Role/Permission (Core) uniquement ; `#[AuditIgnore]` sur `User.password` ET `User.apiToken` (Lesstime n'a pas de `plainPassword`). Défense en profondeur : `AuditLogWriter::SENSITIVE_KEYS` strippe aussi `password/plainPassword/apiToken/token/secret`. Les entités métier legacy (`src/Entity/*`) seront marquées à leur migration en modules (2.x).
+
+### Gotchas
+- **Tests fonctionnels Lesstime SANS rollback transactionnel** (pas de DAMADoctrineTestBundle) : les entités persistées survivent d'un run à l'autre → violation d'unicité `username`. Convention projet : `uniqid()` OU nettoyage explicite en `setUp()` (`DELETE FROM "user" WHERE username LIKE 'audit\_%'`). Les données d'audit de test se seedent directement via `doctrine.dbal.audit_connection` (DELETE + inserts UUID v7) pour du déterministe.
+- **`migrations:diff` génère un fichier jetable** même quand on ne veut que vérifier : toujours supprimer le `Version<ts>.php` non suivi créé après un diff de contrôle (`git ls-files --others migrations/`). Une dérive préexistante `messenger_messages` (DROP) pollue le diff — sans rapport, ne pas committer.
+- **`/audit-log-entity-types` = ressource item unique, pas une collection** : `Get` API Platform avec `uriTemplate` fixe sans `{id}` → renvoie `{ entityTypes: string[] }` (PAS d'enveloppe hydra `member`). Le service front ne doit PAS passer par `extractHydraMembers` ici (bug livré par le sous-agent E, corrigé en `9b26b43`). `/audit-logs` en revanche est bien une collection paginée hydra.
+- **Login en curl = `/login_check` (POST), pas `/api/login`** ; le JWT json_login est capricieux en curl pur (405/cookie). La preuve d'auth faisant autorité reste le test fonctionnel (client `loginUser()`), pas un smoke curl.
+
+### Time-tracking / orchestration
+- **Interdire explicitement aux sous-agents de toucher au MCP lesstime** (timer + statut ticket) : un sous-agent a spontanément créé/stoppé une time entry (1016) alors que le chrono est piloté par la session principale. Ajouter la consigne « NE TOUCHE PAS au time-tracking » dans chaque prompt de sous-agent. Pas de conflit ici (il avait stoppé l'actif avant), mais découpage involontaire.
-- 
2.39.5


From a88cb1bc351bf1a259374c5bba5df798e4ff57fd Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Fri, 19 Jun 2026 22:39:26 +0200
Subject: [PATCH 44/99] fix(core) : harden review findings (me-provider null
 guard, audit-ignore plainpassword, rbac self-edit guard, module id dedup,
 audit pagination guard)

---
 frontend/components/admin/AdminAuditTab.vue       |  4 +++-
 src/Module/Core/Domain/Entity/User.php            |  1 +
 .../ApiPlatform/State/MeProvider.php              |  9 +++++++--
 .../State/Processor/UserRbacProcessor.php         | 15 ++++++++++++++-
 src/Shared/Domain/Module/ModuleRegistry.php       |  9 +++++++--
 5 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/frontend/components/admin/AdminAuditTab.vue b/frontend/components/admin/AdminAuditTab.vue
index 351144d..58608f8 100644
--- a/frontend/components/admin/AdminAuditTab.vue
+++ b/frontend/components/admin/AdminAuditTab.vue
@@ -98,7 +98,9 @@ const entityTypeOptions = computed<{ value: string, label: string }[]>(() =>
     entityTypes.value.map((value) => ({ value, label: entityTypeLabel(value) })),
 )
 
-const hasNextPage = computed(() => page.value * PAGE_SIZE < totalItems.value)
+// PAGE_SIZE must match the API default page size. The full-page guard keeps the
+// "next" button accurate even on the last (partial) page.
+const hasNextPage = computed(() => rows.value.length >= PAGE_SIZE && page.value * PAGE_SIZE < totalItems.value)
 
 function entityTypeLabel(value: string): string {
     const key = `audit.entity.${value}`
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 6c699f5..8a9dd35 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -94,6 +94,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     private ?string $password = null;
 
     #[Groups(['user:write'])]
+    #[AuditIgnore]
     private ?string $plainPassword = null;
 
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
index 8e973bb..520e239 100644
--- a/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/MeProvider.php
@@ -8,6 +8,7 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\Module\Core\Domain\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 
 /**
  * @implements ProviderInterface<User>
@@ -20,7 +21,11 @@ final readonly class MeProvider implements ProviderInterface
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): User
     {
-        // @var User $user
-        return $this->security->getUser();
+        $user = $this->security->getUser();
+        if (!$user instanceof User) {
+            throw new UnauthorizedHttpException('Bearer', 'Not authenticated.');
+        }
+
+        return $user;
     }
 }
diff --git a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
index 4658423..5381e1a 100644
--- a/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
+++ b/src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php
@@ -8,6 +8,8 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 use function assert;
 
@@ -16,12 +18,23 @@ use function assert;
  */
 final readonly class UserRbacProcessor implements ProcessorInterface
 {
-    public function __construct(private EntityManagerInterface $em) {}
+    public function __construct(
+        private EntityManagerInterface $em,
+        private Security $security,
+    ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): User
     {
         assert($data instanceof User);
 
+        // Defense-in-depth: a user may never edit their OWN RBAC assignment
+        // through this endpoint, even with core.users.manage — this prevents
+        // self-escalation if the permission is ever delegated to a non-admin.
+        $current = $this->security->getUser();
+        if ($current instanceof User && $current->getId() === $data->getId()) {
+            throw new AccessDeniedHttpException('You cannot edit your own RBAC assignment.');
+        }
+
         $this->em->persist($data);
         $this->em->flush();
 
diff --git a/src/Shared/Domain/Module/ModuleRegistry.php b/src/Shared/Domain/Module/ModuleRegistry.php
index 6c212bb..b0ce7e0 100644
--- a/src/Shared/Domain/Module/ModuleRegistry.php
+++ b/src/Shared/Domain/Module/ModuleRegistry.php
@@ -17,9 +17,14 @@ final class ModuleRegistry
     {
         $ids = [];
         foreach ($moduleClasses as $moduleClass) {
-            if (is_a($moduleClass, ModuleInterface::class, true)) {
-                $ids[] = $moduleClass::id();
+            if (!is_a($moduleClass, ModuleInterface::class, true)) {
+                continue;
             }
+            $id = $moduleClass::id();
+            if (in_array($id, $ids, true)) {
+                throw new InvalidArgumentException(sprintf('Module ID "%s" déclaré plusieurs fois dans la configuration des modules.', $id));
+            }
+            $ids[] = $id;
         }
 
         return $ids;
-- 
2.39.5


From d1516c3f5d1de7e5a39efd6d76c5ba5497302985 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 16:16:13 +0200
Subject: [PATCH 45/99] feat(time-tracking) : migrate TimeEntry into
 TimeTracking module (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First business module of Phase 2 (LST-64, rodage). Strangler-style,
additive move — no behavioural change to the public API or MCP tools.

- New module App\Module\TimeTracking (TimeTrackingModule, id "time-tracking",
  declares time-tracking.entries.view/export permissions in the RBAC catalog;
  operation security left on ROLE_USER, not re-wired here).
- Move TimeEntry entity, repository (now interface + Doctrine impl bound in
  services.yaml), ActiveTimeEntryProvider, export service/controller and the
  4 MCP TimeEntry tools into the module. #[ApiResource] (operations, security,
  uriTemplates /time_entries/*), filters and serialization groups preserved.
- Doctrine mapping "TimeTracking" added; table time_entry unchanged.
- Sidebar item gated with module "time-tracking" (SidebarFilter disables the
  route when the module is inactive).
- Timestampable/Blamable adopted (first adopter): additive migration adds
  created_at/updated_at/created_by/updated_by (nullable, FK SET NULL) +
  COMMENT ON COLUMN. Functional test confirms created_at on persist and
  updated_at refresh on update — the suspected preUpdate recompute issue does
  not occur (Doctrine ORM 3.6.2 recomputes change sets after preUpdate).

159 tests green, schema mapping valid, php-cs-fixer clean.
---
 config/modules.php                            |   2 +
 config/packages/doctrine.yaml                 |   5 +
 config/services.yaml                          |   2 +
 config/sidebar.php                            |   2 +-
 migrations/Version20260620161036.php          |  52 ++++++++
 src/DataFixtures/AppFixtures.php              |   2 +-
 src/Mcp/Tool/Serializer.php                   |   2 +-
 .../TimeTracking/Domain}/Entity/TimeEntry.php |  18 ++-
 .../TimeEntryRepositoryInterface.php          |  35 ++++++
 .../State/ActiveTimeEntryProvider.php         |   8 +-
 .../Controller/TimeEntryExportController.php  |   8 +-
 .../Doctrine/DoctrineTimeEntryRepository.php} |  12 +-
 .../Export}/TimeEntryExportService.php        |   4 +-
 .../Mcp/Tool}/CreateTimeEntryTool.php         |   8 +-
 .../Mcp/Tool}/DeleteTimeEntryTool.php         |   8 +-
 .../Mcp/Tool}/ListTimeEntriesTool.php         |   6 +-
 .../Mcp/Tool}/UpdateTimeEntryTool.php         |   8 +-
 .../TimeTracking/TimeTrackingModule.php       |  41 +++++++
 .../TimeEntryTimestampableTest.php            | 111 ++++++++++++++++++
 19 files changed, 298 insertions(+), 36 deletions(-)
 create mode 100644 migrations/Version20260620161036.php
 rename src/{ => Module/TimeTracking/Domain}/Entity/TimeEntry.php (90%)
 create mode 100644 src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
 rename src/{ => Module/TimeTracking/Infrastructure/ApiPlatform}/State/ActiveTimeEntryProvider.php (72%)
 rename src/{ => Module/TimeTracking/Infrastructure}/Controller/TimeEntryExportController.php (94%)
 rename src/{Repository/TimeEntryRepository.php => Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php} (83%)
 rename src/{Service => Module/TimeTracking/Infrastructure/Export}/TimeEntryExportService.php (99%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/CreateTimeEntryTool.php (93%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/DeleteTimeEntryTool.php (80%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/ListTimeEntriesTool.php (91%)
 rename src/{Mcp/Tool/TimeEntry => Module/TimeTracking/Infrastructure/Mcp/Tool}/UpdateTimeEntryTool.php (92%)
 create mode 100644 src/Module/TimeTracking/TimeTrackingModule.php
 create mode 100644 tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php

diff --git a/config/modules.php b/config/modules.php
index dc628c1..8ca723b 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -8,7 +8,9 @@ declare(strict_types=1);
  */
 
 use App\Module\Core\CoreModule;
+use App\Module\TimeTracking\TimeTrackingModule;
 
 return [
     CoreModule::class,
+    TimeTrackingModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index e5da762..0baaedd 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -34,6 +34,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Core/Domain/Entity'
                 prefix: 'App\Module\Core\Domain\Entity'
+            TimeTracking:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/TimeTracking/Domain/Entity'
+                prefix: 'App\Module\TimeTracking\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/services.yaml b/config/services.yaml
index bf453f6..a2f46b5 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -73,4 +73,6 @@ services:
 
     App\Module\Core\Domain\Repository\RoleRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineRoleRepository'
 
+    App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface: '@App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/config/sidebar.php b/config/sidebar.php
index afd9826..dcdeb4d 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -22,7 +22,7 @@ return [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
             ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline'],
             ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline'],
-            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline'],
+            ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
         ],
     ],
     [
diff --git a/migrations/Version20260620161036.php b/migrations/Version20260620161036.php
new file mode 100644
index 0000000..b494795
--- /dev/null
+++ b/migrations/Version20260620161036.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * TimeTracking module (2.1): add Timestampable/Blamable columns to time_entry.
+ *
+ * TimeEntry is the first adopter of TimestampableBlamableTrait. This migration
+ * is purely additive — nullable columns + nullable FK to "user" with
+ * ON DELETE SET NULL. No DROP/ALTER on existing data. Columns are lowercase
+ * snake_case. Hand-written to guarantee zero destructive instruction.
+ */
+final class Version20260620161036 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'TimeTracking: add timestampable/blamable columns to time_entry (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE time_entry ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE time_entry ADD CONSTRAINT FK_6E537C0CDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE time_entry ADD CONSTRAINT FK_6E537C0C16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_6E537C0CDE12AB56 ON time_entry (created_by)');
+        $this->addSql('CREATE INDEX IDX_6E537C0C16FE72E1 ON time_entry (updated_by)');
+        $this->addSql("COMMENT ON COLUMN time_entry.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN time_entry.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE time_entry DROP CONSTRAINT FK_6E537C0CDE12AB56');
+        $this->addSql('ALTER TABLE time_entry DROP CONSTRAINT FK_6E537C0C16FE72E1');
+        $this->addSql('DROP INDEX IDX_6E537C0CDE12AB56');
+        $this->addSql('DROP INDEX IDX_6E537C0C16FE72E1');
+        $this->addSql('ALTER TABLE time_entry DROP created_at');
+        $this->addSql('ALTER TABLE time_entry DROP updated_at');
+        $this->addSql('ALTER TABLE time_entry DROP created_by');
+        $this->addSql('ALTER TABLE time_entry DROP updated_by');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index ebe5aa6..1649a55 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -17,7 +17,6 @@ use App\Entity\TaskPriority;
 use App\Entity\TaskRecurrence;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
-use App\Entity\TimeEntry;
 use App\Entity\Workflow;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\AbsenceStatus;
@@ -27,6 +26,7 @@ use App\Enum\RecurrenceType;
 use App\Enum\StatusCategory;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use DateTimeImmutable;
 use DateTimeZone;
 use Doctrine\Bundle\FixturesBundle\Fixture;
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index 400f278..964c451 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -16,8 +16,8 @@ use App\Entity\TaskGroup;
 use App\Entity\TaskPriority;
 use App\Entity\TaskStatus;
 use App\Entity\TaskTag;
-use App\Entity\TimeEntry;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use Doctrine\Common\Collections\Collection;
 
 /**
diff --git a/src/Entity/TimeEntry.php b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
similarity index 90%
rename from src/Entity/TimeEntry.php
rename to src/Module/TimeTracking/Domain/Entity/TimeEntry.php
index 6b6e724..4d8d1bb 100644
--- a/src/Entity/TimeEntry.php
+++ b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\TimeTracking\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\DateFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
@@ -13,9 +13,15 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TimeEntryRepository;
+use App\Entity\Project;
+use App\Entity\Task;
+use App\Entity\TaskTag;
+use App\Module\TimeTracking\Infrastructure\ApiPlatform\State\ActiveTimeEntryProvider;
+use App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\ActiveTimeEntryProvider;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -52,10 +58,12 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ApiFilter(SearchFilter::class, properties: ['user' => 'exact', 'project' => 'exact', 'tags' => 'exact'])]
 #[ApiFilter(DateFilter::class, properties: ['startedAt'])]
-#[ORM\Entity(repositoryClass: TimeEntryRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTimeEntryRepository::class)]
 #[ORM\UniqueConstraint(name: 'uniq_active_timer', columns: ['user_id'], options: ['where' => '(stopped_at IS NULL)'])]
-class TimeEntry
+class TimeEntry implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
new file mode 100644
index 0000000..ebaa188
--- /dev/null
+++ b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\TimeTracking\Domain\Repository;
+
+use App\Entity\Project;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\QueryBuilder;
+
+interface TimeEntryRepositoryInterface
+{
+    public function createQueryBuilder(string $alias, ?string $indexBy = null): QueryBuilder;
+
+    public function findById(int $id): ?TimeEntry;
+
+    public function findActiveByUser(UserInterface $user): ?TimeEntry;
+
+    /**
+     * @param null|UserInterface[] $users
+     * @param null|Project[]       $projects
+     * @param null|int[]           $tagIds
+     *
+     * @return TimeEntry[]
+     */
+    public function findForExport(
+        DateTimeImmutable $after,
+        DateTimeImmutable $before,
+        ?array $users = null,
+        ?array $projects = null,
+        ?array $tagIds = null,
+    ): array;
+}
diff --git a/src/State/ActiveTimeEntryProvider.php b/src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
similarity index 72%
rename from src/State/ActiveTimeEntryProvider.php
rename to src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
index f366ec7..f04cfca 100644
--- a/src/State/ActiveTimeEntryProvider.php
+++ b/src/Module/TimeTracking/Infrastructure/ApiPlatform/State/ActiveTimeEntryProvider.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\TimeTracking\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\TimeEntry;
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**
@@ -17,7 +17,7 @@ final readonly class ActiveTimeEntryProvider implements ProviderInterface
 {
     public function __construct(
         private Security $security,
-        private TimeEntryRepository $timeEntryRepository,
+        private TimeEntryRepositoryInterface $timeEntryRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
diff --git a/src/Controller/TimeEntryExportController.php b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
similarity index 94%
rename from src/Controller/TimeEntryExportController.php
rename to src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
index aa5ba15..5dcf02e 100644
--- a/src/Controller/TimeEntryExportController.php
+++ b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\TimeTracking\Infrastructure\Controller;
 
 use App\Entity\Project;
 use App\Module\Core\Domain\Entity\User;
-use App\Repository\TimeEntryRepository;
-use App\Service\TimeEntryExportService;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Module\TimeTracking\Infrastructure\Export\TimeEntryExportService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Exception;
@@ -23,7 +23,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class TimeEntryExportController extends AbstractController
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly TimeEntryExportService $exportService,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
diff --git a/src/Repository/TimeEntryRepository.php b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
similarity index 83%
rename from src/Repository/TimeEntryRepository.php
rename to src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
index 3dd9880..b824f22 100644
--- a/src/Repository/TimeEntryRepository.php
+++ b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
@@ -2,10 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\TimeTracking\Infrastructure\Doctrine;
 
 use App\Entity\Project;
-use App\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
@@ -14,13 +15,18 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<TimeEntry>
  */
-class TimeEntryRepository extends ServiceEntityRepository
+class DoctrineTimeEntryRepository extends ServiceEntityRepository implements TimeEntryRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, TimeEntry::class);
     }
 
+    public function findById(int $id): ?TimeEntry
+    {
+        return $this->find($id);
+    }
+
     public function findActiveByUser(UserInterface $user): ?TimeEntry
     {
         return $this->findOneBy([
diff --git a/src/Service/TimeEntryExportService.php b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
similarity index 99%
rename from src/Service/TimeEntryExportService.php
rename to src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
index f078f3a..031776c 100644
--- a/src/Service/TimeEntryExportService.php
+++ b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\TimeTracking\Infrastructure\Export;
 
-use App\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use DateTimeImmutable;
 use PhpOffice\PhpSpreadsheet\Cell\Coordinate;
 use PhpOffice\PhpSpreadsheet\Spreadsheet;
diff --git a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
similarity index 93%
rename from src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
index ced019e..1055472 100644
--- a/src/Mcp/Tool/TimeEntry/CreateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Entity\TimeEntry;
 use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\TimeEntryRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -29,7 +29,7 @@ class CreateTimeEntryTool
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
similarity index 80%
rename from src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
index 2e50a0f..dd5f13a 100644
--- a/src/Mcp/Tool/TimeEntry/DeleteTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/DeleteTimeEntryTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteTimeEntryTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteTimeEntryTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $entry = $this->timeEntryRepository->find($id);
+        $entry = $this->timeEntryRepository->findById($id);
 
         if (null === $entry) {
             throw new InvalidArgumentException(sprintf('TimeEntry with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
similarity index 91%
rename from src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
index 243e8a7..50a54b3 100644
--- a/src/Mcp/Tool/TimeEntry/ListTimeEntriesTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\TimeEntryRepository;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use DateTimeImmutable;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -15,7 +15,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTimeEntriesTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
similarity index 92%
rename from src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php
rename to src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
index c164fc9..fa67cf1 100644
--- a/src/Mcp/Tool/TimeEntry/UpdateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TimeEntry;
+namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use App\Repository\ProjectRepository;
 use App\Repository\TaskRepository;
 use App\Repository\TaskTagRepository;
-use App\Repository\TimeEntryRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -22,7 +22,7 @@ use function sprintf;
 class UpdateTimeEntryTool
 {
     public function __construct(
-        private readonly TimeEntryRepository $timeEntryRepository,
+        private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly ProjectRepository $projectRepository,
         private readonly TaskRepository $taskRepository,
         private readonly TaskTagRepository $taskTagRepository,
@@ -47,7 +47,7 @@ class UpdateTimeEntryTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $entry = $this->timeEntryRepository->find($id);
+        $entry = $this->timeEntryRepository->findById($id);
 
         if (null === $entry) {
             throw new InvalidArgumentException(sprintf('TimeEntry with ID %d not found.', $id));
diff --git a/src/Module/TimeTracking/TimeTrackingModule.php b/src/Module/TimeTracking/TimeTrackingModule.php
new file mode 100644
index 0000000..d7982d0
--- /dev/null
+++ b/src/Module/TimeTracking/TimeTrackingModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\TimeTracking;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class TimeTrackingModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'time-tracking';
+    }
+
+    public static function label(): string
+    {
+        return 'Suivi des temps';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module TimeTracking (2.1).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'time-tracking.entries.view', 'label' => 'Voir les saisies de temps'],
+            ['code' => 'time-tracking.entries.export', 'label' => 'Exporter les saisies de temps'],
+        ];
+    }
+}
diff --git a/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php b/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php
new file mode 100644
index 0000000..fc8211a
--- /dev/null
+++ b/tests/Functional/Module/TimeTracking/TimeEntryTimestampableTest.php
@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\TimeTracking;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * TimeEntry is the first adopter of TimestampableBlamableTrait.
+ * Verifies the TimestampableBlamableSubscriber populates created_at on
+ * persist and refreshes updated_at on update.
+ *
+ * @internal
+ */
+final class TimeEntryTimestampableTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+        // Clean slate for deterministic assertions: these tests are not wrapped
+        // in a rolled-back transaction.
+        $this->em->getConnection()->executeStatement("DELETE FROM time_entry WHERE title = 'ts-test-entry'");
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username = 'ts_test_user'");
+    }
+
+    protected function tearDown(): void
+    {
+        $this->em->getConnection()->executeStatement("DELETE FROM time_entry WHERE title = 'ts-test-entry'");
+        $this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username = 'ts_test_user'");
+        parent::tearDown();
+        unset($this->em);
+    }
+
+    public function testCreatedAtIsSetOnPersist(): void
+    {
+        $entry = $this->makeEntry();
+        $this->em->persist($entry);
+        $this->em->flush();
+
+        self::assertInstanceOf(DateTimeImmutable::class, $entry->getCreatedAt(), 'createdAt must be set after flush');
+        self::assertInstanceOf(DateTimeImmutable::class, $entry->getUpdatedAt(), 'updatedAt must be set after flush');
+
+        // Confirm it was actually persisted to the DB, not just the in-memory object.
+        $this->em->clear();
+        $reloaded = $this->em->getRepository(TimeEntry::class)->find($entry->getId());
+        self::assertNotNull($reloaded);
+        self::assertNotNull($reloaded->getCreatedAt(), 'created_at must be persisted in DB');
+    }
+
+    public function testUpdatedAtIsRefreshedOnUpdate(): void
+    {
+        $entry = $this->makeEntry();
+        $this->em->persist($entry);
+        $this->em->flush();
+
+        $entryId          = $entry->getId();
+        $initialUpdatedAt = $entry->getUpdatedAt();
+        self::assertNotNull($initialUpdatedAt);
+
+        // Force a distinguishable timestamp by backdating the persisted value,
+        // so the preUpdate refresh is observable even within the same second.
+        $this->em->getConnection()->executeStatement(
+            "UPDATE time_entry SET updated_at = '2000-01-01 00:00:00' WHERE id = :id",
+            ['id' => $entryId],
+        );
+        $this->em->clear();
+
+        /** @var TimeEntry $managed */
+        $managed = $this->em->getRepository(TimeEntry::class)->find($entryId);
+        self::assertSame('2000-01-01 00:00:00', $managed->getUpdatedAt()?->format('Y-m-d H:i:s'));
+
+        // Mutate a tracked field and flush -> preUpdate must refresh updated_at.
+        $managed->setTitle('ts-test-entry');
+        $managed->setDescription('changed description');
+        $this->em->flush();
+        $this->em->clear();
+
+        /** @var TimeEntry $reloaded */
+        $reloaded = $this->em->getRepository(TimeEntry::class)->find($entryId);
+        self::assertNotNull($reloaded->getUpdatedAt());
+        self::assertNotSame(
+            '2000-01-01 00:00:00',
+            $reloaded->getUpdatedAt()->format('Y-m-d H:i:s'),
+            'updated_at must be refreshed and persisted on UPDATE',
+        );
+    }
+
+    private function makeEntry(): TimeEntry
+    {
+        $user = new User();
+        $user->setUsername('ts_test_user');
+        $user->setPassword('hashed-secret');
+        $user->setRoles(['ROLE_USER']);
+        $this->em->persist($user);
+
+        $entry = new TimeEntry();
+        $entry->setUser($user);
+        $entry->setTitle('ts-test-entry');
+        $entry->setStartedAt(new DateTimeImmutable());
+
+        return $entry;
+    }
+}
-- 
2.39.5


From 1b652ef680d0dece7b35eccb8d5f4b1ca4d97be6 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 16:16:49 +0200
Subject: [PATCH 46/99] feat(time-tracking) : extract time-tracking front into
 Nuxt module layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Companion to the backend module migration (LST-64). The Nuxt layer is
auto-detected from frontend/modules/* — no nuxt.config change needed.

- Move page, timer store, time-entries service + DTO and the 6 time-tracking
  components into frontend/modules/time-tracking/.
- Rewrite explicit service/DTO imports to ~/modules/time-tracking/* (store and
  components stay auto-imported); update the dashboard (index.vue) consumer.
- Route /time-tracking preserved; i18n keys kept in the global locale file.

nuxt build passes; /time-tracking routed.
---
 .../time-tracking/components}/TimeEntryBlock.vue          | 2 +-
 .../time-tracking/components}/TimeEntryContextMenu.vue    | 2 +-
 .../time-tracking/components}/TimeEntryDrawer.vue         | 4 ++--
 .../time-tracking/components}/TimeEntryList.vue           | 2 +-
 .../time-tracking/components}/TimeTrackingCalendar.vue    | 2 +-
 .../components}/TimeTrackingExportDrawer.vue              | 0
 frontend/modules/time-tracking/nuxt.config.ts             | 1 +
 .../{ => modules/time-tracking}/pages/time-tracking.vue   | 4 ++--
 .../time-tracking}/services/dto/time-entry.ts             | 8 ++++----
 .../{ => modules/time-tracking}/services/time-entries.ts  | 0
 frontend/{ => modules/time-tracking}/stores/timer.ts      | 4 ++--
 frontend/pages/index.vue                                  | 4 ++--
 12 files changed, 17 insertions(+), 16 deletions(-)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryBlock.vue (99%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryContextMenu.vue (96%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryDrawer.vue (98%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeEntryList.vue (98%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeTrackingCalendar.vue (99%)
 rename frontend/{components/time-tracking => modules/time-tracking/components}/TimeTrackingExportDrawer.vue (100%)
 create mode 100644 frontend/modules/time-tracking/nuxt.config.ts
 rename frontend/{ => modules/time-tracking}/pages/time-tracking.vue (98%)
 rename frontend/{ => modules/time-tracking}/services/dto/time-entry.ts (69%)
 rename frontend/{ => modules/time-tracking}/services/time-entries.ts (100%)
 rename frontend/{ => modules/time-tracking}/stores/timer.ts (95%)

diff --git a/frontend/components/time-tracking/TimeEntryBlock.vue b/frontend/modules/time-tracking/components/TimeEntryBlock.vue
similarity index 99%
rename from frontend/components/time-tracking/TimeEntryBlock.vue
rename to frontend/modules/time-tracking/components/TimeEntryBlock.vue
index ffdb7d7..560ccd3 100644
--- a/frontend/components/time-tracking/TimeEntryBlock.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryBlock.vue
@@ -64,7 +64,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 
 const props = defineProps<{
     entry: TimeEntry
diff --git a/frontend/components/time-tracking/TimeEntryContextMenu.vue b/frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
similarity index 96%
rename from frontend/components/time-tracking/TimeEntryContextMenu.vue
rename to frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
index 6088ed3..ada7403 100644
--- a/frontend/components/time-tracking/TimeEntryContextMenu.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryContextMenu.vue
@@ -35,7 +35,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 
 const props = defineProps<{
     visible: boolean
diff --git a/frontend/components/time-tracking/TimeEntryDrawer.vue b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
similarity index 98%
rename from frontend/components/time-tracking/TimeEntryDrawer.vue
rename to frontend/modules/time-tracking/components/TimeEntryDrawer.vue
index f9660b5..e078e13 100644
--- a/frontend/components/time-tracking/TimeEntryDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
@@ -124,11 +124,11 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry, TimeEntryWrite } from '~/services/dto/time-entry'
+import type { TimeEntry, TimeEntryWrite } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/services/dto/project'
 import type { TaskTag } from '~/services/dto/task-tag'
-import { useTimeEntryService } from '~/services/time-entries'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/time-tracking/TimeEntryList.vue b/frontend/modules/time-tracking/components/TimeEntryList.vue
similarity index 98%
rename from frontend/components/time-tracking/TimeEntryList.vue
rename to frontend/modules/time-tracking/components/TimeEntryList.vue
index a727593..9913e0d 100644
--- a/frontend/components/time-tracking/TimeEntryList.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryList.vue
@@ -67,7 +67,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import { stripRichText } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/time-tracking/TimeTrackingCalendar.vue b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
similarity index 99%
rename from frontend/components/time-tracking/TimeTrackingCalendar.vue
rename to frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
index 4b32e29..2652309 100644
--- a/frontend/components/time-tracking/TimeTrackingCalendar.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
@@ -150,7 +150,7 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import { useAbsenceService } from '~/services/absences'
 
 const { t } = useI18n()
diff --git a/frontend/components/time-tracking/TimeTrackingExportDrawer.vue b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
similarity index 100%
rename from frontend/components/time-tracking/TimeTrackingExportDrawer.vue
rename to frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
diff --git a/frontend/modules/time-tracking/nuxt.config.ts b/frontend/modules/time-tracking/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/time-tracking/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/time-tracking.vue b/frontend/modules/time-tracking/pages/time-tracking.vue
similarity index 98%
rename from frontend/pages/time-tracking.vue
rename to frontend/modules/time-tracking/pages/time-tracking.vue
index d740b12..e2afcd9 100644
--- a/frontend/pages/time-tracking.vue
+++ b/frontend/modules/time-tracking/pages/time-tracking.vue
@@ -150,12 +150,12 @@
 </template>
 
 <script setup lang="ts">
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/services/dto/project'
 import type { TaskTag } from '~/services/dto/task-tag'
 import type { Client } from '~/services/dto/client'
-import { useTimeEntryService } from '~/services/time-entries'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
 
diff --git a/frontend/services/dto/time-entry.ts b/frontend/modules/time-tracking/services/dto/time-entry.ts
similarity index 69%
rename from frontend/services/dto/time-entry.ts
rename to frontend/modules/time-tracking/services/dto/time-entry.ts
index 991d0fc..f129e51 100644
--- a/frontend/services/dto/time-entry.ts
+++ b/frontend/modules/time-tracking/services/dto/time-entry.ts
@@ -1,7 +1,7 @@
-import type { UserData } from './user-data'
-import type { Project } from './project'
-import type { Task } from './task'
-import type { TaskTag } from './task-tag'
+import type { UserData } from '~/services/dto/user-data'
+import type { Project } from '~/services/dto/project'
+import type { Task } from '~/services/dto/task'
+import type { TaskTag } from '~/services/dto/task-tag'
 
 export type TimeEntry = {
     id: number
diff --git a/frontend/services/time-entries.ts b/frontend/modules/time-tracking/services/time-entries.ts
similarity index 100%
rename from frontend/services/time-entries.ts
rename to frontend/modules/time-tracking/services/time-entries.ts
diff --git a/frontend/stores/timer.ts b/frontend/modules/time-tracking/stores/timer.ts
similarity index 95%
rename from frontend/stores/timer.ts
rename to frontend/modules/time-tracking/stores/timer.ts
index 28d5688..ec6253a 100644
--- a/frontend/stores/timer.ts
+++ b/frontend/modules/time-tracking/stores/timer.ts
@@ -1,7 +1,7 @@
 import { defineStore } from 'pinia'
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { Task } from '~/services/dto/task'
-import { useTimeEntryService } from '~/services/time-entries'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 export const useTimerStore = defineStore('timer', () => {
     const activeEntry = ref<TimeEntry | null>(null)
diff --git a/frontend/pages/index.vue b/frontend/pages/index.vue
index 684631b..b55c37c 100644
--- a/frontend/pages/index.vue
+++ b/frontend/pages/index.vue
@@ -3,13 +3,13 @@ import { Doughnut, Bar, Line } from 'vue-chartjs'
 import type { Task } from '~/services/dto/task'
 import type { TaskStatus } from '~/services/dto/task-status'
 import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TimeEntry } from '~/services/dto/time-entry'
+import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { Project } from '~/services/dto/project'
 import type { UserData } from '~/services/dto/user-data'
 import { useTaskService } from '~/services/tasks'
 import { useTaskStatusService } from '~/services/task-statuses'
 import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTimeEntryService } from '~/services/time-entries'
+import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 import { useProjectService } from '~/services/projects'
 import { useUserService } from '~/services/users'
 
-- 
2.39.5


From f119ec30caa1e5ef66a807b579348e470413b977 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 16:34:15 +0200
Subject: [PATCH 47/99] refactor(project-management) : introduce
 Project/Task/TaskTag/Client contracts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tranche 1 of LST-65 (ProjectManagement module migration). Decouples the
TimeTracking module from the core-business entities before they move, with
no entity relocation yet — keeps the diff minimal and the risk isolated.

- New read contracts in Shared/Domain/Contract (minimal surface, aligned on
  the entities' real nullable signatures): ProjectInterface (id/code/name),
  TaskInterface (id/number/title), TaskTagInterface (id/label/color),
  ClientInterface (id/name).
- Project/Task/TaskTag/Client implement their contract (entities stay in
  src/Entity for now). Project.client typed as ClientInterface.
- TimeEntry (TimeTracking) now references ProjectInterface/TaskInterface/
  TaskTagInterface instead of the concrete entities; repository + DQL
  untouched in behaviour.
- resolve_target_entities maps the 4 contracts to the legacy entities (will
  be repointed to the module in tranche 2).
- Adds the migration plan doc.

159 tests green, mapping valid, cs-fixer clean.
---
 config/packages/doctrine.yaml                 |  4 +
 ...6-06-20-lst-65-module-projectmanagement.md | 82 +++++++++++++++++++
 src/Entity/Client.php                         |  3 +-
 src/Entity/Project.php                        | 12 +--
 src/Entity/Task.php                           |  3 +-
 src/Entity/TaskTag.php                        |  3 +-
 .../TimeTracking/Domain/Entity/TimeEntry.php  | 32 ++++----
 .../TimeEntryRepositoryInterface.php          |  8 +-
 .../Doctrine/DoctrineTimeEntryRepository.php  |  8 +-
 .../Domain/Contract/ClientInterface.php       | 15 ++++
 .../Domain/Contract/ProjectInterface.php      | 17 ++++
 src/Shared/Domain/Contract/TaskInterface.php  | 17 ++++
 .../Domain/Contract/TaskTagInterface.php      | 17 ++++
 13 files changed, 189 insertions(+), 32 deletions(-)
 create mode 100644 docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
 create mode 100644 src/Shared/Domain/Contract/ClientInterface.php
 create mode 100644 src/Shared/Domain/Contract/ProjectInterface.php
 create mode 100644 src/Shared/Domain/Contract/TaskInterface.php
 create mode 100644 src/Shared/Domain/Contract/TaskTagInterface.php

diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 0baaedd..fe3adb4 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -22,6 +22,10 @@ doctrine:
         auto_mapping: true
         resolve_target_entities:
             App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
+            App\Shared\Domain\Contract\ProjectInterface: App\Entity\Project
+            App\Shared\Domain\Contract\TaskInterface: App\Entity\Task
+            App\Shared\Domain\Contract\TaskTagInterface: App\Entity\TaskTag
+            App\Shared\Domain\Contract\ClientInterface: App\Entity\Client
         mappings:
             App:
                 type: attribute
diff --git a/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md b/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
new file mode 100644
index 0000000..b9c5504
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-20-lst-65-module-projectmanagement.md
@@ -0,0 +1,82 @@
+# LST-65 (2.2) — Module ProjectManagement : plan de migration
+
+> Migration strangler du cœur métier Projets/Tâches vers `src/Module/ProjectManagement/`.
+> Additive, sans régression API. Exécution en 4 tranches **incrémentalement vertes**
+> (chaque tranche compile + `phpunit` vert + commit ; aucun état cassé committé).
+
+**Branche** : `integration/modular-monolith-0.1-1.3` (empilement phase 2).
+**Vérif container** : `docker exec -u www-data php-lesstime-fpm php bin/console cache:clear`
+**Tests** : `docker exec -u www-data php-lesstime-fpm php vendor/bin/phpunit` (baseline = 159 verts).
+**Style** : `make php-cs-fixer-allow-risky`. PHP `declare(strict_types=1)`. SQL colonnes minuscules.
+
+## Périmètre (10 entités + écosystème)
+Entités : Project, Task, Workflow, TaskStatus, TaskGroup, TaskEffort, TaskPriority, TaskTag, TaskRecurrence, TaskDocument.
+Enums : StatusCategory, RecurrenceType.
+Repos (9), State (7), MCP (38), Controller (1), Services (2 : CalDavService, RecurrenceCalculator), Listeners (3), ApiResource (SwitchWorkflowOutput), fixtures, tests.
+
+## Décisions d'architecture (figées)
+1. **Contrats inter-modules uniquement** (`src/Shared/Domain/Contract/`), surface minimale :
+   - `ProjectInterface` : `getId(): ?int`, `getCode(): ?string`, `getName(): ?string`
+   - `TaskInterface` : `getId(): ?int`, `getNumber(): ?int`, `getTitle(): ?string`
+   - `TaskTagInterface` : `getId(): ?int`, `getLabel(): ?string`, `getColor(): ?string`
+   - `ClientInterface` : `getId(): ?int`, `getName(): ?string`
+   - PAS de WorkflowInterface (Workflow est intra-module PM).
+2. **Consommateur contractuel** : seul le module **TimeTracking** (`TimeEntry`) bascule Project/Task/TaskTag → interfaces. **Project** (PM) bascule client → `ClientInterface`.
+3. **Legacy non modularisé** (Gitea/BookStack/Mail : `src/Controller/Mail/*`, `src/State/Gitea*`, `src/State/BookStack*`, `src/Service/GiteaApiService.php`, `src/ApiResource/BookStack*`, `src/Entity/TaskMailLink.php`, `src/Entity/TaskBookStackLink.php`), **Serializer MCP partagé** (`src/Mcp/Tool/Serializer.php`), fixtures, tests : bascule du **FQCN concret** `App\Entity\X` → `App\Module\ProjectManagement\Domain\Entity\X`. Couplage transitoire legacy→module, nettoyé en 2.4/2.5/2.6.
+4. **Repos** : pattern Core/TimeTracking — interface `Domain/Repository/XxxRepositoryInterface` + `Infrastructure/Doctrine/DoctrineXxxRepository extends ServiceEntityRepository implements …` + binding `services.yaml`. Conserver les méthodes métier (`findMaxNumberByProjectForUpdate`, `findFirstNonFinal`, `findDefault`).
+5. **Services CalDavService + RecurrenceCalculator** → `Infrastructure/` du module (dépendance résiduelle ZimbraConfiguration legacy tolérée jusqu'à 2.6).
+6. **Serializer.php** reste à `src/Mcp/Tool/` (helper multi-domaines), import concret PM.
+7. **Timestampable additif** : sur **Task** et **Project** uniquement (agrégats), pas les référentiels. Migration additive (4 colonnes nullable + FK SET NULL + COMMENT).
+8. **Table inchangée** (naming strategy → mêmes tables). Aucune migration destructive.
+9. **resolve_target_entities** final :
+   ```
+   UserInterface       -> App\Module\Core\Domain\Entity\User            (existant)
+   ProjectInterface    -> App\Module\ProjectManagement\Domain\Entity\Project
+   TaskInterface       -> App\Module\ProjectManagement\Domain\Entity\Task
+   TaskTagInterface    -> App\Module\ProjectManagement\Domain\Entity\TaskTag
+   ClientInterface     -> App\Entity\Client                              (Client legacy jusqu'à 2.4)
+   ```
+
+---
+
+## Tranche 1 — Découplage EN PLACE (entités non déplacées)
+But : créer les contrats et basculer les consommateurs inter-modules, **sans déplacer** les entités → diff minimal, isole le risque architectural.
+
+1. Créer les 4 interfaces dans `src/Shared/Domain/Contract/` (signatures ci-dessus).
+2. `src/Entity/Project.php` `implements ProjectInterface` ; `Task.php` `implements TaskInterface` ; `TaskTag.php` `implements TaskTagInterface` ; `Client.php` `implements ClientInterface`. (Méthodes déjà présentes — juste `implements` + `use`.)
+3. `Project.php` : `client` → type `?ClientInterface` (`targetEntity: ClientInterface::class`, import, getter/setter).
+4. `src/Module/TimeTracking/Domain/Entity/TimeEntry.php` : `project`→`?ProjectInterface`, `task`→`?TaskInterface`, `tags`→`Collection<TaskTagInterface>` (`targetEntity` = interfaces, imports, getters/setters/addTag/removeTag). MAJ `TimeEntryRepositoryInterface`/`DoctrineTimeEntryRepository`/`ActiveTimeEntryProvider`/`TimeEntryExportController` si typage Project/Task.
+5. `config/packages/doctrine.yaml` : ajouter les 4 lignes `resolve_target_entities` (cibles = `App\Entity\Project/Task/TaskTag` + `App\Entity\Client` — encore legacy à ce stade).
+6. Vérif : `cache:clear` OK + `phpunit` vert. Commit `refactor(project-management) : introduce Project/Task/TaskTag/Client contracts, decouple TimeTracking`.
+
+## Tranche 2 — Move mécanique vers le module
+But : déplacer entités + écosystème, bascule namespaces, sans changement de comportement.
+
+1. `git mv` entités → `src/Module/ProjectManagement/Domain/Entity/` (namespace `App\Module\ProjectManagement\Domain\Entity`). Relations intra-module = concret ; client=`ClientInterface` ; assignee/collaborators/uploadedBy=`UserInterface` (inchangé). `repositoryClass` → `DoctrineXxxRepository::class`.
+2. `git mv` enums → `src/Module/ProjectManagement/Domain/Enum/` (namespace adapté).
+3. Repos → `Infrastructure/Doctrine/DoctrineXxxRepository.php` + interfaces `Domain/Repository/XxxRepositoryInterface.php` (méthodes métier dans l'interface). Bindings `services.yaml` (9).
+4. State (7), MCP (38), Controller (1), Services (2), Listeners (3), ApiResource SwitchWorkflowOutput → sous-dossiers `Infrastructure/…` du module, namespaces adaptés, **injecter les interfaces de repo**. `services.yaml` : repointer `App\State\TaskDocumentProcessor`, `App\Controller\TaskDocumentDownloadController`, `App\Mcp\Tool\Task\AddTaskDocumentTool`, `App\Mcp\Tool\Task\UpdateTaskDocumentTool`, `App\EventListener\TaskDocumentListener` vers les nouveaux FQCN (garder `$uploadDir` + tag `doctrine.orm.entity_listener`).
+5. `resolve_target_entities` : repointer ProjectInterface/TaskInterface/TaskTagInterface vers les FQCN module. (ClientInterface reste `App\Entity\Client`.)
+6. **Swap FQCN concret legacy** : remplacer `App\Entity\{Task,Project,Workflow,TaskStatus,TaskGroup,TaskEffort,TaskPriority,TaskTag,TaskRecurrence,TaskDocument}` → `App\Module\ProjectManagement\Domain\Entity\…` et `App\Enum\{StatusCategory,RecurrenceType}` → `App\Module\ProjectManagement\Domain\Enum\…` et `App\Repository\Xxx` → interfaces/Doctrine, dans : Serializer.php, Controller/Mail/*, State/Gitea*, State/BookStack*, ApiResource/BookStack*, Service/GiteaApiService.php, Entity/TaskMailLink.php, Entity/TaskBookStackLink.php, DataFixtures/AppFixtures.php, tests/*. (NE PAS toucher `App\Entity\Client`.)
+7. `config/modules.php` : ajouter `ProjectManagementModule` (id `project-management`, label `Projets & Tâches`, isRequired false, permissions `project-management.projects.view/manage`, `project-management.tasks.view/manage` — non recâblées, additif).
+8. `config/packages/doctrine.yaml` : mapping `ProjectManagement` (dir `src/Module/ProjectManagement/Domain/Entity`).
+9. `config/sidebar.php` : `'module' => 'project-management'` sur items `my-tasks` et `projects`.
+10. Vérif : `cache:clear` OK + `doctrine:schema:validate` mapping OK + `phpunit` vert + cs-fixer. Commit `feat(project-management) : migrate core Projects/Tasks domain into module (back)`.
+
+## Tranche 3 — Timestampable additif (Task + Project)
+1. Ajouter `TimestampableBlamableTrait` + interfaces à `Task` et `Project`.
+2. Migration **additive** manuscrite : `created_at/updated_at` (TIMESTAMP(0) null), `created_by/updated_by` (INT null, FK `"user"` ON DELETE SET NULL) + index + COMMENT, sur `task` et `project`. `down()` = DROP des ajouts.
+3. Champs hors groupes API existants (le trait porte ses propres groupes).
+4. Vérif : `migrations:migrate -n` (dev+test) + `phpunit` vert. Commit `feat(project-management) : add timestampable/blamable to Task and Project (additive)`.
+
+## Tranche 4 — Front layer project-management
+1. `git mv` vers `frontend/modules/project-management/` : pages (my-tasks, projects/index, projects/[id]/{index,groups,archives}), components/{project,task}/*, services (projects, tasks, workflows, task-statuses, task-priorities, task-efforts, task-tags, task-groups, task-documents, task-recurrences) + services/dto/* correspondants. `nuxt.config.ts` = `export default defineNuxtConfig({})`.
+2. Réécrire imports explicites `~/services/<x>` + `~/services/dto/<x>` → `~/modules/project-management/...` dans : les fichiers déplacés, `components/admin/{AdminEffortTab,AdminPriorityTab,AdminTagTab,AdminWorkflowTab,WorkflowDrawer}.vue`, `components/mail/{MailCreateTaskModal,MailLinkTaskModal}.vue`, `pages/index.vue`, `pages/mail.vue`, `app/layouts/default.vue`, **et `frontend/modules/time-tracking/`** (dto/time-entry, stores/timer, pages/time-tracking, components/TimeEntryDrawer importent project/task/task-tag dto). `clients.ts` reste racine.
+3. Préserver routes `/my-tasks`, `/projects`, `/projects/:id`, `/projects/:id/groups`, `/projects/:id/archives`. i18n global inchangé.
+4. Vérif : `cd frontend && npx nuxt build` OK + routes présentes. Commit `feat(project-management) : extract Projects/Tasks front into Nuxt module layer`.
+
+## Critères d'acceptation (ticket)
+- [ ] Cœur Projets/Tâches en module sans régression API (opérations/securities/uriTemplates conservés).
+- [ ] Aucun import direct inter-modules **établis** (contrats) — legacy en transit toléré.
+- [ ] `make test` vert, aucune migration destructive.
+- [ ] Toggle module project-management (sidebar + routes) prouvé.
diff --git a/src/Entity/Client.php b/src/Entity/Client.php
index dd782b2..48cbee1 100644
--- a/src/Entity/Client.php
+++ b/src/Entity/Client.php
@@ -11,6 +11,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\ClientRepository;
+use App\Shared\Domain\Contract\ClientInterface;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -29,7 +30,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     order: ['name' => 'ASC'],
 )]
 #[ORM\Entity(repositoryClass: ClientRepository::class)]
-class Client
+class Client implements ClientInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Entity/Project.php b/src/Entity/Project.php
index 6b5267b..32acbd7 100644
--- a/src/Entity/Project.php
+++ b/src/Entity/Project.php
@@ -15,6 +15,8 @@ use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\ApiResource\SwitchWorkflowOutput;
 use App\Repository\ProjectRepository;
+use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
 use App\State\SwitchProjectWorkflowProcessor;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -54,7 +56,7 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
 #[ORM\Entity(repositoryClass: ProjectRepository::class)]
 #[UniqueEntity(fields: ['code'], message: 'Ce code de projet est déjà utilisé.')]
-class Project
+class Project implements ProjectInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
@@ -80,10 +82,10 @@ class Project
     #[Groups(['project:read', 'project:write', 'time_entry:read', 'task:read'])]
     private ?string $color = '#222783';
 
-    #[ORM\ManyToOne(targetEntity: Client::class, inversedBy: 'projects')]
+    #[ORM\ManyToOne(targetEntity: ClientInterface::class, inversedBy: 'projects')]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['project:read', 'project:write'])]
-    private ?Client $client = null;
+    private ?ClientInterface $client = null;
 
     #[ORM\ManyToOne(targetEntity: Workflow::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'RESTRICT')]
@@ -173,12 +175,12 @@ class Project
         return $this;
     }
 
-    public function getClient(): ?Client
+    public function getClient(): ?ClientInterface
     {
         return $this->client;
     }
 
-    public function setClient(?Client $client): static
+    public function setClient(?ClientInterface $client): static
     {
         $this->client = $client;
 
diff --git a/src/Entity/Task.php b/src/Entity/Task.php
index 4346a37..6977231 100644
--- a/src/Entity/Task.php
+++ b/src/Entity/Task.php
@@ -16,6 +16,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TaskRepository;
+use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use App\State\TaskCalendarProcessor;
 use App\State\TaskNumberProcessor;
@@ -46,7 +47,7 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 #[ORM\Entity(repositoryClass: TaskRepository::class)]
 #[ORM\Table(name: 'task')]
 #[ORM\UniqueConstraint(name: 'uniq_task_project_number', columns: ['project_id', 'number'])]
-class Task
+class Task implements TaskInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Entity/TaskTag.php b/src/Entity/TaskTag.php
index 4f3a864..c351e7f 100644
--- a/src/Entity/TaskTag.php
+++ b/src/Entity/TaskTag.php
@@ -11,6 +11,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Repository\TaskTagRepository;
+use App\Shared\Domain\Contract\TaskTagInterface;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -28,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ORM\Entity(repositoryClass: TaskTagRepository::class)]
 #[ORM\Table(name: 'task_type')]
-class TaskTag
+class TaskTag implements TaskTagInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Module/TimeTracking/Domain/Entity/TimeEntry.php b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
index 4d8d1bb..1ed090d 100644
--- a/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
+++ b/src/Module/TimeTracking/Domain/Entity/TimeEntry.php
@@ -13,12 +13,12 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskTag;
 use App\Module\TimeTracking\Infrastructure\ApiPlatform\State\ActiveTimeEntryProvider;
 use App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository;
 use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TaskTagInterface;
 use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use App\Shared\Domain\Trait\TimestampableBlamableTrait;
@@ -91,18 +91,18 @@ class TimeEntry implements TimestampableInterface, BlamableInterface
     #[Groups(['time_entry:read', 'time_entry:write'])]
     private ?UserInterface $user = null;
 
-    #[ORM\ManyToOne(targetEntity: Project::class)]
+    #[ORM\ManyToOne(targetEntity: ProjectInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?Project $project = null;
+    private ?ProjectInterface $project = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(nullable: true, onDelete: 'SET NULL')]
     #[Groups(['time_entry:read', 'time_entry:write'])]
-    private ?Task $task = null;
+    private ?TaskInterface $task = null;
 
-    /** @var Collection<int, TaskTag> */
-    #[ORM\ManyToMany(targetEntity: TaskTag::class)]
+    /** @var Collection<int, TaskTagInterface> */
+    #[ORM\ManyToMany(targetEntity: TaskTagInterface::class)]
     #[ORM\JoinTable(
         name: 'time_entry_task_type',
         joinColumns: [new ORM\JoinColumn(name: 'time_entry_id', referencedColumnName: 'id')],
@@ -181,37 +181,37 @@ class TimeEntry implements TimestampableInterface, BlamableInterface
         return $this;
     }
 
-    public function getProject(): ?Project
+    public function getProject(): ?ProjectInterface
     {
         return $this->project;
     }
 
-    public function setProject(?Project $project): static
+    public function setProject(?ProjectInterface $project): static
     {
         $this->project = $project;
 
         return $this;
     }
 
-    public function getTask(): ?Task
+    public function getTask(): ?TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(?Task $task): static
+    public function setTask(?TaskInterface $task): static
     {
         $this->task = $task;
 
         return $this;
     }
 
-    /** @return Collection<int, TaskTag> */
+    /** @return Collection<int, TaskTagInterface> */
     public function getTags(): Collection
     {
         return $this->tags;
     }
 
-    public function addTag(TaskTag $tag): static
+    public function addTag(TaskTagInterface $tag): static
     {
         if (!$this->tags->contains($tag)) {
             $this->tags->add($tag);
@@ -220,7 +220,7 @@ class TimeEntry implements TimestampableInterface, BlamableInterface
         return $this;
     }
 
-    public function removeTag(TaskTag $tag): static
+    public function removeTag(TaskTagInterface $tag): static
     {
         $this->tags->removeElement($tag);
 
diff --git a/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
index ebaa188..e9c2c16 100644
--- a/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
+++ b/src/Module/TimeTracking/Domain/Repository/TimeEntryRepositoryInterface.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Domain\Repository;
 
-use App\Entity\Project;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\QueryBuilder;
@@ -19,9 +19,9 @@ interface TimeEntryRepositoryInterface
     public function findActiveByUser(UserInterface $user): ?TimeEntry;
 
     /**
-     * @param null|UserInterface[] $users
-     * @param null|Project[]       $projects
-     * @param null|int[]           $tagIds
+     * @param null|UserInterface[]    $users
+     * @param null|ProjectInterface[] $projects
+     * @param null|int[]              $tagIds
      *
      * @return TimeEntry[]
      */
diff --git a/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
index b824f22..399771b 100644
--- a/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
+++ b/src/Module/TimeTracking/Infrastructure/Doctrine/DoctrineTimeEntryRepository.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Doctrine;
 
-use App\Entity\Project;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
@@ -36,9 +36,9 @@ class DoctrineTimeEntryRepository extends ServiceEntityRepository implements Tim
     }
 
     /**
-     * @param null|UserInterface[] $users
-     * @param null|Project[]       $projects
-     * @param null|int[]           $tagIds
+     * @param null|UserInterface[]    $users
+     * @param null|ProjectInterface[] $projects
+     * @param null|int[]              $tagIds
      *
      * @return TimeEntry[]
      */
diff --git a/src/Shared/Domain/Contract/ClientInterface.php b/src/Shared/Domain/Contract/ClientInterface.php
new file mode 100644
index 0000000..afe7b3a
--- /dev/null
+++ b/src/Shared/Domain/Contract/ClientInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un client, consommé hors du module qui le possède.
+ */
+interface ClientInterface
+{
+    public function getId(): ?int;
+
+    public function getName(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/ProjectInterface.php b/src/Shared/Domain/Contract/ProjectInterface.php
new file mode 100644
index 0000000..12af6f1
--- /dev/null
+++ b/src/Shared/Domain/Contract/ProjectInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un projet, consommé hors du module qui le possède.
+ */
+interface ProjectInterface
+{
+    public function getId(): ?int;
+
+    public function getCode(): ?string;
+
+    public function getName(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/TaskInterface.php b/src/Shared/Domain/Contract/TaskInterface.php
new file mode 100644
index 0000000..127b233
--- /dev/null
+++ b/src/Shared/Domain/Contract/TaskInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'une tâche, consommé hors du module qui la possède.
+ */
+interface TaskInterface
+{
+    public function getId(): ?int;
+
+    public function getNumber(): ?int;
+
+    public function getTitle(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/TaskTagInterface.php b/src/Shared/Domain/Contract/TaskTagInterface.php
new file mode 100644
index 0000000..3887c46
--- /dev/null
+++ b/src/Shared/Domain/Contract/TaskTagInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un tag de tâche, consommé hors du module qui le possède.
+ */
+interface TaskTagInterface
+{
+    public function getId(): ?int;
+
+    public function getLabel(): ?string;
+
+    public function getColor(): ?string;
+}
-- 
2.39.5


From 23809f165e9222a8ae2e82814529200bab6ce761 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 16:54:59 +0200
Subject: [PATCH 48/99] feat(project-management) : migrate core Projects/Tasks
 domain into module (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tranche 2 of LST-65. Mechanical, behaviour-preserving move of the core
business domain into src/Module/ProjectManagement/. API operations,
securities, uriTemplates and the 38 MCP tool names are all unchanged.

- 10 entities + 2 enums moved to Domain/{Entity,Enum}; intra-module
  relations stay concrete, cross-module relations go through contracts
  (Project.client -> ClientInterface, Task/TaskDocument users ->
  UserInterface).
- 9 repositories split into Domain/Repository interfaces + Doctrine impls,
  bound in services.yaml; consumers inject the interfaces. find() kept off
  the interfaces (ServiceEntityRepository ?object compat) -> findById().
- State (7), MCP tools (38), controller, CalDavService/RecurrenceCalculator,
  3 Doctrine listeners and SwitchWorkflowOutput moved under Infrastructure/.
- doctrine.yaml: ProjectManagement mapping + resolve_target_entities of the
  3 module contracts repointed to the module (ClientInterface stays legacy).
- ProjectManagementModule registered (id project-management, 4 RBAC perms,
  not re-wired); sidebar my-tasks/projects gated by the module.
- Legacy not-yet-modularised consumers (Mail/Gitea/BookStack, Serializer,
  fixtures, tests) swapped to the module FQCN — transitional coupling to be
  cleaned in 2.4/2.5/2.6.

159 tests green, mapping valid, no API route regression, cs-fixer clean.
---
 config/modules.php                            |  2 +
 config/packages/doctrine.yaml                 | 11 +++--
 config/services.yaml                          | 28 +++++++++--
 config/sidebar.php                            |  4 +-
 src/ApiResource/BookStackLink.php             |  2 +-
 src/ApiResource/BookStackSearchResult.php     |  2 +-
 .../Mail/MailCreateTaskController.php         | 12 ++---
 .../Mail/MailLinkTaskController.php           |  2 +-
 .../Mail/MailUnlinkTaskController.php         |  2 +-
 .../Mail/TaskMailsListController.php          |  2 +-
 src/DataFixtures/AppFixtures.php              | 22 ++++-----
 src/Entity/Client.php                         |  1 +
 src/Entity/TaskBookStackLink.php              |  1 +
 src/Entity/TaskMailLink.php                   |  1 +
 src/Mcp/Tool/Serializer.php                   | 16 +++----
 .../Domain}/Entity/Project.php                | 10 ++--
 .../ProjectManagement/Domain}/Entity/Task.php | 10 ++--
 .../Domain}/Entity/TaskDocument.php           |  8 ++--
 .../Domain}/Entity/TaskEffort.php             |  6 +--
 .../Domain}/Entity/TaskGroup.php              |  6 +--
 .../Domain}/Entity/TaskPriority.php           |  6 +--
 .../Domain}/Entity/TaskRecurrence.php         |  8 ++--
 .../Domain}/Entity/TaskStatus.php             |  8 ++--
 .../Domain}/Entity/TaskTag.php                |  6 +--
 .../Domain}/Entity/Workflow.php               |  8 ++--
 .../Domain}/Enum/RecurrenceType.php           |  2 +-
 .../Domain}/Enum/StatusCategory.php           |  2 +-
 .../Repository/ProjectRepositoryInterface.php | 20 ++++++++
 .../TaskEffortRepositoryInterface.php         | 20 ++++++++
 .../TaskGroupRepositoryInterface.php          | 20 ++++++++
 .../TaskPriorityRepositoryInterface.php       | 20 ++++++++
 .../TaskRecurrenceRepositoryInterface.php     | 12 +++++
 .../Repository/TaskRepositoryInterface.php    | 22 +++++++++
 .../TaskStatusRepositoryInterface.php         | 22 +++++++++
 .../Repository/TaskTagRepositoryInterface.php | 20 ++++++++
 .../WorkflowRepositoryInterface.php           | 22 +++++++++
 .../Resource}/SwitchWorkflowOutput.php        |  2 +-
 .../ApiPlatform}/State/RecurrenceHandler.php  | 16 +++----
 .../State/SwitchProjectWorkflowProcessor.php  | 10 ++--
 .../State/TaskCalendarProcessor.php           |  8 ++--
 .../State/TaskDocumentProcessor.php           |  6 +--
 .../State/TaskDocumentProvider.php            |  4 +-
 .../State/TaskNumberProcessor.php             | 10 ++--
 .../State/WorkflowDeleteProcessor.php         |  4 +-
 .../TaskDocumentDownloadController.php        |  4 +-
 .../Doctrine/DoctrineProjectRepository.php    | 26 +++++++++++
 .../Doctrine/DoctrineTaskEffortRepository.php | 26 +++++++++++
 .../Doctrine/DoctrineTaskGroupRepository.php  | 26 +++++++++++
 .../DoctrineTaskPriorityRepository.php        | 26 +++++++++++
 .../DoctrineTaskRecurrenceRepository.php      | 26 +++++++++++
 .../Doctrine/DoctrineTaskRepository.php}      | 14 ++++--
 .../DoctrineTaskStatusRepository.php}         | 15 ++++--
 .../Doctrine/DoctrineTaskTagRepository.php    | 26 +++++++++++
 .../Doctrine/DoctrineWorkflowRepository.php}  | 12 +++--
 .../EventListener/TaskDocumentListener.php    |  4 +-
 .../TaskNotificationListener.php              |  4 +-
 .../UniqueDefaultWorkflowListener.php         |  4 +-
 .../Mcp/Tool/Project/CreateProjectTool.php    |  4 +-
 .../Mcp/Tool/Project/DeleteProjectTool.php    |  8 ++--
 .../Mcp/Tool/Project/GetProjectTool.php       | 12 ++---
 .../Mcp/Tool/Project/ListProjectsTool.php     |  6 +--
 .../Mcp/Tool/Project/UpdateProjectTool.php    |  8 ++--
 .../Mcp/Tool/Task/AddTaskDocumentTool.php     | 10 ++--
 .../Tool/Task/CreateTaskRecurrenceTool.php    | 14 +++---
 .../Mcp/Tool/Task/CreateTaskTool.php          | 46 +++++++++----------
 .../Mcp/Tool/Task/DeleteTaskDocumentTool.php  |  4 +-
 .../Tool/Task/DeleteTaskRecurrenceTool.php    | 10 ++--
 .../Mcp/Tool/Task/DeleteTaskTool.php          | 10 ++--
 .../Mcp/Tool/Task/GetTaskTool.php             |  8 ++--
 .../Mcp/Tool/Task/ListTasksTool.php           |  6 +--
 .../Mcp/Tool/Task/UpdateTaskDocumentTool.php  |  4 +-
 .../Tool/Task/UpdateTaskRecurrenceTool.php    | 12 ++---
 .../Mcp/Tool/Task/UpdateTaskTool.php          | 40 ++++++++--------
 .../Mcp/Tool/TaskMeta/CreateEffortTool.php    |  4 +-
 .../Mcp/Tool/TaskMeta/CreateGroupTool.php     | 10 ++--
 .../Mcp/Tool/TaskMeta/CreatePriorityTool.php  |  4 +-
 .../Mcp/Tool/TaskMeta/CreateStatusTool.php    | 12 ++---
 .../Mcp/Tool/TaskMeta/CreateTagTool.php       |  4 +-
 .../Mcp/Tool/TaskMeta/DeleteEffortTool.php    |  8 ++--
 .../Mcp/Tool/TaskMeta/DeleteGroupTool.php     |  8 ++--
 .../Mcp/Tool/TaskMeta/DeletePriorityTool.php  |  8 ++--
 .../Mcp/Tool/TaskMeta/DeleteStatusTool.php    |  8 ++--
 .../Mcp/Tool/TaskMeta/DeleteTagTool.php       |  8 ++--
 .../Mcp/Tool/TaskMeta/ListEffortsTool.php     |  6 +--
 .../Mcp/Tool/TaskMeta/ListGroupsTool.php      |  6 +--
 .../Mcp/Tool/TaskMeta/ListPrioritiesTool.php  |  6 +--
 .../Mcp/Tool/TaskMeta/ListStatusesTool.php    |  8 ++--
 .../Mcp/Tool/TaskMeta/ListTagsTool.php        |  6 +--
 .../Mcp/Tool/TaskMeta/UpdateEffortTool.php    |  8 ++--
 .../Mcp/Tool/TaskMeta/UpdateGroupTool.php     |  8 ++--
 .../Mcp/Tool/TaskMeta/UpdatePriorityTool.php  |  8 ++--
 .../Mcp/Tool/TaskMeta/UpdateStatusTool.php    | 10 ++--
 .../Mcp/Tool/TaskMeta/UpdateTagTool.php       |  8 ++--
 .../Mcp/Tool/Workflow/ListWorkflowsTool.php   |  6 +--
 .../Workflow/SwitchProjectWorkflowTool.php    |  6 +--
 .../Infrastructure}/Service/CalDavService.php |  9 ++--
 .../Service/RecurrenceCalculator.php          |  8 ++--
 .../ProjectManagementModule.php               | 43 +++++++++++++++++
 .../Controller/TimeEntryExportController.php  |  2 +-
 .../Mcp/Tool/CreateTimeEntryTool.php          | 18 ++++----
 .../Mcp/Tool/UpdateTimeEntryTool.php          | 18 ++++----
 src/Repository/ProjectRepository.php          | 17 -------
 src/Repository/TaskEffortRepository.php       | 17 -------
 src/Repository/TaskGroupRepository.php        | 17 -------
 src/Repository/TaskMailLinkRepository.php     |  2 +-
 src/Repository/TaskPriorityRepository.php     | 17 -------
 src/Repository/TaskRecurrenceRepository.php   | 17 -------
 src/Repository/TaskTagRepository.php          | 17 -------
 src/Service/GiteaApiService.php               |  4 +-
 src/State/BookStackLinkProcessor.php          |  2 +-
 src/State/BookStackSearchResultProvider.php   |  2 +-
 src/State/GiteaBranchNameProvider.php         |  2 +-
 src/State/GiteaBranchProcessor.php            |  2 +-
 src/State/GiteaBranchProvider.php             |  2 +-
 src/State/GiteaPullRequestProvider.php        |  2 +-
 src/State/ZimbraTestConnectionProvider.php    |  2 +-
 .../MailTaskIntegrationControllerTest.php     |  4 +-
 .../TaskNotificationListenerTest.php          |  4 +-
 .../Unit/Mcp/CoercingSchemaGeneratorTest.php  |  4 +-
 119 files changed, 779 insertions(+), 454 deletions(-)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Project.php (94%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Task.php (97%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskDocument.php (93%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskEffort.php (87%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskGroup.php (93%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskPriority.php (89%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskRecurrence.php (94%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskStatus.php (93%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/TaskTag.php (90%)
 rename src/{ => Module/ProjectManagement/Domain}/Entity/Workflow.php (92%)
 rename src/{ => Module/ProjectManagement/Domain}/Enum/RecurrenceType.php (77%)
 rename src/{ => Module/ProjectManagement/Domain}/Enum/StatusCategory.php (81%)
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
 create mode 100644 src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
 rename src/{ApiResource => Module/ProjectManagement/Infrastructure/ApiPlatform/Resource}/SwitchWorkflowOutput.php (88%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/RecurrenceHandler.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/SwitchProjectWorkflowProcessor.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskCalendarProcessor.php (91%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskDocumentProcessor.php (98%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskDocumentProvider.php (91%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/TaskNumberProcessor.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure/ApiPlatform}/State/WorkflowDeleteProcessor.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Controller/TaskDocumentDownloadController.php (96%)
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
 rename src/{Repository/TaskRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php} (72%)
 rename src/{Repository/TaskStatusRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php} (57%)
 create mode 100644 src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
 rename src/{Repository/WorkflowRepository.php => Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php} (52%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/TaskDocumentListener.php (87%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/TaskNotificationListener.php (96%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/EventListener/UniqueDefaultWorkflowListener.php (91%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/CreateProjectTool.php (93%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/DeleteProjectTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/GetProjectTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/ListProjectsTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Project/UpdateProjectTool.php (88%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/AddTaskDocumentTool.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/CreateTaskRecurrenceTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/CreateTaskTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskDocumentTool.php (92%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/DeleteTaskTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/GetTaskTool.php (87%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/ListTasksTool.php (94%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskDocumentTool.php (96%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Task/UpdateTaskTool.php (81%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateEffortTool.php (87%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateGroupTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreatePriorityTool.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateStatusTool.php (84%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/CreateTagTool.php (89%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteEffortTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteGroupTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeletePriorityTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteStatusTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/DeleteTagTool.php (80%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListEffortsTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListGroupsTool.php (81%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListPrioritiesTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListStatusesTool.php (85%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/ListTagsTool.php (79%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateEffortTool.php (78%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateGroupTool.php (84%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdatePriorityTool.php (81%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateStatusTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/TaskMeta/UpdateTagTool.php (82%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Workflow/ListWorkflowsTool.php (86%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php (90%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Service/CalDavService.php (97%)
 rename src/{ => Module/ProjectManagement/Infrastructure}/Service/RecurrenceCalculator.php (96%)
 create mode 100644 src/Module/ProjectManagement/ProjectManagementModule.php
 delete mode 100644 src/Repository/ProjectRepository.php
 delete mode 100644 src/Repository/TaskEffortRepository.php
 delete mode 100644 src/Repository/TaskGroupRepository.php
 delete mode 100644 src/Repository/TaskPriorityRepository.php
 delete mode 100644 src/Repository/TaskRecurrenceRepository.php
 delete mode 100644 src/Repository/TaskTagRepository.php

diff --git a/config/modules.php b/config/modules.php
index 8ca723b..15f2ccc 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -8,9 +8,11 @@ declare(strict_types=1);
  */
 
 use App\Module\Core\CoreModule;
+use App\Module\ProjectManagement\ProjectManagementModule;
 use App\Module\TimeTracking\TimeTrackingModule;
 
 return [
     CoreModule::class,
     TimeTrackingModule::class,
+    ProjectManagementModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index fe3adb4..af7da9c 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -22,9 +22,9 @@ doctrine:
         auto_mapping: true
         resolve_target_entities:
             App\Shared\Domain\Contract\UserInterface: App\Module\Core\Domain\Entity\User
-            App\Shared\Domain\Contract\ProjectInterface: App\Entity\Project
-            App\Shared\Domain\Contract\TaskInterface: App\Entity\Task
-            App\Shared\Domain\Contract\TaskTagInterface: App\Entity\TaskTag
+            App\Shared\Domain\Contract\ProjectInterface: App\Module\ProjectManagement\Domain\Entity\Project
+            App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
+            App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
             App\Shared\Domain\Contract\ClientInterface: App\Entity\Client
         mappings:
             App:
@@ -43,6 +43,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/TimeTracking/Domain/Entity'
                 prefix: 'App\Module\TimeTracking\Domain\Entity'
+            ProjectManagement:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+                prefix: 'App\Module\ProjectManagement\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/services.yaml b/config/services.yaml
index a2f46b5..9d4c54d 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -31,25 +31,25 @@ services:
     # add more service definitions when explicit configuration is needed
     # please note that last definitions always *replace* previous ones
 
-    App\EventListener\TaskDocumentListener:
+    App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
         tags:
             - { name: doctrine.orm.entity_listener }
 
-    App\State\TaskDocumentProcessor:
+    App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Controller\TaskDocumentDownloadController:
+    App\Module\ProjectManagement\Infrastructure\Controller\TaskDocumentDownloadController:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Mcp\Tool\Task\AddTaskDocumentTool:
+    App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\AddTaskDocumentTool:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Mcp\Tool\Task\UpdateTaskDocumentTool:
+    App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\UpdateTaskDocumentTool:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
@@ -75,4 +75,22 @@ services:
 
     App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface: '@App\Module\TimeTracking\Infrastructure\Doctrine\DoctrineTimeEntryRepository'
 
+    App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineProjectRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineWorkflowRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskStatusRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskGroupRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskEffortRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskPriorityRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskTagRepository'
+
+    App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRecurrenceRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/config/sidebar.php b/config/sidebar.php
index dcdeb4d..1147980 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -20,8 +20,8 @@ return [
         'icon'  => 'mdi:view-dashboard-outline',
         'items' => [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
-            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline'],
-            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline'],
+            ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
             ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
         ],
     ],
diff --git a/src/ApiResource/BookStackLink.php b/src/ApiResource/BookStackLink.php
index f324d6e..5414d22 100644
--- a/src/ApiResource/BookStackLink.php
+++ b/src/ApiResource/BookStackLink.php
@@ -9,8 +9,8 @@ use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Post;
-use App\Entity\Task;
 use App\Entity\TaskBookStackLink;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\State\BookStackLinkProcessor;
 use App\State\BookStackLinkProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
diff --git a/src/ApiResource/BookStackSearchResult.php b/src/ApiResource/BookStackSearchResult.php
index 83ca6f9..2f1f6fb 100644
--- a/src/ApiResource/BookStackSearchResult.php
+++ b/src/ApiResource/BookStackSearchResult.php
@@ -7,7 +7,7 @@ namespace App\ApiResource;
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\State\BookStackSearchResultProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
diff --git a/src/Controller/Mail/MailCreateTaskController.php b/src/Controller/Mail/MailCreateTaskController.php
index 2231d0e..3c283ac 100644
--- a/src/Controller/Mail/MailCreateTaskController.php
+++ b/src/Controller/Mail/MailCreateTaskController.php
@@ -4,14 +4,14 @@ declare(strict_types=1);
 
 namespace App\Controller\Mail;
 
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskGroup;
 use App\Entity\TaskMailLink;
-use App\Entity\TaskStatus;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use App\Repository\MailMessageRepository;
-use App\Repository\TaskRepository;
 use App\Security\MailAccessChecker;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -31,7 +31,7 @@ class MailCreateTaskController extends AbstractController
         private readonly MailMessageRepository $messageRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function __invoke(Request $request, int $id): JsonResponse
diff --git a/src/Controller/Mail/MailLinkTaskController.php b/src/Controller/Mail/MailLinkTaskController.php
index 86d96b8..2cb3524 100644
--- a/src/Controller/Mail/MailLinkTaskController.php
+++ b/src/Controller/Mail/MailLinkTaskController.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Controller\Mail;
 
-use App\Entity\Task;
 use App\Entity\TaskMailLink;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\MailMessageRepository;
 use App\Repository\TaskMailLinkRepository;
 use App\Security\MailAccessChecker;
diff --git a/src/Controller/Mail/MailUnlinkTaskController.php b/src/Controller/Mail/MailUnlinkTaskController.php
index 399959e..09f646b 100644
--- a/src/Controller/Mail/MailUnlinkTaskController.php
+++ b/src/Controller/Mail/MailUnlinkTaskController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller\Mail;
 
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\MailMessageRepository;
 use App\Repository\TaskMailLinkRepository;
 use App\Security\MailAccessChecker;
diff --git a/src/Controller/Mail/TaskMailsListController.php b/src/Controller/Mail/TaskMailsListController.php
index 6b2180e..8a9b0a4 100644
--- a/src/Controller/Mail/TaskMailsListController.php
+++ b/src/Controller/Mail/TaskMailsListController.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Controller\Mail;
 
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\TaskMailLinkRepository;
 use App\Security\MailAccessChecker;
 use DateTimeInterface;
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 1649a55..00adb95 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -9,23 +9,23 @@ use App\Entity\AbsencePolicy;
 use App\Entity\AbsenceRequest;
 use App\Entity\Client;
 use App\Entity\MailConfiguration;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskEffort;
-use App\Entity\TaskGroup;
-use App\Entity\TaskPriority;
-use App\Entity\TaskRecurrence;
-use App\Entity\TaskStatus;
-use App\Entity\TaskTag;
-use App\Entity\Workflow;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\AbsenceStatus;
 use App\Enum\AbsenceType;
 use App\Enum\ContractType;
-use App\Enum\RecurrenceType;
-use App\Enum\StatusCategory;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use DateTimeImmutable;
 use DateTimeZone;
diff --git a/src/Entity/Client.php b/src/Entity/Client.php
index 48cbee1..6f3bf8a 100644
--- a/src/Entity/Client.php
+++ b/src/Entity/Client.php
@@ -10,6 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
+use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Repository\ClientRepository;
 use App\Shared\Domain\Contract\ClientInterface;
 use Doctrine\Common\Collections\ArrayCollection;
diff --git a/src/Entity/TaskBookStackLink.php b/src/Entity/TaskBookStackLink.php
index 34b3f01..a9c6519 100644
--- a/src/Entity/TaskBookStackLink.php
+++ b/src/Entity/TaskBookStackLink.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace App\Entity;
 
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\TaskBookStackLinkRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
diff --git a/src/Entity/TaskMailLink.php b/src/Entity/TaskMailLink.php
index 041efcb..9ef6364 100644
--- a/src/Entity/TaskMailLink.php
+++ b/src/Entity/TaskMailLink.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace App\Entity;
 
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\TaskMailLinkRepository;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index 964c451..2003aa6 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -8,15 +8,15 @@ use App\Entity\AbsenceBalance;
 use App\Entity\AbsencePolicy;
 use App\Entity\AbsenceRequest;
 use App\Entity\Client;
-use App\Entity\Project;
-use App\Entity\Task;
-use App\Entity\TaskDocument;
-use App\Entity\TaskEffort;
-use App\Entity\TaskGroup;
-use App\Entity\TaskPriority;
-use App\Entity\TaskStatus;
-use App\Entity\TaskTag;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use Doctrine\Common\Collections\Collection;
 
diff --git a/src/Entity/Project.php b/src/Module/ProjectManagement/Domain/Entity/Project.php
similarity index 94%
rename from src/Entity/Project.php
rename to src/Module/ProjectManagement/Domain/Entity/Project.php
index 32acbd7..1fe5cb1 100644
--- a/src/Entity/Project.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Project.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Metadata\ApiFilter;
@@ -13,11 +13,11 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\ApiResource\SwitchWorkflowOutput;
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource\SwitchWorkflowOutput;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\SwitchProjectWorkflowProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineProjectRepository;
 use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\ProjectInterface;
-use App\State\SwitchProjectWorkflowProcessor;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -54,7 +54,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     order: ['name' => 'ASC'],
 )]
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
-#[ORM\Entity(repositoryClass: ProjectRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineProjectRepository::class)]
 #[UniqueEntity(fields: ['code'], message: 'Ce code de projet est déjà utilisé.')]
 class Project implements ProjectInterface
 {
diff --git a/src/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
similarity index 97%
rename from src/Entity/Task.php
rename to src/Module/ProjectManagement/Domain/Entity/Task.php
index 6977231..ecbabc3 100644
--- a/src/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Doctrine\Orm\Filter\DateFilter;
@@ -15,11 +15,11 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
 use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\TaskCalendarProcessor;
-use App\State\TaskNumberProcessor;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -44,7 +44,7 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 #[ApiFilter(DateFilter::class, properties: ['scheduledStart', 'scheduledEnd', 'deadline'])]
 #[ApiFilter(BooleanFilter::class, properties: ['archived', 'syncToCalendar'])]
 #[ApiFilter(OrderFilter::class, properties: ['scheduledStart', 'deadline'])]
-#[ORM\Entity(repositoryClass: TaskRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskRepository::class)]
 #[ORM\Table(name: 'task')]
 #[ORM\UniqueConstraint(name: 'uniq_task_project_number', columns: ['project_id', 'number'])]
 class Task implements TaskInterface
diff --git a/src/Entity/TaskDocument.php b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
similarity index 93%
rename from src/Entity/TaskDocument.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
index 235fc14..3d2d5f3 100644
--- a/src/Entity/TaskDocument.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
 use ApiPlatform\Metadata\ApiFilter;
@@ -11,10 +11,10 @@ use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
-use App\EventListener\TaskDocumentListener;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProvider;
+use App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\TaskDocumentProcessor;
-use App\State\TaskDocumentProvider;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
diff --git a/src/Entity/TaskEffort.php b/src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
similarity index 87%
rename from src/Entity/TaskEffort.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
index 04ce397..5dabd51 100644
--- a/src/Entity/TaskEffort.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskEffort.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskEffortRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -26,7 +26,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_effort:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskEffortRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskEffortRepository::class)]
 class TaskEffort
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskGroup.php b/src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
similarity index 93%
rename from src/Entity/TaskGroup.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
index 8a5ecf8..c013da7 100644
--- a/src/Entity/TaskGroup.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskGroup.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Doctrine\Orm\Filter\BooleanFilter;
 use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
@@ -13,7 +13,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskGroupRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -31,7 +31,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 )]
 #[ApiFilter(SearchFilter::class, properties: ['project' => 'exact'])]
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
-#[ORM\Entity(repositoryClass: TaskGroupRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskGroupRepository::class)]
 class TaskGroup
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskPriority.php b/src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
similarity index 89%
rename from src/Entity/TaskPriority.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
index c960977..9840bee 100644
--- a/src/Entity/TaskPriority.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskPriority.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskPriorityRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
@@ -26,7 +26,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_priority:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskPriorityRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskPriorityRepository::class)]
 class TaskPriority
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskRecurrence.php b/src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
similarity index 94%
rename from src/Entity/TaskRecurrence.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
index a6a6dc5..eb82b3e 100644
--- a/src/Entity/TaskRecurrence.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskRecurrence.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRecurrenceRepository;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRecurrenceRepository;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -29,7 +29,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     normalizationContext: ['groups' => ['task_recurrence:read']],
     denormalizationContext: ['groups' => ['task_recurrence:write']],
 )]
-#[ORM\Entity(repositoryClass: TaskRecurrenceRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskRecurrenceRepository::class)]
 class TaskRecurrence
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskStatus.php b/src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
similarity index 93%
rename from src/Entity/TaskStatus.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
index 021afdc..301d417 100644
--- a/src/Entity/TaskStatus.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskStatus.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\StatusCategory;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskStatusRepository;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 use Symfony\Component\Validator\Constraints as Assert;
@@ -28,7 +28,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['task_status:write']],
     order: ['position' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskStatusRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskStatusRepository::class)]
 class TaskStatus
 {
     #[ORM\Id]
diff --git a/src/Entity/TaskTag.php b/src/Module/ProjectManagement/Domain/Entity/TaskTag.php
similarity index 90%
rename from src/Entity/TaskTag.php
rename to src/Module/ProjectManagement/Domain/Entity/TaskTag.php
index c351e7f..136cc91 100644
--- a/src/Entity/TaskTag.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskTag.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,7 +10,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskTagRepository;
 use App\Shared\Domain\Contract\TaskTagInterface;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -27,7 +27,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_tag:write']],
     order: ['label' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: TaskTagRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskTagRepository::class)]
 #[ORM\Table(name: 'task_type')]
 class TaskTag implements TaskTagInterface
 {
diff --git a/src/Entity/Workflow.php b/src/Module/ProjectManagement/Domain/Entity/Workflow.php
similarity index 92%
rename from src/Entity/Workflow.php
rename to src/Module/ProjectManagement/Domain/Entity/Workflow.php
index 1b3ffff..1afa1a3 100644
--- a/src/Entity/Workflow.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Workflow.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\ProjectManagement\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,8 +10,8 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Repository\WorkflowRepository;
-use App\State\WorkflowDeleteProcessor;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\WorkflowDeleteProcessor;
+use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineWorkflowRepository;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -31,7 +31,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['workflow:write']],
     order: ['position' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: WorkflowRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineWorkflowRepository::class)]
 #[UniqueEntity(fields: ['name'], message: 'Ce nom de workflow est déjà utilisé.')]
 class Workflow
 {
diff --git a/src/Enum/RecurrenceType.php b/src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
similarity index 77%
rename from src/Enum/RecurrenceType.php
rename to src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
index 0df9a70..8db59b3 100644
--- a/src/Enum/RecurrenceType.php
+++ b/src/Module/ProjectManagement/Domain/Enum/RecurrenceType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\ProjectManagement\Domain\Enum;
 
 enum RecurrenceType: string
 {
diff --git a/src/Enum/StatusCategory.php b/src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
similarity index 81%
rename from src/Enum/StatusCategory.php
rename to src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
index c9eaef5..70114d1 100644
--- a/src/Enum/StatusCategory.php
+++ b/src/Module/ProjectManagement/Domain/Enum/StatusCategory.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\ProjectManagement\Domain\Enum;
 
 enum StatusCategory: string
 {
diff --git a/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
new file mode 100644
index 0000000..e057b50
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/ProjectRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+
+interface ProjectRepositoryInterface
+{
+    public function findById(int $id): ?Project;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Project[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
new file mode 100644
index 0000000..c3bac00
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskEffortRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+
+interface TaskEffortRepositoryInterface
+{
+    public function findById(int $id): ?TaskEffort;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskEffort[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
new file mode 100644
index 0000000..9226827
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskGroupRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+
+interface TaskGroupRepositoryInterface
+{
+    public function findById(int $id): ?TaskGroup;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskGroup[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
new file mode 100644
index 0000000..645462b
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskPriorityRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+
+interface TaskPriorityRepositoryInterface
+{
+    public function findById(int $id): ?TaskPriority;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskPriority[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
new file mode 100644
index 0000000..76b2f81
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskRecurrenceRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+
+interface TaskRecurrenceRepositoryInterface
+{
+    public function findById(int $id): ?TaskRecurrence;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
new file mode 100644
index 0000000..d9e3e2f
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use Doctrine\ORM\QueryBuilder;
+
+interface TaskRepositoryInterface
+{
+    public function createQueryBuilder(string $alias, ?string $indexBy = null): QueryBuilder;
+
+    public function findById(int $id): ?Task;
+
+    /**
+     * Returns the max task number for a project, using an advisory lock
+     * to prevent race conditions when creating tasks concurrently.
+     */
+    public function findMaxNumberByProjectForUpdate(Project $project): int;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
new file mode 100644
index 0000000..53c676b
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskStatusRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+
+interface TaskStatusRepositoryInterface
+{
+    public function findById(int $id): ?TaskStatus;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskStatus[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findFirstNonFinal(): ?TaskStatus;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
new file mode 100644
index 0000000..8ead853
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/TaskTagRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+
+interface TaskTagRepositoryInterface
+{
+    public function findById(int $id): ?TaskTag;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return TaskTag[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php b/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
new file mode 100644
index 0000000..6da80d3
--- /dev/null
+++ b/src/Module/ProjectManagement/Domain/Repository/WorkflowRepositoryInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Domain\Repository;
+
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+
+interface WorkflowRepositoryInterface
+{
+    public function findById(int $id): ?Workflow;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Workflow[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findDefault(): ?Workflow;
+}
diff --git a/src/ApiResource/SwitchWorkflowOutput.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
similarity index 88%
rename from src/ApiResource/SwitchWorkflowOutput.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
index ddc3133..7594f8b 100644
--- a/src/ApiResource/SwitchWorkflowOutput.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/Resource/SwitchWorkflowOutput.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource;
 
 use Symfony\Component\Serializer\Attribute\Groups;
 
diff --git a/src/State/RecurrenceHandler.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
similarity index 85%
rename from src/State/RecurrenceHandler.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
index 2e587bd..82ad1d6 100644
--- a/src/State/RecurrenceHandler.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
-use App\Entity\Task;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Service\CalDavService;
-use App\Service\RecurrenceCalculator;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Module\ProjectManagement\Infrastructure\Service\RecurrenceCalculator;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class RecurrenceHandler
 {
     public function __construct(
         private RecurrenceCalculator $calculator,
-        private TaskRepository $taskRepository,
-        private TaskStatusRepository $statusRepository,
+        private TaskRepositoryInterface $taskRepository,
+        private TaskStatusRepositoryInterface $statusRepository,
         private CalDavService $calDavService,
         private EntityManagerInterface $entityManager,
     ) {}
diff --git a/src/State/SwitchProjectWorkflowProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
similarity index 92%
rename from src/State/SwitchProjectWorkflowProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
index c5822ae..822f085 100644
--- a/src/State/SwitchProjectWorkflowProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/SwitchProjectWorkflowProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\SwitchWorkflowOutput;
-use App\Entity\Project;
-use App\Entity\TaskStatus;
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource\SwitchWorkflowOutput;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
diff --git a/src/State/TaskCalendarProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
similarity index 91%
rename from src/State/TaskCalendarProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
index 5e3013e..cb130f1 100644
--- a/src/State/TaskCalendarProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskCalendarProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Entity\TaskStatus;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
diff --git a/src/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
similarity index 98%
rename from src/State/TaskDocumentProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index 51c6750..47adceb 100644
--- a/src/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use App\Service\Share\Exception\InvalidPathException;
 use App\Service\Share\Exception\ShareConnectionException;
 use App\Service\Share\Exception\ShareNotConfiguredException;
diff --git a/src/State/TaskDocumentProvider.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
similarity index 91%
rename from src/State/TaskDocumentProvider.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
index 62cea2f..4687569 100644
--- a/src/State/TaskDocumentProvider.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/State/TaskNumberProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
similarity index 82%
rename from src/State/TaskNumberProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
index 038a865..e6fdfef 100644
--- a/src/State/TaskNumberProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskNumberProcessor.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Task;
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
@@ -24,7 +24,7 @@ final readonly class TaskNumberProcessor implements ProcessorInterface
     public function __construct(
         #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
         private ProcessorInterface $persistProcessor,
-        private TaskRepository $taskRepository,
+        private TaskRepositoryInterface $taskRepository,
         private EntityManagerInterface $entityManager,
         private CalDavService $calDavService,
     ) {}
diff --git a/src/State/WorkflowDeleteProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
similarity index 89%
rename from src/State/WorkflowDeleteProcessor.php
rename to src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
index a0efec9..8e30b88 100644
--- a/src/State/WorkflowDeleteProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/WorkflowDeleteProcessor.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 
diff --git a/src/Controller/TaskDocumentDownloadController.php b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
similarity index 96%
rename from src/Controller/TaskDocumentDownloadController.php
rename to src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
index ce05ede..6c93a7f 100644
--- a/src/Controller/TaskDocumentDownloadController.php
+++ b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\ProjectManagement\Infrastructure\Controller;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use App\Service\Share\Exception\ShareConnectionException;
 use App\Service\Share\Exception\ShareNotConfiguredException;
 use App\Service\Share\FileSource;
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
new file mode 100644
index 0000000..1a1719f
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineProjectRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Project>
+ */
+class DoctrineProjectRepository extends ServiceEntityRepository implements ProjectRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Project::class);
+    }
+
+    public function findById(int $id): ?Project
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
new file mode 100644
index 0000000..d343363
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskEffortRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskEffort>
+ */
+class DoctrineTaskEffortRepository extends ServiceEntityRepository implements TaskEffortRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskEffort::class);
+    }
+
+    public function findById(int $id): ?TaskEffort
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
new file mode 100644
index 0000000..4fd5100
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskGroupRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskGroup>
+ */
+class DoctrineTaskGroupRepository extends ServiceEntityRepository implements TaskGroupRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskGroup::class);
+    }
+
+    public function findById(int $id): ?TaskGroup
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
new file mode 100644
index 0000000..749e020
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskPriorityRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskPriority>
+ */
+class DoctrineTaskPriorityRepository extends ServiceEntityRepository implements TaskPriorityRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskPriority::class);
+    }
+
+    public function findById(int $id): ?TaskPriority
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
new file mode 100644
index 0000000..838ae46
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRecurrenceRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskRecurrence>
+ */
+class DoctrineTaskRecurrenceRepository extends ServiceEntityRepository implements TaskRecurrenceRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskRecurrence::class);
+    }
+
+    public function findById(int $id): ?TaskRecurrence
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Repository/TaskRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
similarity index 72%
rename from src/Repository/TaskRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
index 5922bcc..3e5a94f 100644
--- a/src/Repository/TaskRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskRepository.php
@@ -2,23 +2,29 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\Project;
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<Task>
  */
-class TaskRepository extends ServiceEntityRepository
+class DoctrineTaskRepository extends ServiceEntityRepository implements TaskRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, Task::class);
     }
 
+    public function findById(int $id): ?Task
+    {
+        return $this->find($id);
+    }
+
     /**
      * Returns the max task number for a project, using an advisory lock
      * to prevent race conditions when creating tasks concurrently.
diff --git a/src/Repository/TaskStatusRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
similarity index 57%
rename from src/Repository/TaskStatusRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
index fdc80b5..0142acf 100644
--- a/src/Repository/TaskStatusRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskStatusRepository.php
@@ -2,19 +2,28 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class TaskStatusRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<TaskStatus>
+ */
+class DoctrineTaskStatusRepository extends ServiceEntityRepository implements TaskStatusRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, TaskStatus::class);
     }
 
+    public function findById(int $id): ?TaskStatus
+    {
+        return $this->find($id);
+    }
+
     public function findFirstNonFinal(): ?TaskStatus
     {
         return $this->createQueryBuilder('s')
diff --git a/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
new file mode 100644
index 0000000..2c19038
--- /dev/null
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineTaskTagRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
+
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskTag>
+ */
+class DoctrineTaskTagRepository extends ServiceEntityRepository implements TaskTagRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskTag::class);
+    }
+
+    public function findById(int $id): ?TaskTag
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Repository/WorkflowRepository.php b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
similarity index 52%
rename from src/Repository/WorkflowRepository.php
rename to src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
index fafd288..b635402 100644
--- a/src/Repository/WorkflowRepository.php
+++ b/src/Module/ProjectManagement/Infrastructure/Doctrine/DoctrineWorkflowRepository.php
@@ -2,22 +2,28 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\ProjectManagement\Infrastructure\Doctrine;
 
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<Workflow>
  */
-class WorkflowRepository extends ServiceEntityRepository
+class DoctrineWorkflowRepository extends ServiceEntityRepository implements WorkflowRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, Workflow::class);
     }
 
+    public function findById(int $id): ?Workflow
+    {
+        return $this->find($id);
+    }
+
     public function findDefault(): ?Workflow
     {
         return $this->findOneBy(['isDefault' => true]);
diff --git a/src/EventListener/TaskDocumentListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
similarity index 87%
rename from src/EventListener/TaskDocumentListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
index 3e762d2..414a9a9 100644
--- a/src/EventListener/TaskDocumentListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskDocumentListener.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\Event\PreRemoveEventArgs;
 use Psr\Log\LoggerInterface;
 
diff --git a/src/EventListener/TaskNotificationListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
similarity index 96%
rename from src/EventListener/TaskNotificationListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
index e34b84d..07539d5 100644
--- a/src/EventListener/TaskNotificationListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/TaskNotificationListener.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Shared\Domain\Contract\NotifierInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
diff --git a/src/EventListener/UniqueDefaultWorkflowListener.php b/src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
similarity index 91%
rename from src/EventListener/UniqueDefaultWorkflowListener.php
rename to src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
index 15b61c4..7db1599 100644
--- a/src/EventListener/UniqueDefaultWorkflowListener.php
+++ b/src/Module/ProjectManagement/Infrastructure/EventListener/UniqueDefaultWorkflowListener.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\EventListener;
+namespace App\Module\ProjectManagement\Infrastructure\EventListener;
 
-use App\Entity\Workflow;
+use App\Module\ProjectManagement\Domain\Entity\Workflow;
 use Doctrine\Bundle\DoctrineBundle\Attribute\AsDoctrineListener;
 use Doctrine\ORM\Event\OnFlushEventArgs;
 use Doctrine\ORM\Events;
diff --git a/src/Mcp/Tool/Project/CreateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
similarity index 93%
rename from src/Mcp/Tool/Project/CreateProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
index b901ab1..ff212e6 100644
--- a/src/Mcp/Tool/Project/CreateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Entity\Project;
 use App\Mcp\Tool\Serializer;
+use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Repository\ClientRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Mcp/Tool/Project/DeleteProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
similarity index 80%
rename from src/Mcp/Tool/Project/DeleteProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
index ed0f488..8cef311 100644
--- a/src/Mcp/Tool/Project/DeleteProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/DeleteProjectTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteProjectTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Project/GetProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
similarity index 79%
rename from src/Mcp/Tool/Project/GetProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
index 8674fd4..96b3652 100644
--- a/src/Mcp/Tool/Project/GetProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,8 +18,8 @@ use function sprintf;
 class GetProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
@@ -29,7 +29,7 @@ class GetProjectTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
 
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Project/ListProjectsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
similarity index 78%
rename from src/Mcp/Tool/Project/ListProjectsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
index 1d3e227..a15c886 100644
--- a/src/Mcp/Tool/Project/ListProjectsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListProjectsTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Project/UpdateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
similarity index 88%
rename from src/Mcp/Tool/Project/UpdateProjectTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
index d2d9460..4e9275b 100644
--- a/src/Mcp/Tool/Project/UpdateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Project;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use App\Repository\ClientRepository;
-use App\Repository\ProjectRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,7 +19,7 @@ use function sprintf;
 class UpdateProjectTool
 {
     public function __construct(
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly ClientRepository $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
@@ -38,7 +38,7 @@ class UpdateProjectTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($id);
+        $project = $this->projectRepository->findById($id);
 
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Task/AddTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
similarity index 92%
rename from src/Mcp/Tool/Task/AddTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
index e879d3b..c480396 100644
--- a/src/Mcp/Tool/Task/AddTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/AddTaskDocumentTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -33,7 +33,7 @@ class AddTaskDocumentTool
 
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -52,7 +52,7 @@ class AddTaskDocumentTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
         }
diff --git a/src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
similarity index 86%
rename from src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
index 499e687..d661606 100644
--- a/src/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskRecurrenceTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -22,7 +22,7 @@ class CreateTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -41,7 +41,7 @@ class CreateTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
         }
diff --git a/src/Mcp/Tool/Task/CreateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
similarity index 79%
rename from src/Mcp/Tool/Task/CreateTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
index 9067417..7cd3fbd 100644
--- a/src/Mcp/Tool/Task/CreateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
@@ -2,19 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\Task;
 use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskEffortRepository;
-use App\Repository\TaskGroupRepository;
-use App\Repository\TaskPriorityRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Repository\TaskTagRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -29,13 +29,13 @@ class CreateTaskTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskStatusRepository $taskStatusRepository,
-        private readonly TaskPriorityRepository $taskPriorityRepository,
-        private readonly TaskEffortRepository $taskEffortRepository,
-        private readonly TaskGroupRepository $taskGroupRepository,
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
@@ -65,7 +65,7 @@ class CreateTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($projectId);
+        $project = $this->projectRepository->findById($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
         }
@@ -78,21 +78,21 @@ class CreateTaskTool
             $task->setDescription($description);
         }
         if (null !== $statusId) {
-            $status = $this->taskStatusRepository->find($statusId);
+            $status = $this->taskStatusRepository->findById($statusId);
             if (null === $status) {
                 throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $statusId));
             }
             $task->setStatus($status);
         }
         if (null !== $priorityId) {
-            $priority = $this->taskPriorityRepository->find($priorityId);
+            $priority = $this->taskPriorityRepository->findById($priorityId);
             if (null === $priority) {
                 throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $priorityId));
             }
             $task->setPriority($priority);
         }
         if (null !== $effortId) {
-            $effort = $this->taskEffortRepository->find($effortId);
+            $effort = $this->taskEffortRepository->findById($effortId);
             if (null === $effort) {
                 throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $effortId));
             }
@@ -106,7 +106,7 @@ class CreateTaskTool
             $task->setAssignee($assignee);
         }
         if (null !== $groupId) {
-            $group = $this->taskGroupRepository->find($groupId);
+            $group = $this->taskGroupRepository->findById($groupId);
             if (null === $group) {
                 throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $groupId));
             }
@@ -114,7 +114,7 @@ class CreateTaskTool
         }
         if (null !== $tagIds) {
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Mcp/Tool/Task/DeleteTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
similarity index 92%
rename from src/Mcp/Tool/Task/DeleteTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
index 99ffa12..25ed3d7 100644
--- a/src/Mcp/Tool/Task/DeleteTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskDocumentTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
similarity index 82%
rename from src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
index 4039fff..8a0399a 100644
--- a/src/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskRecurrenceTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Repository\TaskRecurrenceRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,7 +19,7 @@ class DeleteTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRecurrenceRepository $taskRecurrenceRepository,
+        private readonly TaskRecurrenceRepositoryInterface $taskRecurrenceRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -30,7 +30,7 @@ class DeleteTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $recurrence = $this->taskRecurrenceRepository->find($recurrenceId);
+        $recurrence = $this->taskRecurrenceRepository->findById($recurrenceId);
         if (null === $recurrence) {
             throw new InvalidArgumentException(sprintf('TaskRecurrence with ID %d not found.', $recurrenceId));
         }
diff --git a/src/Mcp/Tool/Task/DeleteTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
similarity index 82%
rename from src/Mcp/Tool/Task/DeleteTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
index fa006a3..bbf0a04 100644
--- a/src/Mcp/Tool/Task/DeleteTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/DeleteTaskTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Repository\TaskRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class DeleteTaskTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
@@ -30,7 +30,7 @@ class DeleteTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Task/GetTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
similarity index 87%
rename from src/Mcp/Tool/Task/GetTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
index 94f0bfb..2c88709 100644
--- a/src/Mcp/Tool/Task/GetTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetTaskTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/Task/ListTasksTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
similarity index 94%
rename from src/Mcp/Tool/Task/ListTasksTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
index 9722ad0..3d3b3db 100644
--- a/src/Mcp/Tool/Task/ListTasksTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\TaskRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTasksTool
 {
     public function __construct(
-        private readonly TaskRepository $taskRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Task/UpdateTaskDocumentTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
similarity index 96%
rename from src/Mcp/Tool/Task/UpdateTaskDocumentTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
index 59cc4a4..d80e695 100644
--- a/src/Mcp/Tool/Task/UpdateTaskDocumentTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskDocumentTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Entity\TaskDocument;
+use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
similarity index 85%
rename from src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
index ae03b4f..6c2b7c6 100644
--- a/src/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskRecurrenceTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Enum\RecurrenceType;
-use App\Repository\TaskRecurrenceRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -21,7 +21,7 @@ class UpdateTaskRecurrenceTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRecurrenceRepository $taskRecurrenceRepository,
+        private readonly TaskRecurrenceRepositoryInterface $taskRecurrenceRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
     ) {}
@@ -40,7 +40,7 @@ class UpdateTaskRecurrenceTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $recurrence = $this->taskRecurrenceRepository->find($recurrenceId);
+        $recurrence = $this->taskRecurrenceRepository->findById($recurrenceId);
         if (null === $recurrence) {
             throw new InvalidArgumentException(sprintf('TaskRecurrence with ID %d not found.', $recurrenceId));
         }
diff --git a/src/Mcp/Tool/Task/UpdateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
similarity index 81%
rename from src/Mcp/Tool/Task/UpdateTaskTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
index a345f23..10e8b6d 100644
--- a/src/Mcp/Tool/Task/UpdateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Task;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
 use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\TaskEffortRepository;
-use App\Repository\TaskGroupRepository;
-use App\Repository\TaskPriorityRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskStatusRepository;
-use App\Repository\TaskTagRepository;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -27,12 +27,12 @@ class UpdateTaskTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskStatusRepository $taskStatusRepository,
-        private readonly TaskPriorityRepository $taskPriorityRepository,
-        private readonly TaskEffortRepository $taskEffortRepository,
-        private readonly TaskGroupRepository $taskGroupRepository,
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly DoctrineUserRepository $userRepository,
         private readonly Security $security,
         private readonly CalDavService $calDavService,
@@ -63,7 +63,7 @@ class UpdateTaskTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $task = $this->taskRepository->find($id);
+        $task = $this->taskRepository->findById($id);
 
         if (null === $task) {
             throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $id));
@@ -76,21 +76,21 @@ class UpdateTaskTool
             $task->setDescription($description);
         }
         if (null !== $statusId) {
-            $status = $this->taskStatusRepository->find($statusId);
+            $status = $this->taskStatusRepository->findById($statusId);
             if (null === $status) {
                 throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $statusId));
             }
             $task->setStatus($status);
         }
         if (null !== $priorityId) {
-            $priority = $this->taskPriorityRepository->find($priorityId);
+            $priority = $this->taskPriorityRepository->findById($priorityId);
             if (null === $priority) {
                 throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $priorityId));
             }
             $task->setPriority($priority);
         }
         if (null !== $effortId) {
-            $effort = $this->taskEffortRepository->find($effortId);
+            $effort = $this->taskEffortRepository->findById($effortId);
             if (null === $effort) {
                 throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $effortId));
             }
@@ -104,7 +104,7 @@ class UpdateTaskTool
             $task->setAssignee($assignee);
         }
         if (null !== $groupId) {
-            $group = $this->taskGroupRepository->find($groupId);
+            $group = $this->taskGroupRepository->findById($groupId);
             if (null === $group) {
                 throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $groupId));
             }
@@ -116,7 +116,7 @@ class UpdateTaskTool
                 $task->removeTag($existingTag);
             }
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Mcp/Tool/TaskMeta/CreateEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
similarity index 87%
rename from src/Mcp/Tool/TaskMeta/CreateEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
index 5c2fb95..6f73d94 100644
--- a/src/Mcp/Tool/TaskMeta/CreateEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskEffort;
+use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/CreateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
similarity index 80%
rename from src/Mcp/Tool/TaskMeta/CreateGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
index a65a2e7..4e40a3e 100644
--- a/src/Mcp/Tool/TaskMeta/CreateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskGroup;
 use App\Mcp\Tool\Serializer;
-use App\Repository\ProjectRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -20,7 +20,7 @@ class CreateGroupTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ProjectRepository $projectRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
         private readonly Security $security,
     ) {}
 
@@ -34,7 +34,7 @@ class CreateGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $project = $this->projectRepository->find($projectId);
+        $project = $this->projectRepository->findById($projectId);
         if (null === $project) {
             throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
         }
diff --git a/src/Mcp/Tool/TaskMeta/CreatePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
similarity index 89%
rename from src/Mcp/Tool/TaskMeta/CreatePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
index 9e324f9..814d060 100644
--- a/src/Mcp/Tool/TaskMeta/CreatePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreatePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskPriority;
+use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/CreateStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
similarity index 84%
rename from src/Mcp/Tool/TaskMeta/CreateStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
index ae978f3..d847c8e 100644
--- a/src/Mcp/Tool/TaskMeta/CreateStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateStatusTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskStatus;
-use App\Enum\StatusCategory;
-use App\Repository\WorkflowRepository;
+use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -19,7 +19,7 @@ use function sprintf;
 class CreateStatusTool
 {
     public function __construct(
-        private readonly WorkflowRepository $workflowRepository,
+        private readonly WorkflowRepositoryInterface $workflowRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -36,7 +36,7 @@ class CreateStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $workflow = $this->workflowRepository->find($workflowId);
+        $workflow = $this->workflowRepository->findById($workflowId);
         if (null === $workflow) {
             throw new InvalidArgumentException(sprintf('Workflow with ID %d not found.', $workflowId));
         }
diff --git a/src/Mcp/Tool/TaskMeta/CreateTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
similarity index 89%
rename from src/Mcp/Tool/TaskMeta/CreateTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
index 867ea25..b5b2ffd 100644
--- a/src/Mcp/Tool/TaskMeta/CreateTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\TaskTag;
+use App\Module\ProjectManagement\Domain\Entity\TaskTag;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/TaskMeta/DeleteEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeleteEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
index 92dc8e1..fa662fc 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteEffortTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $effortRepository,
+        private readonly TaskEffortRepositoryInterface $effortRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteEffortTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $effort = $this->effortRepository->find($id);
+        $effort = $this->effortRepository->findById($id);
         if (null === $effort) {
             throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeleteGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
index ae65342..41565cf 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteGroupTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteGroupTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $group = $this->taskGroupRepository->find($id);
+        $group = $this->taskGroupRepository->findById($id);
         if (null === $group) {
             throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeletePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/DeletePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
index 4c9b25a..025b986 100644
--- a/src/Mcp/Tool/TaskMeta/DeletePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeletePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeletePriorityTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $priorityRepository,
+        private readonly TaskPriorityRepositoryInterface $priorityRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeletePriorityTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $priority = $this->priorityRepository->find($id);
+        $priority = $this->priorityRepository->findById($id);
         if (null === $priority) {
             throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
similarity index 80%
rename from src/Mcp/Tool/TaskMeta/DeleteStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
index d5aab15..5a4122d 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteStatusTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteStatusTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $statusRepository,
+        private readonly TaskStatusRepositoryInterface $statusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $status = $this->statusRepository->find($id);
+        $status = $this->statusRepository->findById($id);
         if (null === $status) {
             throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/DeleteTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
similarity index 80%
rename from src/Mcp/Tool/TaskMeta/DeleteTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
index 78e2660..cc7538e 100644
--- a/src/Mcp/Tool/TaskMeta/DeleteTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/DeleteTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteTagTool
 {
     public function __construct(
-        private readonly TaskTagRepository $tagRepository,
+        private readonly TaskTagRepositoryInterface $tagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteTagTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $tag = $this->tagRepository->find($id);
+        $tag = $this->tagRepository->findById($id);
         if (null === $tag) {
             throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/ListEffortsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/ListEffortsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
index c7d67d0..c47f201 100644
--- a/src/Mcp/Tool/TaskMeta/ListEffortsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListEffortsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListEffortsTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $taskEffortRepository,
+        private readonly TaskEffortRepositoryInterface $taskEffortRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListGroupsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
similarity index 81%
rename from src/Mcp/Tool/TaskMeta/ListGroupsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
index 373e7f1..5b6f658 100644
--- a/src/Mcp/Tool/TaskMeta/ListGroupsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListGroupsTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
index df06447..ed590ad 100644
--- a/src/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListPrioritiesTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListPrioritiesTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $taskPriorityRepository,
+        private readonly TaskPriorityRepositoryInterface $taskPriorityRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/ListStatusesTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
similarity index 85%
rename from src/Mcp/Tool/TaskMeta/ListStatusesTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
index db6c8e3..709b60a 100644
--- a/src/Mcp/Tool/TaskMeta/ListStatusesTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListStatusesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Entity\Project;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,7 +18,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListStatusesTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $taskStatusRepository,
+        private readonly TaskStatusRepositoryInterface $taskStatusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
diff --git a/src/Mcp/Tool/TaskMeta/ListTagsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
similarity index 79%
rename from src/Mcp/Tool/TaskMeta/ListTagsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
index d43287d..0650400 100644
--- a/src/Mcp/Tool/TaskMeta/ListTagsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListTagsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListTagsTool
 {
     public function __construct(
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/TaskMeta/UpdateEffortTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
similarity index 78%
rename from src/Mcp/Tool/TaskMeta/UpdateEffortTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
index b317d6c..657495a 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateEffortTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateEffortTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskEffortRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdateEffortTool
 {
     public function __construct(
-        private readonly TaskEffortRepository $effortRepository,
+        private readonly TaskEffortRepositoryInterface $effortRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdateEffortTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $effort = $this->effortRepository->find($id);
+        $effort = $this->effortRepository->findById($id);
         if (null === $effort) {
             throw new InvalidArgumentException(sprintf('TaskEffort with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
similarity index 84%
rename from src/Mcp/Tool/TaskMeta/UpdateGroupTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
index 1b78ac0..967ed42 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\TaskGroupRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateGroupTool
 {
     public function __construct(
-        private readonly TaskGroupRepository $taskGroupRepository,
+        private readonly TaskGroupRepositoryInterface $taskGroupRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -34,7 +34,7 @@ class UpdateGroupTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $group = $this->taskGroupRepository->find($id);
+        $group = $this->taskGroupRepository->findById($id);
 
         if (null === $group) {
             throw new InvalidArgumentException(sprintf('TaskGroup with ID %d not found.', $id));
diff --git a/src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
similarity index 81%
rename from src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
index 992feff..26c37db 100644
--- a/src/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdatePriorityTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskPriorityRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskPriorityRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdatePriorityTool
 {
     public function __construct(
-        private readonly TaskPriorityRepository $priorityRepository,
+        private readonly TaskPriorityRepositoryInterface $priorityRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdatePriorityTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $priority = $this->priorityRepository->find($id);
+        $priority = $this->priorityRepository->findById($id);
         if (null === $priority) {
             throw new InvalidArgumentException(sprintf('TaskPriority with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateStatusTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
similarity index 86%
rename from src/Mcp/Tool/TaskMeta/UpdateStatusTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
index 09e12cb..23b2f33 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateStatusTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateStatusTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Enum\StatusCategory;
-use App\Repository\TaskStatusRepository;
+use App\Module\ProjectManagement\Domain\Enum\StatusCategory;
+use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateStatusTool
 {
     public function __construct(
-        private readonly TaskStatusRepository $statusRepository,
+        private readonly TaskStatusRepositoryInterface $statusRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -35,7 +35,7 @@ class UpdateStatusTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $status = $this->statusRepository->find($id);
+        $status = $this->statusRepository->findById($id);
         if (null === $status) {
             throw new InvalidArgumentException(sprintf('TaskStatus with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/TaskMeta/UpdateTagTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
similarity index 82%
rename from src/Mcp/Tool/TaskMeta/UpdateTagTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
index 60cff41..37482f2 100644
--- a/src/Mcp/Tool/TaskMeta/UpdateTagTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateTagTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\TaskMeta;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Repository\TaskTagRepository;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class UpdateTagTool
 {
     public function __construct(
-        private readonly TaskTagRepository $tagRepository,
+        private readonly TaskTagRepositoryInterface $tagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class UpdateTagTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $tag = $this->tagRepository->find($id);
+        $tag = $this->tagRepository->findById($id);
         if (null === $tag) {
             throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Workflow/ListWorkflowsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
similarity index 86%
rename from src/Mcp/Tool/Workflow/ListWorkflowsTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
index 03701d2..b1d713c 100644
--- a/src/Mcp/Tool/Workflow/ListWorkflowsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/ListWorkflowsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Workflow;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Workflow;
 
-use App\Repository\WorkflowRepository;
+use App\Module\ProjectManagement\Domain\Repository\WorkflowRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -16,7 +16,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListWorkflowsTool
 {
     public function __construct(
-        private readonly WorkflowRepository $workflowRepository,
+        private readonly WorkflowRepositoryInterface $workflowRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
similarity index 90%
rename from src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
rename to src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
index f0448f7..07f2b82 100644
--- a/src/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Workflow/SwitchProjectWorkflowTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Workflow;
+namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Workflow;
 
 use ApiPlatform\Metadata\Post;
-use App\Entity\Project;
-use App\State\SwitchProjectWorkflowProcessor;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\SwitchProjectWorkflowProcessor;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Service/CalDavService.php b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
similarity index 97%
rename from src/Service/CalDavService.php
rename to src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
index cd56476..15b4db6 100644
--- a/src/Service/CalDavService.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\ProjectManagement\Infrastructure\Service;
 
-use App\Entity\Task;
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
 use App\Repository\ZimbraConfigurationRepository;
+use App\Service\TokenEncryptor;
 use DateTimeZone;
 use Psr\Log\LoggerInterface;
 use Sabre\VObject\Component\VCalendar;
diff --git a/src/Service/RecurrenceCalculator.php b/src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
similarity index 96%
rename from src/Service/RecurrenceCalculator.php
rename to src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
index f501a0b..fc67fca 100644
--- a/src/Service/RecurrenceCalculator.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/RecurrenceCalculator.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\ProjectManagement\Infrastructure\Service;
 
-use App\Entity\Task;
-use App\Entity\TaskRecurrence;
-use App\Enum\RecurrenceType;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
+use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
 use DateTimeImmutable;
 
 final class RecurrenceCalculator
diff --git a/src/Module/ProjectManagement/ProjectManagementModule.php b/src/Module/ProjectManagement/ProjectManagementModule.php
new file mode 100644
index 0000000..06dddd0
--- /dev/null
+++ b/src/Module/ProjectManagement/ProjectManagementModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ProjectManagement;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class ProjectManagementModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'project-management';
+    }
+
+    public static function label(): string
+    {
+        return 'Projets & Tâches';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module ProjectManagement (2.2).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'project-management.projects.view', 'label' => 'Voir les projets'],
+            ['code' => 'project-management.projects.manage', 'label' => 'Gérer les projets'],
+            ['code' => 'project-management.tasks.view', 'label' => 'Voir les tâches'],
+            ['code' => 'project-management.tasks.manage', 'label' => 'Gérer les tâches'],
+        ];
+    }
+}
diff --git a/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
index 5dcf02e..6808436 100644
--- a/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
+++ b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Controller;
 
-use App\Entity\Project;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use App\Module\TimeTracking\Infrastructure\Export\TimeEntryExportService;
 use DateTimeImmutable;
diff --git a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
index 1055472..0403015 100644
--- a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
@@ -6,11 +6,11 @@ namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskTagRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -26,9 +26,9 @@ class CreateTimeEntryTool
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly DoctrineUserRepository $userRepository,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly Security $security,
     ) {}
@@ -77,14 +77,14 @@ class CreateTimeEntryTool
             $entry->setDescription($description);
         }
         if (null !== $projectId) {
-            $project = $this->projectRepository->find($projectId);
+            $project = $this->projectRepository->findById($projectId);
             if (null === $project) {
                 throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
             }
             $entry->setProject($project);
         }
         if (null !== $taskId) {
-            $task = $this->taskRepository->find($taskId);
+            $task = $this->taskRepository->findById($taskId);
             if (null === $task) {
                 throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
             }
@@ -92,7 +92,7 @@ class CreateTimeEntryTool
         }
         if (null !== $tagIds) {
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
index fa67cf1..e1f3a9c 100644
--- a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
@@ -5,10 +5,10 @@ declare(strict_types=1);
 namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
-use App\Repository\ProjectRepository;
-use App\Repository\TaskRepository;
-use App\Repository\TaskTagRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -23,9 +23,9 @@ class UpdateTimeEntryTool
 {
     public function __construct(
         private readonly TimeEntryRepositoryInterface $timeEntryRepository,
-        private readonly ProjectRepository $projectRepository,
-        private readonly TaskRepository $taskRepository,
-        private readonly TaskTagRepository $taskTagRepository,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskTagRepositoryInterface $taskTagRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -66,14 +66,14 @@ class UpdateTimeEntryTool
             $entry->setDescription($description);
         }
         if (null !== $projectId) {
-            $project = $this->projectRepository->find($projectId);
+            $project = $this->projectRepository->findById($projectId);
             if (null === $project) {
                 throw new InvalidArgumentException(sprintf('Project with ID %d not found.', $projectId));
             }
             $entry->setProject($project);
         }
         if (null !== $taskId) {
-            $task = $this->taskRepository->find($taskId);
+            $task = $this->taskRepository->findById($taskId);
             if (null === $task) {
                 throw new InvalidArgumentException(sprintf('Task with ID %d not found.', $taskId));
             }
@@ -84,7 +84,7 @@ class UpdateTimeEntryTool
                 $entry->removeTag($existingTag);
             }
             foreach ($tagIds as $tagId) {
-                $tag = $this->taskTagRepository->find($tagId);
+                $tag = $this->taskTagRepository->findById($tagId);
                 if (null === $tag) {
                     throw new InvalidArgumentException(sprintf('TaskTag with ID %d not found.', $tagId));
                 }
diff --git a/src/Repository/ProjectRepository.php b/src/Repository/ProjectRepository.php
deleted file mode 100644
index 6455dae..0000000
--- a/src/Repository/ProjectRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\Project;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class ProjectRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, Project::class);
-    }
-}
diff --git a/src/Repository/TaskEffortRepository.php b/src/Repository/TaskEffortRepository.php
deleted file mode 100644
index 22c2c90..0000000
--- a/src/Repository/TaskEffortRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskEffort;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskEffortRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskEffort::class);
-    }
-}
diff --git a/src/Repository/TaskGroupRepository.php b/src/Repository/TaskGroupRepository.php
deleted file mode 100644
index a8c9053..0000000
--- a/src/Repository/TaskGroupRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskGroup;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskGroupRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskGroup::class);
-    }
-}
diff --git a/src/Repository/TaskMailLinkRepository.php b/src/Repository/TaskMailLinkRepository.php
index 565e71d..da49bd5 100644
--- a/src/Repository/TaskMailLinkRepository.php
+++ b/src/Repository/TaskMailLinkRepository.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Repository;
 
 use App\Entity\MailMessage;
-use App\Entity\Task;
 use App\Entity\TaskMailLink;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
diff --git a/src/Repository/TaskPriorityRepository.php b/src/Repository/TaskPriorityRepository.php
deleted file mode 100644
index b6ffca6..0000000
--- a/src/Repository/TaskPriorityRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskPriority;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskPriorityRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskPriority::class);
-    }
-}
diff --git a/src/Repository/TaskRecurrenceRepository.php b/src/Repository/TaskRecurrenceRepository.php
deleted file mode 100644
index b73eb6b..0000000
--- a/src/Repository/TaskRecurrenceRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskRecurrence;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskRecurrenceRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskRecurrence::class);
-    }
-}
diff --git a/src/Repository/TaskTagRepository.php b/src/Repository/TaskTagRepository.php
deleted file mode 100644
index 43540a8..0000000
--- a/src/Repository/TaskTagRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskTag;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskTagRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskTag::class);
-    }
-}
diff --git a/src/Service/GiteaApiService.php b/src/Service/GiteaApiService.php
index a61df03..95b6741 100644
--- a/src/Service/GiteaApiService.php
+++ b/src/Service/GiteaApiService.php
@@ -5,9 +5,9 @@ declare(strict_types=1);
 namespace App\Service;
 
 use App\Entity\GiteaConfiguration;
-use App\Entity\Project;
-use App\Entity\Task;
 use App\Exception\GiteaApiException;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\GiteaConfigurationRepository;
 use Symfony\Component\String\Slugger\AsciiSlugger;
 use Symfony\Component\String\Slugger\SluggerInterface;
diff --git a/src/State/BookStackLinkProcessor.php b/src/State/BookStackLinkProcessor.php
index 81809e0..13b9d85 100644
--- a/src/State/BookStackLinkProcessor.php
+++ b/src/State/BookStackLinkProcessor.php
@@ -8,8 +8,8 @@ use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\ApiResource\BookStackLink;
-use App\Entity\Task;
 use App\Entity\TaskBookStackLink;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Repository\TaskBookStackLinkRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
diff --git a/src/State/BookStackSearchResultProvider.php b/src/State/BookStackSearchResultProvider.php
index d7bb95b..014965d 100644
--- a/src/State/BookStackSearchResultProvider.php
+++ b/src/State/BookStackSearchResultProvider.php
@@ -7,8 +7,8 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\ApiResource\BookStackSearchResult;
-use App\Entity\Task;
 use App\Exception\BookStackApiException;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Service\BookStackApiService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
diff --git a/src/State/GiteaBranchNameProvider.php b/src/State/GiteaBranchNameProvider.php
index d226b62..377ec4d 100644
--- a/src/State/GiteaBranchNameProvider.php
+++ b/src/State/GiteaBranchNameProvider.php
@@ -7,7 +7,7 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\ApiResource\GiteaBranchName;
-use App\Entity\Task;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Service\GiteaApiService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
diff --git a/src/State/GiteaBranchProcessor.php b/src/State/GiteaBranchProcessor.php
index 6814630..7496eba 100644
--- a/src/State/GiteaBranchProcessor.php
+++ b/src/State/GiteaBranchProcessor.php
@@ -7,8 +7,8 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\ApiResource\GiteaBranch;
-use App\Entity\Task;
 use App\Exception\GiteaApiException;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Service\GiteaApiService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
diff --git a/src/State/GiteaBranchProvider.php b/src/State/GiteaBranchProvider.php
index 8152110..908e49f 100644
--- a/src/State/GiteaBranchProvider.php
+++ b/src/State/GiteaBranchProvider.php
@@ -8,8 +8,8 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProviderInterface;
 use App\ApiResource\GiteaBranch;
-use App\Entity\Task;
 use App\Exception\GiteaApiException;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Service\GiteaApiService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
diff --git a/src/State/GiteaPullRequestProvider.php b/src/State/GiteaPullRequestProvider.php
index 69f2128..0ca9b4a 100644
--- a/src/State/GiteaPullRequestProvider.php
+++ b/src/State/GiteaPullRequestProvider.php
@@ -7,8 +7,8 @@ namespace App\State;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use App\ApiResource\GiteaPullRequest;
-use App\Entity\Task;
 use App\Exception\GiteaApiException;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Service\GiteaApiService;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
diff --git a/src/State/ZimbraTestConnectionProvider.php b/src/State/ZimbraTestConnectionProvider.php
index 828c64f..0148f82 100644
--- a/src/State/ZimbraTestConnectionProvider.php
+++ b/src/State/ZimbraTestConnectionProvider.php
@@ -8,7 +8,7 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
 use App\ApiResource\ZimbraTestConnection;
-use App\Service\CalDavService;
+use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Throwable;
 
 final readonly class ZimbraTestConnectionProvider implements ProviderInterface, ProcessorInterface
diff --git a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
index 3b7d6e1..5d37334 100644
--- a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
@@ -6,9 +6,9 @@ namespace App\Tests\Functional\Controller\Mail;
 
 use App\Entity\MailFolder;
 use App\Entity\MailMessage;
-use App\Entity\Project;
-use App\Entity\Task;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
diff --git a/tests/Functional/EventListener/TaskNotificationListenerTest.php b/tests/Functional/EventListener/TaskNotificationListenerTest.php
index 682c0f9..d63bd55 100644
--- a/tests/Functional/EventListener/TaskNotificationListenerTest.php
+++ b/tests/Functional/EventListener/TaskNotificationListenerTest.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\EventListener;
 
-use App\Entity\Project;
-use App\Entity\Task;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
diff --git a/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php b/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
index d878905..481c4a9 100644
--- a/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
+++ b/tests/Unit/Mcp/CoercingSchemaGeneratorTest.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Tests\Unit\Mcp;
 
 use App\Mcp\Schema\CoercingSchemaGenerator;
-use App\Mcp\Tool\Task\CreateTaskTool;
-use App\Mcp\Tool\Task\ListTasksTool;
+use App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\CreateTaskTool;
+use App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task\ListTasksTool;
 use PHPUnit\Framework\TestCase;
 use ReflectionMethod;
 
-- 
2.39.5


From c90d91d6c46a5fdb53751b66b6ac1525e425d990 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 17:05:47 +0200
Subject: [PATCH 49/99] feat(project-management) : add timestampable/blamable
 to Task and Project (additive)

Tranche 3 of LST-65. Task and Project adopt TimestampableBlamableTrait.

- Additive migration on task and project: created_at/updated_at (nullable),
  created_by/updated_by (nullable INT, FK to "user" ON DELETE SET NULL) +
  indexes + COMMENT ON COLUMN. down() drops only the added objects.
- Trait fields stay out of the existing API groups (trait carries its own).
- Functional test (TaskTimestampableTest) confirms created_at on persist and
  updated_at refresh on update.

161 tests green, no destructive migration.
---
 migrations/Version20260620161500.php          |  79 ++++++++++++++
 .../Domain/Entity/Project.php                 |   7 +-
 .../ProjectManagement/Domain/Entity/Task.php  |   7 +-
 .../TaskTimestampableTest.php                 | 102 ++++++++++++++++++
 4 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100644 migrations/Version20260620161500.php
 create mode 100644 tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php

diff --git a/migrations/Version20260620161500.php b/migrations/Version20260620161500.php
new file mode 100644
index 0000000..1e9b5a4
--- /dev/null
+++ b/migrations/Version20260620161500.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * ProjectManagement module (LST-65 slice 3): add Timestampable/Blamable columns
+ * to task and project.
+ *
+ * Task and Project adopt TimestampableBlamableTrait (after TimeEntry). This
+ * migration is purely additive — nullable columns + nullable FK to "user" with
+ * ON DELETE SET NULL. No DROP/ALTER on existing data. Columns are lowercase
+ * snake_case. Hand-written to guarantee zero destructive instruction.
+ */
+final class Version20260620161500 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'ProjectManagement: add timestampable/blamable columns to task and project (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // task
+        $this->addSql('ALTER TABLE task ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB25DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB2516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB25DE12AB56 ON task (created_by)');
+        $this->addSql('CREATE INDEX IDX_527EDB2516FE72E1 ON task (updated_by)');
+        $this->addSql("COMMENT ON COLUMN task.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN task.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN task.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN task.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // project
+        $this->addSql('ALTER TABLE project ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE project ADD CONSTRAINT FK_2FB3D0EEDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE project ADD CONSTRAINT FK_2FB3D0EE16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_2FB3D0EEDE12AB56 ON project (created_by)');
+        $this->addSql('CREATE INDEX IDX_2FB3D0EE16FE72E1 ON project (updated_by)');
+        $this->addSql("COMMENT ON COLUMN project.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN project.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN project.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN project.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // task
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB25DE12AB56');
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB2516FE72E1');
+        $this->addSql('DROP INDEX IDX_527EDB25DE12AB56');
+        $this->addSql('DROP INDEX IDX_527EDB2516FE72E1');
+        $this->addSql('ALTER TABLE task DROP created_at');
+        $this->addSql('ALTER TABLE task DROP updated_at');
+        $this->addSql('ALTER TABLE task DROP created_by');
+        $this->addSql('ALTER TABLE task DROP updated_by');
+
+        // project
+        $this->addSql('ALTER TABLE project DROP CONSTRAINT FK_2FB3D0EEDE12AB56');
+        $this->addSql('ALTER TABLE project DROP CONSTRAINT FK_2FB3D0EE16FE72E1');
+        $this->addSql('DROP INDEX IDX_2FB3D0EEDE12AB56');
+        $this->addSql('DROP INDEX IDX_2FB3D0EE16FE72E1');
+        $this->addSql('ALTER TABLE project DROP created_at');
+        $this->addSql('ALTER TABLE project DROP updated_at');
+        $this->addSql('ALTER TABLE project DROP created_by');
+        $this->addSql('ALTER TABLE project DROP updated_by');
+    }
+}
diff --git a/src/Module/ProjectManagement/Domain/Entity/Project.php b/src/Module/ProjectManagement/Domain/Entity/Project.php
index 1fe5cb1..793883e 100644
--- a/src/Module/ProjectManagement/Domain/Entity/Project.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Project.php
@@ -16,8 +16,11 @@ use ApiPlatform\Metadata\Post;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\Resource\SwitchWorkflowOutput;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\SwitchProjectWorkflowProcessor;
 use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineProjectRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
 use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -56,8 +59,10 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiFilter(BooleanFilter::class, properties: ['archived'])]
 #[ORM\Entity(repositoryClass: DoctrineProjectRepository::class)]
 #[UniqueEntity(fields: ['code'], message: 'Ce code de projet est déjà utilisé.')]
-class Project implements ProjectInterface
+class Project implements ProjectInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Module/ProjectManagement/Domain/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
index ecbabc3..2795a95 100644
--- a/src/Module/ProjectManagement/Domain/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -18,8 +18,11 @@ use ApiPlatform\Metadata\Post;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarProcessor;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
 use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
 use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
@@ -47,8 +50,10 @@ use Symfony\Component\Validator\Context\ExecutionContextInterface;
 #[ORM\Entity(repositoryClass: DoctrineTaskRepository::class)]
 #[ORM\Table(name: 'task')]
 #[ORM\UniqueConstraint(name: 'uniq_task_project_number', columns: ['project_id', 'number'])]
-class Task implements TaskInterface
+class Task implements TaskInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php b/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php
new file mode 100644
index 0000000..b457cec
--- /dev/null
+++ b/tests/Functional/Module/ProjectManagement/TaskTimestampableTest.php
@@ -0,0 +1,102 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\ProjectManagement;
+
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\ProjectManagement\Domain\Entity\Task;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * Task adopts TimestampableBlamableTrait (LST-65 slice 3).
+ * Verifies the TimestampableBlamableSubscriber populates created_at on
+ * persist and refreshes updated_at on update.
+ *
+ * @internal
+ */
+final class TaskTimestampableTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+        $this->em->getConnection()->executeStatement("DELETE FROM task WHERE title = 'ts-test-task'");
+    }
+
+    protected function tearDown(): void
+    {
+        $this->em->getConnection()->executeStatement("DELETE FROM task WHERE title = 'ts-test-task'");
+        parent::tearDown();
+        unset($this->em);
+    }
+
+    public function testCreatedAtIsSetOnPersist(): void
+    {
+        $task = $this->makeTask();
+        $this->em->persist($task);
+        $this->em->flush();
+
+        self::assertInstanceOf(DateTimeImmutable::class, $task->getCreatedAt(), 'createdAt must be set after flush');
+        self::assertInstanceOf(DateTimeImmutable::class, $task->getUpdatedAt(), 'updatedAt must be set after flush');
+
+        $taskId = $task->getId();
+        $this->em->clear();
+        $reloaded = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertNotNull($reloaded);
+        self::assertNotNull($reloaded->getCreatedAt(), 'created_at must be persisted in DB');
+    }
+
+    public function testUpdatedAtIsRefreshedOnUpdate(): void
+    {
+        $task = $this->makeTask();
+        $this->em->persist($task);
+        $this->em->flush();
+
+        $taskId           = $task->getId();
+        $initialUpdatedAt = $task->getUpdatedAt();
+        self::assertNotNull($initialUpdatedAt);
+
+        // Backdate the persisted value so the preUpdate refresh is observable
+        // even within the same second.
+        $this->em->getConnection()->executeStatement(
+            "UPDATE task SET updated_at = '2000-01-01 00:00:00' WHERE id = :id",
+            ['id' => $taskId],
+        );
+        $this->em->clear();
+
+        /** @var Task $managed */
+        $managed = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertSame('2000-01-01 00:00:00', $managed->getUpdatedAt()?->format('Y-m-d H:i:s'));
+
+        $managed->setDescription('changed description');
+        $this->em->flush();
+        $this->em->clear();
+
+        /** @var Task $reloaded */
+        $reloaded = $this->em->getRepository(Task::class)->find($taskId);
+        self::assertNotNull($reloaded->getUpdatedAt());
+        self::assertNotSame(
+            '2000-01-01 00:00:00',
+            $reloaded->getUpdatedAt()->format('Y-m-d H:i:s'),
+            'updated_at must be refreshed and persisted on UPDATE',
+        );
+    }
+
+    private function makeTask(): Task
+    {
+        $project = $this->em->getRepository(Project::class)->findOneBy([]);
+        self::assertNotNull($project, 'Les fixtures doivent fournir au moins un projet.');
+
+        $task = new Task();
+        $task->setNumber(random_int(100000, 999999));
+        $task->setTitle('ts-test-task');
+        $task->setProject($project);
+
+        return $task;
+    }
+}
-- 
2.39.5


From 7446b7dca93abd15b4f6a51f0dcaa54a4c4ee93b Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 17:06:13 +0200
Subject: [PATCH 50/99] feat(project-management) : extract Projects/Tasks front
 into Nuxt module layer

Tranche 4 of LST-65. Companion to the backend module migration.

- Move pages (my-tasks, projects, projects/[id]/{index,groups,archives}),
  18 components (project + task), 10 services and 10 DTOs into
  frontend/modules/project-management/ (auto-detected layer).
- Rewrite explicit ~/services/* and ~/services/dto/* imports across 38
  consumers (admin tabs, mail modals, dashboard, mail page, layout) including
  the time-tracking module whose DTOs referenced project/task/task-tag.
- clients.ts and shared DTOs (client, user-data) stay at the root.
- Routes /my-tasks, /projects, /projects/:id(/groups|/archives) preserved;
  i18n stays global.

nuxt build passes; routes confirmed.
---
 frontend/app/layouts/default.vue              |  4 +--
 frontend/components/admin/AdminEffortTab.vue  |  4 +--
 .../components/admin/AdminPriorityTab.vue     |  4 +--
 frontend/components/admin/AdminTagTab.vue     |  4 +--
 .../components/admin/AdminWorkflowTab.vue     |  4 +--
 frontend/components/admin/WorkflowDrawer.vue  | 10 +++---
 .../components/mail/MailCreateTaskModal.vue   | 10 +++---
 .../components/mail/MailLinkTaskModal.vue     |  8 ++---
 .../components}/ProjectDrawer.vue             |  4 +--
 .../components}/ProjectGroupTab.vue           |  8 ++---
 .../ProjectWorkflowSwitchModal.vue            | 12 +++----
 .../components}/StatusPickerPopover.vue       |  2 +-
 .../components}/TaskBookStackLinks.vue        |  0
 .../components}/TaskBulkActions.vue           | 12 +++----
 .../components}/TaskCard.vue                  |  2 +-
 .../components}/TaskDocumentList.vue          |  4 +--
 .../components}/TaskDocumentPreview.vue       |  4 +--
 .../components}/TaskDocumentShareLinker.vue   |  2 +-
 .../components}/TaskDocumentUpload.vue        |  2 +-
 .../components}/TaskEffortDrawer.vue          |  4 +--
 .../components}/TaskGitSection.vue            |  2 +-
 .../components}/TaskGroupDrawer.vue           |  8 ++---
 .../components}/TaskListItem.vue              |  2 +-
 .../components}/TaskModal.vue                 | 22 ++++++-------
 .../components}/TaskPriorityDrawer.vue        |  4 +--
 .../components}/TaskTagDrawer.vue             |  4 +--
 .../modules/project-management/nuxt.config.ts |  1 +
 .../project-management}/pages/my-tasks.vue    | 32 +++++++++----------
 .../pages/projects/[id]/archives.vue          | 26 +++++++--------
 .../pages/projects/[id]/groups.vue            |  4 +--
 .../pages/projects/[id]/index.vue             | 26 +++++++--------
 .../pages/projects/index.vue                  |  4 +--
 .../services/dto/project.ts                   |  2 +-
 .../services/dto/task-document.ts             |  2 +-
 .../services/dto/task-effort.ts               |  0
 .../services/dto/task-group.ts                |  0
 .../services/dto/task-priority.ts             |  0
 .../services/dto/task-recurrence.ts           |  0
 .../services/dto/task-status.ts               |  0
 .../services/dto/task-tag.ts                  |  0
 .../project-management}/services/dto/task.ts  |  2 +-
 .../services/dto/workflow.ts                  |  0
 .../project-management}/services/projects.ts  |  0
 .../services/task-documents.ts                |  0
 .../services/task-efforts.ts                  |  0
 .../services/task-groups.ts                   |  0
 .../services/task-priorities.ts               |  0
 .../services/task-recurrences.ts              |  0
 .../services/task-statuses.ts                 |  0
 .../project-management}/services/task-tags.ts |  0
 .../project-management}/services/tasks.ts     |  0
 .../project-management}/services/workflows.ts |  0
 .../components/TimeEntryDrawer.vue            |  4 +--
 .../components/TimeTrackingExportDrawer.vue   |  4 +--
 .../time-tracking/pages/time-tracking.vue     |  4 +--
 .../time-tracking/services/dto/time-entry.ts  |  6 ++--
 .../modules/time-tracking/stores/timer.ts     |  2 +-
 frontend/pages/index.vue                      | 16 +++++-----
 frontend/pages/mail.vue                       |  2 +-
 frontend/services/mail.ts                     |  2 +-
 60 files changed, 143 insertions(+), 142 deletions(-)
 rename frontend/{components/project => modules/project-management/components}/ProjectDrawer.vue (98%)
 rename frontend/{components/project => modules/project-management/components}/ProjectGroupTab.vue (94%)
 rename frontend/{components/project => modules/project-management/components}/ProjectWorkflowSwitchModal.vue (94%)
 rename frontend/{components/task => modules/project-management/components}/StatusPickerPopover.vue (91%)
 rename frontend/{components/task => modules/project-management/components}/TaskBookStackLinks.vue (100%)
 rename frontend/{components/task => modules/project-management/components}/TaskBulkActions.vue (92%)
 rename frontend/{components/task => modules/project-management/components}/TaskCard.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentList.vue (95%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentPreview.vue (97%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentShareLinker.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskDocumentUpload.vue (97%)
 rename frontend/{components/task => modules/project-management/components}/TaskEffortDrawer.vue (91%)
 rename frontend/{components/task => modules/project-management/components}/TaskGitSection.vue (99%)
 rename frontend/{components/task => modules/project-management/components}/TaskGroupDrawer.vue (93%)
 rename frontend/{components/task => modules/project-management/components}/TaskListItem.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskModal.vue (98%)
 rename frontend/{components/task => modules/project-management/components}/TaskPriorityDrawer.vue (92%)
 rename frontend/{components/task => modules/project-management/components}/TaskTagDrawer.vue (93%)
 create mode 100644 frontend/modules/project-management/nuxt.config.ts
 rename frontend/{ => modules/project-management}/pages/my-tasks.vue (93%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/archives.vue (81%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/groups.vue (82%)
 rename frontend/{ => modules/project-management}/pages/projects/[id]/index.vue (93%)
 rename frontend/{ => modules/project-management}/pages/projects/index.vue (96%)
 rename frontend/{ => modules/project-management}/services/dto/project.ts (93%)
 rename frontend/{ => modules/project-management}/services/dto/task-document.ts (81%)
 rename frontend/{ => modules/project-management}/services/dto/task-effort.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-group.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-priority.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-recurrence.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-status.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task-tag.ts (100%)
 rename frontend/{ => modules/project-management}/services/dto/task.ts (96%)
 rename frontend/{ => modules/project-management}/services/dto/workflow.ts (100%)
 rename frontend/{ => modules/project-management}/services/projects.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-documents.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-efforts.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-groups.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-priorities.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-recurrences.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-statuses.ts (100%)
 rename frontend/{ => modules/project-management}/services/task-tags.ts (100%)
 rename frontend/{ => modules/project-management}/services/tasks.ts (100%)
 rename frontend/{ => modules/project-management}/services/workflows.ts (100%)

diff --git a/frontend/app/layouts/default.vue b/frontend/app/layouts/default.vue
index 9012026..7ae9da6 100644
--- a/frontend/app/layouts/default.vue
+++ b/frontend/app/layouts/default.vue
@@ -125,8 +125,8 @@
 
 <script setup lang="ts">
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import { useAppVersion } from '~/composables/useAppVersion'
 import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
diff --git a/frontend/components/admin/AdminEffortTab.vue b/frontend/components/admin/AdminEffortTab.vue
index 6132be6..b626bca 100644
--- a/frontend/components/admin/AdminEffortTab.vue
+++ b/frontend/components/admin/AdminEffortTab.vue
@@ -30,8 +30,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskEffort } from '~/services/dto/task-effort'
-import { useTaskEffortService } from '~/services/task-efforts'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminPriorityTab.vue b/frontend/components/admin/AdminPriorityTab.vue
index 8391328..0f91660 100644
--- a/frontend/components/admin/AdminPriorityTab.vue
+++ b/frontend/components/admin/AdminPriorityTab.vue
@@ -37,8 +37,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskPriority } from '~/services/dto/task-priority'
-import { useTaskPriorityService } from '~/services/task-priorities'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminTagTab.vue b/frontend/components/admin/AdminTagTab.vue
index 45b22da..13313a8 100644
--- a/frontend/components/admin/AdminTagTab.vue
+++ b/frontend/components/admin/AdminTagTab.vue
@@ -37,8 +37,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskTag } from '~/services/dto/task-tag'
-import { useTaskTagService } from '~/services/task-tags'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/components/admin/AdminWorkflowTab.vue b/frontend/components/admin/AdminWorkflowTab.vue
index 0c6fbdd..db4b5f5 100644
--- a/frontend/components/admin/AdminWorkflowTab.vue
+++ b/frontend/components/admin/AdminWorkflowTab.vue
@@ -42,8 +42,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Workflow } from '~/services/dto/workflow'
-import { useWorkflowService } from '~/services/workflows'
+import type { Workflow } from '~/modules/project-management/services/dto/workflow'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
 const { t } = useI18n()
diff --git a/frontend/components/admin/WorkflowDrawer.vue b/frontend/components/admin/WorkflowDrawer.vue
index 3ffd57d..0495956 100644
--- a/frontend/components/admin/WorkflowDrawer.vue
+++ b/frontend/components/admin/WorkflowDrawer.vue
@@ -96,11 +96,11 @@
 </template>
 
 <script setup lang="ts">
-import type { Workflow, StatusCategory } from '~/services/dto/workflow'
-import { STATUS_CATEGORY_COLOR } from '~/services/dto/workflow'
-import type { TaskStatusWrite } from '~/services/dto/task-status'
-import { useWorkflowService } from '~/services/workflows'
-import { useTaskStatusService } from '~/services/task-statuses'
+import type { Workflow, StatusCategory } from '~/modules/project-management/services/dto/workflow'
+import { STATUS_CATEGORY_COLOR } from '~/modules/project-management/services/dto/workflow'
+import type { TaskStatusWrite } from '~/modules/project-management/services/dto/task-status'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
 
 const { t } = useI18n()
 
diff --git a/frontend/components/mail/MailCreateTaskModal.vue b/frontend/components/mail/MailCreateTaskModal.vue
index 3b75539..93f666b 100644
--- a/frontend/components/mail/MailCreateTaskModal.vue
+++ b/frontend/components/mail/MailCreateTaskModal.vue
@@ -1,12 +1,12 @@
 <script setup lang="ts">
 import type { MailMessageDetailDto } from '~/services/dto/mail'
-import type { Task } from '~/services/dto/task'
-import type { Project } from '~/services/dto/project'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
 import { useMailService } from '~/services/mail'
-import { useProjectService } from '~/services/projects'
-import { useTaskGroupService } from '~/services/task-groups'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
 import { useAuthStore } from '~/shared/stores/auth'
 
diff --git a/frontend/components/mail/MailLinkTaskModal.vue b/frontend/components/mail/MailLinkTaskModal.vue
index 9749099..00c641c 100644
--- a/frontend/components/mail/MailLinkTaskModal.vue
+++ b/frontend/components/mail/MailLinkTaskModal.vue
@@ -1,9 +1,9 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { Project } from '~/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Project } from '~/modules/project-management/services/dto/project'
 import { useMailService } from '~/services/mail'
-import { useTaskService } from '~/services/tasks'
-import { useProjectService } from '~/services/projects'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/project/ProjectDrawer.vue b/frontend/modules/project-management/components/ProjectDrawer.vue
similarity index 98%
rename from frontend/components/project/ProjectDrawer.vue
rename to frontend/modules/project-management/components/ProjectDrawer.vue
index 27d639b..cd9aef4 100644
--- a/frontend/components/project/ProjectDrawer.vue
+++ b/frontend/modules/project-management/components/ProjectDrawer.vue
@@ -123,11 +123,11 @@
 </template>
 
 <script setup lang="ts">
-import type { Project, ProjectWrite } from '~/services/dto/project'
+import type { Project, ProjectWrite } from '~/modules/project-management/services/dto/project'
 import type { Client } from '~/services/dto/client'
 import type { GiteaRepository } from '~/services/dto/gitea'
 import type { BookStackShelf } from '~/services/dto/bookstack'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 import { useGiteaService } from '~/services/gitea'
 import { useBookStackService } from '~/services/bookstack'
 
diff --git a/frontend/components/project/ProjectGroupTab.vue b/frontend/modules/project-management/components/ProjectGroupTab.vue
similarity index 94%
rename from frontend/components/project/ProjectGroupTab.vue
rename to frontend/modules/project-management/components/ProjectGroupTab.vue
index 45047d1..e5e8627 100644
--- a/frontend/components/project/ProjectGroupTab.vue
+++ b/frontend/modules/project-management/components/ProjectGroupTab.vue
@@ -67,10 +67,10 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskGroup } from '~/services/dto/task-group'
-import type { Task } from '~/services/dto/task'
-import { useTaskGroupService } from '~/services/task-groups'
-import { useTaskService } from '~/services/tasks'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 import { stripRichText } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/project/ProjectWorkflowSwitchModal.vue b/frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
similarity index 94%
rename from frontend/components/project/ProjectWorkflowSwitchModal.vue
rename to frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
index 3b5a3a6..c485f95 100644
--- a/frontend/components/project/ProjectWorkflowSwitchModal.vue
+++ b/frontend/modules/project-management/components/ProjectWorkflowSwitchModal.vue
@@ -82,12 +82,12 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { Workflow } from '~/services/dto/workflow'
-import type { TaskStatus } from '~/services/dto/task-status'
-import { useWorkflowService } from '~/services/workflows'
-import { useTaskService } from '~/services/tasks'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { Workflow } from '~/modules/project-management/services/dto/workflow'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import { useWorkflowService } from '~/modules/project-management/services/workflows'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/StatusPickerPopover.vue b/frontend/modules/project-management/components/StatusPickerPopover.vue
similarity index 91%
rename from frontend/components/task/StatusPickerPopover.vue
rename to frontend/modules/project-management/components/StatusPickerPopover.vue
index a37e074..0927082 100644
--- a/frontend/components/task/StatusPickerPopover.vue
+++ b/frontend/modules/project-management/components/StatusPickerPopover.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { TaskStatus } from '~/services/dto/task-status'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
 
 defineProps<{
     statuses: TaskStatus[]
diff --git a/frontend/components/task/TaskBookStackLinks.vue b/frontend/modules/project-management/components/TaskBookStackLinks.vue
similarity index 100%
rename from frontend/components/task/TaskBookStackLinks.vue
rename to frontend/modules/project-management/components/TaskBookStackLinks.vue
diff --git a/frontend/components/task/TaskBulkActions.vue b/frontend/modules/project-management/components/TaskBulkActions.vue
similarity index 92%
rename from frontend/components/task/TaskBulkActions.vue
rename to frontend/modules/project-management/components/TaskBulkActions.vue
index 77cecd4..0d16060 100644
--- a/frontend/components/task/TaskBulkActions.vue
+++ b/frontend/modules/project-management/components/TaskBulkActions.vue
@@ -104,13 +104,13 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
+import type { Project } from '~/modules/project-management/services/dto/project'
 
 const props = withDefaults(defineProps<{
     selectedCount: number
diff --git a/frontend/components/task/TaskCard.vue b/frontend/modules/project-management/components/TaskCard.vue
similarity index 98%
rename from frontend/components/task/TaskCard.vue
rename to frontend/modules/project-management/components/TaskCard.vue
index 595b319..777087c 100644
--- a/frontend/components/task/TaskCard.vue
+++ b/frontend/modules/project-management/components/TaskCard.vue
@@ -102,7 +102,7 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/components/task/TaskDocumentList.vue b/frontend/modules/project-management/components/TaskDocumentList.vue
similarity index 95%
rename from frontend/components/task/TaskDocumentList.vue
rename to frontend/modules/project-management/components/TaskDocumentList.vue
index b4aed6b..acb94ab 100644
--- a/frontend/components/task/TaskDocumentList.vue
+++ b/frontend/modules/project-management/components/TaskDocumentList.vue
@@ -60,8 +60,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskDocument } from '~/services/dto/task-document'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 
 defineProps<{
diff --git a/frontend/components/task/TaskDocumentPreview.vue b/frontend/modules/project-management/components/TaskDocumentPreview.vue
similarity index 97%
rename from frontend/components/task/TaskDocumentPreview.vue
rename to frontend/modules/project-management/components/TaskDocumentPreview.vue
index e6e4327..d40ed8b 100644
--- a/frontend/components/task/TaskDocumentPreview.vue
+++ b/frontend/modules/project-management/components/TaskDocumentPreview.vue
@@ -121,8 +121,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskDocument } from '~/services/dto/task-document'
-import { useTaskDocumentService } from '~/services/task-documents'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 import { copyToClipboard } from '~/utils/clipboard'
 
diff --git a/frontend/components/task/TaskDocumentShareLinker.vue b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
similarity index 98%
rename from frontend/components/task/TaskDocumentShareLinker.vue
rename to frontend/modules/project-management/components/TaskDocumentShareLinker.vue
index 695db5c..33008e2 100644
--- a/frontend/components/task/TaskDocumentShareLinker.vue
+++ b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
@@ -58,7 +58,7 @@
 <script setup lang="ts">
 import type { Breadcrumb, FileEntry } from '~/services/dto/share'
 import { useShareService } from '~/services/share'
-import { useTaskDocumentService } from '~/services/task-documents'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/components/task/TaskDocumentUpload.vue b/frontend/modules/project-management/components/TaskDocumentUpload.vue
similarity index 97%
rename from frontend/components/task/TaskDocumentUpload.vue
rename to frontend/modules/project-management/components/TaskDocumentUpload.vue
index 853850a..d818665 100644
--- a/frontend/components/task/TaskDocumentUpload.vue
+++ b/frontend/modules/project-management/components/TaskDocumentUpload.vue
@@ -46,7 +46,7 @@
 </template>
 
 <script setup lang="ts">
-import { useTaskDocumentService } from '~/services/task-documents'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 
 const props = defineProps<{
     taskId?: number
diff --git a/frontend/components/task/TaskEffortDrawer.vue b/frontend/modules/project-management/components/TaskEffortDrawer.vue
similarity index 91%
rename from frontend/components/task/TaskEffortDrawer.vue
rename to frontend/modules/project-management/components/TaskEffortDrawer.vue
index ac186be..a0794cd 100644
--- a/frontend/components/task/TaskEffortDrawer.vue
+++ b/frontend/modules/project-management/components/TaskEffortDrawer.vue
@@ -25,8 +25,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskEffort, TaskEffortWrite } from '~/services/dto/task-effort'
-import { useTaskEffortService } from '~/services/task-efforts'
+import type { TaskEffort, TaskEffortWrite } from '~/modules/project-management/services/dto/task-effort'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskGitSection.vue b/frontend/modules/project-management/components/TaskGitSection.vue
similarity index 99%
rename from frontend/components/task/TaskGitSection.vue
rename to frontend/modules/project-management/components/TaskGitSection.vue
index 0e6dffc..6a4216a 100644
--- a/frontend/components/task/TaskGitSection.vue
+++ b/frontend/modules/project-management/components/TaskGitSection.vue
@@ -226,7 +226,7 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 import type { GiteaBranch, GiteaPullRequest } from '~/services/dto/gitea'
 import { useGiteaService } from '~/services/gitea'
 import { copyToClipboard } from '~/utils/clipboard'
diff --git a/frontend/components/task/TaskGroupDrawer.vue b/frontend/modules/project-management/components/TaskGroupDrawer.vue
similarity index 93%
rename from frontend/components/task/TaskGroupDrawer.vue
rename to frontend/modules/project-management/components/TaskGroupDrawer.vue
index 2d64266..4f52523 100644
--- a/frontend/components/task/TaskGroupDrawer.vue
+++ b/frontend/modules/project-management/components/TaskGroupDrawer.vue
@@ -56,10 +56,10 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskGroup, TaskGroupWrite } from '~/services/dto/task-group'
-import type { Task } from '~/services/dto/task'
-import { useTaskGroupService } from '~/services/task-groups'
-import { useTaskService } from '~/services/tasks'
+import type { TaskGroup, TaskGroupWrite } from '~/modules/project-management/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
+import { useTaskService } from '~/modules/project-management/services/tasks'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskListItem.vue b/frontend/modules/project-management/components/TaskListItem.vue
similarity index 98%
rename from frontend/components/task/TaskListItem.vue
rename to frontend/modules/project-management/components/TaskListItem.vue
index e2f5d5f..e978073 100644
--- a/frontend/components/task/TaskListItem.vue
+++ b/frontend/modules/project-management/components/TaskListItem.vue
@@ -110,7 +110,7 @@
 </template>
 
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/components/task/TaskModal.vue b/frontend/modules/project-management/components/TaskModal.vue
similarity index 98%
rename from frontend/components/task/TaskModal.vue
rename to frontend/modules/project-management/components/TaskModal.vue
index 5930be3..62e6309 100644
--- a/frontend/components/task/TaskModal.vue
+++ b/frontend/modules/project-management/components/TaskModal.vue
@@ -536,21 +536,21 @@
 </template>
 
 <script setup lang="ts">
-import type { Task, TaskWrite } from '~/services/dto/task'
-import type { TaskDocument } from '~/services/dto/task-document'
+import type { Task, TaskWrite } from '~/modules/project-management/services/dto/task'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
 import { useGiteaService } from '~/services/gitea'
-import { useTaskDocumentService } from '~/services/task-documents'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import ConfirmDeleteDocumentModal from '~/components/ui/ConfirmDeleteDocumentModal.vue'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useTaskService } from '~/services/tasks'
-import { useTaskRecurrenceService } from '~/services/task-recurrences'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskRecurrenceService } from '~/modules/project-management/services/task-recurrences'
 
-import type { Project } from '~/services/dto/project'
+import type { Project } from '~/modules/project-management/services/dto/project'
 import { useMailService } from '~/services/mail'
 import type { MailMessageHeaderDto } from '~/services/dto/mail'
 
diff --git a/frontend/components/task/TaskPriorityDrawer.vue b/frontend/modules/project-management/components/TaskPriorityDrawer.vue
similarity index 92%
rename from frontend/components/task/TaskPriorityDrawer.vue
rename to frontend/modules/project-management/components/TaskPriorityDrawer.vue
index 627abe4..dd9e9b8 100644
--- a/frontend/components/task/TaskPriorityDrawer.vue
+++ b/frontend/modules/project-management/components/TaskPriorityDrawer.vue
@@ -28,8 +28,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskPriority, TaskPriorityWrite } from '~/services/dto/task-priority'
-import { useTaskPriorityService } from '~/services/task-priorities'
+import type { TaskPriority, TaskPriorityWrite } from '~/modules/project-management/services/dto/task-priority'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/task/TaskTagDrawer.vue b/frontend/modules/project-management/components/TaskTagDrawer.vue
similarity index 93%
rename from frontend/components/task/TaskTagDrawer.vue
rename to frontend/modules/project-management/components/TaskTagDrawer.vue
index 01ec2e1..16dc44e 100644
--- a/frontend/components/task/TaskTagDrawer.vue
+++ b/frontend/modules/project-management/components/TaskTagDrawer.vue
@@ -28,8 +28,8 @@
 </template>
 
 <script setup lang="ts">
-import type { TaskTag, TaskTagWrite } from '~/services/dto/task-tag'
-import { useTaskTagService } from '~/services/task-tags'
+import type { TaskTag, TaskTagWrite } from '~/modules/project-management/services/dto/task-tag'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/modules/project-management/nuxt.config.ts b/frontend/modules/project-management/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/project-management/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/my-tasks.vue b/frontend/modules/project-management/pages/my-tasks.vue
similarity index 93%
rename from frontend/pages/my-tasks.vue
rename to frontend/modules/project-management/pages/my-tasks.vue
index 4172272..35bb536 100644
--- a/frontend/pages/my-tasks.vue
+++ b/frontend/modules/project-management/pages/my-tasks.vue
@@ -1,22 +1,22 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { StatusCategory } from '~/services/dto/workflow'
-import { STATUS_CATEGORY_LABEL, STATUS_CATEGORY_COLOR, contrastText } from '~/services/dto/workflow'
-import { useTaskService } from '~/services/tasks'
-import { useTaskStatusService } from '~/services/task-statuses'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { StatusCategory } from '~/modules/project-management/services/dto/workflow'
+import { STATUS_CATEGORY_LABEL, STATUS_CATEGORY_COLOR, contrastText } from '~/modules/project-management/services/dto/workflow'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const { t } = useI18n()
 const route = useRoute()
diff --git a/frontend/pages/projects/[id]/archives.vue b/frontend/modules/project-management/pages/projects/[id]/archives.vue
similarity index 81%
rename from frontend/pages/projects/[id]/archives.vue
rename to frontend/modules/project-management/pages/projects/[id]/archives.vue
index f8994d6..b17dd26 100644
--- a/frontend/pages/projects/[id]/archives.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/archives.vue
@@ -72,20 +72,20 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useProjectService } from '~/services/projects'
-import { useTaskService } from '~/services/tasks'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
 
 const route = useRoute()
diff --git a/frontend/pages/projects/[id]/groups.vue b/frontend/modules/project-management/pages/projects/[id]/groups.vue
similarity index 82%
rename from frontend/pages/projects/[id]/groups.vue
rename to frontend/modules/project-management/pages/projects/[id]/groups.vue
index ce87026..3a4f802 100644
--- a/frontend/pages/projects/[id]/groups.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/groups.vue
@@ -13,8 +13,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import { useProjectService } from '~/services/projects'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const route = useRoute()
 const projectId = computed(() => Number(route.params.id))
diff --git a/frontend/pages/projects/[id]/index.vue b/frontend/modules/project-management/pages/projects/[id]/index.vue
similarity index 93%
rename from frontend/pages/projects/[id]/index.vue
rename to frontend/modules/project-management/pages/projects/[id]/index.vue
index 861aee3..29ca735 100644
--- a/frontend/pages/projects/[id]/index.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/index.vue
@@ -207,22 +207,22 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskEffort } from '~/services/dto/task-effort'
-import type { TaskPriority } from '~/services/dto/task-priority'
-import type { TaskTag } from '~/services/dto/task-tag'
-import type { TaskGroup } from '~/services/dto/task-group'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskEffort } from '~/modules/project-management/services/dto/task-effort'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
+import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
 import type { Client } from '~/services/dto/client'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 import { useClientService } from '~/services/clients'
-import { useTaskService } from '~/services/tasks'
-import { useTaskEffortService } from '~/services/task-efforts'
-import { useTaskPriorityService } from '~/services/task-priorities'
-import { useTaskTagService } from '~/services/task-tags'
-import { useTaskGroupService } from '~/services/task-groups'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
+import { useTaskTagService } from '~/modules/project-management/services/task-tags'
+import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
 
 const route = useRoute()
diff --git a/frontend/pages/projects/index.vue b/frontend/modules/project-management/pages/projects/index.vue
similarity index 96%
rename from frontend/pages/projects/index.vue
rename to frontend/modules/project-management/pages/projects/index.vue
index 821b9aa..954d2ca 100644
--- a/frontend/pages/projects/index.vue
+++ b/frontend/modules/project-management/pages/projects/index.vue
@@ -76,9 +76,9 @@
 </template>
 
 <script setup lang="ts">
-import type { Project } from '~/services/dto/project'
+import type { Project } from '~/modules/project-management/services/dto/project'
 import type { Client } from '~/services/dto/client'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 import { useClientService } from '~/services/clients'
 
 useHead({ title: 'Projets' })
diff --git a/frontend/services/dto/project.ts b/frontend/modules/project-management/services/dto/project.ts
similarity index 93%
rename from frontend/services/dto/project.ts
rename to frontend/modules/project-management/services/dto/project.ts
index 8e36770..8e160d3 100644
--- a/frontend/services/dto/project.ts
+++ b/frontend/modules/project-management/services/dto/project.ts
@@ -1,4 +1,4 @@
-import type { Client } from './client'
+import type { Client } from '~/services/dto/client'
 import type { Workflow } from './workflow'
 
 export type Project = {
diff --git a/frontend/services/dto/task-document.ts b/frontend/modules/project-management/services/dto/task-document.ts
similarity index 81%
rename from frontend/services/dto/task-document.ts
rename to frontend/modules/project-management/services/dto/task-document.ts
index e9a8886..45688a5 100644
--- a/frontend/services/dto/task-document.ts
+++ b/frontend/modules/project-management/services/dto/task-document.ts
@@ -1,4 +1,4 @@
-import type { UserData } from './user-data'
+import type { UserData } from '~/services/dto/user-data'
 
 export type TaskDocument = {
     '@id'?: string
diff --git a/frontend/services/dto/task-effort.ts b/frontend/modules/project-management/services/dto/task-effort.ts
similarity index 100%
rename from frontend/services/dto/task-effort.ts
rename to frontend/modules/project-management/services/dto/task-effort.ts
diff --git a/frontend/services/dto/task-group.ts b/frontend/modules/project-management/services/dto/task-group.ts
similarity index 100%
rename from frontend/services/dto/task-group.ts
rename to frontend/modules/project-management/services/dto/task-group.ts
diff --git a/frontend/services/dto/task-priority.ts b/frontend/modules/project-management/services/dto/task-priority.ts
similarity index 100%
rename from frontend/services/dto/task-priority.ts
rename to frontend/modules/project-management/services/dto/task-priority.ts
diff --git a/frontend/services/dto/task-recurrence.ts b/frontend/modules/project-management/services/dto/task-recurrence.ts
similarity index 100%
rename from frontend/services/dto/task-recurrence.ts
rename to frontend/modules/project-management/services/dto/task-recurrence.ts
diff --git a/frontend/services/dto/task-status.ts b/frontend/modules/project-management/services/dto/task-status.ts
similarity index 100%
rename from frontend/services/dto/task-status.ts
rename to frontend/modules/project-management/services/dto/task-status.ts
diff --git a/frontend/services/dto/task-tag.ts b/frontend/modules/project-management/services/dto/task-tag.ts
similarity index 100%
rename from frontend/services/dto/task-tag.ts
rename to frontend/modules/project-management/services/dto/task-tag.ts
diff --git a/frontend/services/dto/task.ts b/frontend/modules/project-management/services/dto/task.ts
similarity index 96%
rename from frontend/services/dto/task.ts
rename to frontend/modules/project-management/services/dto/task.ts
index d2a8114..3a20502 100644
--- a/frontend/services/dto/task.ts
+++ b/frontend/modules/project-management/services/dto/task.ts
@@ -3,7 +3,7 @@ import type { TaskEffort } from './task-effort'
 import type { TaskPriority } from './task-priority'
 import type { TaskTag } from './task-tag'
 import type { TaskGroup } from './task-group'
-import type { UserData } from './user-data'
+import type { UserData } from '~/services/dto/user-data'
 import type { Project } from './project'
 import type { TaskDocument } from './task-document'
 
diff --git a/frontend/services/dto/workflow.ts b/frontend/modules/project-management/services/dto/workflow.ts
similarity index 100%
rename from frontend/services/dto/workflow.ts
rename to frontend/modules/project-management/services/dto/workflow.ts
diff --git a/frontend/services/projects.ts b/frontend/modules/project-management/services/projects.ts
similarity index 100%
rename from frontend/services/projects.ts
rename to frontend/modules/project-management/services/projects.ts
diff --git a/frontend/services/task-documents.ts b/frontend/modules/project-management/services/task-documents.ts
similarity index 100%
rename from frontend/services/task-documents.ts
rename to frontend/modules/project-management/services/task-documents.ts
diff --git a/frontend/services/task-efforts.ts b/frontend/modules/project-management/services/task-efforts.ts
similarity index 100%
rename from frontend/services/task-efforts.ts
rename to frontend/modules/project-management/services/task-efforts.ts
diff --git a/frontend/services/task-groups.ts b/frontend/modules/project-management/services/task-groups.ts
similarity index 100%
rename from frontend/services/task-groups.ts
rename to frontend/modules/project-management/services/task-groups.ts
diff --git a/frontend/services/task-priorities.ts b/frontend/modules/project-management/services/task-priorities.ts
similarity index 100%
rename from frontend/services/task-priorities.ts
rename to frontend/modules/project-management/services/task-priorities.ts
diff --git a/frontend/services/task-recurrences.ts b/frontend/modules/project-management/services/task-recurrences.ts
similarity index 100%
rename from frontend/services/task-recurrences.ts
rename to frontend/modules/project-management/services/task-recurrences.ts
diff --git a/frontend/services/task-statuses.ts b/frontend/modules/project-management/services/task-statuses.ts
similarity index 100%
rename from frontend/services/task-statuses.ts
rename to frontend/modules/project-management/services/task-statuses.ts
diff --git a/frontend/services/task-tags.ts b/frontend/modules/project-management/services/task-tags.ts
similarity index 100%
rename from frontend/services/task-tags.ts
rename to frontend/modules/project-management/services/task-tags.ts
diff --git a/frontend/services/tasks.ts b/frontend/modules/project-management/services/tasks.ts
similarity index 100%
rename from frontend/services/tasks.ts
rename to frontend/modules/project-management/services/tasks.ts
diff --git a/frontend/services/workflows.ts b/frontend/modules/project-management/services/workflows.ts
similarity index 100%
rename from frontend/services/workflows.ts
rename to frontend/modules/project-management/services/workflows.ts
diff --git a/frontend/modules/time-tracking/components/TimeEntryDrawer.vue b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
index e078e13..0f002a1 100644
--- a/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeEntryDrawer.vue
@@ -126,8 +126,8 @@
 <script setup lang="ts">
 import type { TimeEntry, TimeEntryWrite } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 const props = defineProps<{
diff --git a/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
index abeeb8e..77d4e7e 100644
--- a/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
@@ -108,8 +108,8 @@
 
 <script setup lang="ts">
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import type { Client } from '~/services/dto/client'
 
 const props = defineProps<{
diff --git a/frontend/modules/time-tracking/pages/time-tracking.vue b/frontend/modules/time-tracking/pages/time-tracking.vue
index e2afcd9..fa29935 100644
--- a/frontend/modules/time-tracking/pages/time-tracking.vue
+++ b/frontend/modules/time-tracking/pages/time-tracking.vue
@@ -152,8 +152,8 @@
 <script setup lang="ts">
 import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import type { Client } from '~/services/dto/client'
 import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 import type { HydraCollection } from '~/utils/api'
diff --git a/frontend/modules/time-tracking/services/dto/time-entry.ts b/frontend/modules/time-tracking/services/dto/time-entry.ts
index f129e51..3f4275e 100644
--- a/frontend/modules/time-tracking/services/dto/time-entry.ts
+++ b/frontend/modules/time-tracking/services/dto/time-entry.ts
@@ -1,7 +1,7 @@
 import type { UserData } from '~/services/dto/user-data'
-import type { Project } from '~/services/dto/project'
-import type { Task } from '~/services/dto/task'
-import type { TaskTag } from '~/services/dto/task-tag'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 
 export type TimeEntry = {
     id: number
diff --git a/frontend/modules/time-tracking/stores/timer.ts b/frontend/modules/time-tracking/stores/timer.ts
index ec6253a..6462747 100644
--- a/frontend/modules/time-tracking/stores/timer.ts
+++ b/frontend/modules/time-tracking/stores/timer.ts
@@ -1,6 +1,6 @@
 import { defineStore } from 'pinia'
 import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 
 export const useTimerStore = defineStore('timer', () => {
diff --git a/frontend/pages/index.vue b/frontend/pages/index.vue
index b55c37c..96b1d67 100644
--- a/frontend/pages/index.vue
+++ b/frontend/pages/index.vue
@@ -1,16 +1,16 @@
 <script setup lang="ts">
 import { Doughnut, Bar, Line } from 'vue-chartjs'
-import type { Task } from '~/services/dto/task'
-import type { TaskStatus } from '~/services/dto/task-status'
-import type { TaskPriority } from '~/services/dto/task-priority'
+import type { Task } from '~/modules/project-management/services/dto/task'
+import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
+import type { TaskPriority } from '~/modules/project-management/services/dto/task-priority'
 import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
-import type { Project } from '~/services/dto/project'
+import type { Project } from '~/modules/project-management/services/dto/project'
 import type { UserData } from '~/services/dto/user-data'
-import { useTaskService } from '~/services/tasks'
-import { useTaskStatusService } from '~/services/task-statuses'
-import { useTaskPriorityService } from '~/services/task-priorities'
+import { useTaskService } from '~/modules/project-management/services/tasks'
+import { useTaskStatusService } from '~/modules/project-management/services/task-statuses'
+import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
 import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
-import { useProjectService } from '~/services/projects'
+import { useProjectService } from '~/modules/project-management/services/projects'
 import { useUserService } from '~/services/users'
 
 const { t } = useI18n()
diff --git a/frontend/pages/mail.vue b/frontend/pages/mail.vue
index 6f79de7..9673b03 100644
--- a/frontend/pages/mail.vue
+++ b/frontend/pages/mail.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { Task } from '~/services/dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 import { useMailStore } from '~/stores/mail'
 
 const { t } = useI18n()
diff --git a/frontend/services/mail.ts b/frontend/services/mail.ts
index 2f44422..c3215c7 100644
--- a/frontend/services/mail.ts
+++ b/frontend/services/mail.ts
@@ -12,7 +12,7 @@ import type {
     MailLinkTaskInput,
     MailSyncResultDto,
 } from './dto/mail'
-import type { Task } from './dto/task'
+import type { Task } from '~/modules/project-management/services/dto/task'
 
 type BackendMailMessage = {
     id: number
-- 
2.39.5


From 306cfd34cdeb493945d305d3a7d9eb4ea406e9bb Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 18:32:02 +0200
Subject: [PATCH 51/99] feat(absence) : migrate Absence domain into module
 (back)

LST-66 (2.3) backend. Behaviour-preserving move of the absences domain into
src/Module/Absence/. API operations, securities, routes and the 10 MCP tool
names are unchanged.

- 3 entities + 3 enums moved to Domain/{Entity,Enum}; user relations stay on
  UserInterface. 3 repositories split into Domain/Repository interfaces +
  Doctrine impls (bound in services.yaml); find() kept off interfaces
  (findById instead).
- Pure services (AbsenceDayCalculator, PublicHolidayProvider) -> Domain/Service;
  AbsenceBalanceService -> Application/Service; State (5), controllers (5),
  10 MCP tools and AccrueLeaveCommand -> Infrastructure/.
- New LeaveProfileInterface contract (Shared) exposes the HR getters used by
  AbsenceBalanceService/AccrueLeaveCommand; User implements it -> Absence no
  longer imports the concrete Core User. MCP tools/command inject
  UserRepositoryInterface (findById) instead of the concrete repository.
- Timestampable/Blamable added to AbsenceBalance and AbsencePolicy (additive
  migration: created_at/updated_at + created_by/updated_by FK ON DELETE SET
  NULL + COMMENT). AbsenceRequest untouched (already has createdAt/reviewedAt).
- AbsenceModule registered (id absence, 4 RBAC perms, not re-wired); doctrine
  mapping added; team-absences sidebar item gated by the module.

161 tests green, mapping valid, no API route regression, cs-fixer clean.
---
 config/modules.php                            |  2 +
 config/packages/doctrine.yaml                 |  5 ++
 config/services.yaml                          | 10 ++-
 config/sidebar.php                            |  2 +-
 migrations/Version20260620170000.php          | 81 +++++++++++++++++++
 src/DataFixtures/AppFixtures.php              | 10 +--
 src/Mcp/Tool/Serializer.php                   |  6 +-
 src/Module/Absence/AbsenceModule.php          | 43 ++++++++++
 .../Service/AbsenceBalanceService.php         | 30 ++++---
 .../Absence/Domain}/Entity/AbsenceBalance.php | 17 ++--
 .../Absence/Domain}/Entity/AbsencePolicy.php  | 15 ++--
 .../Absence/Domain}/Entity/AbsenceRequest.php | 20 ++---
 .../Absence/Domain}/Enum/AbsenceStatus.php    |  2 +-
 .../Absence/Domain}/Enum/AbsenceType.php      |  2 +-
 .../Absence/Domain}/Enum/HalfDay.php          |  2 +-
 .../AbsenceBalanceRepositoryInterface.php     | 24 ++++++
 .../AbsencePolicyRepositoryInterface.php      | 23 ++++++
 .../AbsenceRequestRepositoryInterface.php     | 45 +++++++++++
 .../Domain}/Service/AbsenceDayCalculator.php  |  4 +-
 .../Domain}/Service/PublicHolidayProvider.php |  2 +-
 .../State/AbsenceBalanceProvider.php          | 12 +--
 .../State/AbsenceCancelProcessor.php          |  8 +-
 .../State/AbsenceRequestProcessor.php         | 20 ++---
 .../State/AbsenceRequestProvider.php          | 12 +--
 .../State/AbsenceReviewProcessor.php          |  8 +-
 .../Command/AccrueLeaveCommand.php            | 28 ++++---
 .../Controller}/AbsenceCalendarController.php |  6 +-
 ...AbsenceJustificationDownloadController.php |  9 +--
 .../AbsenceJustificationUploadController.php  |  7 +-
 .../Controller}/AbsencePreviewController.php  | 18 ++---
 .../Controller}/PublicHolidayController.php   |  4 +-
 .../DoctrineAbsenceBalanceRepository.php}     | 14 +++-
 .../DoctrineAbsencePolicyRepository.php}      | 14 +++-
 .../DoctrineAbsenceRequestRepository.php}     | 16 ++--
 .../Mcp/Tool}/CancelAbsenceRequestTool.php    | 12 +--
 .../Mcp/Tool}/CreateAbsenceRequestTool.php    | 28 +++----
 .../Mcp/Tool}/DeleteAbsenceRequestTool.php    |  8 +-
 .../Mcp/Tool}/GetAbsenceRequestTool.php       |  8 +-
 .../Mcp/Tool}/ListAbsenceBalancesTool.php     | 14 ++--
 .../Mcp/Tool}/ListAbsencePoliciesTool.php     |  6 +-
 .../Mcp/Tool}/ListAbsenceRequestsTool.php     | 16 ++--
 .../Mcp/Tool}/ReviewAbsenceRequestTool.php    | 12 +--
 .../Mcp/Tool}/UpdateAbsenceBalanceTool.php    |  8 +-
 .../Mcp/Tool}/UpdateAbsencePolicyTool.php     |  8 +-
 src/Module/Core/Domain/Entity/User.php        |  3 +-
 .../Repository/UserRepositoryInterface.php    |  2 +
 .../Doctrine/DoctrineUserRepository.php       |  5 ++
 .../Domain/Contract/LeaveProfileInterface.php | 24 ++++++
 .../Mcp/AbsenceRequestLifecycleTest.php       | 40 ++++-----
 .../Unit/Service/AbsenceDayCalculatorTest.php |  6 +-
 .../Service/PublicHolidayProviderTest.php     |  2 +-
 51 files changed, 514 insertions(+), 209 deletions(-)
 create mode 100644 migrations/Version20260620170000.php
 create mode 100644 src/Module/Absence/AbsenceModule.php
 rename src/{ => Module/Absence/Application}/Service/AbsenceBalanceService.php (79%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsenceBalance.php (89%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsencePolicy.php (89%)
 rename src/{ => Module/Absence/Domain}/Entity/AbsenceRequest.php (92%)
 rename src/{ => Module/Absence/Domain}/Enum/AbsenceStatus.php (91%)
 rename src/{ => Module/Absence/Domain}/Enum/AbsenceType.php (96%)
 rename src/{ => Module/Absence/Domain}/Enum/HalfDay.php (87%)
 create mode 100644 src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
 create mode 100644 src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
 create mode 100644 src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
 rename src/{ => Module/Absence/Domain}/Service/AbsenceDayCalculator.php (96%)
 rename src/{ => Module/Absence/Domain}/Service/PublicHolidayProvider.php (98%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceBalanceProvider.php (80%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceCancelProcessor.php (92%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceRequestProcessor.php (83%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceRequestProvider.php (83%)
 rename src/{ => Module/Absence/Infrastructure/ApiPlatform}/State/AbsenceReviewProcessor.php (93%)
 rename src/{ => Module/Absence/Infrastructure}/Command/AccrueLeaveCommand.php (83%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceCalendarController.php (86%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceJustificationDownloadController.php (89%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsenceJustificationUploadController.php (92%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/AbsencePreviewController.php (85%)
 rename src/{Controller/Absence => Module/Absence/Infrastructure/Controller}/PublicHolidayController.php (92%)
 rename src/{Repository/AbsenceBalanceRepository.php => Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php} (59%)
 rename src/{Repository/AbsencePolicyRepository.php => Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php} (51%)
 rename src/{Repository/AbsenceRequestRepository.php => Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php} (87%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/CancelAbsenceRequestTool.php (83%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/CreateAbsenceRequestTool.php (82%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/DeleteAbsenceRequestTool.php (81%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/GetAbsenceRequestTool.php (76%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsenceBalancesTool.php (77%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsencePoliciesTool.php (81%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ListAbsenceRequestsTool.php (80%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/ReviewAbsenceRequestTool.php (89%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/UpdateAbsenceBalanceTool.php (84%)
 rename src/{Mcp/Tool/Absence => Module/Absence/Infrastructure/Mcp/Tool}/UpdateAbsencePolicyTool.php (88%)
 create mode 100644 src/Shared/Domain/Contract/LeaveProfileInterface.php

diff --git a/config/modules.php b/config/modules.php
index 15f2ccc..9a03656 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -7,6 +7,7 @@ declare(strict_types=1);
  * Activer/désactiver un module = ajouter/commenter sa ligne. Exposé par GET /api/modules.
  */
 
+use App\Module\Absence\AbsenceModule;
 use App\Module\Core\CoreModule;
 use App\Module\ProjectManagement\ProjectManagementModule;
 use App\Module\TimeTracking\TimeTrackingModule;
@@ -15,4 +16,5 @@ return [
     CoreModule::class,
     TimeTrackingModule::class,
     ProjectManagementModule::class,
+    AbsenceModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index af7da9c..6b872cf 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -48,6 +48,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
                 prefix: 'App\Module\ProjectManagement\Domain\Entity'
+            Absence:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Absence/Domain/Entity'
+                prefix: 'App\Module\Absence\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/services.yaml b/config/services.yaml
index 9d4c54d..c722b23 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -57,11 +57,11 @@ services:
         arguments:
             $avatarUploadDir: '%avatar_upload_dir%'
 
-    App\Controller\Absence\AbsenceJustificationUploadController:
+    App\Module\Absence\Infrastructure\Controller\AbsenceJustificationUploadController:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
 
-    App\Controller\Absence\AbsenceJustificationDownloadController:
+    App\Module\Absence\Infrastructure\Controller\AbsenceJustificationDownloadController:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
 
@@ -93,4 +93,10 @@ services:
 
     App\Module\ProjectManagement\Domain\Repository\TaskRecurrenceRepositoryInterface: '@App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRecurrenceRepository'
 
+    App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository'
+
+    App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository'
+
+    App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/config/sidebar.php b/config/sidebar.php
index 1147980..7bee8f3 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -30,7 +30,7 @@ return [
         'icon'  => 'mdi:cog-outline',
         'roles' => ['ROLE_ADMIN'],
         'items' => [
-            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline'],
+            ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
             ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
         ],
     ],
diff --git a/migrations/Version20260620170000.php b/migrations/Version20260620170000.php
new file mode 100644
index 0000000..71896e8
--- /dev/null
+++ b/migrations/Version20260620170000.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Absence module: add Timestampable/Blamable columns to absence_balance and
+ * absence_policy.
+ *
+ * AbsenceBalance and AbsencePolicy adopt TimestampableBlamableTrait.
+ * AbsenceRequest is intentionally untouched (it already carries createdAt /
+ * reviewedAt). This migration is purely additive — nullable columns + nullable
+ * FK to "user" with ON DELETE SET NULL. No DROP/ALTER on existing data. Columns
+ * are lowercase snake_case. Hand-written to guarantee zero destructive
+ * instruction.
+ */
+final class Version20260620170000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Absence: add timestampable/blamable columns to absence_balance and absence_policy (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // absence_balance
+        $this->addSql('ALTER TABLE absence_balance ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_balance ADD CONSTRAINT FK_65723A76DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE absence_balance ADD CONSTRAINT FK_65723A7616FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_65723A76DE12AB56 ON absence_balance (created_by)');
+        $this->addSql('CREATE INDEX IDX_65723A7616FE72E1 ON absence_balance (updated_by)');
+        $this->addSql("COMMENT ON COLUMN absence_balance.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN absence_balance.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // absence_policy
+        $this->addSql('ALTER TABLE absence_policy ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE absence_policy ADD CONSTRAINT FK_7A780B65DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE absence_policy ADD CONSTRAINT FK_7A780B6516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_7A780B65DE12AB56 ON absence_policy (created_by)');
+        $this->addSql('CREATE INDEX IDX_7A780B6516FE72E1 ON absence_policy (updated_by)');
+        $this->addSql("COMMENT ON COLUMN absence_policy.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN absence_policy.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // absence_balance
+        $this->addSql('ALTER TABLE absence_balance DROP CONSTRAINT FK_65723A76DE12AB56');
+        $this->addSql('ALTER TABLE absence_balance DROP CONSTRAINT FK_65723A7616FE72E1');
+        $this->addSql('DROP INDEX IDX_65723A76DE12AB56');
+        $this->addSql('DROP INDEX IDX_65723A7616FE72E1');
+        $this->addSql('ALTER TABLE absence_balance DROP created_at');
+        $this->addSql('ALTER TABLE absence_balance DROP updated_at');
+        $this->addSql('ALTER TABLE absence_balance DROP created_by');
+        $this->addSql('ALTER TABLE absence_balance DROP updated_by');
+
+        // absence_policy
+        $this->addSql('ALTER TABLE absence_policy DROP CONSTRAINT FK_7A780B65DE12AB56');
+        $this->addSql('ALTER TABLE absence_policy DROP CONSTRAINT FK_7A780B6516FE72E1');
+        $this->addSql('DROP INDEX IDX_7A780B65DE12AB56');
+        $this->addSql('DROP INDEX IDX_7A780B6516FE72E1');
+        $this->addSql('ALTER TABLE absence_policy DROP created_at');
+        $this->addSql('ALTER TABLE absence_policy DROP updated_at');
+        $this->addSql('ALTER TABLE absence_policy DROP created_by');
+        $this->addSql('ALTER TABLE absence_policy DROP updated_by');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 00adb95..7ad5264 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,15 +4,15 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Entity\AbsenceRequest;
 use App\Entity\Client;
 use App\Entity\MailConfiguration;
 use App\Entity\ZimbraConfiguration;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
 use App\Enum\ContractType;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index 2003aa6..c4f4dff 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Entity\AbsenceRequest;
 use App\Entity\Client;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
diff --git a/src/Module/Absence/AbsenceModule.php b/src/Module/Absence/AbsenceModule.php
new file mode 100644
index 0000000..10eac76
--- /dev/null
+++ b/src/Module/Absence/AbsenceModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class AbsenceModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'absence';
+    }
+
+    public static function label(): string
+    {
+        return 'Absences';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Absence.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'absence.requests.view', 'label' => 'Voir les demandes d\'absence'],
+            ['code' => 'absence.requests.manage', 'label' => 'Gérer les demandes d\'absence'],
+            ['code' => 'absence.policies.manage', 'label' => 'Gérer les règles d\'absence'],
+            ['code' => 'absence.balances.manage', 'label' => 'Gérer les soldes d\'absence'],
+        ];
+    }
+}
diff --git a/src/Service/AbsenceBalanceService.php b/src/Module/Absence/Application/Service/AbsenceBalanceService.php
similarity index 79%
rename from src/Service/AbsenceBalanceService.php
rename to src/Module/Absence/Application/Service/AbsenceBalanceService.php
index a258b30..0c56363 100644
--- a/src/Service/AbsenceBalanceService.php
+++ b/src/Module/Absence/Application/Service/AbsenceBalanceService.php
@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Application\Service;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceType;
-use App\Module\Core\Domain\Entity\User;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -21,21 +22,24 @@ final readonly class AbsenceBalanceService
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
-        private AbsenceBalanceRepository $balanceRepository,
+        private AbsenceBalanceRepositoryInterface $balanceRepository,
     ) {}
 
     /**
      * Reference period string for a request: paid leave follows the employee's
      * reference period (e.g. "2025-2026"), other types are tracked yearly.
      */
-    public function periodFor(User $user, AbsenceType $type, DateTimeInterface $date): string
+    public function periodFor(UserInterface $user, AbsenceType $type, DateTimeInterface $date): string
     {
         if (AbsenceType::PaidLeave !== $type) {
             return $date->format('Y');
         }
 
-        $year            = (int) $date->format('Y');
-        $startMonthDay   = $user->getReferencePeriodStart(); // e.g. "06-01"
+        $year = (int) $date->format('Y');
+        // The reference-period start (e.g. "06-01") is an HR profile field,
+        // accessed through the LeaveProfileInterface contract to keep the
+        // Absence module decoupled from the concrete Core User entity.
+        $startMonthDay   = $user instanceof LeaveProfileInterface ? $user->getReferencePeriodStart() : '01-01';
         $currentMonthDay = $date->format('m-d');
 
         $startYear = $currentMonthDay >= $startMonthDay ? $year : $year - 1;
@@ -43,7 +47,7 @@ final readonly class AbsenceBalanceService
         return sprintf('%d-%d', $startYear, $startYear + 1);
     }
 
-    public function getOrCreateBalance(User $user, AbsenceType $type, string $period): AbsenceBalance
+    public function getOrCreateBalance(UserInterface $user, AbsenceType $type, string $period): AbsenceBalance
     {
         $balance = $this->balanceRepository->findOneForPeriod($user, $type, $period);
 
@@ -85,7 +89,7 @@ final readonly class AbsenceBalanceService
             return null;
         }
 
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user    = $request->getUser();
         $period  = $this->periodFor($user, $request->getType(), $request->getStartDate());
         $balance = $this->balanceRepository->findOneForPeriod($user, $request->getType(), $period);
@@ -128,7 +132,7 @@ final readonly class AbsenceBalanceService
 
     private function balanceForRequest(AbsenceRequest $request): AbsenceBalance
     {
-        /** @var User $user */
+        /** @var UserInterface $user */
         $user   = $request->getUser();
         $type   = $request->getType();
         $period = $this->periodFor($user, $type, $request->getStartDate());
diff --git a/src/Entity/AbsenceBalance.php b/src/Module/Absence/Domain/Entity/AbsenceBalance.php
similarity index 89%
rename from src/Entity/AbsenceBalance.php
rename to src/Module/Absence/Domain/Entity/AbsenceBalance.php
index 9164973..3de6a16 100644
--- a/src/Entity/AbsenceBalance.php
+++ b/src/Module/Absence/Domain/Entity/AbsenceBalance.php
@@ -2,16 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Enum\AbsenceType;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceBalanceProvider;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\AbsenceBalanceProvider;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -35,11 +38,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
     normalizationContext: ['groups' => ['absence_balance:read']],
     denormalizationContext: ['groups' => ['absence_balance:write']],
 )]
-#[ORM\Entity(repositoryClass: AbsenceBalanceRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsenceBalanceRepository::class)]
 #[ORM\Table(name: 'absence_balance')]
 #[ORM\UniqueConstraint(name: 'uniq_absence_balance_user_type_period', columns: ['user_id', 'type', 'period'])]
-class AbsenceBalance
+class AbsenceBalance implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/AbsencePolicy.php b/src/Module/Absence/Domain/Entity/AbsencePolicy.php
similarity index 89%
rename from src/Entity/AbsencePolicy.php
rename to src/Module/Absence/Domain/Entity/AbsencePolicy.php
index 00abb17..16612a3 100644
--- a/src/Entity/AbsencePolicy.php
+++ b/src/Module/Absence/Domain/Entity/AbsencePolicy.php
@@ -2,14 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
-use App\Enum\AbsenceType;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
@@ -31,11 +34,13 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['absence_policy:write']],
     order: ['type' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: AbsencePolicyRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsencePolicyRepository::class)]
 #[ORM\Table(name: 'absence_policy')]
 #[ORM\UniqueConstraint(name: 'uniq_absence_policy_type', columns: ['type'])]
-class AbsencePolicy
+class AbsencePolicy implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/AbsenceRequest.php b/src/Module/Absence/Domain/Entity/AbsenceRequest.php
similarity index 92%
rename from src/Entity/AbsenceRequest.php
rename to src/Module/Absence/Domain/Entity/AbsenceRequest.php
index 7daefd8..55ce07a 100644
--- a/src/Entity/AbsenceRequest.php
+++ b/src/Module/Absence/Domain/Entity/AbsenceRequest.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Absence\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,15 +10,15 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceCancelProcessor;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceRequestProcessor;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceRequestProvider;
+use App\Module\Absence\Infrastructure\ApiPlatform\State\AbsenceReviewProcessor;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository;
 use App\Shared\Domain\Contract\UserInterface;
-use App\State\AbsenceCancelProcessor;
-use App\State\AbsenceRequestProcessor;
-use App\State\AbsenceRequestProvider;
-use App\State\AbsenceReviewProcessor;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
@@ -64,7 +64,7 @@ use Symfony\Component\Validator\Constraints as Assert;
     denormalizationContext: ['groups' => ['absence_request:write']],
     order: ['createdAt' => 'DESC'],
 )]
-#[ORM\Entity(repositoryClass: AbsenceRequestRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineAbsenceRequestRepository::class)]
 #[ORM\Table(name: 'absence_request')]
 class AbsenceRequest
 {
diff --git a/src/Enum/AbsenceStatus.php b/src/Module/Absence/Domain/Enum/AbsenceStatus.php
similarity index 91%
rename from src/Enum/AbsenceStatus.php
rename to src/Module/Absence/Domain/Enum/AbsenceStatus.php
index ce45714..2fc35c8 100644
--- a/src/Enum/AbsenceStatus.php
+++ b/src/Module/Absence/Domain/Enum/AbsenceStatus.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum AbsenceStatus: string
 {
diff --git a/src/Enum/AbsenceType.php b/src/Module/Absence/Domain/Enum/AbsenceType.php
similarity index 96%
rename from src/Enum/AbsenceType.php
rename to src/Module/Absence/Domain/Enum/AbsenceType.php
index 0406dcb..1fafb53 100644
--- a/src/Enum/AbsenceType.php
+++ b/src/Module/Absence/Domain/Enum/AbsenceType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum AbsenceType: string
 {
diff --git a/src/Enum/HalfDay.php b/src/Module/Absence/Domain/Enum/HalfDay.php
similarity index 87%
rename from src/Enum/HalfDay.php
rename to src/Module/Absence/Domain/Enum/HalfDay.php
index fa868f3..fed94ca 100644
--- a/src/Enum/HalfDay.php
+++ b/src/Module/Absence/Domain/Enum/HalfDay.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Absence\Domain\Enum;
 
 enum HalfDay: string
 {
diff --git a/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
new file mode 100644
index 0000000..e2dffd2
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsenceBalanceRepositoryInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
+
+interface AbsenceBalanceRepositoryInterface
+{
+    public function findById(int $id): ?AbsenceBalance;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return AbsenceBalance[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance;
+}
diff --git a/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
new file mode 100644
index 0000000..21a1330
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsencePolicyRepositoryInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+
+interface AbsencePolicyRepositoryInterface
+{
+    public function findById(int $id): ?AbsencePolicy;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return AbsencePolicy[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+
+    public function findOneByType(AbsenceType $type): ?AbsencePolicy;
+}
diff --git a/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php b/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
new file mode 100644
index 0000000..5a648a5
--- /dev/null
+++ b/src/Module/Absence/Domain/Repository/AbsenceRequestRepositoryInterface.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Absence\Domain\Repository;
+
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeInterface;
+
+interface AbsenceRequestRepositoryInterface
+{
+    public function findById(int $id): ?AbsenceRequest;
+
+    /**
+     * Whether the user already has a PENDING or APPROVED absence that overlaps
+     * the given date range.
+     */
+    public function hasOverlap(
+        UserInterface $user,
+        DateTimeInterface $startDate,
+        DateTimeInterface $endDate,
+        ?int $excludeId = null,
+    ): bool;
+
+    /**
+     * Absences (approved or pending) overlapping a date range, all employees.
+     *
+     * @return AbsenceRequest[]
+     */
+    public function findInRange(DateTimeInterface $from, DateTimeInterface $to): array;
+
+    /**
+     * @return AbsenceRequest[]
+     */
+    public function findFiltered(
+        ?UserInterface $user = null,
+        ?AbsenceStatus $status = null,
+        ?AbsenceType $type = null,
+        ?DateTimeInterface $from = null,
+        ?DateTimeInterface $to = null,
+    ): array;
+}
diff --git a/src/Service/AbsenceDayCalculator.php b/src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
similarity index 96%
rename from src/Service/AbsenceDayCalculator.php
rename to src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
index d30a598..d8bf055 100644
--- a/src/Service/AbsenceDayCalculator.php
+++ b/src/Module/Absence/Domain/Service/AbsenceDayCalculator.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Domain\Service;
 
-use App\Enum\HalfDay;
+use App\Module\Absence\Domain\Enum\HalfDay;
 use DateInterval;
 use DatePeriod;
 use DateTimeImmutable;
diff --git a/src/Service/PublicHolidayProvider.php b/src/Module/Absence/Domain/Service/PublicHolidayProvider.php
similarity index 98%
rename from src/Service/PublicHolidayProvider.php
rename to src/Module/Absence/Domain/Service/PublicHolidayProvider.php
index 1897757..c7273d7 100644
--- a/src/Service/PublicHolidayProvider.php
+++ b/src/Module/Absence/Domain/Service/PublicHolidayProvider.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Absence\Domain\Service;
 
 use DateTimeImmutable;
 use DateTimeInterface;
diff --git a/src/State/AbsenceBalanceProvider.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
similarity index 80%
rename from src/State/AbsenceBalanceProvider.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
index 9efa094..c969db3 100644
--- a/src/State/AbsenceBalanceProvider.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceBalanceProvider.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,6 +19,7 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
+        private AbsenceBalanceRepositoryInterface $balanceRepository,
         private Security $security,
     ) {}
 
@@ -26,11 +28,10 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
         $user = $this->security->getUser();
         assert($user instanceof UserInterface);
 
-        $repo    = $this->entityManager->getRepository(AbsenceBalance::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
 
         if (isset($uriVariables['id'])) {
-            $balance = $repo->find($uriVariables['id']);
+            $balance = $this->balanceRepository->findById((int) $uriVariables['id']);
             if (null === $balance) {
                 return null;
             }
@@ -41,7 +42,8 @@ final readonly class AbsenceBalanceProvider implements ProviderInterface
             return $balance;
         }
 
-        $qb = $repo->createQueryBuilder('b')
+        $qb = $this->entityManager->getRepository(AbsenceBalance::class)
+            ->createQueryBuilder('b')
             ->orderBy('b.type', 'ASC')
         ;
 
diff --git a/src/State/AbsenceCancelProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
similarity index 92%
rename from src/State/AbsenceCancelProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
index 59b9e0f..c960b23 100644
--- a/src/State/AbsenceCancelProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
diff --git a/src/State/AbsenceRequestProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
similarity index 83%
rename from src/State/AbsenceRequestProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
index 2e08eb5..5dabdf8 100644
--- a/src/State/AbsenceRequestProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProcessor.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -32,8 +32,8 @@ final readonly class AbsenceRequestProcessor implements ProcessorInterface
         private EntityManagerInterface $entityManager,
         private Security $security,
         private AbsenceDayCalculator $calculator,
-        private AbsencePolicyRepository $policyRepository,
-        private AbsenceRequestRepository $requestRepository,
+        private AbsencePolicyRepositoryInterface $policyRepository,
+        private AbsenceRequestRepositoryInterface $requestRepository,
         private AbsenceBalanceService $balanceService,
     ) {}
 
diff --git a/src/State/AbsenceRequestProvider.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
similarity index 83%
rename from src/State/AbsenceRequestProvider.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
index 8287b37..854cc29 100644
--- a/src/State/AbsenceRequestProvider.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceRequestProvider.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -18,6 +19,7 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
+        private AbsenceRequestRepositoryInterface $requestRepository,
         private Security $security,
     ) {}
 
@@ -26,12 +28,11 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
         $user = $this->security->getUser();
         assert($user instanceof UserInterface);
 
-        $repo    = $this->entityManager->getRepository(AbsenceRequest::class);
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
 
         // Single item: owner or admin only
         if (isset($uriVariables['id'])) {
-            $request = $repo->find($uriVariables['id']);
+            $request = $this->requestRepository->findById((int) $uriVariables['id']);
             if (null === $request) {
                 return null;
             }
@@ -42,7 +43,8 @@ final readonly class AbsenceRequestProvider implements ProviderInterface
             return $request;
         }
 
-        $qb = $repo->createQueryBuilder('a')
+        $qb = $this->entityManager->getRepository(AbsenceRequest::class)
+            ->createQueryBuilder('a')
             ->orderBy('a.createdAt', 'DESC')
         ;
 
diff --git a/src/State/AbsenceReviewProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
similarity index 93%
rename from src/State/AbsenceReviewProcessor.php
rename to src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
index 4f40863..01853ae 100644
--- a/src/State/AbsenceReviewProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceReviewProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Absence\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
diff --git a/src/Command/AccrueLeaveCommand.php b/src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
similarity index 83%
rename from src/Command/AccrueLeaveCommand.php
rename to src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
index 8fe502f..7257dc8 100644
--- a/src/Command/AccrueLeaveCommand.php
+++ b/src/Module/Absence/Infrastructure/Command/AccrueLeaveCommand.php
@@ -2,12 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Absence\Infrastructure\Command;
 
-use App\Enum\AbsenceType;
-use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\AbsenceBalanceRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Exception;
@@ -37,8 +38,8 @@ use function sprintf;
 class AccrueLeaveCommand extends Command
 {
     public function __construct(
-        private readonly DoctrineUserRepository $userRepository,
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly UserRepositoryInterface $userRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly EntityManagerInterface $entityManager,
     ) {
@@ -88,7 +89,14 @@ class AccrueLeaveCommand extends Command
         $skipped = 0;
 
         foreach ($employees as $user) {
-            $rate   = ($user->getAnnualLeaveDays() / 12) * $user->getWorkTimeRatio();
+            // RH leave profile fields are read through the contract to keep the
+            // Absence module decoupled from the concrete Core User entity.
+            $profile = $user instanceof LeaveProfileInterface ? $user : null;
+            if (null === $profile) {
+                continue;
+            }
+
+            $rate   = ($profile->getAnnualLeaveDays() / 12) * $profile->getWorkTimeRatio();
             $period = $this->balanceService->periodFor($user, AbsenceType::PaidLeave, $firstDay);
 
             $balance = $this->balanceRepository->findOneForPeriod($user, AbsenceType::PaidLeave, $period);
@@ -104,7 +112,7 @@ class AccrueLeaveCommand extends Command
                     ? $this->balanceRepository->findOneForPeriod($user, AbsenceType::PaidLeave, $previousPeriod)
                     : null;
                 $balance->setAcquired(
-                    null !== $previousBalance ? $previousBalance->getAcquiring() : $user->getInitialLeaveBalance(),
+                    null !== $previousBalance ? $previousBalance->getAcquiring() : $profile->getInitialLeaveBalance(),
                 );
             }
 
@@ -119,7 +127,7 @@ class AccrueLeaveCommand extends Command
             $balance->setLastAccruedMonth($monthKey);
             ++$accrued;
 
-            $seeded = $isNew && (null !== self::previousPeriod($period) || $user->getInitialLeaveBalance() > 0);
+            $seeded = $isNew && (null !== self::previousPeriod($period) || $profile->getInitialLeaveBalance() > 0);
             $rows[] = [
                 $user->getUsername(),
                 $period,
diff --git a/src/Controller/Absence/AbsenceCalendarController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
similarity index 86%
rename from src/Controller/Absence/AbsenceCalendarController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
index aec8f07..766c8f9 100644
--- a/src/Controller/Absence/AbsenceCalendarController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceCalendarController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -19,7 +19,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class AbsenceCalendarController extends AbstractController
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
     ) {}
 
     #[Route('/api/admin/absences/calendar', name: 'absence_calendar', methods: ['GET'], priority: 1)]
diff --git a/src/Controller/Absence/AbsenceJustificationDownloadController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
similarity index 89%
rename from src/Controller/Absence/AbsenceJustificationDownloadController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
index 3a48dd8..05bf4af 100644
--- a/src/Controller/Absence/AbsenceJustificationDownloadController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationDownloadController.php
@@ -2,10 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Entity\AbsenceRequest;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
@@ -21,7 +20,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class AbsenceJustificationDownloadController extends AbstractController
 {
     public function __construct(
-        private readonly EntityManagerInterface $entityManager,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -30,7 +29,7 @@ class AbsenceJustificationDownloadController extends AbstractController
     #[IsGranted('ROLE_USER')]
     public function __invoke(int $id): BinaryFileResponse
     {
-        $absence = $this->entityManager->getRepository(AbsenceRequest::class)->find($id);
+        $absence = $this->requestRepository->findById($id);
         if (null === $absence) {
             throw new NotFoundHttpException('Absence request not found.');
         }
diff --git a/src/Controller/Absence/AbsenceJustificationUploadController.php b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
similarity index 92%
rename from src/Controller/Absence/AbsenceJustificationUploadController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
index 5cfaa20..3f2afcb 100644
--- a/src/Controller/Absence/AbsenceJustificationUploadController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsenceJustificationUploadController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -34,6 +34,7 @@ class AbsenceJustificationUploadController extends AbstractController
 
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
@@ -42,7 +43,7 @@ class AbsenceJustificationUploadController extends AbstractController
     #[IsGranted('ROLE_USER')]
     public function __invoke(int $id, Request $request): JsonResponse
     {
-        $absence = $this->entityManager->getRepository(AbsenceRequest::class)->find($id);
+        $absence = $this->requestRepository->findById($id);
         if (null === $absence) {
             throw new NotFoundHttpException('Absence request not found.');
         }
diff --git a/src/Controller/Absence/AbsencePreviewController.php b/src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
similarity index 85%
rename from src/Controller/Absence/AbsencePreviewController.php
rename to src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
index 32ec5a8..887fcec 100644
--- a/src/Controller/Absence/AbsencePreviewController.php
+++ b/src/Module/Absence/Infrastructure/Controller/AbsencePreviewController.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\AbsencePolicyRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -30,8 +30,8 @@ class AbsencePreviewController extends AbstractController
     public function __construct(
         private readonly Security $security,
         private readonly AbsenceDayCalculator $calculator,
-        private readonly AbsencePolicyRepository $policyRepository,
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly AbsenceBalanceService $balanceService,
     ) {}
 
diff --git a/src/Controller/Absence/PublicHolidayController.php b/src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
similarity index 92%
rename from src/Controller/Absence/PublicHolidayController.php
rename to src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
index 5c308fa..9e0ae37 100644
--- a/src/Controller/Absence/PublicHolidayController.php
+++ b/src/Module/Absence/Infrastructure/Controller/PublicHolidayController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Absence;
+namespace App\Module\Absence\Infrastructure\Controller;
 
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
diff --git a/src/Repository/AbsenceBalanceRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
similarity index 59%
rename from src/Repository/AbsenceBalanceRepository.php
rename to src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
index 2b16bf0..7a3d7fe 100644
--- a/src/Repository/AbsenceBalanceRepository.php
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceBalanceRepository.php
@@ -2,10 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Absence\Infrastructure\Doctrine;
 
-use App\Entity\AbsenceBalance;
-use App\Enum\AbsenceType;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
@@ -13,13 +14,18 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<AbsenceBalance>
  */
-class AbsenceBalanceRepository extends ServiceEntityRepository
+class DoctrineAbsenceBalanceRepository extends ServiceEntityRepository implements AbsenceBalanceRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AbsenceBalance::class);
     }
 
+    public function findById(int $id): ?AbsenceBalance
+    {
+        return $this->find($id);
+    }
+
     public function findOneForPeriod(UserInterface $user, AbsenceType $type, string $period): ?AbsenceBalance
     {
         return $this->findOneBy([
diff --git a/src/Repository/AbsencePolicyRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
similarity index 51%
rename from src/Repository/AbsencePolicyRepository.php
rename to src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
index b1467a7..4f1d64a 100644
--- a/src/Repository/AbsencePolicyRepository.php
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsencePolicyRepository.php
@@ -2,23 +2,29 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Absence\Infrastructure\Doctrine;
 
-use App\Entity\AbsencePolicy;
-use App\Enum\AbsenceType;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
 /**
  * @extends ServiceEntityRepository<AbsencePolicy>
  */
-class AbsencePolicyRepository extends ServiceEntityRepository
+class DoctrineAbsencePolicyRepository extends ServiceEntityRepository implements AbsencePolicyRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AbsencePolicy::class);
     }
 
+    public function findById(int $id): ?AbsencePolicy
+    {
+        return $this->find($id);
+    }
+
     public function findOneByType(AbsenceType $type): ?AbsencePolicy
     {
         return $this->findOneBy(['type' => $type]);
diff --git a/src/Repository/AbsenceRequestRepository.php b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
similarity index 87%
rename from src/Repository/AbsenceRequestRepository.php
rename to src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
index bca61e3..a3bc830 100644
--- a/src/Repository/AbsenceRequestRepository.php
+++ b/src/Module/Absence/Infrastructure/Doctrine/DoctrineAbsenceRequestRepository.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Absence\Infrastructure\Doctrine;
 
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
@@ -15,13 +16,18 @@ use Doctrine\Persistence\ManagerRegistry;
 /**
  * @extends ServiceEntityRepository<AbsenceRequest>
  */
-class AbsenceRequestRepository extends ServiceEntityRepository
+class DoctrineAbsenceRequestRepository extends ServiceEntityRepository implements AbsenceRequestRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AbsenceRequest::class);
     }
 
+    public function findById(int $id): ?AbsenceRequest
+    {
+        return $this->find($id);
+    }
+
     /**
      * Whether the user already has a PENDING or APPROVED absence that overlaps
      * the given date range. Two ranges overlap when start_a <= end_b and
diff --git a/src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
similarity index 83%
rename from src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
index d946bae..5dd3ea3 100644
--- a/src/Mcp/Tool/Absence/CancelAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceStatus;
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -21,7 +21,7 @@ class CancelAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
     ) {}
@@ -32,7 +32,7 @@ class CancelAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
similarity index 82%
rename from src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
index 5d58d30..97ac0f6 100644
--- a/src/Mcp/Tool/Absence/CreateAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
@@ -2,18 +2,18 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Entity\AbsenceRequest;
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
-use App\Enum\HalfDay;
 use App\Mcp\Tool\Serializer;
-use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceRequest;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
@@ -28,9 +28,9 @@ class CreateAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly DoctrineUserRepository $userRepository,
-        private readonly AbsencePolicyRepository $policyRepository,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly UserRepositoryInterface $userRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceDayCalculator $calculator,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
@@ -49,7 +49,7 @@ class CreateAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $user = $this->userRepository->find($userId)
+        $user = $this->userRepository->findById($userId)
             ?? throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
 
         $typeEnum = AbsenceType::tryFrom($type)
diff --git a/src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
similarity index 81%
rename from src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
index 2048ba3..eb917f9 100644
--- a/src/Mcp/Tool/Absence/DeleteAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/DeleteAbsenceRequestTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteAbsenceRequestTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/GetAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
similarity index 76%
rename from src/Mcp/Tool/Absence/GetAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
index eb0d2aa..d7f6b14 100644
--- a/src/Mcp/Tool/Absence/GetAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetAbsenceRequestTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetAbsenceRequestTool
             throw new AccessDeniedException('Access denied: ROLE_USER required.');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
similarity index 77%
rename from src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
index 253e0fb..61415cd 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceBalancesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
-use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -19,8 +19,8 @@ use function sprintf;
 class ListAbsenceBalancesTool
 {
     public function __construct(
-        private readonly AbsenceBalanceRepository $balanceRepository,
-        private readonly DoctrineUserRepository $userRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -32,7 +32,7 @@ class ListAbsenceBalancesTool
 
         $criteria = [];
         if (null !== $userId) {
-            $user = $this->userRepository->find($userId);
+            $user = $this->userRepository->findById($userId);
             if (null === $user) {
                 throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
             }
diff --git a/src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
similarity index 81%
rename from src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
index 491aed0..4d2507d 100644
--- a/src/Mcp/Tool/Absence/ListAbsencePoliciesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -14,7 +14,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListAbsencePoliciesTool
 {
     public function __construct(
-        private readonly AbsencePolicyRepository $policyRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
similarity index 80%
rename from src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
index 1f09368..af4c701 100644
--- a/src/Mcp/Tool/Absence/ListAbsenceRequestsTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceStatus;
-use App\Enum\AbsenceType;
 use App\Mcp\Tool\Serializer;
-use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\AbsenceRequestRepository;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
 use DateTimeImmutable;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -21,8 +21,8 @@ use function sprintf;
 class ListAbsenceRequestsTool
 {
     public function __construct(
-        private readonly AbsenceRequestRepository $requestRepository,
-        private readonly DoctrineUserRepository $userRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -39,7 +39,7 @@ class ListAbsenceRequestsTool
 
         $user = null;
         if (null !== $userId) {
-            $user = $this->userRepository->find($userId)
+            $user = $this->userRepository->findById($userId)
                 ?? throw new InvalidArgumentException(sprintf('User with ID %d not found.', $userId));
         }
 
diff --git a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
similarity index 89%
rename from src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
index d81fb0f..1ddd61f 100644
--- a/src/Mcp/Tool/Absence/ReviewAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Enum\AbsenceStatus;
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Enum\AbsenceStatus;
+use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
@@ -24,7 +24,7 @@ class ReviewAbsenceRequestTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly AbsenceRequestRepository $requestRepository,
+        private readonly AbsenceRequestRepositoryInterface $requestRepository,
         private readonly AbsenceBalanceService $balanceService,
         private readonly Security $security,
     ) {}
@@ -39,7 +39,7 @@ class ReviewAbsenceRequestTool
             throw new InvalidArgumentException('decision must be "approve" or "reject".');
         }
 
-        $request = $this->requestRepository->find($id);
+        $request = $this->requestRepository->findById($id);
         if (null === $request) {
             throw new InvalidArgumentException(sprintf('AbsenceRequest with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
similarity index 84%
rename from src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
index 069d764..2c06144 100644
--- a/src/Mcp/Tool/Absence/UpdateAbsenceBalanceTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsenceBalanceRepository;
+use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateAbsenceBalanceTool
 {
     public function __construct(
-        private readonly AbsenceBalanceRepository $balanceRepository,
+        private readonly AbsenceBalanceRepositoryInterface $balanceRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -33,7 +33,7 @@ class UpdateAbsenceBalanceTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $balance = $this->balanceRepository->find($id);
+        $balance = $this->balanceRepository->findById($id);
         if (null === $balance) {
             throw new InvalidArgumentException(sprintf('AbsenceBalance with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
similarity index 88%
rename from src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php
rename to src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
index 7ff6274..0e803fe 100644
--- a/src/Mcp/Tool/Absence/UpdateAbsencePolicyTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Absence;
+namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\AbsencePolicyRepository;
+use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateAbsencePolicyTool
 {
     public function __construct(
-        private readonly AbsencePolicyRepository $policyRepository,
+        private readonly AbsencePolicyRepositoryInterface $policyRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -36,7 +36,7 @@ class UpdateAbsencePolicyTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $policy = $this->policyRepository->find($id);
+        $policy = $this->policyRepository->findById($id);
         if (null === $policy) {
             throw new InvalidArgumentException(sprintf('AbsencePolicy with ID %d not found.', $id));
         }
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 8a9dd35..6c35a12 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -18,6 +18,7 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Attribute\Auditable;
 use App\Shared\Domain\Attribute\AuditIgnore;
+use App\Shared\Domain\Contract\LeaveProfileInterface;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -63,7 +64,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[Auditable]
 #[ORM\Entity(repositoryClass: DoctrineUserRepository::class)]
 #[ORM\Table(name: '`user`')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedUserInterface, LeaveProfileInterface
 {
     #[ORM\Id]
     #[ORM\GeneratedValue]
diff --git a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
index 6f45735..4545c08 100644
--- a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
+++ b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
@@ -9,6 +9,8 @@ use DateTimeInterface;
 
 interface UserRepositoryInterface
 {
+    public function findById(int $id): ?UserInterface;
+
     /**
      * @return list<UserInterface>
      */
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
index c688df0..c1d9777 100644
--- a/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
@@ -21,6 +21,11 @@ class DoctrineUserRepository extends ServiceEntityRepository implements UserRepo
         parent::__construct($registry, User::class);
     }
 
+    public function findById(int $id): ?UserInterface
+    {
+        return $this->find($id);
+    }
+
     /**
      * @return list<UserInterface>
      */
diff --git a/src/Shared/Domain/Contract/LeaveProfileInterface.php b/src/Shared/Domain/Contract/LeaveProfileInterface.php
new file mode 100644
index 0000000..b8656b8
--- /dev/null
+++ b/src/Shared/Domain/Contract/LeaveProfileInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * HR leave profile of an employee, consumed by the Absence module without
+ * coupling it to the concrete Core User entity.
+ *
+ * Exposes only the RH getters actually used by AbsenceBalanceService and
+ * AccrueLeaveCommand. This is a service-level typing contract, not a Doctrine
+ * relation (no resolve_target_entities entry).
+ */
+interface LeaveProfileInterface
+{
+    public function getWorkTimeRatio(): float;
+
+    public function getAnnualLeaveDays(): float;
+
+    public function getReferencePeriodStart(): string;
+
+    public function getInitialLeaveBalance(): float;
+}
diff --git a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
index 1036b6d..b636505 100644
--- a/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
+++ b/tests/Functional/Mcp/AbsenceRequestLifecycleTest.php
@@ -4,19 +4,19 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Mcp;
 
-use App\Entity\AbsenceBalance;
-use App\Entity\AbsencePolicy;
-use App\Enum\AbsenceType;
-use App\Mcp\Tool\Absence\CancelAbsenceRequestTool;
-use App\Mcp\Tool\Absence\CreateAbsenceRequestTool;
-use App\Mcp\Tool\Absence\ReviewAbsenceRequestTool;
+use App\Module\Absence\Application\Service\AbsenceBalanceService;
+use App\Module\Absence\Domain\Entity\AbsenceBalance;
+use App\Module\Absence\Domain\Entity\AbsencePolicy;
+use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsencePolicyRepository;
+use App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceRequestRepository;
+use App\Module\Absence\Infrastructure\Mcp\Tool\CancelAbsenceRequestTool;
+use App\Module\Absence\Infrastructure\Mcp\Tool\CreateAbsenceRequestTool;
+use App\Module\Absence\Infrastructure\Mcp\Tool\ReviewAbsenceRequestTool;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
-use App\Repository\AbsenceBalanceRepository;
-use App\Repository\AbsencePolicyRepository;
-use App\Repository\AbsenceRequestRepository;
-use App\Service\AbsenceBalanceService;
-use App\Service\AbsenceDayCalculator;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
@@ -93,7 +93,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         self::assertSame(5.0, (float) $data['countedDays']);
         self::assertSame($this->employee->getId(), $data['user']['id']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertNotNull($balance);
@@ -113,7 +113,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         self::assertSame('approved', $data['status']);
         self::assertSame($this->admin->getId(), $data['reviewedBy']['id']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertSame(0.0, $balance->getPending());
@@ -128,7 +128,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         );
 
         // Shrink the entitlement below the 5 requested days.
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         $balance->setAcquired(2.0);
@@ -158,7 +158,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         $data = json_decode(($this->cancelTool($this->admin))($created['id']), true);
         self::assertSame('cancelled', $data['status']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::PaidLeave, '2026-2027')
         ;
         self::assertSame(0.0, $balance->getTaken());
@@ -195,7 +195,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         );
         self::assertSame('pending', $data['status']);
 
-        $balance = self::getContainer()->get(AbsenceBalanceRepository::class)
+        $balance = self::getContainer()->get(DoctrineAbsenceBalanceRepository::class)
             ->findOneForPeriod($this->employee, AbsenceType::Bereavement, '2026')
         ;
         self::assertNull($balance, 'Bereavement must not create or touch any balance.');
@@ -217,8 +217,8 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
         return new CreateAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
             $c->get(DoctrineUserRepository::class),
-            $c->get(AbsencePolicyRepository::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineAbsencePolicyRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceDayCalculator::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
@@ -231,7 +231,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new ReviewAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
         );
@@ -243,7 +243,7 @@ class AbsenceRequestLifecycleTest extends KernelTestCase
 
         return new CancelAbsenceRequestTool(
             $c->get(EntityManagerInterface::class),
-            $c->get(AbsenceRequestRepository::class),
+            $c->get(DoctrineAbsenceRequestRepository::class),
             $c->get(AbsenceBalanceService::class),
             $this->securityFor($actor),
         );
diff --git a/tests/Unit/Service/AbsenceDayCalculatorTest.php b/tests/Unit/Service/AbsenceDayCalculatorTest.php
index 33b96a3..6aa6347 100644
--- a/tests/Unit/Service/AbsenceDayCalculatorTest.php
+++ b/tests/Unit/Service/AbsenceDayCalculatorTest.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Enum\HalfDay;
-use App\Service\AbsenceDayCalculator;
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Enum\HalfDay;
+use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
diff --git a/tests/Unit/Service/PublicHolidayProviderTest.php b/tests/Unit/Service/PublicHolidayProviderTest.php
index ff1716c..f59084f 100644
--- a/tests/Unit/Service/PublicHolidayProviderTest.php
+++ b/tests/Unit/Service/PublicHolidayProviderTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Service\PublicHolidayProvider;
+use App\Module\Absence\Domain\Service\PublicHolidayProvider;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
-- 
2.39.5


From 163bf0891abcac45ce10e3fc0252a57b47f2c79e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 18:36:48 +0200
Subject: [PATCH 52/99] feat(absence) : extract Absence front into Nuxt module
 layer

LST-66 (2.3) front. Companion to the backend module migration.

- Move pages (absences, team-absences), 8 components, the absences service +
  DTO and the useAbsenceHelpers composable into frontend/modules/absence/
  (auto-detected layer; composable now auto-imported).
- Rewrite consumers: AdminAbsencePolicyTab and the time-tracking calendar
  (getPublicHolidays) point to ~/modules/absence/...
- Middlewares (employee/admin) and shared services (clients, users,
  user-data DTO) stay at the root. i18n stays global.
- Routes /absences and /team-absences preserved.

nuxt build passes; routes confirmed.
---
 frontend/components/admin/AdminAbsencePolicyTab.vue          | 4 ++--
 .../absence/components}/AbsenceBalanceAdjustDrawer.vue       | 4 ++--
 .../absence/components}/AbsenceBalanceCards.vue              | 3 +--
 .../absence/components}/AbsenceCalendar.vue                  | 5 ++---
 .../absence/components}/AbsenceDateField.vue                 | 2 +-
 .../absence/components}/AbsenceDetailDrawer.vue              | 5 ++---
 .../absence/components}/AbsenceRejectDrawer.vue              | 5 ++---
 .../absence/components}/AbsenceRequestDrawer.vue             | 5 ++---
 .../absence/components}/EmployeeDrawer.vue                   | 0
 .../{ => modules/absence}/composables/useAbsenceHelpers.ts   | 2 +-
 frontend/modules/absence/nuxt.config.ts                      | 1 +
 frontend/{ => modules/absence}/pages/absences.vue            | 5 ++---
 frontend/{ => modules/absence}/pages/team-absences.vue       | 5 ++---
 frontend/{ => modules/absence}/services/absences.ts          | 0
 frontend/{ => modules/absence}/services/dto/absence.ts       | 0
 .../time-tracking/components/TimeTrackingCalendar.vue        | 2 +-
 16 files changed, 21 insertions(+), 27 deletions(-)
 rename frontend/{components/absence => modules/absence/components}/AbsenceBalanceAdjustDrawer.vue (93%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceBalanceCards.vue (97%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceCalendar.vue (96%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceDateField.vue (96%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceDetailDrawer.vue (97%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceRejectDrawer.vue (91%)
 rename frontend/{components/absence => modules/absence/components}/AbsenceRequestDrawer.vue (98%)
 rename frontend/{components/absence => modules/absence/components}/EmployeeDrawer.vue (100%)
 rename frontend/{ => modules/absence}/composables/useAbsenceHelpers.ts (98%)
 create mode 100644 frontend/modules/absence/nuxt.config.ts
 rename frontend/{ => modules/absence}/pages/absences.vue (97%)
 rename frontend/{ => modules/absence}/pages/team-absences.vue (99%)
 rename frontend/{ => modules/absence}/services/absences.ts (100%)
 rename frontend/{ => modules/absence}/services/dto/absence.ts (100%)

diff --git a/frontend/components/admin/AdminAbsencePolicyTab.vue b/frontend/components/admin/AdminAbsencePolicyTab.vue
index 290df97..5929d6a 100644
--- a/frontend/components/admin/AdminAbsencePolicyTab.vue
+++ b/frontend/components/admin/AdminAbsencePolicyTab.vue
@@ -51,8 +51,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsencePolicy } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
+import type { AbsencePolicy } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const service = useAbsenceService()
 const rows = ref<AbsencePolicy[]>([])
diff --git a/frontend/components/absence/AbsenceBalanceAdjustDrawer.vue b/frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
similarity index 93%
rename from frontend/components/absence/AbsenceBalanceAdjustDrawer.vue
rename to frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
index d85d9a0..cda4b04 100644
--- a/frontend/components/absence/AbsenceBalanceAdjustDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceBalanceAdjustDrawer.vue
@@ -19,8 +19,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
+import type { AbsenceBalance } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceBalanceCards.vue b/frontend/modules/absence/components/AbsenceBalanceCards.vue
similarity index 97%
rename from frontend/components/absence/AbsenceBalanceCards.vue
rename to frontend/modules/absence/components/AbsenceBalanceCards.vue
index b811b5e..02beddf 100644
--- a/frontend/components/absence/AbsenceBalanceCards.vue
+++ b/frontend/modules/absence/components/AbsenceBalanceCards.vue
@@ -73,8 +73,7 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance } from '~/services/dto/absence'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceBalance } from '~/modules/absence/services/dto/absence'
 
 const props = defineProps<{
     balances: AbsenceBalance[]
diff --git a/frontend/components/absence/AbsenceCalendar.vue b/frontend/modules/absence/components/AbsenceCalendar.vue
similarity index 96%
rename from frontend/components/absence/AbsenceCalendar.vue
rename to frontend/modules/absence/components/AbsenceCalendar.vue
index 604bf76..f9bf4e6 100644
--- a/frontend/components/absence/AbsenceCalendar.vue
+++ b/frontend/modules/absence/components/AbsenceCalendar.vue
@@ -52,9 +52,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     absences: AbsenceRequest[]
diff --git a/frontend/components/absence/AbsenceDateField.vue b/frontend/modules/absence/components/AbsenceDateField.vue
similarity index 96%
rename from frontend/components/absence/AbsenceDateField.vue
rename to frontend/modules/absence/components/AbsenceDateField.vue
index fbf31e9..2e96309 100644
--- a/frontend/components/absence/AbsenceDateField.vue
+++ b/frontend/modules/absence/components/AbsenceDateField.vue
@@ -29,7 +29,7 @@
 </template>
 
 <script setup lang="ts">
-import type { HalfDay } from '~/services/dto/absence'
+import type { HalfDay } from '~/modules/absence/services/dto/absence'
 
 const props = withDefaults(defineProps<{
     /** ISO date string "YYYY-MM-DD" or null. */
diff --git a/frontend/components/absence/AbsenceDetailDrawer.vue b/frontend/modules/absence/components/AbsenceDetailDrawer.vue
similarity index 97%
rename from frontend/components/absence/AbsenceDetailDrawer.vue
rename to frontend/modules/absence/components/AbsenceDetailDrawer.vue
index 1ba3820..7870c3f 100644
--- a/frontend/components/absence/AbsenceDetailDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceDetailDrawer.vue
@@ -135,9 +135,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceRejectDrawer.vue b/frontend/modules/absence/components/AbsenceRejectDrawer.vue
similarity index 91%
rename from frontend/components/absence/AbsenceRejectDrawer.vue
rename to frontend/modules/absence/components/AbsenceRejectDrawer.vue
index 1828743..074efbd 100644
--- a/frontend/components/absence/AbsenceRejectDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceRejectDrawer.vue
@@ -26,9 +26,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceRequest } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceRequest } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/AbsenceRequestDrawer.vue b/frontend/modules/absence/components/AbsenceRequestDrawer.vue
similarity index 98%
rename from frontend/components/absence/AbsenceRequestDrawer.vue
rename to frontend/modules/absence/components/AbsenceRequestDrawer.vue
index 35b4ce0..34ba73f 100644
--- a/frontend/components/absence/AbsenceRequestDrawer.vue
+++ b/frontend/modules/absence/components/AbsenceRequestDrawer.vue
@@ -105,9 +105,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsencePolicy, AbsencePreviewResult, AbsenceType, HalfDay } from '~/services/dto/absence'
-import { useAbsenceService } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsencePolicy, AbsencePreviewResult, AbsenceType, HalfDay } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/components/absence/EmployeeDrawer.vue b/frontend/modules/absence/components/EmployeeDrawer.vue
similarity index 100%
rename from frontend/components/absence/EmployeeDrawer.vue
rename to frontend/modules/absence/components/EmployeeDrawer.vue
diff --git a/frontend/composables/useAbsenceHelpers.ts b/frontend/modules/absence/composables/useAbsenceHelpers.ts
similarity index 98%
rename from frontend/composables/useAbsenceHelpers.ts
rename to frontend/modules/absence/composables/useAbsenceHelpers.ts
index 3921706..07b03c3 100644
--- a/frontend/composables/useAbsenceHelpers.ts
+++ b/frontend/modules/absence/composables/useAbsenceHelpers.ts
@@ -1,4 +1,4 @@
-import type { AbsenceRequest, AbsenceStatus, AbsenceType, HalfDay } from '~/services/dto/absence'
+import type { AbsenceRequest, AbsenceStatus, AbsenceType, HalfDay } from '~/modules/absence/services/dto/absence'
 
 export type BadgeVariant = 'neutral' | 'info' | 'success' | 'warning' | 'danger'
 
diff --git a/frontend/modules/absence/nuxt.config.ts b/frontend/modules/absence/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/absence/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/absences.vue b/frontend/modules/absence/pages/absences.vue
similarity index 97%
rename from frontend/pages/absences.vue
rename to frontend/modules/absence/pages/absences.vue
index 7b68792..9f569c0 100644
--- a/frontend/pages/absences.vue
+++ b/frontend/modules/absence/pages/absences.vue
@@ -69,9 +69,8 @@
 </template>
 
 <script setup lang="ts">
-import type { AbsenceBalance, AbsencePolicy, AbsenceRequest, AbsenceStatus, AbsenceType } from '~/services/dto/absence'
-import { useAbsenceService, type AbsenceRequestFilters } from '~/services/absences'
-import { useAbsenceHelpers } from '~/composables/useAbsenceHelpers'
+import type { AbsenceBalance, AbsencePolicy, AbsenceRequest, AbsenceStatus, AbsenceType } from '~/modules/absence/services/dto/absence'
+import { useAbsenceService, type AbsenceRequestFilters } from '~/modules/absence/services/absences'
 
 type Row = AbsenceRequest & { typeLabelText: string; periodText: string; daysText: string; createdAtText: string }
 
diff --git a/frontend/pages/team-absences.vue b/frontend/modules/absence/pages/team-absences.vue
similarity index 99%
rename from frontend/pages/team-absences.vue
rename to frontend/modules/absence/pages/team-absences.vue
index 389e55e..385bdba 100644
--- a/frontend/pages/team-absences.vue
+++ b/frontend/modules/absence/pages/team-absences.vue
@@ -198,12 +198,11 @@ import type {
     AbsenceRequest,
     AbsenceStatus,
     AbsenceType,
-} from "~/services/dto/absence";
+} from "~/modules/absence/services/dto/absence";
 import {
     useAbsenceService,
     type AbsenceRequestFilters,
-} from "~/services/absences";
-import { useAbsenceHelpers } from "~/composables/useAbsenceHelpers";
+} from "~/modules/absence/services/absences";
 import { useUserService } from "~/services/users";
 import type { UserData } from "~/services/dto/user-data";
 
diff --git a/frontend/services/absences.ts b/frontend/modules/absence/services/absences.ts
similarity index 100%
rename from frontend/services/absences.ts
rename to frontend/modules/absence/services/absences.ts
diff --git a/frontend/services/dto/absence.ts b/frontend/modules/absence/services/dto/absence.ts
similarity index 100%
rename from frontend/services/dto/absence.ts
rename to frontend/modules/absence/services/dto/absence.ts
diff --git a/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
index 2652309..455c7dd 100644
--- a/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingCalendar.vue
@@ -151,7 +151,7 @@
 
 <script setup lang="ts">
 import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
-import { useAbsenceService } from '~/services/absences'
+import { useAbsenceService } from '~/modules/absence/services/absences'
 
 const { t } = useI18n()
 const absenceService = useAbsenceService()
-- 
2.39.5


From c5738d269b4dd66bb049db4ef05129994a86b0bc Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 18:51:49 +0200
Subject: [PATCH 53/99] feat(directory) : migrate Client into Directory module
 (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-58 (2.4), part 1/2 — Client move. Prospect + repertoire front are pending
the product spec and will be added on this branch afterward.

- Client entity moved to src/Module/Directory/Domain/Entity; repository split
  into Domain/Repository/ClientRepositoryInterface + Doctrine impl (bound in
  services.yaml). 5 client MCP tools moved to Infrastructure/Mcp/Tool, now
  injecting the interface.
- resolve_target_entities ClientInterface repointed to Directory\Client;
  Directory mapping added; DirectoryModule registered (id directory, 2 RBAC
  perms). Client.projects relation now uses ProjectInterface -> Directory no
  longer depends on ProjectManagement.
- ProjectManagement Create/UpdateProjectTool inject Directory's
  ClientRepositoryInterface; Serializer and fixtures repointed.
- Garde-fous: #[Auditable] + Timestampable/Blamable on Client (additive
  migration: created_at/updated_at + created_by/updated_by FK ON DELETE SET
  NULL + COMMENT).

161 tests green, mapping valid, no API route regression, cs-fixer clean.
---
 config/modules.php                            |  2 +
 config/packages/doctrine.yaml                 |  7 ++-
 config/services.yaml                          |  2 +
 migrations/Version20260620180000.php          | 53 +++++++++++++++++++
 src/DataFixtures/AppFixtures.php              |  2 +-
 src/Mcp/Tool/Serializer.php                   |  2 +-
 src/Module/Directory/DirectoryModule.php      | 41 ++++++++++++++
 .../Directory/Domain}/Entity/Client.php       | 23 +++++---
 .../Repository/ClientRepositoryInterface.php  | 20 +++++++
 .../Doctrine/DoctrineClientRepository.php     | 26 +++++++++
 .../Mcp/Tool}/CreateClientTool.php            |  4 +-
 .../Mcp/Tool}/DeleteClientTool.php            |  8 +--
 .../Mcp/Tool}/GetClientTool.php               |  8 +--
 .../Mcp/Tool}/ListClientsTool.php             |  6 +--
 .../Mcp/Tool}/UpdateClientTool.php            |  8 +--
 .../Mcp/Tool/Project/CreateProjectTool.php    |  6 +--
 .../Mcp/Tool/Project/UpdateProjectTool.php    |  6 +--
 src/Repository/ClientRepository.php           | 17 ------
 18 files changed, 190 insertions(+), 51 deletions(-)
 create mode 100644 migrations/Version20260620180000.php
 create mode 100644 src/Module/Directory/DirectoryModule.php
 rename src/{ => Module/Directory/Domain}/Entity/Client.php (82%)
 create mode 100644 src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/CreateClientTool.php (92%)
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/DeleteClientTool.php (81%)
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/GetClientTool.php (77%)
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/ListClientsTool.php (82%)
 rename src/{Mcp/Tool/Reference => Module/Directory/Infrastructure/Mcp/Tool}/UpdateClientTool.php (87%)
 delete mode 100644 src/Repository/ClientRepository.php

diff --git a/config/modules.php b/config/modules.php
index 9a03656..a799714 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -9,6 +9,7 @@ declare(strict_types=1);
 
 use App\Module\Absence\AbsenceModule;
 use App\Module\Core\CoreModule;
+use App\Module\Directory\DirectoryModule;
 use App\Module\ProjectManagement\ProjectManagementModule;
 use App\Module\TimeTracking\TimeTrackingModule;
 
@@ -17,4 +18,5 @@ return [
     TimeTrackingModule::class,
     ProjectManagementModule::class,
     AbsenceModule::class,
+    DirectoryModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 6b872cf..9157f14 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -25,7 +25,7 @@ doctrine:
             App\Shared\Domain\Contract\ProjectInterface: App\Module\ProjectManagement\Domain\Entity\Project
             App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
             App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
-            App\Shared\Domain\Contract\ClientInterface: App\Entity\Client
+            App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
         mappings:
             App:
                 type: attribute
@@ -53,6 +53,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Absence/Domain/Entity'
                 prefix: 'App\Module\Absence\Domain\Entity'
+            Directory:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Directory/Domain/Entity'
+                prefix: 'App\Module\Directory\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/services.yaml b/config/services.yaml
index c722b23..cb54a66 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -99,4 +99,6 @@ services:
 
     App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface: '@App\Module\Absence\Infrastructure\Doctrine\DoctrineAbsenceBalanceRepository'
 
+    App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/migrations/Version20260620180000.php b/migrations/Version20260620180000.php
new file mode 100644
index 0000000..1304283
--- /dev/null
+++ b/migrations/Version20260620180000.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Directory module: add Timestampable/Blamable columns to client.
+ *
+ * Client (moved to App\Module\Directory\Domain\Entity) adopts
+ * TimestampableBlamableTrait. This migration is purely additive — nullable
+ * columns + nullable FK to "user" with ON DELETE SET NULL. No DROP/ALTER on
+ * existing data. Columns are lowercase snake_case. Hand-written to guarantee
+ * zero destructive instruction.
+ */
+final class Version20260620180000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Directory: add timestampable/blamable columns to client (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE client ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD CONSTRAINT FK_C7440455DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client ADD CONSTRAINT FK_C744045516FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_C7440455DE12AB56 ON client (created_by)');
+        $this->addSql('CREATE INDEX IDX_C744045516FE72E1 ON client (updated_by)');
+        $this->addSql("COMMENT ON COLUMN client.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN client.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN client.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN client.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE client DROP CONSTRAINT FK_C7440455DE12AB56');
+        $this->addSql('ALTER TABLE client DROP CONSTRAINT FK_C744045516FE72E1');
+        $this->addSql('DROP INDEX IDX_C7440455DE12AB56');
+        $this->addSql('DROP INDEX IDX_C744045516FE72E1');
+        $this->addSql('ALTER TABLE client DROP created_at');
+        $this->addSql('ALTER TABLE client DROP updated_at');
+        $this->addSql('ALTER TABLE client DROP created_by');
+        $this->addSql('ALTER TABLE client DROP updated_by');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 7ad5264..f52805f 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Entity\Client;
 use App\Entity\MailConfiguration;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\ContractType;
@@ -15,6 +14,7 @@ use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Directory\Domain\Entity\Client;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index c4f4dff..5111143 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Mcp\Tool;
 
-use App\Entity\Client;
 use App\Module\Absence\Domain\Entity\AbsenceBalance;
 use App\Module\Absence\Domain\Entity\AbsencePolicy;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Directory\Domain\Entity\Client;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
diff --git a/src/Module/Directory/DirectoryModule.php b/src/Module/Directory/DirectoryModule.php
new file mode 100644
index 0000000..6ccf2aa
--- /dev/null
+++ b/src/Module/Directory/DirectoryModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class DirectoryModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'directory';
+    }
+
+    public static function label(): string
+    {
+        return 'Répertoire';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Directory.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'directory.clients.view', 'label' => 'Voir les clients'],
+            ['code' => 'directory.clients.manage', 'label' => 'Gérer les clients'],
+        ];
+    }
+}
diff --git a/src/Entity/Client.php b/src/Module/Directory/Domain/Entity/Client.php
similarity index 82%
rename from src/Entity/Client.php
rename to src/Module/Directory/Domain/Entity/Client.php
index 6f3bf8a..eb28ae0 100644
--- a/src/Entity/Client.php
+++ b/src/Module/Directory/Domain/Entity/Client.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Directory\Domain\Entity;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
@@ -10,14 +10,19 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Module\ProjectManagement\Domain\Entity\Project;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
 use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Attribute\Groups;
 
+#[Auditable]
 #[ApiResource(
     operations: [
         new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
@@ -30,9 +35,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['client:write']],
     order: ['name' => 'ASC'],
 )]
-#[ORM\Entity(repositoryClass: ClientRepository::class)]
-class Client implements ClientInterface
+#[ORM\Entity(repositoryClass: DoctrineClientRepository::class)]
+class Client implements ClientInterface, TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
@@ -63,8 +70,8 @@ class Client implements ClientInterface
     #[Groups(['client:read', 'client:write'])]
     private ?string $postalCode = null;
 
-    /** @var Collection<int, Project> */
-    #[ORM\OneToMany(targetEntity: Project::class, mappedBy: 'client')]
+    /** @var Collection<int, ProjectInterface> */
+    #[ORM\OneToMany(targetEntity: ProjectInterface::class, mappedBy: 'client')]
     private Collection $projects;
 
     public function __construct()
@@ -149,7 +156,7 @@ class Client implements ClientInterface
         return $this;
     }
 
-    /** @return Collection<int, Project> */
+    /** @return Collection<int, ProjectInterface> */
     public function getProjects(): Collection
     {
         return $this->projects;
diff --git a/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
new file mode 100644
index 0000000..4562b76
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ClientRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Client;
+
+interface ClientRepositoryInterface
+{
+    public function findById(int $id): ?Client;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Client[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
new file mode 100644
index 0000000..a5cdf9d
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineClientRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Client>
+ */
+final class DoctrineClientRepository extends ServiceEntityRepository implements ClientRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Client::class);
+    }
+
+    public function findById(int $id): ?Client
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Mcp/Tool/Reference/CreateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
similarity index 92%
rename from src/Mcp/Tool/Reference/CreateClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
index 3218610..087d30b 100644
--- a/src/Mcp/Tool/Reference/CreateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Entity\Client;
 use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Entity\Client;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/Reference/DeleteClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
similarity index 81%
rename from src/Mcp/Tool/Reference/DeleteClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
index b3af640..168af47 100644
--- a/src/Mcp/Tool/Reference/DeleteClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteClientTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -17,7 +17,7 @@ use function sprintf;
 class DeleteClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -28,7 +28,7 @@ class DeleteClientTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Reference/GetClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
similarity index 77%
rename from src/Mcp/Tool/Reference/GetClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
index 163070f..de37db3 100644
--- a/src/Mcp/Tool/Reference/GetClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -17,7 +17,7 @@ use function sprintf;
 class GetClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
@@ -27,7 +27,7 @@ class GetClientTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
diff --git a/src/Mcp/Tool/Reference/ListClientsTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
similarity index 82%
rename from src/Mcp/Tool/Reference/ListClientsTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
index 29ef197..9eb8218 100644
--- a/src/Mcp/Tool/Reference/ListClientsTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ListClientsTool.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 class ListClientsTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
diff --git a/src/Mcp/Tool/Reference/UpdateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
similarity index 87%
rename from src/Mcp/Tool/Reference/UpdateClientTool.php
rename to src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
index fc03cb8..f6ff65b 100644
--- a/src/Mcp/Tool/Reference/UpdateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
 use App\Mcp\Tool\Serializer;
-use App\Repository\ClientRepository;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -18,7 +18,7 @@ use function sprintf;
 class UpdateClientTool
 {
     public function __construct(
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -36,7 +36,7 @@ class UpdateClientTool
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
         }
 
-        $client = $this->clientRepository->find($id);
+        $client = $this->clientRepository->findById($id);
         if (null === $client) {
             throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $id));
         }
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
index ff212e6..25c2fae 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Project;
-use App\Repository\ClientRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -20,7 +20,7 @@ class CreateProjectTool
 {
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly Security $security,
     ) {}
 
@@ -46,7 +46,7 @@ class CreateProjectTool
             $project->setColor($color);
         }
         if (null !== $clientId) {
-            $client = $this->clientRepository->find($clientId);
+            $client = $this->clientRepository->findById($clientId);
             if (null === $client) {
                 throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $clientId));
             }
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
index 4e9275b..d3bb783 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
@@ -5,8 +5,8 @@ declare(strict_types=1);
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
 use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
-use App\Repository\ClientRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
@@ -20,7 +20,7 @@ class UpdateProjectTool
 {
     public function __construct(
         private readonly ProjectRepositoryInterface $projectRepository,
-        private readonly ClientRepository $clientRepository,
+        private readonly ClientRepositoryInterface $clientRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
     ) {}
@@ -57,7 +57,7 @@ class UpdateProjectTool
             $project->setColor($color);
         }
         if (null !== $clientId) {
-            $client = $this->clientRepository->find($clientId);
+            $client = $this->clientRepository->findById($clientId);
             if (null === $client) {
                 throw new InvalidArgumentException(sprintf('Client with ID %d not found.', $clientId));
             }
diff --git a/src/Repository/ClientRepository.php b/src/Repository/ClientRepository.php
deleted file mode 100644
index 198e9d2..0000000
--- a/src/Repository/ClientRepository.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\Client;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class ClientRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, Client::class);
-    }
-}
-- 
2.39.5


From d42b2884341156e73b03a576c3b7ebb880731b0e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 19:09:12 +0200
Subject: [PATCH 54/99] feat(directory) : add Prospect entity with conversion
 to Client (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-58 (2.4), part 2 — Prospect (new entity). Completes the Directory backend.

- ProspectStatus enum (new/contacted/qualified/won/lost) + Prospect entity
  (name, company, email, phone, address, status, source, notes,
  convertedClient -> ClientInterface) with Timestampable/Blamable + #[Auditable].
- API: GetCollection/Get (ROLE_USER), Post/Patch/Delete (ROLE_ADMIN),
  custom POST /prospects/{id}/convert (ConvertProspectProcessor: creates a
  Client from the prospect, links convertedClient, sets status=Won; idempotent).
  SearchFilter on status.
- Repository interface + Doctrine impl (bound); 6 MCP tools (list/get/create/
  update/delete/convert-prospect); Serializer::prospect(). Module perms
  directory.prospects.view/manage. Demo fixtures (3 prospects, one converted).
- Additive migration: CREATE TABLE prospect + FKs ON DELETE SET NULL + COMMENT.

163 tests green (incl. conversion test), mapping valid, cs-fixer clean.
---
 config/services.yaml                          |   2 +
 migrations/Version20260620190000.php          |  48 ++++
 src/DataFixtures/AppFixtures.php              |  39 +++
 src/Mcp/Tool/Serializer.php                   |  30 +++
 src/Module/Directory/DirectoryModule.php      |   2 +
 .../Directory/Domain/Entity/Prospect.php      | 239 ++++++++++++++++++
 .../Directory/Domain/Enum/ProspectStatus.php  |  25 ++
 .../ProspectRepositoryInterface.php           |  20 ++
 .../State/ConvertProspectProcessor.php        |  63 +++++
 .../Doctrine/DoctrineProspectRepository.php   |  26 ++
 .../Mcp/Tool/ConvertProspectTool.php          |  58 +++++
 .../Mcp/Tool/CreateProspectTool.php           |  66 +++++
 .../Mcp/Tool/DeleteProspectTool.php           |  42 +++
 .../Mcp/Tool/GetProspectTool.php              |  37 +++
 .../Mcp/Tool/ListProspectsTool.php            |  44 ++++
 .../Mcp/Tool/UpdateProspectTool.php           |  88 +++++++
 .../Directory/ProspectConversionTest.php      |  77 ++++++
 17 files changed, 906 insertions(+)
 create mode 100644 migrations/Version20260620190000.php
 create mode 100644 src/Module/Directory/Domain/Entity/Prospect.php
 create mode 100644 src/Module/Directory/Domain/Enum/ProspectStatus.php
 create mode 100644 src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
 create mode 100644 src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
 create mode 100644 tests/Functional/Module/Directory/ProspectConversionTest.php

diff --git a/config/services.yaml b/config/services.yaml
index cb54a66..e3625b1 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -101,4 +101,6 @@ services:
 
     App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
 
+    App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/migrations/Version20260620190000.php b/migrations/Version20260620190000.php
new file mode 100644
index 0000000..26f5306
--- /dev/null
+++ b/migrations/Version20260620190000.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Directory module: create the prospect table.
+ *
+ * Purely additive — creates a brand-new table with nullable FKs:
+ *   converted_client_id -> client(id)  ON DELETE SET NULL
+ *   created_by/updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case.
+ * Hand-written to mirror the schema dump and guarantee zero destructive
+ * instruction. down() drops the new table.
+ */
+final class Version20260620190000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Directory: create prospect table (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('CREATE TABLE prospect (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, name VARCHAR(255) NOT NULL, company VARCHAR(255) DEFAULT NULL, email VARCHAR(255) DEFAULT NULL, phone VARCHAR(50) DEFAULT NULL, street VARCHAR(255) DEFAULT NULL, city VARCHAR(255) DEFAULT NULL, postal_code VARCHAR(20) DEFAULT NULL, status VARCHAR(32) NOT NULL, source VARCHAR(255) DEFAULT NULL, notes TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, converted_client_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7D5AA408DD ON prospect (converted_client_id)');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7DDE12AB56 ON prospect (created_by)');
+        $this->addSql('CREATE INDEX IDX_C9CE8C7D16FE72E1 ON prospect (updated_by)');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7D5AA408DD FOREIGN KEY (converted_client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7DDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE prospect ADD CONSTRAINT FK_C9CE8C7D16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql("COMMENT ON COLUMN prospect.status IS 'Prospect pipeline status (ProspectStatus enum: new, contacted, qualified, won, lost)'");
+        $this->addSql("COMMENT ON COLUMN prospect.converted_client_id IS 'Client created when the prospect is converted (FK client.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN prospect.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN prospect.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN prospect.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN prospect.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('DROP TABLE prospect');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index f52805f..da9cfab 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -15,6 +15,8 @@ use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
@@ -104,6 +106,43 @@ class AppFixtures extends Fixture
         $clientNova->setPostalCode('69007');
         $manager->persist($clientNova);
 
+        // Prospects
+        $prospectLead = new Prospect();
+        $prospectLead->setName('Marie Dupont');
+        $prospectLead->setCompany('Atelier Dupont');
+        $prospectLead->setEmail('marie@atelier-dupont.fr');
+        $prospectLead->setPhone('06 11 22 33 44');
+        $prospectLead->setCity('Nantes');
+        $prospectLead->setPostalCode('44000');
+        $prospectLead->setStatus(ProspectStatus::New);
+        $prospectLead->setSource('Site web');
+        $prospectLead->setNotes('Demande de devis via le formulaire de contact.');
+        $manager->persist($prospectLead);
+
+        $prospectQualified = new Prospect();
+        $prospectQualified->setName('Jean Martin');
+        $prospectQualified->setCompany('Martin & Fils');
+        $prospectQualified->setEmail('contact@martin-fils.fr');
+        $prospectQualified->setPhone('07 55 66 77 88');
+        $prospectQualified->setStreet('22 rue du Commerce');
+        $prospectQualified->setCity('Bordeaux');
+        $prospectQualified->setPostalCode('33000');
+        $prospectQualified->setStatus(ProspectStatus::Qualified);
+        $prospectQualified->setSource('Salon professionnel');
+        $manager->persist($prospectQualified);
+
+        $prospectWon = new Prospect();
+        $prospectWon->setName('Sophie Bernard');
+        $prospectWon->setCompany('ACME Corp');
+        $prospectWon->setEmail('contact@acme.com');
+        $prospectWon->setPhone('01 23 45 67 89');
+        $prospectWon->setCity('Paris');
+        $prospectWon->setPostalCode('75002');
+        $prospectWon->setStatus(ProspectStatus::Won);
+        $prospectWon->setSource('Recommandation');
+        $prospectWon->setConvertedClient($clientAcme);
+        $manager->persist($prospectWon);
+
         // Workflow par défaut
         $standardWorkflow = new Workflow();
         $standardWorkflow->setName('Standard');
diff --git a/src/Mcp/Tool/Serializer.php b/src/Mcp/Tool/Serializer.php
index 5111143..2871484 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Mcp/Tool/Serializer.php
@@ -9,6 +9,7 @@ use App\Module\Absence\Domain\Entity\AbsencePolicy;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
@@ -372,6 +373,35 @@ final class Serializer
         ];
     }
 
+    /**
+     * @return array<string, mixed>
+     */
+    public static function prospect(Prospect $p): array
+    {
+        $client = $p->getConvertedClient();
+
+        return [
+            'id'              => $p->getId(),
+            'name'            => $p->getName(),
+            'company'         => $p->getCompany(),
+            'email'           => $p->getEmail(),
+            'phone'           => $p->getPhone(),
+            'street'          => $p->getStreet(),
+            'city'            => $p->getCity(),
+            'postalCode'      => $p->getPostalCode(),
+            'status'          => $p->getStatus()->value,
+            'statusLabel'     => $p->getStatus()->label(),
+            'source'          => $p->getSource(),
+            'notes'           => $p->getNotes(),
+            'convertedClient' => null === $client ? null : [
+                'id'   => $client->getId(),
+                'name' => $client->getName(),
+            ],
+            'createdAt' => $p->getCreatedAt()?->format('c'),
+            'updatedAt' => $p->getUpdatedAt()?->format('c'),
+        ];
+    }
+
     /**
      * @return array<string, mixed>
      */
diff --git a/src/Module/Directory/DirectoryModule.php b/src/Module/Directory/DirectoryModule.php
index 6ccf2aa..a3b9ecf 100644
--- a/src/Module/Directory/DirectoryModule.php
+++ b/src/Module/Directory/DirectoryModule.php
@@ -36,6 +36,8 @@ final class DirectoryModule implements ModuleInterface
         return [
             ['code' => 'directory.clients.view', 'label' => 'Voir les clients'],
             ['code' => 'directory.clients.manage', 'label' => 'Gérer les clients'],
+            ['code' => 'directory.prospects.view', 'label' => 'Voir les prospects'],
+            ['code' => 'directory.prospects.manage', 'label' => 'Gérer les prospects'],
         ];
     }
 }
diff --git a/src/Module/Directory/Domain/Entity/Prospect.php b/src/Module/Directory/Domain/Entity/Prospect.php
new file mode 100644
index 0000000..2806fd7
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Prospect.php
@@ -0,0 +1,239 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Post(
+            uriTemplate: '/prospects/{id}/convert',
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ConvertProspectProcessor::class,
+        ),
+    ],
+    normalizationContext: ['groups' => ['prospect:read']],
+    denormalizationContext: ['groups' => ['prospect:write']],
+    order: ['name' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['status' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineProspectRepository::class)]
+#[ORM\Table(name: 'prospect')]
+class Prospect implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['prospect:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $name = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $company = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $phone = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $street = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $city = null;
+
+    #[ORM\Column(length: 20, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $postalCode = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ProspectStatus::class)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ProspectStatus $status = ProspectStatus::New;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $source = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['prospect:read', 'prospect:write'])]
+    private ?string $notes = null;
+
+    #[ORM\ManyToOne(targetEntity: ClientInterface::class)]
+    #[ORM\JoinColumn(name: 'converted_client_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['prospect:read'])]
+    private ?ClientInterface $convertedClient = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getName(): ?string
+    {
+        return $this->name;
+    }
+
+    public function setName(string $name): static
+    {
+        $this->name = $name;
+
+        return $this;
+    }
+
+    public function getCompany(): ?string
+    {
+        return $this->company;
+    }
+
+    public function setCompany(?string $company): static
+    {
+        $this->company = $company;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhone(): ?string
+    {
+        return $this->phone;
+    }
+
+    public function setPhone(?string $phone): static
+    {
+        $this->phone = $phone;
+
+        return $this;
+    }
+
+    public function getStreet(): ?string
+    {
+        return $this->street;
+    }
+
+    public function setStreet(?string $street): static
+    {
+        $this->street = $street;
+
+        return $this;
+    }
+
+    public function getCity(): ?string
+    {
+        return $this->city;
+    }
+
+    public function setCity(?string $city): static
+    {
+        $this->city = $city;
+
+        return $this;
+    }
+
+    public function getPostalCode(): ?string
+    {
+        return $this->postalCode;
+    }
+
+    public function setPostalCode(?string $postalCode): static
+    {
+        $this->postalCode = $postalCode;
+
+        return $this;
+    }
+
+    public function getStatus(): ProspectStatus
+    {
+        return $this->status;
+    }
+
+    public function setStatus(ProspectStatus $status): static
+    {
+        $this->status = $status;
+
+        return $this;
+    }
+
+    public function getSource(): ?string
+    {
+        return $this->source;
+    }
+
+    public function setSource(?string $source): static
+    {
+        $this->source = $source;
+
+        return $this;
+    }
+
+    public function getNotes(): ?string
+    {
+        return $this->notes;
+    }
+
+    public function setNotes(?string $notes): static
+    {
+        $this->notes = $notes;
+
+        return $this;
+    }
+
+    public function getConvertedClient(): ?ClientInterface
+    {
+        return $this->convertedClient;
+    }
+
+    public function setConvertedClient(?ClientInterface $convertedClient): static
+    {
+        $this->convertedClient = $convertedClient;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Enum/ProspectStatus.php b/src/Module/Directory/Domain/Enum/ProspectStatus.php
new file mode 100644
index 0000000..b23c169
--- /dev/null
+++ b/src/Module/Directory/Domain/Enum/ProspectStatus.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ProspectStatus: string
+{
+    case New       = 'new';
+    case Contacted = 'contacted';
+    case Qualified = 'qualified';
+    case Won       = 'won';
+    case Lost      = 'lost';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::New       => 'Nouveau',
+            self::Contacted => 'Contacté',
+            self::Qualified => 'Qualifié',
+            self::Won       => 'Gagné',
+            self::Lost      => 'Perdu',
+        };
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
new file mode 100644
index 0000000..c4fba0c
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ProspectRepositoryInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Prospect;
+
+interface ProspectRepositoryInterface
+{
+    public function findById(int $id): ?Prospect;
+
+    /**
+     * @param array<string, mixed>       $criteria
+     * @param null|array<string, string> $orderBy
+     *
+     * @return Prospect[]
+     */
+    public function findBy(array $criteria, ?array $orderBy = null, ?int $limit = null, ?int $offset = null): array;
+}
diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
new file mode 100644
index 0000000..51d801a
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Converts a Prospect into a Client.
+ *
+ * Loads the Prospect via the URI id, creates a Client (name = company or name,
+ * copying contact details), links it back via convertedClient and flags the
+ * prospect as Won. Idempotent: if already converted, returns it unchanged.
+ *
+ * @implements ProcessorInterface<Prospect, Prospect>
+ */
+final readonly class ConvertProspectProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private ProspectRepositoryInterface $prospectRepository,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): Prospect
+    {
+        $id       = $uriVariables['id'] ?? null;
+        $prospect = is_numeric($id) ? $this->prospectRepository->findById((int) $id) : null;
+
+        if (!$prospect instanceof Prospect) {
+            throw new NotFoundHttpException('Prospect not found.');
+        }
+
+        // Idempotent: already converted, return as-is.
+        if (null !== $prospect->getConvertedClient()) {
+            return $prospect;
+        }
+
+        $client = new Client();
+        $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+        $client->setEmail($prospect->getEmail());
+        $client->setPhone($prospect->getPhone());
+        $client->setStreet($prospect->getStreet());
+        $client->setCity($prospect->getCity());
+        $client->setPostalCode($prospect->getPostalCode());
+
+        $this->entityManager->persist($client);
+
+        $prospect->setConvertedClient($client);
+        $prospect->setStatus(ProspectStatus::Won);
+
+        $this->entityManager->flush();
+
+        return $prospect;
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
new file mode 100644
index 0000000..7bcf2da
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineProspectRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Prospect>
+ */
+final class DoctrineProspectRepository extends ServiceEntityRepository implements ProspectRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Prospect::class);
+    }
+
+    public function findById(int $id): ?Prospect
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
new file mode 100644
index 0000000..a80cf60
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'convert-prospect', description: 'Convert a prospect into a client (admin). Idempotent: returns the prospect unchanged if already converted.')]
+class ConvertProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        if (null === $prospect->getConvertedClient()) {
+            $client = new Client();
+            $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+            $client->setEmail($prospect->getEmail());
+            $client->setPhone($prospect->getPhone());
+            $client->setStreet($prospect->getStreet());
+            $client->setCity($prospect->getCity());
+            $client->setPostalCode($prospect->getPostalCode());
+
+            $this->entityManager->persist($client);
+
+            $prospect->setConvertedClient($client);
+            $prospect->setStatus(ProspectStatus::Won);
+
+            $this->entityManager->flush();
+        }
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
new file mode 100644
index 0000000..3663fc4
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'create-prospect', description: 'Create a prospect (admin). Only name is required. Status defaults to "new".')]
+class CreateProspectTool
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(
+        string $name,
+        ?string $company = null,
+        ?string $email = null,
+        ?string $phone = null,
+        ?string $street = null,
+        ?string $city = null,
+        ?string $postalCode = null,
+        ?string $status = null,
+        ?string $source = null,
+        ?string $notes = null,
+    ): string {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = new Prospect();
+        $prospect->setName($name);
+        $prospect->setCompany($company);
+        $prospect->setEmail($email);
+        $prospect->setPhone($phone);
+        $prospect->setStreet($street);
+        $prospect->setCity($city);
+        $prospect->setPostalCode($postalCode);
+        $prospect->setSource($source);
+        $prospect->setNotes($notes);
+
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $prospect->setStatus($statusEnum);
+        }
+
+        $this->entityManager->persist($prospect);
+        $this->entityManager->flush();
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
new file mode 100644
index 0000000..ab20019
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/DeleteProspectTool.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'delete-prospect', description: 'Delete a prospect (admin).')]
+class DeleteProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        $name = $prospect->getName();
+        $this->entityManager->remove($prospect);
+        $this->entityManager->flush();
+
+        return json_encode(['success' => true, 'message' => sprintf('Prospect "%s" deleted.', $name)]);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
new file mode 100644
index 0000000..b19e14c
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'get-prospect', description: 'Get a prospect by ID with full details.')]
+class GetProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(int $id): string
+    {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
new file mode 100644
index 0000000..671a55b
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'list-prospects', description: 'List prospects, optionally filtered by status (new, contacted, qualified, won, lost).')]
+class ListProspectsTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(?string $status = null): string
+    {
+        if (!$this->security->isGranted('ROLE_USER')) {
+            throw new AccessDeniedException('Access denied: ROLE_USER required.');
+        }
+
+        $criteria = [];
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $criteria['status'] = $statusEnum;
+        }
+
+        $prospects = $this->prospectRepository->findBy($criteria, ['name' => 'ASC']);
+
+        return json_encode(array_map(static fn ($prospect) => Serializer::prospect($prospect), $prospects));
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
new file mode 100644
index 0000000..e155112
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
@@ -0,0 +1,88 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Mcp\Tool;
+
+use App\Mcp\Tool\Serializer;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use InvalidArgumentException;
+use Mcp\Capability\Attribute\McpTool;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+use function sprintf;
+
+#[McpTool(name: 'update-prospect', description: 'Update a prospect (admin). Only provided fields change.')]
+class UpdateProspectTool
+{
+    public function __construct(
+        private readonly ProspectRepositoryInterface $prospectRepository,
+        private readonly EntityManagerInterface $entityManager,
+        private readonly Security $security,
+    ) {}
+
+    public function __invoke(
+        int $id,
+        ?string $name = null,
+        ?string $company = null,
+        ?string $email = null,
+        ?string $phone = null,
+        ?string $street = null,
+        ?string $city = null,
+        ?string $postalCode = null,
+        ?string $status = null,
+        ?string $source = null,
+        ?string $notes = null,
+    ): string {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
+        }
+
+        $prospect = $this->prospectRepository->findById($id);
+        if (null === $prospect) {
+            throw new InvalidArgumentException(sprintf('Prospect with ID %d not found.', $id));
+        }
+
+        if (null !== $name) {
+            $prospect->setName($name);
+        }
+        if (null !== $company) {
+            $prospect->setCompany($company);
+        }
+        if (null !== $email) {
+            $prospect->setEmail($email);
+        }
+        if (null !== $phone) {
+            $prospect->setPhone($phone);
+        }
+        if (null !== $street) {
+            $prospect->setStreet($street);
+        }
+        if (null !== $city) {
+            $prospect->setCity($city);
+        }
+        if (null !== $postalCode) {
+            $prospect->setPostalCode($postalCode);
+        }
+        if (null !== $status) {
+            $statusEnum = ProspectStatus::tryFrom($status);
+            if (null === $statusEnum) {
+                throw new InvalidArgumentException(sprintf('Invalid status "%s". Allowed: new, contacted, qualified, won, lost.', $status));
+            }
+            $prospect->setStatus($statusEnum);
+        }
+        if (null !== $source) {
+            $prospect->setSource($source);
+        }
+        if (null !== $notes) {
+            $prospect->setNotes($notes);
+        }
+
+        $this->entityManager->flush();
+
+        return json_encode(Serializer::prospect($prospect));
+    }
+}
diff --git a/tests/Functional/Module/Directory/ProspectConversionTest.php b/tests/Functional/Module/Directory/ProspectConversionTest.php
new file mode 100644
index 0000000..852b2f8
--- /dev/null
+++ b/tests/Functional/Module/Directory/ProspectConversionTest.php
@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Directory;
+
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+class ProspectConversionTest extends KernelTestCase
+{
+    private EntityManagerInterface $em;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $this->em = self::getContainer()->get(EntityManagerInterface::class);
+    }
+
+    public function testConvertCreatesClientAndFlagsProspectWon(): void
+    {
+        $prospect = new Prospect();
+        $prospect->setName('Lead Test');
+        $prospect->setCompany('Lead Company '.uniqid());
+        $prospect->setEmail('lead@example.com');
+        $prospect->setPhone('06 00 00 00 00');
+        $prospect->setStreet('1 rue du Test');
+        $prospect->setCity('Testville');
+        $prospect->setPostalCode('00000');
+        $prospect->setStatus(ProspectStatus::Qualified);
+        $this->em->persist($prospect);
+        $this->em->flush();
+
+        $result = $this->processor()->process($prospect, new Post(), ['id' => $prospect->getId()]);
+
+        self::assertSame(ProspectStatus::Won, $result->getStatus());
+        $client = $result->getConvertedClient();
+        self::assertNotNull($client);
+        self::assertSame($prospect->getCompany(), $client->getName());
+    }
+
+    public function testConvertIsIdempotent(): void
+    {
+        $prospect = new Prospect();
+        $prospect->setName('Idempotent Lead');
+        $prospect->setStatus(ProspectStatus::New);
+        $this->em->persist($prospect);
+        $this->em->flush();
+
+        $processor = $this->processor();
+        $first     = $processor->process($prospect, new Post(), ['id' => $prospect->getId()]);
+        $clientId  = $first->getConvertedClient()?->getId();
+
+        $second = $processor->process($prospect, new Post(), ['id' => $prospect->getId()]);
+
+        self::assertNotNull($clientId);
+        self::assertSame($clientId, $second->getConvertedClient()?->getId());
+    }
+
+    private function processor(): ConvertProspectProcessor
+    {
+        $c = self::getContainer();
+
+        return new ConvertProspectProcessor(
+            $c->get(EntityManagerInterface::class),
+            $c->get(DoctrineProspectRepository::class),
+        );
+    }
+}
-- 
2.39.5


From 57ccd9a7403755cd4a94654750ff255ccc38e1ba Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 19:18:09 +0200
Subject: [PATCH 55/99] feat(directory) : add Clients/Prospects repertoire
 front layer

LST-58 (2.4) front. Completes the Directory module.

- New frontend/modules/directory/ layer (auto-detected): /directory page with
  Clients and Prospects tabs.
- Client front moved into the layer (clients service + client DTO +
  ClientDrawer). New prospects service, prospect DTO and ProspectDrawer (with
  a "Convert to client" action calling POST /prospects/{id}/convert).
- Consumers repointed to ~/modules/directory/... (admin client tab, PM project
  drawer + project pages + project DTO, time-tracking page + export drawer).
- Sidebar admin item /directory gated by the directory module; /directory
  protected by the admin middleware. i18n keys added (directory.*, prospects.*).

nuxt build passes; routes preserved.

Adds the 2.4 plan doc.
---
 config/sidebar.php                            |    1 +
 .../2026-06-20-lst-58-directory-prospect.md   |   66 +
 frontend/components/admin/AdminClientTab.vue  |    4 +-
 frontend/i18n/locales/fr.json                 | 1741 +++++++++--------
 .../directory/components}/ClientDrawer.vue    |    4 +-
 .../directory/components/ProspectDrawer.vue   |  221 +++
 frontend/modules/directory/nuxt.config.ts     |    1 +
 .../modules/directory/pages/directory.vue     |  240 +++
 .../directory}/services/clients.ts            |    0
 .../directory}/services/dto/client.ts         |    0
 .../directory/services/dto/prospect.ts        |   34 +
 .../modules/directory/services/prospects.ts   |   44 +
 .../components/ProjectDrawer.vue              |    2 +-
 .../pages/projects/[id]/index.vue             |    4 +-
 .../pages/projects/index.vue                  |    4 +-
 .../services/dto/project.ts                   |    2 +-
 .../components/TimeTrackingExportDrawer.vue   |    2 +-
 .../time-tracking/pages/time-tracking.vue     |    2 +-
 18 files changed, 1514 insertions(+), 858 deletions(-)
 create mode 100644 docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
 rename frontend/{components/client => modules/directory/components}/ClientDrawer.vue (95%)
 create mode 100644 frontend/modules/directory/components/ProspectDrawer.vue
 create mode 100644 frontend/modules/directory/nuxt.config.ts
 create mode 100644 frontend/modules/directory/pages/directory.vue
 rename frontend/{ => modules/directory}/services/clients.ts (100%)
 rename frontend/{ => modules/directory}/services/dto/client.ts (100%)
 create mode 100644 frontend/modules/directory/services/dto/prospect.ts
 create mode 100644 frontend/modules/directory/services/prospects.ts

diff --git a/config/sidebar.php b/config/sidebar.php
index 7bee8f3..12d9a50 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -31,6 +31,7 @@ return [
         'roles' => ['ROLE_ADMIN'],
         'items' => [
             ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
+            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:contact-multiple-outline', 'module' => 'directory'],
             ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
         ],
     ],
diff --git a/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md b/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
new file mode 100644
index 0000000..b6df3d6
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-20-lst-58-directory-prospect.md
@@ -0,0 +1,66 @@
+# LST-58 (2.4) — Module Directory : Prospect + front répertoire (plan)
+
+> Suite de la migration Directory. Client (back) déjà livré (`c5738d2`).
+> Reste : **entité Prospect** (nouvelle) + **front répertoire** (Clients + Prospects).
+> Spec produit non fournie → design défini ici de façon raisonnable, à valider au test.
+> Additif, sans régression. Branche `integration/modular-monolith-0.1-1.3`.
+
+## Design Prospect (décidé, à valider)
+Aligné sur `Client` (même module Directory), enrichi des concepts de prospection commerciale.
+
+**Entité `App\Module\Directory\Domain\Entity\Prospect`** (table `prospect`) :
+- `id` int PK
+- `name` string(255) NOT NULL — contact ou société
+- `company` string(255) nullable
+- `email` string(255) nullable
+- `phone` string(50) nullable
+- `street` string(255) nullable / `city` string(255) nullable / `postalCode` string(20) nullable (alignés Client)
+- `status` enum `ProspectStatus` NOT NULL (default `New`)
+- `source` string(255) nullable — origine (recommandation, salon, site web…)
+- `notes` text nullable
+- `convertedClient` ManyToOne `ClientInterface` nullable, JoinColumn ON DELETE SET NULL — rempli à la conversion
+- Timestampable/Blamable (trait) + `#[Auditable]`
+- Groupes : `prospect:read` / `prospect:write`
+
+**Enum `App\Module\Directory\Domain\Enum\ProspectStatus`** : `New` (nouveau), `Contacted` (contacté), `Qualified` (qualifié), `Won` (gagné/converti), `Lost` (perdu). Méthode `label(): string` (FR), comme les autres enums.
+
+**API Platform** (aligné Client) :
+- `GetCollection` paginationEnabled:false, `is_granted('ROLE_USER')`
+- `Get` ROLE_USER ; `Post`/`Patch`/`Delete` ROLE_ADMIN
+- Opération custom **`Post /prospects/{id}/convert`** (processor `ConvertProspectProcessor`) : crée un `Client` à partir du Prospect (name/company→name, email, phone, adresse), lie `convertedClient`, passe `status=Won`. Sécurité ROLE_ADMIN. Renvoie le Prospect mis à jour. Idempotent si déjà converti (renvoie l'existant).
+- `#[ApiFilter]` SearchFilter sur `status` (filtre répertoire).
+
+**Repo** : `ProspectRepositoryInterface` (Domain) + `DoctrineProspectRepository` (Infra) + binding.
+
+**MCP** (cohérent avec clients, sous `Infrastructure/Mcp/Tool/`) : `list-prospects`, `get-prospect`, `create-prospect`, `update-prospect`, `delete-prospect`, `convert-prospect`. Serializer : ajouter `prospect()` dans `src/Mcp/Tool/Serializer.php`.
+
+**DirectoryModule.permissions()** : ajouter `directory.prospects.view`, `directory.prospects.manage` (additif).
+
+**Migration additive** : CREATE TABLE prospect (colonnes + FK converted_client→client ON DELETE SET NULL + created_by/updated_by FK user + index + COMMENT). Down = DROP TABLE.
+
+**Fixtures** : 2-3 prospects de démo (statuts variés), dont un converti.
+
+## Front répertoire (`frontend/modules/directory/`)
+Aujourd'hui : pas de page client dédiée (AdminClientTab + picker ProjectDrawer). On crée un vrai répertoire.
+- `nuxt.config.ts` vide.
+- `services/` : `clients.ts` (move depuis racine), `prospects.ts` (nouveau) + `dto/{client,prospect}.ts`.
+- `pages/directory.vue` : page à 2 onglets (Clients / Prospects), tableaux paginés côté client (paginationEnabled:false back), recherche/filtre statut pour prospects.
+- `components/` : `ClientDrawer.vue` (move depuis `components/client/`), `ProspectDrawer.vue` (nouveau, create/edit + bouton « Convertir en client »).
+- Sidebar : ajouter item `sidebar.general.directory` → `/directory`, `'module' => 'directory'`, gate ROLE_ADMIN (gestion référentiel).
+- Réécrire imports consommateurs de `~/services/clients` / `~/services/dto/client` (AdminClientTab, ProjectDrawer, pages projects) → `~/modules/directory/services/...`. AdminClientTab : soit le retirer de /admin au profit de /directory, soit le laisser pointer le nouveau service. Décision : garder AdminClientTab fonctionnel (repoint service) ET ajouter la page /directory (les deux coexistent ; /directory = vue dédiée).
+- i18n global : ajouter clés `directory.*`, `prospects.*`, `sidebar.general.directory`.
+
+## Vagues d'exécution
+1. **Back Prospect** : enum + entité + repo + API (CRUD + convert) + MCP (6 tools) + Serializer + permissions module + fixtures + migration. Vérif cache:clear/migrate/phpunit/cs-fixer → commit.
+2. **Front Directory** : layer (move client front + page répertoire + ProspectDrawer + prospects service/dto) + sidebar + imports + i18n. Vérif nuxt build → commit.
+
+## Critères d'acceptation (ticket #58)
+- [x] Clients en module (fait, c5738d2)
+- [ ] Prospects en module + front répertoire fonctionnel
+- [x] resolve_target_entities → Directory\Client
+- [ ] make test vert, aucune migration destructive
+- [ ] toggle module directory (sidebar + route /directory)
+
+## Suite phase 2 (après 2.4)
+- 2.5 (#67) Module Mail — WIP `docs/mail-integration.md`, à traiter avec précaution.
+- 2.6 (#68) Module Integration (Gitea/BookStack/Zimbra/Share).
diff --git a/frontend/components/admin/AdminClientTab.vue b/frontend/components/admin/AdminClientTab.vue
index 12d3863..36af726 100644
--- a/frontend/components/admin/AdminClientTab.vue
+++ b/frontend/components/admin/AdminClientTab.vue
@@ -40,8 +40,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Client } from '~/services/dto/client'
-import { useClientService } from '~/services/clients'
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
 
 import type { DataTableColumn } from '~/components/ui/DataTable.vue'
 
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 6d3f47e..9f167de 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -1,852 +1,901 @@
 {
-    "errors": {
-        "http": {
-            "get": "Impossible de récupérer les données.",
-            "post": "Impossible de créer la ressource.",
-            "put": "Impossible de mettre à jour la ressource.",
-            "patch": "Impossible de mettre à jour la ressource.",
-            "delete": "Impossible de supprimer la ressource."
-        },
-        "auth": {
-            "login": "Identifiants invalides.",
-            "logout": "Impossible de se déconnecter.",
-            "session": "Session expirée"
-        }
+  "errors": {
+    "http": {
+      "get": "Impossible de récupérer les données.",
+      "post": "Impossible de créer la ressource.",
+      "put": "Impossible de mettre à jour la ressource.",
+      "patch": "Impossible de mettre à jour la ressource.",
+      "delete": "Impossible de supprimer la ressource."
     },
-    "success": {
-        "auth": {
-            "login": "Connexion réussie.",
-            "logout": "Déconnexion réussie."
-        }
-    },
-    "clients": {
-        "created": "Client créé avec succès.",
-        "updated": "Client mis à jour avec succès.",
-        "deleted": "Client supprimé avec succès.",
-        "addClient": "Ajouter un client",
-        "editClient": "Modifier un client"
-    },
-    "projects": {
-        "title": "Projets",
-        "created": "Projet créé avec succès.",
-        "updated": "Projet mis à jour avec succès.",
-        "deleted": "Projet supprimé avec succès.",
-        "archived": "Projet archivé avec succès.",
-        "unarchived": "Projet désarchivé avec succès.",
-        "showArchived": "Voir les projets archivés",
-        "hideArchived": "Masquer les projets archivés",
-        "noProjects": "Aucun projet trouvé.",
-        "noArchivedProjects": "Aucun projet archivé.",
-        "addProject": "Ajouter un projet",
-        "addProjectShort": "Projet",
-        "editProject": "Modifier un projet",
-        "deleteConfirmTitle": "Supprimer le projet",
-        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce projet ? Cette action est irréversible.",
-        "cannotDelete": "Impossible de supprimer un projet contenant des tickets."
-    },
-    "taskStatuses": {
-        "created": "Statut créé avec succès.",
-        "updated": "Statut mis à jour avec succès.",
-        "deleted": "Statut supprimé avec succès.",
-        "addStatus": "Ajouter un statut",
-        "editStatus": "Modifier un statut",
-        "deleteStatus": "Supprimer le statut « {label} »",
-        "linkedTasks": "{count} tâche est liée à ce statut. Choisissez où les déplacer :",
-        "linkedTasksPlural": "{count} tâches sont liées à ce statut. Choisissez où les déplacer :",
-        "moveTo": "Déplacer vers",
-        "backlog": "Backlog (sans statut)"
-    },
-    "workflows": {
-        "title": "Workflows",
-        "addWorkflow": "Ajouter un workflow",
-        "editWorkflow": "Modifier le workflow",
-        "name": "Nom",
-        "isDefault": "Workflow par défaut",
-        "statuses": "Statuts",
-        "addStatus": "Ajouter un statut",
-        "category": "Catégorie",
-        "created": "Workflow créé",
-        "updated": "Workflow mis à jour",
-        "deleted": "Workflow supprimé",
-        "switched": "Workflow du projet changé",
-        "switchTitle": "Changer de workflow",
-        "switchTargetLabel": "Nouveau workflow",
-        "switchMappingTitle": "Mapping des statuts",
-        "switchSourceCol": "Statut actuel",
-        "switchTargetCol": "Statut cible",
-        "switchTaskCountCol": "Tâches",
-        "switchToBacklog": "Mapper vers le backlog",
-        "switchConfirm": "Confirmer la migration",
-        "switchSummary": "{count} tâche(s) migrée(s), projet sur workflow « {name} »",
-        "deleteUsedBy": "Workflow utilisé par {count} projet(s) — impossible de supprimer.",
-        "categories": {
-            "todo": "À faire",
-            "in_progress": "En cours",
-            "blocked": "Bloqué",
-            "review": "En validation",
-            "done": "Terminé"
-        }
-    },
-    "taskEfforts": {
-        "created": "Effort créé avec succès.",
-        "updated": "Effort mis à jour avec succès.",
-        "deleted": "Effort supprimé avec succès.",
-        "addEffort": "Ajouter un effort",
-        "editEffort": "Modifier un effort"
-    },
-    "taskPriorities": {
-        "created": "Priorité créée avec succès.",
-        "updated": "Priorité mise à jour avec succès.",
-        "deleted": "Priorité supprimée avec succès.",
-        "addPriority": "Ajouter une priorité",
-        "editPriority": "Modifier une priorité"
-    },
-    "taskTags": {
-        "created": "Tag créé avec succès.",
-        "updated": "Tag mis à jour avec succès.",
-        "deleted": "Tag supprimé avec succès.",
-        "addTag": "Ajouter un tag",
-        "editTag": "Modifier un tag"
-    },
-    "taskGroups": {
-        "created": "Groupe créé avec succès.",
-        "updated": "Groupe mis à jour avec succès.",
-        "deleted": "Groupe supprimé avec succès.",
-        "archived": "Groupe archivé avec succès.",
-        "unarchived": "Groupe désarchivé avec succès.",
-        "addGroup": "Ajouter un groupe",
-        "editGroup": "Modifier un groupe"
-    },
-    "taskDocuments": {
-        "title": "Documents",
-        "dropzone": "Glisser des fichiers ici ou cliquer pour sélectionner",
-        "uploaded": "Document ajouté avec succès.",
-        "deleted": "Document supprimé avec succès.",
-        "uploadError": "Erreur lors de l'upload du document.",
-        "confirmDeleteTitle": "Supprimer le document",
-        "confirmDeleteMessage": "Êtes-vous sûr de vouloir supprimer ce document ?",
-        "download": "Télécharger",
-        "copy": "Copier",
-        "copied": "Contenu copié !",
-        "maxSizeError": "Le fichier dépasse la taille maximale de 50 Mo.",
-        "linkShareButton": "Lier depuis le partage",
-        "linkShareTitle": "Lier un fichier du partage",
-        "linkShareHint": "Cliquez sur un dossier pour naviguer, sur un fichier pour le lier au ticket.",
-        "linkShareSuccess": "Fichier du partage lié au ticket.",
-        "linkShareError": "Impossible de lier ce fichier (type non autorisé ou introuvable).",
-        "shareLinkBadge": "Lien vers le partage",
-        "shareLinkLabel": "Partage"
-    },
-    "tasks": {
-        "created": "Ticket créé avec succès.",
-        "updated": "Ticket mis à jour avec succès.",
-        "deleted": "Ticket supprimé avec succès.",
-        "archived": "Ticket archivé avec succès.",
-        "unarchived": "Ticket désarchivé avec succès.",
-        "deleteConfirmTitle": "Supprimer le ticket",
-        "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible.",
-        "addTask": "Ajouter un ticket",
-        "editTask": "Modifier un ticket",
-        "detailsTab": "Détails",
-        "planningTab": "Planification",
-        "planning": {
-            "dates": "Dates",
-            "scheduledStart": "Début planifié",
-            "scheduledEnd": "Fin planifiée",
-            "deadline": "Deadline",
-            "calendar": "Calendrier",
-            "syncToCalendar": "Envoyer au calendrier Zimbra",
-            "syncOk": "Synchronisé",
-            "recurrence": "Récurrence",
-            "isRecurring": "Tâche récurrente",
-            "type": "Type",
-            "daily": "Quotidien",
-            "weekly": "Hebdomadaire",
-            "monthly": "Mensuel",
-            "yearly": "Annuel",
-            "interval": "Intervalle",
-            "daysOfWeek": "Jours de la semaine",
-            "days": {
-                "mon": "Lu",
-                "tue": "Ma",
-                "wed": "Me",
-                "thu": "Je",
-                "fri": "Ve",
-                "sat": "Sa",
-                "sun": "Di"
-            },
-            "dayOfMonth": "Jour du mois",
-            "dayOfMonthLabel": "Jour (1-31)",
-            "weekOfMonth": "Semaine du mois",
-            "weekOfMonthLabel": "Semaine",
-            "dayLabel": "Jour",
-            "endRecurrence": "Fin de la récurrence",
-            "neverEnds": "Jamais",
-            "afterOccurrences": "Après X occurrences",
-            "occurrences": "Occurrences",
-            "onDate": "À une date",
-            "endDate": "Date de fin"
-        }
-    },
-    "users": {
-        "created": "Utilisateur créé avec succès.",
-        "updated": "Utilisateur mis à jour avec succès.",
-        "deleted": "Utilisateur supprimé avec succès.",
-        "addUser": "Ajouter un utilisateur",
-        "editUser": "Modifier un utilisateur"
-    },
-    "admin": {
-        "roles": {
-            "title": "Rôles",
-            "addRole": "Ajouter un rôle",
-            "editRole": "Modifier un rôle",
-            "empty": "Aucun rôle trouvé.",
-            "system": "Système",
-            "code": "Code",
-            "codeHint": "Identifiant technique en snake_case (immuable).",
-            "codeImmutable": "Le code ne peut pas être modifié après création.",
-            "codeInvalid": "Code invalide (attendu snake_case : minuscules, chiffres et underscores).",
-            "label": "Libellé",
-            "labelRequired": "Le libellé est requis.",
-            "description": "Description",
-            "permissions": "Permissions",
-            "noPermissions": "Aucune permission disponible.",
-            "created": "Rôle créé avec succès.",
-            "updated": "Rôle mis à jour avec succès.",
-            "deleted": "Rôle supprimé avec succès."
-        },
-        "audit": {
-            "title": "Audit",
-            "empty": "Aucune entrée d'audit trouvée.",
-            "date": "Date",
-            "performedBy": "Utilisateur",
-            "entityType": "Type d'entité",
-            "action": "Action",
-            "entityId": "Identifiant",
-            "filterEntityType": "Type d'entité",
-            "filterEntityTypeAll": "Tous les types",
-            "filterAction": "Action",
-            "filterActionAll": "Toutes les actions",
-            "previous": "Précédent",
-            "next": "Suivant",
-            "page": "Page {page}"
-        }
+    "auth": {
+      "login": "Identifiants invalides.",
+      "logout": "Impossible de se déconnecter.",
+      "session": "Session expirée"
+    }
+  },
+  "success": {
+    "auth": {
+      "login": "Connexion réussie.",
+      "logout": "Déconnexion réussie."
+    }
+  },
+  "clients": {
+    "created": "Client créé avec succès.",
+    "updated": "Client mis à jour avec succès.",
+    "deleted": "Client supprimé avec succès.",
+    "addClient": "Ajouter un client",
+    "editClient": "Modifier un client"
+  },
+  "projects": {
+    "title": "Projets",
+    "created": "Projet créé avec succès.",
+    "updated": "Projet mis à jour avec succès.",
+    "deleted": "Projet supprimé avec succès.",
+    "archived": "Projet archivé avec succès.",
+    "unarchived": "Projet désarchivé avec succès.",
+    "showArchived": "Voir les projets archivés",
+    "hideArchived": "Masquer les projets archivés",
+    "noProjects": "Aucun projet trouvé.",
+    "noArchivedProjects": "Aucun projet archivé.",
+    "addProject": "Ajouter un projet",
+    "addProjectShort": "Projet",
+    "editProject": "Modifier un projet",
+    "deleteConfirmTitle": "Supprimer le projet",
+    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce projet ? Cette action est irréversible.",
+    "cannotDelete": "Impossible de supprimer un projet contenant des tickets."
+  },
+  "taskStatuses": {
+    "created": "Statut créé avec succès.",
+    "updated": "Statut mis à jour avec succès.",
+    "deleted": "Statut supprimé avec succès.",
+    "addStatus": "Ajouter un statut",
+    "editStatus": "Modifier un statut",
+    "deleteStatus": "Supprimer le statut « {label} »",
+    "linkedTasks": "{count} tâche est liée à ce statut. Choisissez où les déplacer :",
+    "linkedTasksPlural": "{count} tâches sont liées à ce statut. Choisissez où les déplacer :",
+    "moveTo": "Déplacer vers",
+    "backlog": "Backlog (sans statut)"
+  },
+  "workflows": {
+    "title": "Workflows",
+    "addWorkflow": "Ajouter un workflow",
+    "editWorkflow": "Modifier le workflow",
+    "name": "Nom",
+    "isDefault": "Workflow par défaut",
+    "statuses": "Statuts",
+    "addStatus": "Ajouter un statut",
+    "category": "Catégorie",
+    "created": "Workflow créé",
+    "updated": "Workflow mis à jour",
+    "deleted": "Workflow supprimé",
+    "switched": "Workflow du projet changé",
+    "switchTitle": "Changer de workflow",
+    "switchTargetLabel": "Nouveau workflow",
+    "switchMappingTitle": "Mapping des statuts",
+    "switchSourceCol": "Statut actuel",
+    "switchTargetCol": "Statut cible",
+    "switchTaskCountCol": "Tâches",
+    "switchToBacklog": "Mapper vers le backlog",
+    "switchConfirm": "Confirmer la migration",
+    "switchSummary": "{count} tâche(s) migrée(s), projet sur workflow « {name} »",
+    "deleteUsedBy": "Workflow utilisé par {count} projet(s) — impossible de supprimer.",
+    "categories": {
+      "todo": "À faire",
+      "in_progress": "En cours",
+      "blocked": "Bloqué",
+      "review": "En validation",
+      "done": "Terminé"
+    }
+  },
+  "taskEfforts": {
+    "created": "Effort créé avec succès.",
+    "updated": "Effort mis à jour avec succès.",
+    "deleted": "Effort supprimé avec succès.",
+    "addEffort": "Ajouter un effort",
+    "editEffort": "Modifier un effort"
+  },
+  "taskPriorities": {
+    "created": "Priorité créée avec succès.",
+    "updated": "Priorité mise à jour avec succès.",
+    "deleted": "Priorité supprimée avec succès.",
+    "addPriority": "Ajouter une priorité",
+    "editPriority": "Modifier une priorité"
+  },
+  "taskTags": {
+    "created": "Tag créé avec succès.",
+    "updated": "Tag mis à jour avec succès.",
+    "deleted": "Tag supprimé avec succès.",
+    "addTag": "Ajouter un tag",
+    "editTag": "Modifier un tag"
+  },
+  "taskGroups": {
+    "created": "Groupe créé avec succès.",
+    "updated": "Groupe mis à jour avec succès.",
+    "deleted": "Groupe supprimé avec succès.",
+    "archived": "Groupe archivé avec succès.",
+    "unarchived": "Groupe désarchivé avec succès.",
+    "addGroup": "Ajouter un groupe",
+    "editGroup": "Modifier un groupe"
+  },
+  "taskDocuments": {
+    "title": "Documents",
+    "dropzone": "Glisser des fichiers ici ou cliquer pour sélectionner",
+    "uploaded": "Document ajouté avec succès.",
+    "deleted": "Document supprimé avec succès.",
+    "uploadError": "Erreur lors de l'upload du document.",
+    "confirmDeleteTitle": "Supprimer le document",
+    "confirmDeleteMessage": "Êtes-vous sûr de vouloir supprimer ce document ?",
+    "download": "Télécharger",
+    "copy": "Copier",
+    "copied": "Contenu copié !",
+    "maxSizeError": "Le fichier dépasse la taille maximale de 50 Mo.",
+    "linkShareButton": "Lier depuis le partage",
+    "linkShareTitle": "Lier un fichier du partage",
+    "linkShareHint": "Cliquez sur un dossier pour naviguer, sur un fichier pour le lier au ticket.",
+    "linkShareSuccess": "Fichier du partage lié au ticket.",
+    "linkShareError": "Impossible de lier ce fichier (type non autorisé ou introuvable).",
+    "shareLinkBadge": "Lien vers le partage",
+    "shareLinkLabel": "Partage"
+  },
+  "tasks": {
+    "created": "Ticket créé avec succès.",
+    "updated": "Ticket mis à jour avec succès.",
+    "deleted": "Ticket supprimé avec succès.",
+    "archived": "Ticket archivé avec succès.",
+    "unarchived": "Ticket désarchivé avec succès.",
+    "deleteConfirmTitle": "Supprimer le ticket",
+    "deleteConfirmMessage": "Êtes-vous sûr de vouloir supprimer ce ticket ? Cette action est irréversible.",
+    "addTask": "Ajouter un ticket",
+    "editTask": "Modifier un ticket",
+    "detailsTab": "Détails",
+    "planningTab": "Planification",
+    "planning": {
+      "dates": "Dates",
+      "scheduledStart": "Début planifié",
+      "scheduledEnd": "Fin planifiée",
+      "deadline": "Deadline",
+      "calendar": "Calendrier",
+      "syncToCalendar": "Envoyer au calendrier Zimbra",
+      "syncOk": "Synchronisé",
+      "recurrence": "Récurrence",
+      "isRecurring": "Tâche récurrente",
+      "type": "Type",
+      "daily": "Quotidien",
+      "weekly": "Hebdomadaire",
+      "monthly": "Mensuel",
+      "yearly": "Annuel",
+      "interval": "Intervalle",
+      "daysOfWeek": "Jours de la semaine",
+      "days": {
+        "mon": "Lu",
+        "tue": "Ma",
+        "wed": "Me",
+        "thu": "Je",
+        "fri": "Ve",
+        "sat": "Sa",
+        "sun": "Di"
+      },
+      "dayOfMonth": "Jour du mois",
+      "dayOfMonthLabel": "Jour (1-31)",
+      "weekOfMonth": "Semaine du mois",
+      "weekOfMonthLabel": "Semaine",
+      "dayLabel": "Jour",
+      "endRecurrence": "Fin de la récurrence",
+      "neverEnds": "Jamais",
+      "afterOccurrences": "Après X occurrences",
+      "occurrences": "Occurrences",
+      "onDate": "À une date",
+      "endDate": "Date de fin"
+    }
+  },
+  "users": {
+    "created": "Utilisateur créé avec succès.",
+    "updated": "Utilisateur mis à jour avec succès.",
+    "deleted": "Utilisateur supprimé avec succès.",
+    "addUser": "Ajouter un utilisateur",
+    "editUser": "Modifier un utilisateur"
+  },
+  "admin": {
+    "roles": {
+      "title": "Rôles",
+      "addRole": "Ajouter un rôle",
+      "editRole": "Modifier un rôle",
+      "empty": "Aucun rôle trouvé.",
+      "system": "Système",
+      "code": "Code",
+      "codeHint": "Identifiant technique en snake_case (immuable).",
+      "codeImmutable": "Le code ne peut pas être modifié après création.",
+      "codeInvalid": "Code invalide (attendu snake_case : minuscules, chiffres et underscores).",
+      "label": "Libellé",
+      "labelRequired": "Le libellé est requis.",
+      "description": "Description",
+      "permissions": "Permissions",
+      "noPermissions": "Aucune permission disponible.",
+      "created": "Rôle créé avec succès.",
+      "updated": "Rôle mis à jour avec succès.",
+      "deleted": "Rôle supprimé avec succès."
     },
     "audit": {
-        "entity": {
-            "core": {
-                "User": "Utilisateur",
-                "Role": "Rôle",
-                "Permission": "Permission"
-            }
-        },
-        "action": {
-            "create": "Création",
-            "update": "Modification",
-            "delete": "Suppression"
-        }
-    },
-    "timeEntries": {
-        "created": "Temps enregistré",
-        "updated": "Temps modifié",
-        "deleted": "Temps supprimé",
-        "noEntries": "Aucune activité pour cette période",
-        "addEntry": "Ajouter une Activité",
-        "editEntry": "Modifier un temps",
-        "export": "Exporter",
-        "exportTitle": "Exporter les temps",
-        "exportCurrentMonth": "Mois en cours",
-        "exportLastMonth": "Mois dernier",
-        "exportCustomPeriod": "Période personnalisée",
-        "exportFrom": "Du",
-        "exportTo": "Au",
-        "exportUsers": "Utilisateurs",
-        "exportClient": "Client",
-        "exportProjects": "Projets",
-        "exportTags": "Tags",
-        "exportAllClients": "Tous les clients",
-        "exportLoading": "Export en cours...",
-        "exportSuccess": "Export terminé !",
-        "exportError": "Erreur lors de l'export."
-    },
-    "archive": {
-        "title": "Archives",
-        "empty": "Aucun ticket archivé.",
-        "archiveButton": "Archiver",
-        "unarchiveButton": "Désarchiver",
-        "showArchived": "Voir les groupes archivés",
-        "hideArchived": "Masquer les groupes archivés",
-        "statusFinal": "Statut final",
-        "groupArchiveDisabled": "Tous les tickets doivent être en statut final pour archiver le groupe.",
-        "groupNonFinalTasks": "Il reste {count} ticket(s) sans statut final dans ce groupe."
-    },
-    "myTasks": {
-        "title": "Mes tâches",
-        "viewKanban": "Vue Kanban",
-        "viewList": "Vue Liste",
-        "allProjects": "Tous les projets",
-        "allGroups": "Tous les groupes",
-        "allTypes": "Tous les types",
-        "allPriorities": "Toutes les priorités",
-        "allEfforts": "Tous les efforts",
-        "allAssignees": "Tous",
-        "noTasks": "Aucune tâche",
-        "backlog": "Backlog",
-        "createTask": "Créer une tâche",
-        "sortBy": "Trier par",
-        "sortDefault": "Par défaut",
-        "sortDeadline": "Échéance",
-        "sortScheduledStart": "Date planifiée",
-        "dropRefused": "Aucun statut de cette colonne dans le workflow de ce projet"
-    },
-    "dashboard": {
-        "title": "Tableau de bord",
-        "noData": "Aucune donnée",
-        "noPriority": "Sans priorité",
-        "noProject": "Sans projet",
-        "hoursWorked": "Heures travaillées",
-        "inProgress": "En cours",
-        "done": "Terminé",
-        "filters": {
-            "period": "Période",
-            "project": "Projet",
-            "user": "Utilisateur",
-            "allProjects": "Tous les projets",
-            "allUsers": "Tous les utilisateurs"
-        },
-        "periods": {
-            "thisWeek": "Cette semaine",
-            "lastWeek": "Semaine dernière",
-            "thisMonth": "Ce mois",
-            "lastMonth": "Mois dernier"
-        },
-        "stats": {
-            "hoursPeriod": "Heures sur la période",
-            "myActiveTasks": "Mes tâches actives",
-            "completed": "terminée(s)",
-            "totalTasks": "Tâches totales",
-            "unassigned": "non assignée(s)",
-            "projects": "Projets",
-            "users": "utilisateur(s)"
-        },
-        "charts": {
-            "hoursByDay": "Heures par jour",
-            "hoursByProject": "Temps par projet",
-            "tasksByStatus": "Tâches par statut",
-            "tasksByPriority": "Tâches par priorité",
-            "tasksByProject": "Tâches par projet"
-        },
-        "days": {
-            "mon": "Lun",
-            "tue": "Mar",
-            "wed": "Mer",
-            "thu": "Jeu",
-            "fri": "Ven",
-            "sat": "Sam",
-            "sun": "Dim"
-        }
-    },
-    "sidebar": {
-        "myTasks": "Mes tâches",
-        "general": {
-            "section": "Gestion de projet",
-            "dashboard": "Tableau de bord",
-            "myTasks": "Mes tâches",
-            "projects": "Projets",
-            "timeTracking": "Suivi de temps"
-        },
-        "admin": {
-            "section": "Administration",
-            "teamAbsences": "Absences équipe",
-            "administration": "Administration"
-        }
-    },
-    "common": {
-        "cancel": "Annuler",
-        "save": "Enregistrer",
-        "edit": "Modifier",
-        "delete": "Supprimer",
-        "add": "Ajouter",
-        "loading": "Chargement...",
-        "archived": "Archivé",
-        "noClient": "Aucun client",
-        "untitled": "Sans titre",
-        "dateFilter": "Date",
-        "today": "Aujourd'hui",
-        "thisWeek": "Cette semaine",
-        "clear": "Effacer",
-        "day": "Jour",
-        "weekShort": "Sem."
-    },
-    "gitea": {
-        "settings": {
-            "title": "Configuration Gitea",
-            "url": "URL du serveur",
-            "urlPlaceholder": "https://git.example.com",
-            "token": "Token API",
-            "tokenPlaceholder": "Entrez un nouveau token",
-            "tokenConfigured": "Token configuré",
-            "save": "Enregistrer",
-            "saved": "Configuration Gitea sauvegardée.",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie.",
-            "testFailed": "Connexion échouée."
-        },
-        "branch": {
-            "title": "Git",
-            "create": "Créer une branche",
-            "created": "Branche créée avec succès.",
-            "copy": "Copier le nom",
-            "copied": "Nom de branche copié.",
-            "type": "Type",
-            "baseBranch": "Branche de base",
-            "preview": "Aperçu",
-            "types": {
-                "feature": "feature",
-                "fix": "fix",
-                "refactor": "refactor",
-                "hotfix": "hotfix",
-                "chore": "chore"
-            },
-            "noBranches": "Aucune branche liée.",
-            "commits": "Commits",
-            "noCommits": "Aucun commit."
-        },
-        "pr": {
-            "title": "Pull Requests",
-            "noPrs": "Aucune pull request.",
-            "open": "Ouverte",
-            "merged": "Mergée",
-            "closed": "Fermée",
-            "ci": "CI/CD"
-        },
-        "error": "Erreur de connexion à Gitea.",
-        "notConfigured": "Gitea non configuré pour ce projet."
-    },
-    "notification": {
-        "title": "Notifications",
-        "markAllRead": "Tout marquer comme lu",
-        "empty": "Aucune notification",
-        "ticketCreated": "Nouveau ticket client {number}",
-        "ticketStatusChanged": "Ticket {number} mis à jour",
-        "timeAgo": {
-            "now": "À l'instant",
-            "minutes": "Il y a {n} min",
-            "hours": "Il y a {n}h",
-            "days": "Il y a {n}j"
-        }
-    },
-    "profile": {
-        "title": "Mon profil",
-        "changeAvatar": "Changer l'avatar",
-        "removeAvatar": "Supprimer l'avatar",
-        "cropAvatar": "Recadrer l'avatar",
-        "apiToken": {
-            "title": "Token API MCP",
-            "help": "Utilisé pour authentifier le serveur MCP HTTP (à coller dans le header Authorization: Bearer …). Ne pas partager.",
-            "label": "Token",
-            "empty": "Aucun token généré pour le moment.",
-            "generate": "Générer un token",
-            "regenerate": "Régénérer",
-            "copy": "Copier",
-            "copied": "Token copié dans le presse-papiers.",
-            "copyFailed": "Impossible de copier le token.",
-            "regenerated": "Nouveau token généré. L'ancien token est désormais invalide.",
-            "confirmTitle": "Régénérer le token MCP ?",
-            "confirmMessage": "L'ancien token sera immédiatement invalidé. Tous les clients MCP utilisant ce token devront être reconfigurés."
-        }
-    },
-    "bookstack": {
-        "settings": {
-            "title": "Configuration BookStack",
-            "url": "URL du serveur",
-            "urlPlaceholder": "https://wiki.example.com",
-            "tokenId": "Token ID",
-            "tokenIdPlaceholder": "Entrez le Token ID",
-            "tokenSecret": "Token Secret",
-            "tokenSecretPlaceholder": "Entrez le Token Secret",
-            "tokenConfigured": "Token configuré",
-            "save": "Enregistrer",
-            "saved": "Configuration BookStack sauvegardée.",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie.",
-            "testFailed": "Connexion échouée."
-        },
-        "links": {
-            "title": "Documentation",
-            "searchPlaceholder": "Rechercher une page ou un livre...",
-            "noResults": "Aucun résultat",
-            "empty": "Aucun document lié"
-        }
-    },
-    "zimbra": {
-        "settings": {
-            "title": "Calendrier Zimbra",
-            "serverUrl": "URL du serveur CalDAV",
-            "serverUrlPlaceholder": "https://mail.ovh.com",
-            "username": "Nom d'utilisateur",
-            "usernamePlaceholder": "user{'@'}domain.com",
-            "calendarPath": "Chemin du calendrier",
-            "calendarPathPlaceholder": "/dav/user{'@'}domain.com/Calendar/",
-            "password": "Mot de passe",
-            "passwordConfigured": "Mot de passe configuré",
-            "enabled": "Activer la synchronisation CalDAV",
-            "save": "Enregistrer",
-            "saved": "Configuration Zimbra enregistrée",
-            "testConnection": "Tester la connexion",
-            "testSuccess": "Connexion réussie",
-            "testFailed": "Connexion échouée"
-        }
-    },
-    "sharedFiles": {
-        "title": "Documents",
-        "root": "Racine",
-        "empty": "Ce dossier est vide.",
-        "noResults": "Aucun document ne correspond à votre recherche.",
-        "searchPlaceholder": "Rechercher dans tout le partage…",
-        "download": "Télécharger",
-        "reload": "Recharger",
-        "previewError": "Aperçu impossible. Téléchargez le fichier pour l'ouvrir.",
-        "colName": "Nom",
-        "colSize": "Taille",
-        "colModified": "Modifié le",
-        "sidebar": {
-            "title": "Documents"
-        }
-    },
-    "adminShare": {
-        "title": "Partage réseau (SMB)",
-        "host": "Serveur",
-        "hostPlaceholder": "ex. WIN-SRV ou 192.168.1.10",
-        "shareName": "Nom du partage",
-        "shareNamePlaceholder": "ex. Documents",
-        "basePath": "Sous-dossier racine (optionnel)",
-        "basePathPlaceholder": "ex. /Projets",
-        "domain": "Domaine / groupe de travail",
-        "domainPlaceholder": "WORKGROUP",
-        "username": "Identifiant",
-        "usernamePlaceholder": "ex. lesstime",
-        "password": "Mot de passe",
-        "passwordConfigured": "Un mot de passe est déjà enregistré.",
-        "enabled": "Activer l'accès au partage",
-        "save": "Enregistrer",
-        "saved": "Configuration enregistrée.",
-        "testConnection": "Tester la connexion",
-        "testSuccess": "Connexion réussie.",
-        "testFailed": "Échec de la connexion."
-    },
-    "taskRecurrence": {
-        "created": "Récurrence créée",
-        "updated": "Récurrence mise à jour",
-        "deleted": "Récurrence supprimée"
-    },
-    "recurrence": {
-        "daily": "Quotidien",
-        "weekly": "Hebdomadaire",
-        "monthly": "Mensuel",
-        "yearly": "Annuel"
-    },
-    "mail": {
-        "title": "Messagerie",
-        "sidebar": {
-            "title": "Messagerie",
-            "ariaLabel": "Accès à la messagerie, {count} messages non lus"
-        },
-        "admin": {
-            "title": "Configuration messagerie",
-            "protocol": "Protocole",
-            "imapSection": "Réception (IMAP)",
-            "smtpSection": "Envoi (SMTP)",
-            "host": "Serveur",
-            "port": "Port",
-            "encryption": "Chiffrement",
-            "username": "Adresse e-mail",
-            "password": "Mot de passe",
-            "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
-            "sentFolderPath": "Dossier des envois",
-            "enabled": "Activer la synchronisation mail",
-            "test": "Tester la connexion",
-            "testSuccess": "Connexion IMAP réussie",
-            "testFailed": "Échec de connexion",
-            "save": "Enregistrer",
-            "saveSuccess": "Configuration enregistrée",
-            "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
-        },
-        "folders": "Dossiers",
-        "messages": "Messages",
-        "viewer": "Lecture",
-        "empty": {
-            "folder": "Aucun dossier disponible.",
-            "list": "Aucun message dans ce dossier.",
-            "viewer": "Sélectionnez un message pour le lire."
-        },
-        "preview": {
-            "open": "Prévisualiser",
-            "close": "Fermer l'aperçu",
-            "loading": "Chargement de l'aperçu…",
-            "unavailable": "Aperçu indisponible pour ce type de fichier."
-        },
-        "folderTree": {
-            "expand": "Déplier le dossier",
-            "collapse": "Replier le dossier"
-        },
-        "systemFolder": {
-            "inbox": "Boîte de réception",
-            "sent": "Éléments envoyés",
-            "drafts": "Brouillons",
-            "archive": "Archives",
-            "trash": "Corbeille",
-            "junk": "Indésirables"
-        },
-        "actions": {
-            "refresh": "Actualiser",
-            "createTask": "Créer une tâche",
-            "linkTask": "Lier à une tâche",
-            "markRead": "Marquer comme lu",
-            "markUnread": "Marquer comme non lu",
-            "flag": "Marquer important",
-            "unflag": "Retirer l'importance",
-            "download": "Télécharger",
-            "showImages": "Afficher les images"
-        },
-        "errors": {
-            "syncFailed": "Erreur lors de la synchronisation.",
-            "fetchFailed": "Impossible de charger les messages.",
-            "notAuthorized": "Vous n'avez pas accès à la messagerie."
-        },
-        "configuration": {
-            "saved": "Configuration mail enregistrée."
-        },
-        "task": {
-            "created": "Tâche créée depuis le mail.",
-            "linked": "Mail lié à la tâche.",
-            "unlinked": "Lien supprimé."
-        },
-        "createTaskModal": {
-            "title": "Créer une tâche depuis ce mail",
-            "submit": "Créer la tâche",
-            "projectLabel": "Projet *",
-            "projectPlaceholder": "Sélectionner un projet",
-            "groupLabel": "Groupe (optionnel)",
-            "groupPlaceholder": "Aucun groupe",
-            "statusLabel": "Statut",
-            "assigneeLabel": "Assigné à",
-            "assigneePlaceholder": "Aucun",
-            "titleHint": "Le titre sera rempli depuis le sujet du mail.",
-            "descriptionHint": "La description sera remplie depuis le corps du mail."
-        },
-        "linkTaskModal": {
-            "title": "Lier à une tâche existante",
-            "submit": "Lier la tâche",
-            "searchPlaceholder": "Rechercher une tâche par titre…",
-            "projectFilter": "Filtrer par projet",
-            "projectAll": "Tous les projets",
-            "empty": "Aucune tâche correspondante.",
-            "loading": "Recherche en cours…"
-        },
-        "taskTab": {
-            "title": "Mails",
-            "empty": "Aucun mail lié à cette tâche.",
-            "openInMailer": "Ouvrir dans la messagerie",
-            "unlinkConfirm": "Délier ce mail ?"
-        },
-        "sync": {
-            "dispatched": "Synchronisation lancée en arrière-plan."
-        },
-        "attachments": "Pièces jointes",
-        "noAttachments": "Aucune pièce jointe.",
-        "from": "De",
-        "to": "À",
-        "cc": "Cc",
-        "date": "Date",
-        "subject": "Sujet",
-        "noSubject": "(Sans objet)",
-        "loadMore": "Charger plus",
-        "loading": "Chargement…",
-        "hasAttachments": "Pièces jointes",
-        "unread": "non lu | non lus",
-        "remoteImagesBlocked": "Les images distantes sont masquées pour votre sécurité."
-    },
-    "absences": {
-        "title": "Mes absences",
-        "teamTitle": "Absences de l'équipe",
-        "newRequest": "Nouvelle demande",
-        "daySingular": "jour",
-        "daysPlural": "jours",
-        "noBalance": "Aucun solde à afficher.",
-        "noRequests": "Aucune demande.",
-        "remaining": "restants",
-        "acquired": "acquis",
-        "acquiredN1": "Acquis (N-1)",
-        "acquiringN": "En cours d'acquisition (N)",
-        "acquiringHint": "posables par anticipation",
-        "taken": "pris",
-        "pending": "en attente",
-        "available": "disponible",
-        "types": {
-            "cp": "Congés payés",
-            "mariage_pacs": "Mariage / PACS",
-            "naissance": "Naissance",
-            "conge_parental": "Congé parental",
-            "deces": "Décès proche",
-            "maladie": "Arrêt maladie"
-        },
-        "status": {
-            "pending": "En attente",
-            "approved": "Approuvée",
-            "rejected": "Refusée",
-            "cancelled": "Annulée"
-        },
-        "halfDay": {
-            "matin": "Matin",
-            "apres_midi": "Après-midi"
-        },
-        "table": {
-            "type": "Type",
-            "period": "Période",
-            "days": "Jours",
-            "status": "Statut",
-            "employee": "Salarié",
-            "year": "Année",
-            "requestedAt": "Demandé le",
-            "actions": "Actions"
-        },
-        "filters": {
-            "allStatuses": "Tous les statuts",
-            "allTypes": "Tous les types",
-            "allYears": "Toutes les années",
-            "allEmployees": "Tous les salariés"
-        },
-        "form": {
-            "type": "Type d'absence",
-            "startDate": "Date de début",
-            "endDate": "Date de fin",
-            "startHalfDay": "Demi-journée (début)",
-            "endHalfDay": "Demi-journée (fin)",
-            "halfDayCheckbox": "Demi-journée",
-            "reason": "Motif",
-            "reasonPlaceholder": "Précisez le motif si nécessaire…",
-            "justification": "Justificatif",
-            "computed": "{days} décompté(s)",
-            "balanceAfter": "Solde restant après cette demande : {value}",
-            "negativeWarning": "Cette demande dépasse votre solde disponible.",
-            "noticeWarning": "Le délai de prévenance ({days} jours) n'est pas respecté.",
-            "submit": "Soumettre la demande",
-            "justificationRequired": "Un justificatif est requis pour ce type d'absence.",
-            "fullDay": "Journée entière",
-            "balanceAt": "Solde au {date}",
-            "balanceAfterValidation": "Solde après validation",
-            "duration": "Durée de la demande",
-            "commentPlaceholder": "Écrire un commentaire…",
-            "serverError": "La demande n'a pas pu être enregistrée.",
-            "errors": {
-                "typeRequired": "Veuillez choisir un type d'absence.",
-                "startRequired": "Veuillez indiquer une date de début.",
-                "endRequired": "Veuillez indiquer une date de fin.",
-                "endBeforeStart": "La date de fin doit être après la date de début.",
-                "zeroDays": "La période sélectionnée ne décompte aucun jour.",
-                "justificationRequired": "Un justificatif est obligatoire pour ce type d'absence."
-            }
-        },
-        "detail": {
-            "title": "Détail de la demande",
-            "timeline": "Historique",
-            "created": "Demande créée",
-            "reviewed": "Traitée par {name}",
-            "rejectionReason": "Motif du refus",
-            "downloadJustification": "Télécharger le justificatif",
-            "cancel": "Annuler ma demande",
-            "cancelConfirm": "Annuler cette demande ?"
-        },
-        "review": {
-            "approve": "Valider",
-            "reject": "Refuser",
-            "rejectTitle": "Refuser la demande",
-            "rejectReasonLabel": "Motif du refus",
-            "rejectReasonPlaceholder": "Expliquez la raison du refus…",
-            "confirm": "Confirmer"
-        },
-        "admin": {
-            "tabs": {
-                "requests": "Demandes",
-                "calendar": "Calendrier",
-                "balances": "Soldes",
-                "employees": "Employés"
-            },
-            "kpis": {
-                "pending": "En attente",
-                "todayAbsent": "Absents aujourd'hui",
-                "weekAbsent": "Absents cette semaine"
-            },
-            "balancesTable": {
-                "employee": "Salarié",
-                "type": "Type",
-                "period": "Période",
-                "acquired": "Acquis (N-1)",
-                "acquiring": "En cours (N)",
-                "taken": "Pris",
-                "pending": "En attente",
-                "available": "Disponible",
-                "adjust": "Ajuster"
-            },
-            "adjust": {
-                "title": "Ajuster le solde",
-                "acquired": "Acquis (N-1)",
-                "acquiring": "En cours d'acquisition (N)",
-                "taken": "Pris",
-                "save": "Enregistrer"
-            },
-            "employees": {
-                "columns": {
-                    "name": "Nom",
-                    "contract": "Contrat",
-                    "cpTaken": "CP pris",
-                    "cpRemaining": "CP restants"
-                },
-                "empty": "Aucun employé. Cochez « Employé » sur un utilisateur dans l'administration.",
-                "noContract": "—",
-                "drawer": {
-                    "title": "Informations employé",
-                    "save": "Enregistrer"
-                },
-                "fields": {
-                    "hireDate": "Date d'embauche",
-                    "endDate": "Date de sortie",
-                    "contractType": "Type de contrat",
-                    "workTimeRatio": "Temps de travail (ex : 1.0)",
-                    "annualLeaveDays": "CP annuels (jours)",
-                    "referencePeriodStart": "Début période réf. (MM-DD)",
-                    "initialLeaveBalance": "Solde CP initial"
-                },
-                "contract": {
-                    "cdi": "CDI",
-                    "cdd": "CDD",
-                    "stage": "Stage",
-                    "alternance": "Alternance",
-                    "autre": "Autre"
-                }
-            }
-        },
-        "policies": {
-            "title": "Politiques d'absence",
-            "subtitle": "Réglez les défauts par type d'absence — convention de référence : Syntec (IDCC 1486), à confirmer selon le code APE.",
-            "type": "Type",
-            "daysPerYear": "Jours / an",
-            "daysPerEvent": "Jours / événement",
-            "justificationRequired": "Justificatif requis",
-            "noticeDays": "Délai prévenance (j)",
-            "countWorkingDaysOnly": "Jours ouvrés",
-            "active": "Actif",
-            "save": "Enregistrer"
-        },
-        "toast": {
-            "created": "Demande d'absence créée.",
-            "approved": "Demande validée.",
-            "rejected": "Demande refusée.",
-            "cancelled": "Demande annulée.",
-            "justificationUploaded": "Justificatif ajouté.",
-            "balanceAdjusted": "Solde ajusté.",
-            "policyUpdated": "Politique mise à jour."
-        }
+      "title": "Audit",
+      "empty": "Aucune entrée d'audit trouvée.",
+      "date": "Date",
+      "performedBy": "Utilisateur",
+      "entityType": "Type d'entité",
+      "action": "Action",
+      "entityId": "Identifiant",
+      "filterEntityType": "Type d'entité",
+      "filterEntityTypeAll": "Tous les types",
+      "filterAction": "Action",
+      "filterActionAll": "Toutes les actions",
+      "previous": "Précédent",
+      "next": "Suivant",
+      "page": "Page {page}"
     }
+  },
+  "audit": {
+    "entity": {
+      "core": {
+        "User": "Utilisateur",
+        "Role": "Rôle",
+        "Permission": "Permission"
+      }
+    },
+    "action": {
+      "create": "Création",
+      "update": "Modification",
+      "delete": "Suppression"
+    }
+  },
+  "timeEntries": {
+    "created": "Temps enregistré",
+    "updated": "Temps modifié",
+    "deleted": "Temps supprimé",
+    "noEntries": "Aucune activité pour cette période",
+    "addEntry": "Ajouter une Activité",
+    "editEntry": "Modifier un temps",
+    "export": "Exporter",
+    "exportTitle": "Exporter les temps",
+    "exportCurrentMonth": "Mois en cours",
+    "exportLastMonth": "Mois dernier",
+    "exportCustomPeriod": "Période personnalisée",
+    "exportFrom": "Du",
+    "exportTo": "Au",
+    "exportUsers": "Utilisateurs",
+    "exportClient": "Client",
+    "exportProjects": "Projets",
+    "exportTags": "Tags",
+    "exportAllClients": "Tous les clients",
+    "exportLoading": "Export en cours...",
+    "exportSuccess": "Export terminé !",
+    "exportError": "Erreur lors de l'export."
+  },
+  "archive": {
+    "title": "Archives",
+    "empty": "Aucun ticket archivé.",
+    "archiveButton": "Archiver",
+    "unarchiveButton": "Désarchiver",
+    "showArchived": "Voir les groupes archivés",
+    "hideArchived": "Masquer les groupes archivés",
+    "statusFinal": "Statut final",
+    "groupArchiveDisabled": "Tous les tickets doivent être en statut final pour archiver le groupe.",
+    "groupNonFinalTasks": "Il reste {count} ticket(s) sans statut final dans ce groupe."
+  },
+  "myTasks": {
+    "title": "Mes tâches",
+    "viewKanban": "Vue Kanban",
+    "viewList": "Vue Liste",
+    "allProjects": "Tous les projets",
+    "allGroups": "Tous les groupes",
+    "allTypes": "Tous les types",
+    "allPriorities": "Toutes les priorités",
+    "allEfforts": "Tous les efforts",
+    "allAssignees": "Tous",
+    "noTasks": "Aucune tâche",
+    "backlog": "Backlog",
+    "createTask": "Créer une tâche",
+    "sortBy": "Trier par",
+    "sortDefault": "Par défaut",
+    "sortDeadline": "Échéance",
+    "sortScheduledStart": "Date planifiée",
+    "dropRefused": "Aucun statut de cette colonne dans le workflow de ce projet"
+  },
+  "dashboard": {
+    "title": "Tableau de bord",
+    "noData": "Aucune donnée",
+    "noPriority": "Sans priorité",
+    "noProject": "Sans projet",
+    "hoursWorked": "Heures travaillées",
+    "inProgress": "En cours",
+    "done": "Terminé",
+    "filters": {
+      "period": "Période",
+      "project": "Projet",
+      "user": "Utilisateur",
+      "allProjects": "Tous les projets",
+      "allUsers": "Tous les utilisateurs"
+    },
+    "periods": {
+      "thisWeek": "Cette semaine",
+      "lastWeek": "Semaine dernière",
+      "thisMonth": "Ce mois",
+      "lastMonth": "Mois dernier"
+    },
+    "stats": {
+      "hoursPeriod": "Heures sur la période",
+      "myActiveTasks": "Mes tâches actives",
+      "completed": "terminée(s)",
+      "totalTasks": "Tâches totales",
+      "unassigned": "non assignée(s)",
+      "projects": "Projets",
+      "users": "utilisateur(s)"
+    },
+    "charts": {
+      "hoursByDay": "Heures par jour",
+      "hoursByProject": "Temps par projet",
+      "tasksByStatus": "Tâches par statut",
+      "tasksByPriority": "Tâches par priorité",
+      "tasksByProject": "Tâches par projet"
+    },
+    "days": {
+      "mon": "Lun",
+      "tue": "Mar",
+      "wed": "Mer",
+      "thu": "Jeu",
+      "fri": "Ven",
+      "sat": "Sam",
+      "sun": "Dim"
+    }
+  },
+  "sidebar": {
+    "myTasks": "Mes tâches",
+    "general": {
+      "section": "Gestion de projet",
+      "dashboard": "Tableau de bord",
+      "myTasks": "Mes tâches",
+      "projects": "Projets",
+      "timeTracking": "Suivi de temps"
+    },
+    "admin": {
+      "section": "Administration",
+      "teamAbsences": "Absences équipe",
+      "administration": "Administration",
+      "directory": "Répertoire"
+    }
+  },
+  "common": {
+    "cancel": "Annuler",
+    "save": "Enregistrer",
+    "edit": "Modifier",
+    "delete": "Supprimer",
+    "add": "Ajouter",
+    "loading": "Chargement...",
+    "archived": "Archivé",
+    "noClient": "Aucun client",
+    "untitled": "Sans titre",
+    "dateFilter": "Date",
+    "today": "Aujourd'hui",
+    "thisWeek": "Cette semaine",
+    "clear": "Effacer",
+    "day": "Jour",
+    "weekShort": "Sem."
+  },
+  "gitea": {
+    "settings": {
+      "title": "Configuration Gitea",
+      "url": "URL du serveur",
+      "urlPlaceholder": "https://git.example.com",
+      "token": "Token API",
+      "tokenPlaceholder": "Entrez un nouveau token",
+      "tokenConfigured": "Token configuré",
+      "save": "Enregistrer",
+      "saved": "Configuration Gitea sauvegardée.",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie.",
+      "testFailed": "Connexion échouée."
+    },
+    "branch": {
+      "title": "Git",
+      "create": "Créer une branche",
+      "created": "Branche créée avec succès.",
+      "copy": "Copier le nom",
+      "copied": "Nom de branche copié.",
+      "type": "Type",
+      "baseBranch": "Branche de base",
+      "preview": "Aperçu",
+      "types": {
+        "feature": "feature",
+        "fix": "fix",
+        "refactor": "refactor",
+        "hotfix": "hotfix",
+        "chore": "chore"
+      },
+      "noBranches": "Aucune branche liée.",
+      "commits": "Commits",
+      "noCommits": "Aucun commit."
+    },
+    "pr": {
+      "title": "Pull Requests",
+      "noPrs": "Aucune pull request.",
+      "open": "Ouverte",
+      "merged": "Mergée",
+      "closed": "Fermée",
+      "ci": "CI/CD"
+    },
+    "error": "Erreur de connexion à Gitea.",
+    "notConfigured": "Gitea non configuré pour ce projet."
+  },
+  "notification": {
+    "title": "Notifications",
+    "markAllRead": "Tout marquer comme lu",
+    "empty": "Aucune notification",
+    "ticketCreated": "Nouveau ticket client {number}",
+    "ticketStatusChanged": "Ticket {number} mis à jour",
+    "timeAgo": {
+      "now": "À l'instant",
+      "minutes": "Il y a {n} min",
+      "hours": "Il y a {n}h",
+      "days": "Il y a {n}j"
+    }
+  },
+  "profile": {
+    "title": "Mon profil",
+    "changeAvatar": "Changer l'avatar",
+    "removeAvatar": "Supprimer l'avatar",
+    "cropAvatar": "Recadrer l'avatar",
+    "apiToken": {
+      "title": "Token API MCP",
+      "help": "Utilisé pour authentifier le serveur MCP HTTP (à coller dans le header Authorization: Bearer …). Ne pas partager.",
+      "label": "Token",
+      "empty": "Aucun token généré pour le moment.",
+      "generate": "Générer un token",
+      "regenerate": "Régénérer",
+      "copy": "Copier",
+      "copied": "Token copié dans le presse-papiers.",
+      "copyFailed": "Impossible de copier le token.",
+      "regenerated": "Nouveau token généré. L'ancien token est désormais invalide.",
+      "confirmTitle": "Régénérer le token MCP ?",
+      "confirmMessage": "L'ancien token sera immédiatement invalidé. Tous les clients MCP utilisant ce token devront être reconfigurés."
+    }
+  },
+  "bookstack": {
+    "settings": {
+      "title": "Configuration BookStack",
+      "url": "URL du serveur",
+      "urlPlaceholder": "https://wiki.example.com",
+      "tokenId": "Token ID",
+      "tokenIdPlaceholder": "Entrez le Token ID",
+      "tokenSecret": "Token Secret",
+      "tokenSecretPlaceholder": "Entrez le Token Secret",
+      "tokenConfigured": "Token configuré",
+      "save": "Enregistrer",
+      "saved": "Configuration BookStack sauvegardée.",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie.",
+      "testFailed": "Connexion échouée."
+    },
+    "links": {
+      "title": "Documentation",
+      "searchPlaceholder": "Rechercher une page ou un livre...",
+      "noResults": "Aucun résultat",
+      "empty": "Aucun document lié"
+    }
+  },
+  "zimbra": {
+    "settings": {
+      "title": "Calendrier Zimbra",
+      "serverUrl": "URL du serveur CalDAV",
+      "serverUrlPlaceholder": "https://mail.ovh.com",
+      "username": "Nom d'utilisateur",
+      "usernamePlaceholder": "user{'@'}domain.com",
+      "calendarPath": "Chemin du calendrier",
+      "calendarPathPlaceholder": "/dav/user{'@'}domain.com/Calendar/",
+      "password": "Mot de passe",
+      "passwordConfigured": "Mot de passe configuré",
+      "enabled": "Activer la synchronisation CalDAV",
+      "save": "Enregistrer",
+      "saved": "Configuration Zimbra enregistrée",
+      "testConnection": "Tester la connexion",
+      "testSuccess": "Connexion réussie",
+      "testFailed": "Connexion échouée"
+    }
+  },
+  "sharedFiles": {
+    "title": "Documents",
+    "root": "Racine",
+    "empty": "Ce dossier est vide.",
+    "noResults": "Aucun document ne correspond à votre recherche.",
+    "searchPlaceholder": "Rechercher dans tout le partage…",
+    "download": "Télécharger",
+    "reload": "Recharger",
+    "previewError": "Aperçu impossible. Téléchargez le fichier pour l'ouvrir.",
+    "colName": "Nom",
+    "colSize": "Taille",
+    "colModified": "Modifié le",
+    "sidebar": {
+      "title": "Documents"
+    }
+  },
+  "adminShare": {
+    "title": "Partage réseau (SMB)",
+    "host": "Serveur",
+    "hostPlaceholder": "ex. WIN-SRV ou 192.168.1.10",
+    "shareName": "Nom du partage",
+    "shareNamePlaceholder": "ex. Documents",
+    "basePath": "Sous-dossier racine (optionnel)",
+    "basePathPlaceholder": "ex. /Projets",
+    "domain": "Domaine / groupe de travail",
+    "domainPlaceholder": "WORKGROUP",
+    "username": "Identifiant",
+    "usernamePlaceholder": "ex. lesstime",
+    "password": "Mot de passe",
+    "passwordConfigured": "Un mot de passe est déjà enregistré.",
+    "enabled": "Activer l'accès au partage",
+    "save": "Enregistrer",
+    "saved": "Configuration enregistrée.",
+    "testConnection": "Tester la connexion",
+    "testSuccess": "Connexion réussie.",
+    "testFailed": "Échec de la connexion."
+  },
+  "taskRecurrence": {
+    "created": "Récurrence créée",
+    "updated": "Récurrence mise à jour",
+    "deleted": "Récurrence supprimée"
+  },
+  "recurrence": {
+    "daily": "Quotidien",
+    "weekly": "Hebdomadaire",
+    "monthly": "Mensuel",
+    "yearly": "Annuel"
+  },
+  "mail": {
+    "title": "Messagerie",
+    "sidebar": {
+      "title": "Messagerie",
+      "ariaLabel": "Accès à la messagerie, {count} messages non lus"
+    },
+    "admin": {
+      "title": "Configuration messagerie",
+      "protocol": "Protocole",
+      "imapSection": "Réception (IMAP)",
+      "smtpSection": "Envoi (SMTP)",
+      "host": "Serveur",
+      "port": "Port",
+      "encryption": "Chiffrement",
+      "username": "Adresse e-mail",
+      "password": "Mot de passe",
+      "passwordSet": "Mot de passe déjà configuré — laisser vide pour conserver",
+      "sentFolderPath": "Dossier des envois",
+      "enabled": "Activer la synchronisation mail",
+      "test": "Tester la connexion",
+      "testSuccess": "Connexion IMAP réussie",
+      "testFailed": "Échec de connexion",
+      "save": "Enregistrer",
+      "saveSuccess": "Configuration enregistrée",
+      "ovhDefaultsHelp": "OVH : ssl0.ovh.net (port 993 IMAP / 465 SMTP)"
+    },
+    "folders": "Dossiers",
+    "messages": "Messages",
+    "viewer": "Lecture",
+    "empty": {
+      "folder": "Aucun dossier disponible.",
+      "list": "Aucun message dans ce dossier.",
+      "viewer": "Sélectionnez un message pour le lire."
+    },
+    "preview": {
+      "open": "Prévisualiser",
+      "close": "Fermer l'aperçu",
+      "loading": "Chargement de l'aperçu…",
+      "unavailable": "Aperçu indisponible pour ce type de fichier."
+    },
+    "folderTree": {
+      "expand": "Déplier le dossier",
+      "collapse": "Replier le dossier"
+    },
+    "systemFolder": {
+      "inbox": "Boîte de réception",
+      "sent": "Éléments envoyés",
+      "drafts": "Brouillons",
+      "archive": "Archives",
+      "trash": "Corbeille",
+      "junk": "Indésirables"
+    },
+    "actions": {
+      "refresh": "Actualiser",
+      "createTask": "Créer une tâche",
+      "linkTask": "Lier à une tâche",
+      "markRead": "Marquer comme lu",
+      "markUnread": "Marquer comme non lu",
+      "flag": "Marquer important",
+      "unflag": "Retirer l'importance",
+      "download": "Télécharger",
+      "showImages": "Afficher les images"
+    },
+    "errors": {
+      "syncFailed": "Erreur lors de la synchronisation.",
+      "fetchFailed": "Impossible de charger les messages.",
+      "notAuthorized": "Vous n'avez pas accès à la messagerie."
+    },
+    "configuration": {
+      "saved": "Configuration mail enregistrée."
+    },
+    "task": {
+      "created": "Tâche créée depuis le mail.",
+      "linked": "Mail lié à la tâche.",
+      "unlinked": "Lien supprimé."
+    },
+    "createTaskModal": {
+      "title": "Créer une tâche depuis ce mail",
+      "submit": "Créer la tâche",
+      "projectLabel": "Projet *",
+      "projectPlaceholder": "Sélectionner un projet",
+      "groupLabel": "Groupe (optionnel)",
+      "groupPlaceholder": "Aucun groupe",
+      "statusLabel": "Statut",
+      "assigneeLabel": "Assigné à",
+      "assigneePlaceholder": "Aucun",
+      "titleHint": "Le titre sera rempli depuis le sujet du mail.",
+      "descriptionHint": "La description sera remplie depuis le corps du mail."
+    },
+    "linkTaskModal": {
+      "title": "Lier à une tâche existante",
+      "submit": "Lier la tâche",
+      "searchPlaceholder": "Rechercher une tâche par titre…",
+      "projectFilter": "Filtrer par projet",
+      "projectAll": "Tous les projets",
+      "empty": "Aucune tâche correspondante.",
+      "loading": "Recherche en cours…"
+    },
+    "taskTab": {
+      "title": "Mails",
+      "empty": "Aucun mail lié à cette tâche.",
+      "openInMailer": "Ouvrir dans la messagerie",
+      "unlinkConfirm": "Délier ce mail ?"
+    },
+    "sync": {
+      "dispatched": "Synchronisation lancée en arrière-plan."
+    },
+    "attachments": "Pièces jointes",
+    "noAttachments": "Aucune pièce jointe.",
+    "from": "De",
+    "to": "À",
+    "cc": "Cc",
+    "date": "Date",
+    "subject": "Sujet",
+    "noSubject": "(Sans objet)",
+    "loadMore": "Charger plus",
+    "loading": "Chargement…",
+    "hasAttachments": "Pièces jointes",
+    "unread": "non lu | non lus",
+    "remoteImagesBlocked": "Les images distantes sont masquées pour votre sécurité."
+  },
+  "absences": {
+    "title": "Mes absences",
+    "teamTitle": "Absences de l'équipe",
+    "newRequest": "Nouvelle demande",
+    "daySingular": "jour",
+    "daysPlural": "jours",
+    "noBalance": "Aucun solde à afficher.",
+    "noRequests": "Aucune demande.",
+    "remaining": "restants",
+    "acquired": "acquis",
+    "acquiredN1": "Acquis (N-1)",
+    "acquiringN": "En cours d'acquisition (N)",
+    "acquiringHint": "posables par anticipation",
+    "taken": "pris",
+    "pending": "en attente",
+    "available": "disponible",
+    "types": {
+      "cp": "Congés payés",
+      "mariage_pacs": "Mariage / PACS",
+      "naissance": "Naissance",
+      "conge_parental": "Congé parental",
+      "deces": "Décès proche",
+      "maladie": "Arrêt maladie"
+    },
+    "status": {
+      "pending": "En attente",
+      "approved": "Approuvée",
+      "rejected": "Refusée",
+      "cancelled": "Annulée"
+    },
+    "halfDay": {
+      "matin": "Matin",
+      "apres_midi": "Après-midi"
+    },
+    "table": {
+      "type": "Type",
+      "period": "Période",
+      "days": "Jours",
+      "status": "Statut",
+      "employee": "Salarié",
+      "year": "Année",
+      "requestedAt": "Demandé le",
+      "actions": "Actions"
+    },
+    "filters": {
+      "allStatuses": "Tous les statuts",
+      "allTypes": "Tous les types",
+      "allYears": "Toutes les années",
+      "allEmployees": "Tous les salariés"
+    },
+    "form": {
+      "type": "Type d'absence",
+      "startDate": "Date de début",
+      "endDate": "Date de fin",
+      "startHalfDay": "Demi-journée (début)",
+      "endHalfDay": "Demi-journée (fin)",
+      "halfDayCheckbox": "Demi-journée",
+      "reason": "Motif",
+      "reasonPlaceholder": "Précisez le motif si nécessaire…",
+      "justification": "Justificatif",
+      "computed": "{days} décompté(s)",
+      "balanceAfter": "Solde restant après cette demande : {value}",
+      "negativeWarning": "Cette demande dépasse votre solde disponible.",
+      "noticeWarning": "Le délai de prévenance ({days} jours) n'est pas respecté.",
+      "submit": "Soumettre la demande",
+      "justificationRequired": "Un justificatif est requis pour ce type d'absence.",
+      "fullDay": "Journée entière",
+      "balanceAt": "Solde au {date}",
+      "balanceAfterValidation": "Solde après validation",
+      "duration": "Durée de la demande",
+      "commentPlaceholder": "Écrire un commentaire…",
+      "serverError": "La demande n'a pas pu être enregistrée.",
+      "errors": {
+        "typeRequired": "Veuillez choisir un type d'absence.",
+        "startRequired": "Veuillez indiquer une date de début.",
+        "endRequired": "Veuillez indiquer une date de fin.",
+        "endBeforeStart": "La date de fin doit être après la date de début.",
+        "zeroDays": "La période sélectionnée ne décompte aucun jour.",
+        "justificationRequired": "Un justificatif est obligatoire pour ce type d'absence."
+      }
+    },
+    "detail": {
+      "title": "Détail de la demande",
+      "timeline": "Historique",
+      "created": "Demande créée",
+      "reviewed": "Traitée par {name}",
+      "rejectionReason": "Motif du refus",
+      "downloadJustification": "Télécharger le justificatif",
+      "cancel": "Annuler ma demande",
+      "cancelConfirm": "Annuler cette demande ?"
+    },
+    "review": {
+      "approve": "Valider",
+      "reject": "Refuser",
+      "rejectTitle": "Refuser la demande",
+      "rejectReasonLabel": "Motif du refus",
+      "rejectReasonPlaceholder": "Expliquez la raison du refus…",
+      "confirm": "Confirmer"
+    },
+    "admin": {
+      "tabs": {
+        "requests": "Demandes",
+        "calendar": "Calendrier",
+        "balances": "Soldes",
+        "employees": "Employés"
+      },
+      "kpis": {
+        "pending": "En attente",
+        "todayAbsent": "Absents aujourd'hui",
+        "weekAbsent": "Absents cette semaine"
+      },
+      "balancesTable": {
+        "employee": "Salarié",
+        "type": "Type",
+        "period": "Période",
+        "acquired": "Acquis (N-1)",
+        "acquiring": "En cours (N)",
+        "taken": "Pris",
+        "pending": "En attente",
+        "available": "Disponible",
+        "adjust": "Ajuster"
+      },
+      "adjust": {
+        "title": "Ajuster le solde",
+        "acquired": "Acquis (N-1)",
+        "acquiring": "En cours d'acquisition (N)",
+        "taken": "Pris",
+        "save": "Enregistrer"
+      },
+      "employees": {
+        "columns": {
+          "name": "Nom",
+          "contract": "Contrat",
+          "cpTaken": "CP pris",
+          "cpRemaining": "CP restants"
+        },
+        "empty": "Aucun employé. Cochez « Employé » sur un utilisateur dans l'administration.",
+        "noContract": "—",
+        "drawer": {
+          "title": "Informations employé",
+          "save": "Enregistrer"
+        },
+        "fields": {
+          "hireDate": "Date d'embauche",
+          "endDate": "Date de sortie",
+          "contractType": "Type de contrat",
+          "workTimeRatio": "Temps de travail (ex : 1.0)",
+          "annualLeaveDays": "CP annuels (jours)",
+          "referencePeriodStart": "Début période réf. (MM-DD)",
+          "initialLeaveBalance": "Solde CP initial"
+        },
+        "contract": {
+          "cdi": "CDI",
+          "cdd": "CDD",
+          "stage": "Stage",
+          "alternance": "Alternance",
+          "autre": "Autre"
+        }
+      }
+    },
+    "policies": {
+      "title": "Politiques d'absence",
+      "subtitle": "Réglez les défauts par type d'absence — convention de référence : Syntec (IDCC 1486), à confirmer selon le code APE.",
+      "type": "Type",
+      "daysPerYear": "Jours / an",
+      "daysPerEvent": "Jours / événement",
+      "justificationRequired": "Justificatif requis",
+      "noticeDays": "Délai prévenance (j)",
+      "countWorkingDaysOnly": "Jours ouvrés",
+      "active": "Actif",
+      "save": "Enregistrer"
+    },
+    "toast": {
+      "created": "Demande d'absence créée.",
+      "approved": "Demande validée.",
+      "rejected": "Demande refusée.",
+      "cancelled": "Demande annulée.",
+      "justificationUploaded": "Justificatif ajouté.",
+      "balanceAdjusted": "Solde ajusté.",
+      "policyUpdated": "Politique mise à jour."
+    }
+  },
+  "prospects": {
+    "created": "Prospect créé avec succès.",
+    "updated": "Prospect mis à jour avec succès.",
+    "deleted": "Prospect supprimé avec succès.",
+    "converted": "Prospect converti en client avec succès.",
+    "addProspect": "Ajouter un prospect",
+    "editProspect": "Modifier un prospect",
+    "convert": "Convertir en client",
+    "alreadyConverted": "Déjà converti en client",
+    "fields": {
+      "name": "Nom",
+      "company": "Société",
+      "email": "Email",
+      "phone": "Téléphone",
+      "street": "Rue",
+      "city": "Ville",
+      "postalCode": "Code postal",
+      "status": "Statut",
+      "source": "Source",
+      "notes": "Notes"
+    },
+    "status": {
+      "new": "Nouveau",
+      "contacted": "Contacté",
+      "qualified": "Qualifié",
+      "won": "Gagné",
+      "lost": "Perdu"
+    },
+    "validation": {
+      "nameRequired": "Le nom est requis"
+    }
+  },
+  "directory": {
+    "title": "Répertoire",
+    "tabs": {
+      "clients": "Clients",
+      "prospects": "Prospects"
+    },
+    "clients": {
+      "add": "Ajouter un client",
+      "empty": "Aucun client trouvé."
+    },
+    "prospects": {
+      "add": "Ajouter un prospect",
+      "empty": "Aucun prospect trouvé.",
+      "allStatuses": "Tous les statuts"
+    }
+  }
 }
diff --git a/frontend/components/client/ClientDrawer.vue b/frontend/modules/directory/components/ClientDrawer.vue
similarity index 95%
rename from frontend/components/client/ClientDrawer.vue
rename to frontend/modules/directory/components/ClientDrawer.vue
index 918b188..ecd8e27 100644
--- a/frontend/components/client/ClientDrawer.vue
+++ b/frontend/modules/directory/components/ClientDrawer.vue
@@ -50,8 +50,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Client, ClientWrite } from '~/services/dto/client'
-import { useClientService } from '~/services/clients'
+import type { Client, ClientWrite } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/modules/directory/components/ProspectDrawer.vue b/frontend/modules/directory/components/ProspectDrawer.vue
new file mode 100644
index 0000000..3921ef7
--- /dev/null
+++ b/frontend/modules/directory/components/ProspectDrawer.vue
@@ -0,0 +1,221 @@
+<template>
+    <MalioDrawer v-model="isOpen">
+        <template #header>
+            <h2 class="text-xl font-bold">{{ isEditing ? $t('prospects.editProspect') : $t('prospects.addProspect') }}</h2>
+        </template>
+        <form @submit.prevent="handleSubmit" class="flex flex-col gap-2">
+            <MalioInputText
+                v-model="form.name"
+                :label="$t('prospects.fields.name')"
+                input-class="w-full"
+                :error="touched.name && !form.name.trim() ? $t('prospects.validation.nameRequired') : ''"
+                @blur="touched.name = true"
+            />
+            <MalioInputText
+                v-model="form.company"
+                :label="$t('prospects.fields.company')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.email"
+                :label="$t('prospects.fields.email')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.phone"
+                :label="$t('prospects.fields.phone')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.street"
+                :label="$t('prospects.fields.street')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.city"
+                :label="$t('prospects.fields.city')"
+                input-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.postalCode"
+                :label="$t('prospects.fields.postalCode')"
+                input-class="w-full"
+            />
+            <MalioSelect
+                v-model="form.status"
+                :label="$t('prospects.fields.status')"
+                :options="statusOptions"
+                group-class="w-full"
+            />
+            <MalioInputText
+                v-model="form.source"
+                :label="$t('prospects.fields.source')"
+                input-class="w-full"
+            />
+            <MalioInputTextArea
+                v-model="form.notes"
+                :label="$t('prospects.fields.notes')"
+            />
+
+            <div class="mt-6 flex items-center justify-between gap-2">
+                <MalioButton
+                    v-if="isEditing && !isConverted"
+                    :label="$t('prospects.convert')"
+                    variant="secondary"
+                    icon-name="mdi:account-convert"
+                    icon-position="left"
+                    button-class="w-auto px-4"
+                    :disabled="isSubmitting"
+                    @click="handleConvert"
+                />
+                <span v-else-if="isConverted" class="text-sm text-green-700">
+                    {{ $t('prospects.alreadyConverted') }}
+                </span>
+                <span v-else />
+                <MalioButton
+                    :label="$t('common.save')"
+                    button-class="w-auto px-6"
+                    :disabled="isSubmitting"
+                    @click="handleSubmit"
+                />
+            </div>
+        </form>
+    </MalioDrawer>
+</template>
+
+<script setup lang="ts">
+import type { Prospect, ProspectStatus, ProspectWrite } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+const props = defineProps<{
+    modelValue: boolean
+    prospect: Prospect | null
+}>()
+
+const emit = defineEmits<{
+    (e: 'update:modelValue', value: boolean): void
+    (e: 'saved'): void
+}>()
+
+const { t } = useI18n()
+
+const isOpen = computed({
+    get: () => props.modelValue,
+    set: (v) => emit('update:modelValue', v),
+})
+
+const isEditing = computed(() => !!props.prospect)
+const isConverted = computed(() => !!props.prospect?.convertedClient)
+const isSubmitting = ref(false)
+
+const statusOptions = [
+    { label: t('prospects.status.new'), value: 'new' },
+    { label: t('prospects.status.contacted'), value: 'contacted' },
+    { label: t('prospects.status.qualified'), value: 'qualified' },
+    { label: t('prospects.status.won'), value: 'won' },
+    { label: t('prospects.status.lost'), value: 'lost' },
+]
+
+const form = reactive<{
+    name: string
+    company: string
+    email: string
+    phone: string
+    street: string
+    city: string
+    postalCode: string
+    status: ProspectStatus
+    source: string
+    notes: string
+}>({
+    name: '',
+    company: '',
+    email: '',
+    phone: '',
+    street: '',
+    city: '',
+    postalCode: '',
+    status: 'new',
+    source: '',
+    notes: '',
+})
+
+const touched = reactive({
+    name: false,
+})
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        if (props.prospect) {
+            form.name = props.prospect.name ?? ''
+            form.company = props.prospect.company ?? ''
+            form.email = props.prospect.email ?? ''
+            form.phone = props.prospect.phone ?? ''
+            form.street = props.prospect.street ?? ''
+            form.city = props.prospect.city ?? ''
+            form.postalCode = props.prospect.postalCode ?? ''
+            form.status = props.prospect.status ?? 'new'
+            form.source = props.prospect.source ?? ''
+            form.notes = props.prospect.notes ?? ''
+        } else {
+            form.name = ''
+            form.company = ''
+            form.email = ''
+            form.phone = ''
+            form.street = ''
+            form.city = ''
+            form.postalCode = ''
+            form.status = 'new'
+            form.source = ''
+            form.notes = ''
+        }
+        touched.name = false
+    }
+})
+
+const { create, update, convert } = useProspectService()
+
+async function handleSubmit() {
+    touched.name = true
+    if (!form.name.trim()) return
+
+    isSubmitting.value = true
+    try {
+        const payload: ProspectWrite = {
+            name: form.name.trim(),
+            company: form.company.trim() || null,
+            email: form.email.trim() || null,
+            phone: form.phone.trim() || null,
+            street: form.street.trim() || null,
+            city: form.city.trim() || null,
+            postalCode: form.postalCode.trim() || null,
+            status: form.status,
+            source: form.source.trim() || null,
+            notes: form.notes.trim() || null,
+        }
+
+        if (isEditing.value && props.prospect) {
+            await update(props.prospect.id, payload)
+        } else {
+            await create(payload)
+        }
+
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+
+async function handleConvert() {
+    if (!props.prospect) return
+    isSubmitting.value = true
+    try {
+        await convert(props.prospect.id)
+        emit('saved')
+        isOpen.value = false
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
diff --git a/frontend/modules/directory/nuxt.config.ts b/frontend/modules/directory/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/directory/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/modules/directory/pages/directory.vue b/frontend/modules/directory/pages/directory.vue
new file mode 100644
index 0000000..2bdaae3
--- /dev/null
+++ b/frontend/modules/directory/pages/directory.vue
@@ -0,0 +1,240 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <h1 class="text-2xl font-bold text-neutral-900">
+            {{ $t('directory.title') }}
+        </h1>
+
+        <MalioTabList v-model="activeTab" :tabs="tabs">
+            <!-- Clients -->
+            <template #clients>
+                <div class="flex min-h-[30rem] flex-col gap-4 pt-10">
+                    <div class="flex items-center justify-end">
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.clients.add')"
+                            @click="openCreateClient"
+                        />
+                    </div>
+
+                    <MalioDataTable
+                        :columns="clientColumns"
+                        :items="clients"
+                        :total-items="clients.length"
+                        :empty-message="$t('directory.clients.empty')"
+                        @row-click="openEditClient"
+                    >
+                        <template #cell-email="{ item }">
+                            {{ (item as Client).email ?? '—' }}
+                        </template>
+                        <template #cell-phone="{ item }">
+                            {{ (item as Client).phone ?? '—' }}
+                        </template>
+                        <template #cell-city="{ item }">
+                            {{ (item as Client).city ?? '—' }}
+                        </template>
+                    </MalioDataTable>
+                </div>
+            </template>
+
+            <!-- Prospects -->
+            <template #prospects>
+                <div class="flex min-h-[30rem] flex-col gap-4 pt-10">
+                    <div class="flex flex-wrap items-end justify-between gap-3">
+                        <MalioSelect
+                            v-model="statusFilter"
+                            :label="$t('prospects.fields.status')"
+                            :options="statusOptions"
+                            :empty-option-label="$t('directory.prospects.allStatuses')"
+                            group-class="w-48"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.prospects.add')"
+                            @click="openCreateProspect"
+                        />
+                    </div>
+
+                    <MalioDataTable
+                        :columns="prospectColumns"
+                        :items="prospectRows"
+                        :total-items="prospectRows.length"
+                        :empty-message="$t('directory.prospects.empty')"
+                        @row-click="openEditProspect"
+                    >
+                        <template #cell-status="{ item }">
+                            <StatusBadge
+                                :label="statusLabel((item as ProspectRow).status)"
+                                :variant="statusVariant((item as ProspectRow).status)"
+                            />
+                        </template>
+                        <template #cell-email="{ item }">
+                            {{ (item as ProspectRow).email ?? '—' }}
+                        </template>
+                        <template #cell-phone="{ item }">
+                            {{ (item as ProspectRow).phone ?? '—' }}
+                        </template>
+                        <template #cell-actions="{ item }">
+                            <div
+                                v-if="!(item as ProspectRow).convertedClient"
+                                class="flex justify-end"
+                                @click.stop
+                            >
+                                <MalioButtonIcon
+                                    icon="mdi:account-convert"
+                                    :aria-label="$t('prospects.convert')"
+                                    button-class="!bg-green-100 !text-green-700"
+                                    :icon-size="18"
+                                    @click="convertProspect(item as ProspectRow)"
+                                />
+                            </div>
+                            <span v-else class="text-neutral-300">—</span>
+                        </template>
+                    </MalioDataTable>
+                </div>
+            </template>
+        </MalioTabList>
+
+        <ClientDrawer
+            v-model="clientDrawerOpen"
+            :client="selectedClient"
+            @saved="loadClients"
+        />
+        <ProspectDrawer
+            v-model="prospectDrawerOpen"
+            :prospect="selectedProspect"
+            @saved="loadProspects"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
+import type { Prospect, ProspectStatus } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+definePageMeta({ middleware: ['admin'] })
+
+type ProspectRow = Prospect
+
+const { t } = useI18n()
+useHead({ title: t('directory.title') })
+
+const clientService = useClientService()
+const prospectService = useProspectService()
+
+const activeTab = ref('clients')
+const tabs = [
+    { key: 'clients', label: t('directory.tabs.clients'), icon: 'mdi:account-tie-outline' },
+    { key: 'prospects', label: t('directory.tabs.prospects'), icon: 'mdi:account-search-outline' },
+]
+
+// --- Clients ---
+const clients = ref<Client[]>([])
+const clientDrawerOpen = ref(false)
+const selectedClient = ref<Client | null>(null)
+
+const clientColumns = [
+    { key: 'name', label: t('prospects.fields.name') },
+    { key: 'email', label: t('prospects.fields.email') },
+    { key: 'phone', label: t('prospects.fields.phone') },
+    { key: 'city', label: t('prospects.fields.city') },
+]
+
+async function loadClients() {
+    clients.value = await clientService.getAll()
+}
+
+function openCreateClient() {
+    selectedClient.value = null
+    clientDrawerOpen.value = true
+}
+
+function openEditClient(item: Record<string, unknown>) {
+    selectedClient.value = item as Client
+    clientDrawerOpen.value = true
+}
+
+// --- Prospects ---
+const prospects = ref<Prospect[]>([])
+const prospectDrawerOpen = ref(false)
+const selectedProspect = ref<Prospect | null>(null)
+const statusFilter = ref<ProspectStatus | null>(null)
+
+const statusOptions = [
+    { label: t('prospects.status.new'), value: 'new' },
+    { label: t('prospects.status.contacted'), value: 'contacted' },
+    { label: t('prospects.status.qualified'), value: 'qualified' },
+    { label: t('prospects.status.won'), value: 'won' },
+    { label: t('prospects.status.lost'), value: 'lost' },
+]
+
+const prospectColumns = [
+    { key: 'name', label: t('prospects.fields.name') },
+    { key: 'company', label: t('prospects.fields.company') },
+    { key: 'status', label: t('prospects.fields.status') },
+    { key: 'email', label: t('prospects.fields.email') },
+    { key: 'phone', label: t('prospects.fields.phone') },
+    { key: 'actions', label: '' },
+]
+
+const prospectRows = computed<ProspectRow[]>(() => prospects.value)
+
+function statusLabel(status: ProspectStatus): string {
+    return t(`prospects.status.${status}`)
+}
+
+function statusVariant(status: ProspectStatus): 'neutral' | 'info' | 'success' | 'warning' | 'danger' {
+    switch (status) {
+        case 'new':
+            return 'info'
+        case 'contacted':
+            return 'warning'
+        case 'qualified':
+            return 'neutral'
+        case 'won':
+            return 'success'
+        case 'lost':
+            return 'danger'
+        default:
+            return 'neutral'
+    }
+}
+
+async function loadProspects() {
+    prospects.value = await prospectService.getAll(statusFilter.value ?? undefined)
+}
+
+function openCreateProspect() {
+    selectedProspect.value = null
+    prospectDrawerOpen.value = true
+}
+
+function openEditProspect(item: Record<string, unknown>) {
+    selectedProspect.value = item as Prospect
+    prospectDrawerOpen.value = true
+}
+
+async function convertProspect(row: ProspectRow) {
+    await prospectService.convert(row.id)
+    await loadProspects()
+}
+
+watch(statusFilter, loadProspects)
+
+onMounted(async () => {
+    await Promise.all([loadClients(), loadProspects()])
+})
+</script>
+
+<style scoped>
+/* MalioTabList (lib) : aère les onglets verticalement (espace haut/bas du texte) */
+:deep([role="tab"]) {
+    padding-top: 0.9rem;
+    padding-bottom: 0.25rem;
+}
+</style>
diff --git a/frontend/services/clients.ts b/frontend/modules/directory/services/clients.ts
similarity index 100%
rename from frontend/services/clients.ts
rename to frontend/modules/directory/services/clients.ts
diff --git a/frontend/services/dto/client.ts b/frontend/modules/directory/services/dto/client.ts
similarity index 100%
rename from frontend/services/dto/client.ts
rename to frontend/modules/directory/services/dto/client.ts
diff --git a/frontend/modules/directory/services/dto/prospect.ts b/frontend/modules/directory/services/dto/prospect.ts
new file mode 100644
index 0000000..17a8f66
--- /dev/null
+++ b/frontend/modules/directory/services/dto/prospect.ts
@@ -0,0 +1,34 @@
+import type { Client } from './client'
+
+export type ProspectStatus = 'new' | 'contacted' | 'qualified' | 'won' | 'lost'
+
+export type Prospect = {
+    id: number
+    '@id'?: string
+    name: string
+    company: string | null
+    email: string | null
+    phone: string | null
+    street: string | null
+    city: string | null
+    postalCode: string | null
+    status: ProspectStatus
+    source: string | null
+    notes: string | null
+    convertedClient: Client | string | null
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type ProspectWrite = {
+    name: string
+    company: string | null
+    email: string | null
+    phone: string | null
+    street: string | null
+    city: string | null
+    postalCode: string | null
+    status: ProspectStatus
+    source: string | null
+    notes: string | null
+}
diff --git a/frontend/modules/directory/services/prospects.ts b/frontend/modules/directory/services/prospects.ts
new file mode 100644
index 0000000..a07e9b0
--- /dev/null
+++ b/frontend/modules/directory/services/prospects.ts
@@ -0,0 +1,44 @@
+import type { Prospect, ProspectStatus, ProspectWrite } from './dto/prospect'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export function useProspectService() {
+    const api = useApi()
+
+    async function getAll(status?: ProspectStatus): Promise<Prospect[]> {
+        const query: Record<string, unknown> = {}
+        if (status) query.status = status
+        const data = await api.get<HydraCollection<Prospect>>('/prospects', query)
+        return extractHydraMembers(data)
+    }
+
+    async function getById(id: number): Promise<Prospect> {
+        return api.get<Prospect>(`/prospects/${id}`)
+    }
+
+    async function create(payload: ProspectWrite): Promise<Prospect> {
+        return api.post<Prospect>('/prospects', payload as Record<string, unknown>, {
+            toastSuccessKey: 'prospects.created',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ProspectWrite>): Promise<Prospect> {
+        return api.patch<Prospect>(`/prospects/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'prospects.updated',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/prospects/${id}`, {}, {
+            toastSuccessKey: 'prospects.deleted',
+        })
+    }
+
+    async function convert(id: number): Promise<Prospect> {
+        return api.post<Prospect>(`/prospects/${id}/convert`, {}, {
+            toastSuccessKey: 'prospects.converted',
+        })
+    }
+
+    return { getAll, getById, create, update, remove, convert }
+}
diff --git a/frontend/modules/project-management/components/ProjectDrawer.vue b/frontend/modules/project-management/components/ProjectDrawer.vue
index cd9aef4..0cef9b8 100644
--- a/frontend/modules/project-management/components/ProjectDrawer.vue
+++ b/frontend/modules/project-management/components/ProjectDrawer.vue
@@ -124,7 +124,7 @@
 
 <script setup lang="ts">
 import type { Project, ProjectWrite } from '~/modules/project-management/services/dto/project'
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import type { GiteaRepository } from '~/services/dto/gitea'
 import type { BookStackShelf } from '~/services/dto/bookstack'
 import { useProjectService } from '~/modules/project-management/services/projects'
diff --git a/frontend/modules/project-management/pages/projects/[id]/index.vue b/frontend/modules/project-management/pages/projects/[id]/index.vue
index 29ca735..b8165f0 100644
--- a/frontend/modules/project-management/pages/projects/[id]/index.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/index.vue
@@ -215,9 +215,9 @@ import type { TaskPriority } from '~/modules/project-management/services/dto/tas
 import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
 import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import { useProjectService } from '~/modules/project-management/services/projects'
-import { useClientService } from '~/services/clients'
+import { useClientService } from '~/modules/directory/services/clients'
 import { useTaskService } from '~/modules/project-management/services/tasks'
 import { useTaskEffortService } from '~/modules/project-management/services/task-efforts'
 import { useTaskPriorityService } from '~/modules/project-management/services/task-priorities'
diff --git a/frontend/modules/project-management/pages/projects/index.vue b/frontend/modules/project-management/pages/projects/index.vue
index 954d2ca..d4b1b99 100644
--- a/frontend/modules/project-management/pages/projects/index.vue
+++ b/frontend/modules/project-management/pages/projects/index.vue
@@ -77,9 +77,9 @@
 
 <script setup lang="ts">
 import type { Project } from '~/modules/project-management/services/dto/project'
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import { useProjectService } from '~/modules/project-management/services/projects'
-import { useClientService } from '~/services/clients'
+import { useClientService } from '~/modules/directory/services/clients'
 
 useHead({ title: 'Projets' })
 
diff --git a/frontend/modules/project-management/services/dto/project.ts b/frontend/modules/project-management/services/dto/project.ts
index 8e160d3..5d13625 100644
--- a/frontend/modules/project-management/services/dto/project.ts
+++ b/frontend/modules/project-management/services/dto/project.ts
@@ -1,4 +1,4 @@
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import type { Workflow } from './workflow'
 
 export type Project = {
diff --git a/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
index 77d4e7e..958b3af 100644
--- a/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
+++ b/frontend/modules/time-tracking/components/TimeTrackingExportDrawer.vue
@@ -110,7 +110,7 @@
 import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/modules/project-management/services/dto/project'
 import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 
 const props = defineProps<{
     users: UserData[]
diff --git a/frontend/modules/time-tracking/pages/time-tracking.vue b/frontend/modules/time-tracking/pages/time-tracking.vue
index fa29935..070c55b 100644
--- a/frontend/modules/time-tracking/pages/time-tracking.vue
+++ b/frontend/modules/time-tracking/pages/time-tracking.vue
@@ -154,7 +154,7 @@ import type { TimeEntry } from '~/modules/time-tracking/services/dto/time-entry'
 import type { UserData } from '~/services/dto/user-data'
 import type { Project } from '~/modules/project-management/services/dto/project'
 import type { TaskTag } from '~/modules/project-management/services/dto/task-tag'
-import type { Client } from '~/services/dto/client'
+import type { Client } from '~/modules/directory/services/dto/client'
 import { useTimeEntryService } from '~/modules/time-tracking/services/time-entries'
 import type { HydraCollection } from '~/utils/api'
 import { extractHydraMembers } from '~/utils/api'
-- 
2.39.5


From 25d3a693f9267c66fd0bfb1c50ebcb4474529a62 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 19:44:19 +0200
Subject: [PATCH 56/99] feat(mail) : migrate Mail integration into module
 (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-67 (2.5) backend. Behaviour-preserving move of the IMAP mail integration
into src/Module/Mail/. All /api/mail/* routes, securities (ROLE_CLIENT still
excluded via MailAccessChecker) and the async sync are unchanged.

- 4 entities + 4 repositories (Domain interfaces + Doctrine impls, bound).
  TaskMailLink.task now references TaskInterface (contract) instead of the
  concrete PM Task. Link/unlink/list-mails controllers load tasks via
  TaskRepositoryInterface; MailCreateTaskController keeps the concrete Task
  (instantiation) — documented Mail->PM coupling.
- Domain (MailProviderInterface, exception), Application (5 DTOs, MailSyncService,
  MailSyncRequested message + handler), Infrastructure (ImapMailProvider +
  MimeHeaderDecoder, MailAccessChecker, 2 console commands, 12 controllers,
  ApiPlatform state + MailSettings resource). TokenEncryptor stays shared.
- doctrine mapping Mail; messenger routing repointed; services.yaml repo +
  provider bindings; MailModule registered (id mail, mail.access/configure).
- #[Auditable] + Timestampable on MailConfiguration only (additive migration);
  IMAP data entities keep their own sync timestamps.

163 tests green, mapping valid, no route regression, cs-fixer clean.
---
 config/modules.php                            |  2 +
 config/packages/doctrine.yaml                 |  5 ++
 config/packages/messenger.yaml                |  2 +-
 config/services.yaml                          | 10 ++++
 migrations/Version20260620200000.php          | 54 +++++++++++++++++++
 src/DataFixtures/AppFixtures.php              |  2 +-
 .../Application}/Dto/MailAttachmentDto.php    |  2 +-
 .../Mail/Application}/Dto/MailFolderDto.php   |  2 +-
 .../Application}/Dto/MailMessageDetailDto.php |  2 +-
 .../Application}/Dto/MailMessageHeaderDto.php |  2 +-
 .../Mail/Application}/Dto/MailSyncReport.php  |  2 +-
 .../Message/MailSyncRequested.php             |  2 +-
 .../MailSyncRequestedHandler.php              | 10 ++--
 .../Application}/Service/MailSyncService.php  | 24 ++++-----
 .../Mail/Domain}/Entity/MailConfiguration.php | 15 ++++--
 .../Mail/Domain}/Entity/MailFolder.php        |  6 +--
 .../Mail/Domain}/Entity/MailMessage.php       |  6 +--
 .../Mail/Domain}/Entity/TaskMailLink.php      | 16 +++---
 .../Exception/MailProviderException.php       |  2 +-
 .../Provider}/MailProviderInterface.php       | 10 ++--
 .../MailConfigurationRepositoryInterface.php  | 12 +++++
 .../MailFolderRepositoryInterface.php         | 17 ++++++
 .../MailMessageRepositoryInterface.php        | 49 +++++++++++++++++
 .../TaskMailLinkRepositoryInterface.php       | 24 +++++++++
 .../ApiPlatform/Resource}/MailSettings.php    |  6 +--
 .../State}/MailSettingsProcessor.php          | 10 ++--
 .../State}/MailSettingsProvider.php           |  8 +--
 .../Console}/MailRedecodeHeadersCommand.php   |  8 +--
 .../Console}/MailSyncCommand.php              | 12 ++---
 .../MailAttachmentDownloadController.php      | 14 ++---
 .../Controller}/MailCreateTaskController.php  | 12 ++---
 .../Controller}/MailFoldersListController.php |  8 +--
 .../Controller}/MailLinkTaskController.php    | 21 ++++----
 .../MailMessageDetailController.php           | 14 ++---
 .../Controller}/MailMessageFlagController.php | 14 ++---
 .../Controller}/MailMessageReadController.php | 14 ++---
 .../MailMessagesListController.php            | 12 ++---
 .../Controller}/MailSyncTriggerController.php |  6 +--
 .../MailTestConnectionController.php          |  6 +--
 .../Controller}/MailUnlinkTaskController.php  | 19 +++----
 .../Controller}/TaskMailsListController.php   | 15 +++---
 .../DoctrineMailConfigurationRepository.php}  | 10 ++--
 .../DoctrineMailFolderRepository.php}         | 10 ++--
 .../DoctrineMailMessageRepository.php}        | 17 ++++--
 .../DoctrineTaskMailLinkRepository.php}       | 18 ++++---
 .../Infrastructure/Imap}/ImapMailProvider.php | 17 +++---
 .../Imap}/MimeHeaderDecoder.php               |  2 +-
 .../Security/MailAccessChecker.php            |  2 +-
 src/Module/Mail/MailModule.php                | 41 ++++++++++++++
 .../MailTaskIntegrationControllerTest.php     |  4 +-
 tests/Unit/Mail/ImapMailProviderTest.php      | 12 ++---
 tests/Unit/Mail/MailSyncReportTest.php        |  2 +-
 tests/Unit/Mail/MimeHeaderDecoderTest.php     |  2 +-
 .../MailConfigurationRepositoryTest.php       |  8 +--
 tests/Unit/Service/MailSyncServiceTest.php    | 40 +++++++-------
 55 files changed, 453 insertions(+), 209 deletions(-)
 create mode 100644 migrations/Version20260620200000.php
 rename src/{Mail => Module/Mail/Application}/Dto/MailAttachmentDto.php (85%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailFolderDto.php (86%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailMessageDetailDto.php (88%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailMessageHeaderDto.php (92%)
 rename src/{Mail => Module/Mail/Application}/Dto/MailSyncReport.php (91%)
 rename src/{ => Module/Mail/Application}/Message/MailSyncRequested.php (77%)
 rename src/{ => Module/Mail/Application}/MessageHandler/MailSyncRequestedHandler.php (85%)
 rename src/{ => Module/Mail/Application}/Service/MailSyncService.php (94%)
 rename src/{ => Module/Mail/Domain}/Entity/MailConfiguration.php (87%)
 rename src/{ => Module/Mail/Domain}/Entity/MailFolder.php (92%)
 rename src/{ => Module/Mail/Domain}/Entity/MailMessage.php (96%)
 rename src/{ => Module/Mail/Domain}/Entity/TaskMailLink.php (81%)
 rename src/{Mail => Module/Mail/Domain}/Exception/MailProviderException.php (91%)
 rename src/{Mail => Module/Mail/Domain/Provider}/MailProviderInterface.php (88%)
 create mode 100644 src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
 create mode 100644 src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
 rename src/{ApiResource => Module/Mail/Infrastructure/ApiPlatform/Resource}/MailSettings.php (90%)
 rename src/{State/Mail => Module/Mail/Infrastructure/ApiPlatform/State}/MailSettingsProcessor.php (89%)
 rename src/{State/Mail => Module/Mail/Infrastructure/ApiPlatform/State}/MailSettingsProvider.php (80%)
 rename src/{Command => Module/Mail/Infrastructure/Console}/MailRedecodeHeadersCommand.php (90%)
 rename src/{Command => Module/Mail/Infrastructure/Console}/MailSyncCommand.php (88%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailAttachmentDownloadController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailCreateTaskController.php (92%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailFoldersListController.php (83%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailLinkTaskController.php (74%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageDetailController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageFlagController.php (78%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessageReadController.php (78%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailMessagesListController.php (84%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailSyncTriggerController.php (87%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailTestConnectionController.php (88%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/MailUnlinkTaskController.php (69%)
 rename src/{Controller/Mail => Module/Mail/Infrastructure/Controller}/TaskMailsListController.php (79%)
 rename src/{Repository/MailConfigurationRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php} (58%)
 rename src/{Repository/MailFolderRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php} (66%)
 rename src/{Repository/MailMessageRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php} (90%)
 rename src/{Repository/TaskMailLinkRepository.php => Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php} (59%)
 rename src/{Mail => Module/Mail/Infrastructure/Imap}/ImapMailProvider.php (96%)
 rename src/{Mail => Module/Mail/Infrastructure/Imap}/MimeHeaderDecoder.php (96%)
 rename src/{ => Module/Mail/Infrastructure}/Security/MailAccessChecker.php (96%)
 create mode 100644 src/Module/Mail/MailModule.php

diff --git a/config/modules.php b/config/modules.php
index a799714..95abc5b 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -10,6 +10,7 @@ declare(strict_types=1);
 use App\Module\Absence\AbsenceModule;
 use App\Module\Core\CoreModule;
 use App\Module\Directory\DirectoryModule;
+use App\Module\Mail\MailModule;
 use App\Module\ProjectManagement\ProjectManagementModule;
 use App\Module\TimeTracking\TimeTrackingModule;
 
@@ -19,4 +20,5 @@ return [
     ProjectManagementModule::class,
     AbsenceModule::class,
     DirectoryModule::class,
+    MailModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 9157f14..fdb5142 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -58,6 +58,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Directory/Domain/Entity'
                 prefix: 'App\Module\Directory\Domain\Entity'
+            Mail:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Mail/Domain/Entity'
+                prefix: 'App\Module\Mail\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/packages/messenger.yaml b/config/packages/messenger.yaml
index 044057e..a8a9bf1 100644
--- a/config/packages/messenger.yaml
+++ b/config/packages/messenger.yaml
@@ -23,7 +23,7 @@ framework:
             # messenger:consume à maintenir. La sync de fond reste assurée par le cron OS
             # (app:mail:sync, synchrone, indépendant du bus). Repasser à `async` + worker si
             # la boîte grossit au point que la sync à la demande approche le timeout PHP.
-            'App\Message\MailSyncRequested': sync
+            'App\Module\Mail\Application\Message\MailSyncRequested': sync
 
 when@test:
     framework:
diff --git a/config/services.yaml b/config/services.yaml
index e3625b1..3900610 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -103,4 +103,14 @@ services:
 
     App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
 
+    App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'
+
+    App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailFolderRepository'
+
+    App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailMessageRepository'
+
+    App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineTaskMailLinkRepository'
+
+    App\Module\Mail\Domain\Provider\MailProviderInterface: '@App\Module\Mail\Infrastructure\Imap\ImapMailProvider'
+
     App\Shared\Domain\Contract\NotifierInterface: '@App\Module\Core\Infrastructure\Notifier'
diff --git a/migrations/Version20260620200000.php b/migrations/Version20260620200000.php
new file mode 100644
index 0000000..f750e91
--- /dev/null
+++ b/migrations/Version20260620200000.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Mail module: add Timestampable + Blamable tracking on mail_configuration.
+ *
+ * Purely additive — adds nullable audit columns to an existing table:
+ *   created_at / updated_at (Timestampable)
+ *   created_by / updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case.
+ * Hand-written to mirror the schema dump and guarantee zero destructive
+ * instruction. down() drops the new columns and their FKs/indexes.
+ */
+final class Version20260620200000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Mail: add Timestampable/Blamable columns on mail_configuration (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE mail_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE mail_configuration ADD CONSTRAINT FK_BFC0A7DBDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE mail_configuration ADD CONSTRAINT FK_BFC0A7DB16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_BFC0A7DBDE12AB56 ON mail_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_BFC0A7DB16FE72E1 ON mail_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN mail_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN mail_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE mail_configuration DROP CONSTRAINT FK_BFC0A7DBDE12AB56');
+        $this->addSql('ALTER TABLE mail_configuration DROP CONSTRAINT FK_BFC0A7DB16FE72E1');
+        $this->addSql('DROP INDEX IDX_BFC0A7DBDE12AB56');
+        $this->addSql('DROP INDEX IDX_BFC0A7DB16FE72E1');
+        $this->addSql('ALTER TABLE mail_configuration DROP created_at');
+        $this->addSql('ALTER TABLE mail_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE mail_configuration DROP created_by');
+        $this->addSql('ALTER TABLE mail_configuration DROP updated_by');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index da9cfab..2cb0be1 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Entity\MailConfiguration;
 use App\Entity\ZimbraConfiguration;
 use App\Enum\ContractType;
 use App\Module\Absence\Domain\Entity\AbsenceBalance;
@@ -17,6 +16,7 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
diff --git a/src/Mail/Dto/MailAttachmentDto.php b/src/Module/Mail/Application/Dto/MailAttachmentDto.php
similarity index 85%
rename from src/Mail/Dto/MailAttachmentDto.php
rename to src/Module/Mail/Application/Dto/MailAttachmentDto.php
index cb6362a..ce7146c 100644
--- a/src/Mail/Dto/MailAttachmentDto.php
+++ b/src/Module/Mail/Application/Dto/MailAttachmentDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailAttachmentDto
 {
diff --git a/src/Mail/Dto/MailFolderDto.php b/src/Module/Mail/Application/Dto/MailFolderDto.php
similarity index 86%
rename from src/Mail/Dto/MailFolderDto.php
rename to src/Module/Mail/Application/Dto/MailFolderDto.php
index d6ff8ff..5069774 100644
--- a/src/Mail/Dto/MailFolderDto.php
+++ b/src/Module/Mail/Application/Dto/MailFolderDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailFolderDto
 {
diff --git a/src/Mail/Dto/MailMessageDetailDto.php b/src/Module/Mail/Application/Dto/MailMessageDetailDto.php
similarity index 88%
rename from src/Mail/Dto/MailMessageDetailDto.php
rename to src/Module/Mail/Application/Dto/MailMessageDetailDto.php
index 76462e7..68587ba 100644
--- a/src/Mail/Dto/MailMessageDetailDto.php
+++ b/src/Module/Mail/Application/Dto/MailMessageDetailDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 final readonly class MailMessageDetailDto
 {
diff --git a/src/Mail/Dto/MailMessageHeaderDto.php b/src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
similarity index 92%
rename from src/Mail/Dto/MailMessageHeaderDto.php
rename to src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
index fe9d022..1418298 100644
--- a/src/Mail/Dto/MailMessageHeaderDto.php
+++ b/src/Module/Mail/Application/Dto/MailMessageHeaderDto.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 use DateTimeImmutable;
 
diff --git a/src/Mail/Dto/MailSyncReport.php b/src/Module/Mail/Application/Dto/MailSyncReport.php
similarity index 91%
rename from src/Mail/Dto/MailSyncReport.php
rename to src/Module/Mail/Application/Dto/MailSyncReport.php
index cee124b..c1c5f1a 100644
--- a/src/Mail/Dto/MailSyncReport.php
+++ b/src/Module/Mail/Application/Dto/MailSyncReport.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Dto;
+namespace App\Module\Mail\Application\Dto;
 
 use DateTimeImmutable;
 
diff --git a/src/Message/MailSyncRequested.php b/src/Module/Mail/Application/Message/MailSyncRequested.php
similarity index 77%
rename from src/Message/MailSyncRequested.php
rename to src/Module/Mail/Application/Message/MailSyncRequested.php
index 01ecb52..5c80a56 100644
--- a/src/Message/MailSyncRequested.php
+++ b/src/Module/Mail/Application/Message/MailSyncRequested.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Message;
+namespace App\Module\Mail\Application\Message;
 
 final readonly class MailSyncRequested
 {
diff --git a/src/MessageHandler/MailSyncRequestedHandler.php b/src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
similarity index 85%
rename from src/MessageHandler/MailSyncRequestedHandler.php
rename to src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
index d76e32b..89168eb 100644
--- a/src/MessageHandler/MailSyncRequestedHandler.php
+++ b/src/Module/Mail/Application/MessageHandler/MailSyncRequestedHandler.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\MessageHandler;
+namespace App\Module\Mail\Application\MessageHandler;
 
-use App\Message\MailSyncRequested;
-use App\Repository\MailFolderRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Message\MailSyncRequested;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Messenger\Attribute\AsMessageHandler;
 use Throwable;
@@ -16,7 +16,7 @@ final readonly class MailSyncRequestedHandler
 {
     public function __construct(
         private MailSyncService $mailSyncService,
-        private MailFolderRepository $folderRepository,
+        private MailFolderRepositoryInterface $folderRepository,
         private LoggerInterface $logger,
     ) {}
 
diff --git a/src/Service/MailSyncService.php b/src/Module/Mail/Application/Service/MailSyncService.php
similarity index 94%
rename from src/Service/MailSyncService.php
rename to src/Module/Mail/Application/Service/MailSyncService.php
index 2d0e329..ba90b9d 100644
--- a/src/Service/MailSyncService.php
+++ b/src/Module/Mail/Application/Service/MailSyncService.php
@@ -2,16 +2,16 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Mail\Application\Service;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
-use App\Mail\Dto\MailSyncReport;
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Application\Dto\MailSyncReport;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\Persistence\ManagerRegistry;
@@ -27,9 +27,9 @@ final class MailSyncService
 
     public function __construct(
         private readonly MailProviderInterface $provider,
-        private readonly MailConfigurationRepository $configRepository,
-        private readonly MailFolderRepository $folderRepository,
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $entityManager,
         private readonly LockFactory $lockFactory,
         private readonly LoggerInterface $logger,
diff --git a/src/Entity/MailConfiguration.php b/src/Module/Mail/Domain/Entity/MailConfiguration.php
similarity index 87%
rename from src/Entity/MailConfiguration.php
rename to src/Module/Mail/Domain/Entity/MailConfiguration.php
index b1af5b1..c63b120 100644
--- a/src/Entity/MailConfiguration.php
+++ b/src/Module/Mail/Domain/Entity/MailConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailConfigurationRepository::class)]
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineMailConfigurationRepository::class)]
 #[ORM\Table(name: 'mail_configuration')]
-class MailConfiguration
+class MailConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/MailFolder.php b/src/Module/Mail/Domain/Entity/MailFolder.php
similarity index 92%
rename from src/Entity/MailFolder.php
rename to src/Module/Mail/Domain/Entity/MailFolder.php
index 0b2462d..8131c48 100644
--- a/src/Entity/MailFolder.php
+++ b/src/Module/Mail/Domain/Entity/MailFolder.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailFolderRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailFolderRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailFolderRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineMailFolderRepository::class)]
 #[ORM\Table(name: 'mail_folder')]
 #[ORM\Index(columns: ['parent_path'], name: 'idx_mail_folder_parent_path')]
 class MailFolder
diff --git a/src/Entity/MailMessage.php b/src/Module/Mail/Domain/Entity/MailMessage.php
similarity index 96%
rename from src/Entity/MailMessage.php
rename to src/Module/Mail/Domain/Entity/MailMessage.php
index 8efee5f..711306d 100644
--- a/src/Entity/MailMessage.php
+++ b/src/Module/Mail/Domain/Entity/MailMessage.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailMessageRepository;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: MailMessageRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineMailMessageRepository::class)]
 #[ORM\Table(name: 'mail_message')]
 #[ORM\UniqueConstraint(name: 'uq_mail_message_folder_uid', columns: ['folder_id', 'uid'])]
 #[ORM\Index(columns: ['sent_at'], name: 'idx_mail_message_sent_at')]
diff --git a/src/Entity/TaskMailLink.php b/src/Module/Mail/Domain/Entity/TaskMailLink.php
similarity index 81%
rename from src/Entity/TaskMailLink.php
rename to src/Module/Mail/Domain/Entity/TaskMailLink.php
index 9ef6364..a55ed8e 100644
--- a/src/Entity/TaskMailLink.php
+++ b/src/Module/Mail/Domain/Entity/TaskMailLink.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Mail\Domain\Entity;
 
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\TaskMailLinkRepository;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineTaskMailLinkRepository;
+use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: TaskMailLinkRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskMailLinkRepository::class)]
 #[ORM\Table(name: 'task_mail_link')]
 #[ORM\UniqueConstraint(name: 'uq_task_mail_link', columns: ['task_id', 'mail_message_id'])]
 class TaskMailLink
@@ -20,9 +20,9 @@ class TaskMailLink
     #[ORM\Column]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
-    private Task $task;
+    private TaskInterface $task;
 
     #[ORM\ManyToOne(targetEntity: MailMessage::class)]
     #[ORM\JoinColumn(name: 'mail_message_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
@@ -40,12 +40,12 @@ class TaskMailLink
         return $this->id;
     }
 
-    public function getTask(): Task
+    public function getTask(): TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(Task $task): static
+    public function setTask(TaskInterface $task): static
     {
         $this->task = $task;
 
diff --git a/src/Mail/Exception/MailProviderException.php b/src/Module/Mail/Domain/Exception/MailProviderException.php
similarity index 91%
rename from src/Mail/Exception/MailProviderException.php
rename to src/Module/Mail/Domain/Exception/MailProviderException.php
index af4e6da..656d8a3 100644
--- a/src/Mail/Exception/MailProviderException.php
+++ b/src/Module/Mail/Domain/Exception/MailProviderException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail\Exception;
+namespace App\Module\Mail\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Mail/MailProviderInterface.php b/src/Module/Mail/Domain/Provider/MailProviderInterface.php
similarity index 88%
rename from src/Mail/MailProviderInterface.php
rename to src/Module/Mail/Domain/Provider/MailProviderInterface.php
index c233846..d5b698d 100644
--- a/src/Mail/MailProviderInterface.php
+++ b/src/Module/Mail/Domain/Provider/MailProviderInterface.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Domain\Provider;
 
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\Dto\MailMessageDetailDto;
-use App\Mail\Dto\MailMessageHeaderDto;
-use App\Mail\Exception\MailProviderException;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Dto\MailMessageDetailDto;
+use App\Module\Mail\Application\Dto\MailMessageHeaderDto;
+use App\Module\Mail\Domain\Exception\MailProviderException;
 
 interface MailProviderInterface
 {
diff --git a/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..479a5e1
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+
+interface MailConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?MailConfiguration;
+}
diff --git a/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
new file mode 100644
index 0000000..6b940a0
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailFolderRepositoryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailFolder;
+
+interface MailFolderRepositoryInterface
+{
+    /**
+     * @return list<MailFolder>
+     */
+    public function findAllOrderedByPath(): array;
+
+    public function findByPath(string $path): ?MailFolder;
+}
diff --git a/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php b/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
new file mode 100644
index 0000000..b55a1b2
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/MailMessageRepositoryInterface.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+
+interface MailMessageRepositoryInterface
+{
+    public function findById(int $id): ?MailMessage;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findAll(): array;
+
+    public function findByMessageId(string $messageId): ?MailMessage;
+
+    public function findByFolderAndUid(MailFolder $folder, int $uid): ?MailMessage;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findByFolderPaginated(MailFolder $folder, int $limit, int $offset): array;
+
+    public function countUnreadByFolder(MailFolder $folder): int;
+
+    public function findMaxUidInFolder(MailFolder $folder): int;
+
+    /**
+     * @return list<MailMessage>
+     */
+    public function findLastNByFolder(MailFolder $folder, int $limit): array;
+
+    /**
+     * @return list<int>
+     */
+    public function findAllUidsByFolder(MailFolder $folder): array;
+
+    /**
+     * Pagination cursor : retourne $limit messages apres le cursor (sentAt DESC, id DESC).
+     * Cursor format : base64url(sentAt_iso8601:id) - null pour la premiere page.
+     *
+     * @return array{messages: list<MailMessage>, nextCursor: ?string}
+     */
+    public function findByFolderCursor(MailFolder $folder, int $limit, ?string $cursor): array;
+}
diff --git a/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php b/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
new file mode 100644
index 0000000..092ecc0
--- /dev/null
+++ b/src/Module/Mail/Domain/Repository/TaskMailLinkRepositoryInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail\Domain\Repository;
+
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Shared\Domain\Contract\TaskInterface;
+
+interface TaskMailLinkRepositoryInterface
+{
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByTask(TaskInterface $task): array;
+
+    public function findByTaskAndMessage(TaskInterface $task, MailMessage $message): ?TaskMailLink;
+
+    /**
+     * @return list<TaskMailLink>
+     */
+    public function findByMessage(MailMessage $message): array;
+}
diff --git a/src/ApiResource/MailSettings.php b/src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
similarity index 90%
rename from src/ApiResource/MailSettings.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
index 615b9d1..aae9704 100644
--- a/src/ApiResource/MailSettings.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/Resource/MailSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Patch;
-use App\State\Mail\MailSettingsProcessor;
-use App\State\Mail\MailSettingsProvider;
+use App\Module\Mail\Infrastructure\ApiPlatform\State\MailSettingsProcessor;
+use App\Module\Mail\Infrastructure\ApiPlatform\State\MailSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/State/Mail/MailSettingsProcessor.php b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
similarity index 89%
rename from src/State/Mail/MailSettingsProcessor.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
index 9b7a7df..c08f3de 100644
--- a/src/State/Mail/MailSettingsProcessor.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State\Mail;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\MailSettings;
-use App\Entity\MailConfiguration;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\ApiPlatform\Resource\MailSettings;
 use App\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -16,7 +16,7 @@ final readonly class MailSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private MailConfigurationRepository $configRepository,
+        private MailConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/Mail/MailSettingsProvider.php b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
similarity index 80%
rename from src/State/Mail/MailSettingsProvider.php
rename to src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
index 9a60292..4274a69 100644
--- a/src/State/Mail/MailSettingsProvider.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State\Mail;
+namespace App\Module\Mail\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\MailSettings;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\ApiPlatform\Resource\MailSettings;
 
 final readonly class MailSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private MailConfigurationRepository $configRepository,
+        private MailConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): MailSettings
diff --git a/src/Command/MailRedecodeHeadersCommand.php b/src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
similarity index 90%
rename from src/Command/MailRedecodeHeadersCommand.php
rename to src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
index 5bb7f59..b4aaa9f 100644
--- a/src/Command/MailRedecodeHeadersCommand.php
+++ b/src/Module/Mail/Infrastructure/Console/MailRedecodeHeadersCommand.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Mail\Infrastructure\Console;
 
-use App\Mail\MimeHeaderDecoder;
-use App\Repository\MailMessageRepository;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Imap\MimeHeaderDecoder;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
@@ -21,7 +21,7 @@ use Symfony\Component\Console\Style\SymfonyStyle;
 final class MailRedecodeHeadersCommand extends Command
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $entityManager,
     ) {
         parent::__construct();
diff --git a/src/Command/MailSyncCommand.php b/src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
similarity index 88%
rename from src/Command/MailSyncCommand.php
rename to src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
index 1f787af..517f806 100644
--- a/src/Command/MailSyncCommand.php
+++ b/src/Module/Mail/Infrastructure/Console/MailSyncCommand.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Command;
+namespace App\Module\Mail\Infrastructure\Console;
 
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
@@ -22,8 +22,8 @@ final class MailSyncCommand extends Command
 {
     public function __construct(
         private readonly MailSyncService $mailSyncService,
-        private readonly MailConfigurationRepository $configRepository,
-        private readonly MailFolderRepository $folderRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
     ) {
         parent::__construct();
     }
diff --git a/src/Controller/Mail/MailAttachmentDownloadController.php b/src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
similarity index 87%
rename from src/Controller/Mail/MailAttachmentDownloadController.php
rename to src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
index f2be423..9a8ef2f 100644
--- a/src/Controller/Mail/MailAttachmentDownloadController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailAttachmentDownloadController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
@@ -20,7 +20,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailAttachmentDownloadController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -37,7 +37,7 @@ class MailAttachmentDownloadController extends AbstractController
         [$messageDbIdStr, $partNumber] = explode(':', $decoded, 2);
         $messageDbId                   = (int) $messageDbIdStr;
 
-        $message = $this->messageRepository->find($messageDbId);
+        $message = $this->messageRepository->findById($messageDbId);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailCreateTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
similarity index 92%
rename from src/Controller/Mail/MailCreateTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
index 3c283ac..7a515d0 100644
--- a/src/Controller/Mail/MailCreateTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailCreateTaskController.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\TaskMailLink;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
 use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -28,7 +28,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailCreateTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
         private readonly TaskRepositoryInterface $taskRepository,
@@ -38,7 +38,7 @@ class MailCreateTaskController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailFoldersListController.php b/src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
similarity index 83%
rename from src/Controller/Mail/MailFoldersListController.php
rename to src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
index 879ac19..3a91d6c 100644
--- a/src/Controller/Mail/MailFoldersListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailFoldersListController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Repository\MailFolderRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -17,7 +17,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailFoldersListController extends AbstractController
 {
     public function __construct(
-        private readonly MailFolderRepository $folderRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
diff --git a/src/Controller/Mail/MailLinkTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
similarity index 74%
rename from src/Controller/Mail/MailLinkTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
index 2cb3524..5496bc8 100644
--- a/src/Controller/Mail/MailLinkTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailLinkTaskController.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Entity\TaskMailLink;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\MailMessageRepository;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -24,8 +24,9 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailLinkTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -34,7 +35,7 @@ class MailLinkTaskController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
@@ -46,7 +47,7 @@ class MailLinkTaskController extends AbstractController
             throw new UnprocessableEntityHttpException('taskId is required');
         }
 
-        $task = $this->em->getRepository(Task::class)->find($taskId);
+        $task = $this->taskRepository->findById((int) $taskId);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Controller/Mail/MailMessageDetailController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
similarity index 87%
rename from src/Controller/Mail/MailMessageDetailController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
index c6a7e29..8fabc6b 100644
--- a/src/Controller/Mail/MailMessageDetailController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageDetailController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Psr\Cache\CacheItemPoolInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -22,7 +22,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageDetailController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly MailAccessChecker $accessChecker,
         private readonly CacheItemPoolInterface $cache,
@@ -32,7 +32,7 @@ class MailMessageDetailController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessageFlagController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
similarity index 78%
rename from src/Controller/Mail/MailMessageFlagController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
index 262b13a..6eedfbe 100644
--- a/src/Controller/Mail/MailMessageFlagController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageFlagController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,7 +21,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageFlagController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
@@ -31,7 +31,7 @@ class MailMessageFlagController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessageReadController.php b/src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
similarity index 78%
rename from src/Controller/Mail/MailMessageReadController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
index 3ec9504..cc6ad7e 100644
--- a/src/Controller/Mail/MailMessageReadController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessageReadController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,7 +21,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessageReadController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailProviderInterface $mailProvider,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
@@ -31,7 +31,7 @@ class MailMessageReadController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
diff --git a/src/Controller/Mail/MailMessagesListController.php b/src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
similarity index 84%
rename from src/Controller/Mail/MailMessagesListController.php
rename to src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
index ccb4e02..1600164 100644
--- a/src/Controller/Mail/MailMessagesListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailMessagesListController.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use DateTimeInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -20,8 +20,8 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailMessagesListController extends AbstractController
 {
     public function __construct(
-        private readonly MailFolderRepository $folderRepository,
-        private readonly MailMessageRepository $messageRepository,
+        private readonly MailFolderRepositoryInterface $folderRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
diff --git a/src/Controller/Mail/MailSyncTriggerController.php b/src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
similarity index 87%
rename from src/Controller/Mail/MailSyncTriggerController.php
rename to src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
index 165293b..3d35524 100644
--- a/src/Controller/Mail/MailSyncTriggerController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailSyncTriggerController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Message\MailSyncRequested;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Application\Message\MailSyncRequested;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
diff --git a/src/Controller/Mail/MailTestConnectionController.php b/src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
similarity index 88%
rename from src/Controller/Mail/MailTestConnectionController.php
rename to src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
index 6d25518..20d3f2d 100644
--- a/src/Controller/Mail/MailTestConnectionController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailTestConnectionController.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Mail\Exception\MailProviderException;
-use App\Mail\MailProviderInterface;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
diff --git a/src/Controller/Mail/MailUnlinkTaskController.php b/src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
similarity index 69%
rename from src/Controller/Mail/MailUnlinkTaskController.php
rename to src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
index 09f646b..c7db3d0 100644
--- a/src/Controller/Mail/MailUnlinkTaskController.php
+++ b/src/Module/Mail/Infrastructure/Controller/MailUnlinkTaskController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\MailMessageRepository;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -21,8 +21,9 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class MailUnlinkTaskController extends AbstractController
 {
     public function __construct(
-        private readonly MailMessageRepository $messageRepository,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly MailMessageRepositoryInterface $messageRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
         private readonly EntityManagerInterface $em,
         private readonly MailAccessChecker $accessChecker,
     ) {}
@@ -31,12 +32,12 @@ class MailUnlinkTaskController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $message = $this->messageRepository->find($id);
+        $message = $this->messageRepository->findById($id);
         if (null === $message) {
             throw new NotFoundHttpException('Message not found');
         }
 
-        $task = $this->em->getRepository(Task::class)->find($taskId);
+        $task = $this->taskRepository->findById($taskId);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Controller/Mail/TaskMailsListController.php b/src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
similarity index 79%
rename from src/Controller/Mail/TaskMailsListController.php
rename to src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
index 8a9b0a4..b7f3975 100644
--- a/src/Controller/Mail/TaskMailsListController.php
+++ b/src/Module/Mail/Infrastructure/Controller/TaskMailsListController.php
@@ -2,13 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Mail;
+namespace App\Module\Mail\Infrastructure\Controller;
 
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\TaskMailLinkRepository;
-use App\Security\MailAccessChecker;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Module\Mail\Infrastructure\Security\MailAccessChecker;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use DateTimeInterface;
-use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -20,8 +19,8 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class TaskMailsListController extends AbstractController
 {
     public function __construct(
-        private readonly EntityManagerInterface $em,
-        private readonly TaskMailLinkRepository $linkRepository,
+        private readonly TaskRepositoryInterface $taskRepository,
+        private readonly TaskMailLinkRepositoryInterface $linkRepository,
         private readonly MailAccessChecker $accessChecker,
     ) {}
 
@@ -29,7 +28,7 @@ class TaskMailsListController extends AbstractController
     {
         $this->accessChecker->ensureCanAccessMail($this->getUser());
 
-        $task = $this->em->getRepository(Task::class)->find($id);
+        $task = $this->taskRepository->findById($id);
         if (null === $task) {
             throw new NotFoundHttpException('Task not found');
         }
diff --git a/src/Repository/MailConfigurationRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
similarity index 58%
rename from src/Repository/MailConfigurationRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
index 9be3993..8852d15 100644
--- a/src/Repository/MailConfigurationRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailConfiguration>
+ */
+class DoctrineMailConfigurationRepository extends ServiceEntityRepository implements MailConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/MailFolderRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
similarity index 66%
rename from src/Repository/MailFolderRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
index d228d35..662fd77 100644
--- a/src/Repository/MailFolderRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailFolderRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailFolderRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailFolder>
+ */
+class DoctrineMailFolderRepository extends ServiceEntityRepository implements MailFolderRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/MailMessageRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
similarity index 90%
rename from src/Repository/MailMessageRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
index 78e07cd..f98c36b 100644
--- a/src/Repository/MailMessageRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineMailMessageRepository.php
@@ -2,22 +2,31 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use DateTimeImmutable;
 use DateTimeInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class MailMessageRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<MailMessage>
+ */
+class DoctrineMailMessageRepository extends ServiceEntityRepository implements MailMessageRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, MailMessage::class);
     }
 
+    public function findById(int $id): ?MailMessage
+    {
+        return $this->find($id);
+    }
+
     public function findByMessageId(string $messageId): ?MailMessage
     {
         return $this->findOneBy(['messageId' => $messageId]);
diff --git a/src/Repository/TaskMailLinkRepository.php b/src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
similarity index 59%
rename from src/Repository/TaskMailLinkRepository.php
rename to src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
index da49bd5..68b4eb2 100644
--- a/src/Repository/TaskMailLinkRepository.php
+++ b/src/Module/Mail/Infrastructure/Doctrine/DoctrineTaskMailLinkRepository.php
@@ -2,15 +2,19 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Mail\Infrastructure\Doctrine;
 
-use App\Entity\MailMessage;
-use App\Entity\TaskMailLink;
-use App\Module\ProjectManagement\Domain\Entity\Task;
+use App\Module\Mail\Domain\Entity\MailMessage;
+use App\Module\Mail\Domain\Entity\TaskMailLink;
+use App\Module\Mail\Domain\Repository\TaskMailLinkRepositoryInterface;
+use App\Shared\Domain\Contract\TaskInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class TaskMailLinkRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<TaskMailLink>
+ */
+class DoctrineTaskMailLinkRepository extends ServiceEntityRepository implements TaskMailLinkRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
@@ -20,7 +24,7 @@ class TaskMailLinkRepository extends ServiceEntityRepository
     /**
      * @return list<TaskMailLink>
      */
-    public function findByTask(Task $task): array
+    public function findByTask(TaskInterface $task): array
     {
         return $this->createQueryBuilder('l')
             ->andWhere('l.task = :task')
@@ -31,7 +35,7 @@ class TaskMailLinkRepository extends ServiceEntityRepository
         ;
     }
 
-    public function findByTaskAndMessage(Task $task, MailMessage $message): ?TaskMailLink
+    public function findByTaskAndMessage(TaskInterface $task, MailMessage $message): ?TaskMailLink
     {
         return $this->findOneBy(['task' => $task, 'mailMessage' => $message]);
     }
diff --git a/src/Mail/ImapMailProvider.php b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
similarity index 96%
rename from src/Mail/ImapMailProvider.php
rename to src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
index 5db92c8..f08c35e 100644
--- a/src/Mail/ImapMailProvider.php
+++ b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
@@ -2,14 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Infrastructure\Imap;
 
-use App\Mail\Dto\MailAttachmentDto;
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\Dto\MailMessageDetailDto;
-use App\Mail\Dto\MailMessageHeaderDto;
-use App\Mail\Exception\MailProviderException;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Application\Dto\MailAttachmentDto;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Dto\MailMessageDetailDto;
+use App\Module\Mail\Application\Dto\MailMessageHeaderDto;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
 use App\Service\TokenEncryptor;
 use DateTimeImmutable;
 use Psr\Log\LoggerInterface;
@@ -24,7 +25,7 @@ final class ImapMailProvider implements MailProviderInterface
     private ?Client $client = null;
 
     public function __construct(
-        private readonly MailConfigurationRepository $configRepository,
+        private readonly MailConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly LoggerInterface $logger,
     ) {}
diff --git a/src/Mail/MimeHeaderDecoder.php b/src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
similarity index 96%
rename from src/Mail/MimeHeaderDecoder.php
rename to src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
index 655282b..7809870 100644
--- a/src/Mail/MimeHeaderDecoder.php
+++ b/src/Module/Mail/Infrastructure/Imap/MimeHeaderDecoder.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mail;
+namespace App\Module\Mail\Infrastructure\Imap;
 
 use const ICONV_MIME_DECODE_CONTINUE_ON_ERROR;
 
diff --git a/src/Security/MailAccessChecker.php b/src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
similarity index 96%
rename from src/Security/MailAccessChecker.php
rename to src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
index 7055dbc..78e7f7a 100644
--- a/src/Security/MailAccessChecker.php
+++ b/src/Module/Mail/Infrastructure/Security/MailAccessChecker.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Security;
+namespace App\Module\Mail\Infrastructure\Security;
 
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
diff --git a/src/Module/Mail/MailModule.php b/src/Module/Mail/MailModule.php
new file mode 100644
index 0000000..3d6b555
--- /dev/null
+++ b/src/Module/Mail/MailModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Mail;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class MailModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'mail';
+    }
+
+    public static function label(): string
+    {
+        return 'Messagerie';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Mail.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'mail.access', 'label' => 'Accéder à la messagerie'],
+            ['code' => 'mail.configure', 'label' => 'Configurer la messagerie'],
+        ];
+    }
+}
diff --git a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
index 5d37334..52322fe 100644
--- a/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
+++ b/tests/Functional/Controller/Mail/MailTaskIntegrationControllerTest.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Tests\Functional\Controller\Mail;
 
-use App\Entity\MailFolder;
-use App\Entity\MailMessage;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Entity\MailMessage;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use DateTimeImmutable;
diff --git a/tests/Unit/Mail/ImapMailProviderTest.php b/tests/Unit/Mail/ImapMailProviderTest.php
index 3720d35..be7982c 100644
--- a/tests/Unit/Mail/ImapMailProviderTest.php
+++ b/tests/Unit/Mail/ImapMailProviderTest.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Entity\MailConfiguration;
-use App\Mail\Exception\MailProviderException;
-use App\Mail\ImapMailProvider;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Exception\MailProviderException;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Infrastructure\Imap\ImapMailProvider;
 use App\Service\TokenEncryptor;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\NullLogger;
@@ -22,7 +22,7 @@ class ImapMailProviderTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(false);
 
-        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $repo->method('findSingleton')->willReturn($config);
 
         $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
@@ -33,7 +33,7 @@ class ImapMailProviderTest extends TestCase
 
     public function testThrowsWhenConfigMissing(): void
     {
-        $repo = $this->createMock(MailConfigurationRepository::class);
+        $repo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $repo->method('findSingleton')->willReturn(null);
 
         $provider = new ImapMailProvider($repo, $this->makeEncryptor(), new NullLogger());
diff --git a/tests/Unit/Mail/MailSyncReportTest.php b/tests/Unit/Mail/MailSyncReportTest.php
index bea5283..032d5a2 100644
--- a/tests/Unit/Mail/MailSyncReportTest.php
+++ b/tests/Unit/Mail/MailSyncReportTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Mail\Dto\MailSyncReport;
+use App\Module\Mail\Application\Dto\MailSyncReport;
 use DateTimeImmutable;
 use PHPUnit\Framework\TestCase;
 
diff --git a/tests/Unit/Mail/MimeHeaderDecoderTest.php b/tests/Unit/Mail/MimeHeaderDecoderTest.php
index 75793e3..535b849 100644
--- a/tests/Unit/Mail/MimeHeaderDecoderTest.php
+++ b/tests/Unit/Mail/MimeHeaderDecoderTest.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Mail;
 
-use App\Mail\MimeHeaderDecoder;
+use App\Module\Mail\Infrastructure\Imap\MimeHeaderDecoder;
 use PHPUnit\Framework\TestCase;
 
 /**
diff --git a/tests/Unit/Repository/MailConfigurationRepositoryTest.php b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
index f903ee6..daec61c 100644
--- a/tests/Unit/Repository/MailConfigurationRepositoryTest.php
+++ b/tests/Unit/Repository/MailConfigurationRepositoryTest.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Repository;
 
-use App\Entity\MailConfiguration;
-use App\Repository\MailConfigurationRepository;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 
@@ -14,14 +14,14 @@ use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
  */
 class MailConfigurationRepositoryTest extends KernelTestCase
 {
-    private MailConfigurationRepository $repository;
+    private DoctrineMailConfigurationRepository $repository;
     private EntityManagerInterface $em;
 
     protected function setUp(): void
     {
         self::bootKernel();
         $container        = static::getContainer();
-        $this->repository = $container->get(MailConfigurationRepository::class);
+        $this->repository = $container->get(DoctrineMailConfigurationRepository::class);
         $this->em         = $container->get('doctrine.orm.entity_manager');
         $this->em->getConnection()->executeStatement('TRUNCATE TABLE mail_configuration RESTART IDENTITY CASCADE');
     }
diff --git a/tests/Unit/Service/MailSyncServiceTest.php b/tests/Unit/Service/MailSyncServiceTest.php
index 76abdf4..39c6eeb 100644
--- a/tests/Unit/Service/MailSyncServiceTest.php
+++ b/tests/Unit/Service/MailSyncServiceTest.php
@@ -4,14 +4,14 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Entity\MailConfiguration;
-use App\Entity\MailFolder;
-use App\Mail\Dto\MailFolderDto;
-use App\Mail\MailProviderInterface;
-use App\Repository\MailConfigurationRepository;
-use App\Repository\MailFolderRepository;
-use App\Repository\MailMessageRepository;
-use App\Service\MailSyncService;
+use App\Module\Mail\Application\Dto\MailFolderDto;
+use App\Module\Mail\Application\Service\MailSyncService;
+use App\Module\Mail\Domain\Entity\MailConfiguration;
+use App\Module\Mail\Domain\Entity\MailFolder;
+use App\Module\Mail\Domain\Provider\MailProviderInterface;
+use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface;
+use App\Module\Mail\Domain\Repository\MailMessageRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\Persistence\ManagerRegistry;
 use PHPUnit\Framework\TestCase;
@@ -29,12 +29,12 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(false);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $provider    = $this->createMock(MailProviderInterface::class);
-        $folderRepo  = $this->createMock(MailFolderRepository::class);
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $folderRepo  = $this->createMock(MailFolderRepositoryInterface::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $lockFactory = $this->makeLockFactory();
 
@@ -62,12 +62,12 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $provider    = $this->createMock(MailProviderInterface::class);
-        $folderRepo  = $this->createMock(MailFolderRepository::class);
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $folderRepo  = $this->createMock(MailFolderRepositoryInterface::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $lockFactory = $this->makeLockFactory(false);
 
@@ -93,7 +93,7 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $folderDto = new MailFolderDto(
@@ -107,11 +107,11 @@ class MailSyncServiceTest extends TestCase
         $provider = $this->createMock(MailProviderInterface::class);
         $provider->method('listFolders')->willReturn([$folderDto]);
 
-        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $folderRepo = $this->createMock(MailFolderRepositoryInterface::class);
         $folderRepo->method('findByPath')->willReturn(null);
         $folderRepo->method('findAllOrderedByPath')->willReturn([]);
 
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $em          = $this->createMock(EntityManagerInterface::class);
         $em->expects(self::once())->method('persist');
         $em->expects(self::once())->method('flush');
@@ -137,13 +137,13 @@ class MailSyncServiceTest extends TestCase
         $config = new MailConfiguration();
         $config->setEnabled(true);
 
-        $configRepo = $this->createMock(MailConfigurationRepository::class);
+        $configRepo = $this->createMock(MailConfigurationRepositoryInterface::class);
         $configRepo->method('findSingleton')->willReturn($config);
 
         $folder = new MailFolder();
         $folder->setPath('INBOX');
 
-        $messageRepo = $this->createMock(MailMessageRepository::class);
+        $messageRepo = $this->createMock(MailMessageRepositoryInterface::class);
         $messageRepo->method('findMaxUidInFolder')->willReturn(10);
         $messageRepo->method('findAllUidsByFolder')->willReturn([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
         $messageRepo->method('findLastNByFolder')->willReturn([]);
@@ -151,7 +151,7 @@ class MailSyncServiceTest extends TestCase
         $provider = $this->createMock(MailProviderInterface::class);
         $provider->method('listMessages')->willReturn([]);
 
-        $folderRepo = $this->createMock(MailFolderRepository::class);
+        $folderRepo = $this->createMock(MailFolderRepositoryInterface::class);
         $em         = $this->createMock(EntityManagerInterface::class);
         $em->expects(self::never())->method('remove');
 
-- 
2.39.5


From bb7d7e79532d207aba911a1e281fddc38eb3bcdc Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 19:52:13 +0200
Subject: [PATCH 57/99] feat(mail) : extract Mail front into Nuxt module layer

LST-67 (2.5) front. Completes the Mail module.

- New frontend/modules/mail/ layer (auto-detected): /mail page (3 columns),
  7 components, mail service + DTO, mail store (folders/messages/unread polling).
- sanitizeMailHtml util and useSystemFolderLabel composable stay global;
  AdminMailTab stays in /admin (service import repointed).
- Consumers repointed: AdminMailTab and PM TaskModal -> ~/modules/mail/...;
  the store is auto-imported (Pinia storesDirs) so the layout badge/polling is
  unchanged.
- /mail gated by the mail module: sidebar.php item with module=mail (so
  SidebarFilter disables /mail when the module is off); the layout filters /mail
  from the API sections to avoid a visual duplicate. ROLE_CLIENT exclusion kept.
- i18n key sidebar.general.mail added.

nuxt build passes; /mail and all other routes preserved.
---
 config/sidebar.php                                |  7 ++++++-
 frontend/app/layouts/default.vue                  | 15 ++++++++++-----
 frontend/components/admin/AdminMailTab.vue        |  2 +-
 frontend/i18n/locales/fr.json                     |  3 ++-
 .../mail/components}/MailAttachmentPreview.vue    |  0
 .../mail/components}/MailCreateTaskModal.vue      |  4 ++--
 .../mail/components}/MailFolderTree.vue           |  2 +-
 .../mail/components}/MailLinkTaskModal.vue        |  2 +-
 .../mail/components}/MailMessageList.vue          |  2 +-
 .../mail/components}/MailMessageViewer.vue        |  4 ++--
 .../mail/components}/MailRefreshButton.vue        |  2 +-
 frontend/modules/mail/nuxt.config.ts              |  1 +
 frontend/{ => modules/mail}/pages/mail.vue        |  2 +-
 frontend/{ => modules/mail}/services/dto/mail.ts  |  0
 frontend/{ => modules/mail}/services/mail.ts      |  2 +-
 frontend/{ => modules/mail}/stores/mail.ts        |  4 ++--
 .../project-management/components/TaskModal.vue   |  4 ++--
 17 files changed, 34 insertions(+), 22 deletions(-)
 rename frontend/{components/mail => modules/mail/components}/MailAttachmentPreview.vue (100%)
 rename frontend/{components/mail => modules/mail/components}/MailCreateTaskModal.vue (97%)
 rename frontend/{components/mail => modules/mail/components}/MailFolderTree.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailLinkTaskModal.vue (99%)
 rename frontend/{components/mail => modules/mail/components}/MailMessageList.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailMessageViewer.vue (98%)
 rename frontend/{components/mail => modules/mail/components}/MailRefreshButton.vue (89%)
 create mode 100644 frontend/modules/mail/nuxt.config.ts
 rename frontend/{ => modules/mail}/pages/mail.vue (99%)
 rename frontend/{ => modules/mail}/services/dto/mail.ts (100%)
 rename frontend/{ => modules/mail}/services/mail.ts (99%)
 rename frontend/{ => modules/mail}/stores/mail.ts (99%)

diff --git a/config/sidebar.php b/config/sidebar.php
index 12d9a50..835e132 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -10,8 +10,11 @@ declare(strict_types=1);
  *   - `permission` : section ou item masqué si la permission effective absente (RBAC fin —
  *                    `User::getEffectivePermissions()` ; ROLE_ADMIN bypasse via le voter, mais la
  *                    sidebar évalue les permissions effectives réelles — combiner avec `roles` au besoin).
- * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents, Mail) et user-flag
+ * Les items contextuels (Kanban/Groupes/Archives), feature-flag (Documents) et user-flag
  * (Mes absences) restent rendus côté layout, hors de cet endpoint.
+ * Mail est déclaré ici UNIQUEMENT pour le gating module (disabledRoutes si module inactif) ;
+ * son rendu visuel + badge non-lus reste géré côté layout, qui filtre `/mail` de translatedSections
+ * pour éviter le doublon.
  * Les labels sont des clés i18n (sidebar.<domaine>.<item>).
  */
 return [
@@ -23,6 +26,8 @@ return [
             ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
             ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
             ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
+            // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
+            ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
         ],
     ],
     [
diff --git a/frontend/app/layouts/default.vue b/frontend/app/layouts/default.vue
index 7ae9da6..a7c1729 100644
--- a/frontend/app/layouts/default.vue
+++ b/frontend/app/layouts/default.vue
@@ -139,15 +139,20 @@ const route = useRoute()
 const { t } = useI18n()
 const { sections } = useSidebar()
 
+// `/mail` est déclaré dans config/sidebar.php pour le gating module (disabledRoutes),
+// mais son rendu visuel + badge non-lus est géré manuellement ci-dessous (feature-flag Mail).
+// On le filtre des sections dynamiques pour éviter un doublon dans la nav.
 const translatedSections = computed(() =>
     sections.value.map((section) => ({
         label: t(section.label),
         icon: section.icon,
-        items: section.items.map((item) => ({
-            label: t(item.label),
-            to: item.to,
-            icon: item.icon,
-        })),
+        items: section.items
+            .filter((item) => item.to !== '/mail')
+            .map((item) => ({
+                label: t(item.label),
+                to: item.to,
+                icon: item.icon,
+            })),
     })),
 )
 
diff --git a/frontend/components/admin/AdminMailTab.vue b/frontend/components/admin/AdminMailTab.vue
index 0d54a64..a6cecd5 100644
--- a/frontend/components/admin/AdminMailTab.vue
+++ b/frontend/components/admin/AdminMailTab.vue
@@ -140,7 +140,7 @@
 </template>
 
 <script setup lang="ts">
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const { getConfiguration, updateConfiguration, testConfiguration } = useMailService()
 
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 9f167de..7d46a2a 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -353,7 +353,8 @@
       "dashboard": "Tableau de bord",
       "myTasks": "Mes tâches",
       "projects": "Projets",
-      "timeTracking": "Suivi de temps"
+      "timeTracking": "Suivi de temps",
+      "mail": "Messagerie"
     },
     "admin": {
       "section": "Administration",
diff --git a/frontend/components/mail/MailAttachmentPreview.vue b/frontend/modules/mail/components/MailAttachmentPreview.vue
similarity index 100%
rename from frontend/components/mail/MailAttachmentPreview.vue
rename to frontend/modules/mail/components/MailAttachmentPreview.vue
diff --git a/frontend/components/mail/MailCreateTaskModal.vue b/frontend/modules/mail/components/MailCreateTaskModal.vue
similarity index 97%
rename from frontend/components/mail/MailCreateTaskModal.vue
rename to frontend/modules/mail/components/MailCreateTaskModal.vue
index 93f666b..ad839f8 100644
--- a/frontend/components/mail/MailCreateTaskModal.vue
+++ b/frontend/modules/mail/components/MailCreateTaskModal.vue
@@ -1,10 +1,10 @@
 <script setup lang="ts">
-import type { MailMessageDetailDto } from '~/services/dto/mail'
+import type { MailMessageDetailDto } from '~/modules/mail/services/dto/mail'
 import type { Task } from '~/modules/project-management/services/dto/task'
 import type { Project } from '~/modules/project-management/services/dto/project'
 import type { TaskGroup } from '~/modules/project-management/services/dto/task-group'
 import type { UserData } from '~/services/dto/user-data'
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 import { useProjectService } from '~/modules/project-management/services/projects'
 import { useTaskGroupService } from '~/modules/project-management/services/task-groups'
 import { useUserService } from '~/services/users'
diff --git a/frontend/components/mail/MailFolderTree.vue b/frontend/modules/mail/components/MailFolderTree.vue
similarity index 98%
rename from frontend/components/mail/MailFolderTree.vue
rename to frontend/modules/mail/components/MailFolderTree.vue
index 604aaba..ac267ff 100644
--- a/frontend/components/mail/MailFolderTree.vue
+++ b/frontend/modules/mail/components/MailFolderTree.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { MailFolderDto } from '~/services/dto/mail'
+import type { MailFolderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     /** Arbre de dossiers (getter folderTree du store) */
diff --git a/frontend/components/mail/MailLinkTaskModal.vue b/frontend/modules/mail/components/MailLinkTaskModal.vue
similarity index 99%
rename from frontend/components/mail/MailLinkTaskModal.vue
rename to frontend/modules/mail/components/MailLinkTaskModal.vue
index 00c641c..2cbbfca 100644
--- a/frontend/components/mail/MailLinkTaskModal.vue
+++ b/frontend/modules/mail/components/MailLinkTaskModal.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
 import type { Project } from '~/modules/project-management/services/dto/project'
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 import { useTaskService } from '~/modules/project-management/services/tasks'
 import { useProjectService } from '~/modules/project-management/services/projects'
 
diff --git a/frontend/components/mail/MailMessageList.vue b/frontend/modules/mail/components/MailMessageList.vue
similarity index 98%
rename from frontend/components/mail/MailMessageList.vue
rename to frontend/modules/mail/components/MailMessageList.vue
index 1367ff1..f4099d2 100644
--- a/frontend/components/mail/MailMessageList.vue
+++ b/frontend/modules/mail/components/MailMessageList.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { MailMessageHeaderDto } from '~/services/dto/mail'
+import type { MailMessageHeaderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     messages: readonly MailMessageHeaderDto[]
diff --git a/frontend/components/mail/MailMessageViewer.vue b/frontend/modules/mail/components/MailMessageViewer.vue
similarity index 98%
rename from frontend/components/mail/MailMessageViewer.vue
rename to frontend/modules/mail/components/MailMessageViewer.vue
index 34467e1..51e0ef3 100644
--- a/frontend/components/mail/MailMessageViewer.vue
+++ b/frontend/modules/mail/components/MailMessageViewer.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
-import type { MailMessageDetailDto, MailAddressDto, MailAttachmentDto } from '~/services/dto/mail'
+import type { MailMessageDetailDto, MailAddressDto, MailAttachmentDto } from '~/modules/mail/services/dto/mail'
 import { sanitizeMailHtml } from '~/utils/sanitizeMailHtml'
-import { useMailService } from '~/services/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const props = defineProps<{
     /** Détail complet du message. null = aucun message sélectionné. */
diff --git a/frontend/components/mail/MailRefreshButton.vue b/frontend/modules/mail/components/MailRefreshButton.vue
similarity index 89%
rename from frontend/components/mail/MailRefreshButton.vue
rename to frontend/modules/mail/components/MailRefreshButton.vue
index 2d29e26..c3aaf01 100644
--- a/frontend/components/mail/MailRefreshButton.vue
+++ b/frontend/modules/mail/components/MailRefreshButton.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { useMailStore } from '~/stores/mail'
+import { useMailStore } from '~/modules/mail/stores/mail'
 
 const store = useMailStore()
 const { syncing } = storeToRefs(store)
diff --git a/frontend/modules/mail/nuxt.config.ts b/frontend/modules/mail/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/mail/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/pages/mail.vue b/frontend/modules/mail/pages/mail.vue
similarity index 99%
rename from frontend/pages/mail.vue
rename to frontend/modules/mail/pages/mail.vue
index 9673b03..2690254 100644
--- a/frontend/pages/mail.vue
+++ b/frontend/modules/mail/pages/mail.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
-import { useMailStore } from '~/stores/mail'
+import { useMailStore } from '~/modules/mail/stores/mail'
 
 const { t } = useI18n()
 const router = useRouter()
diff --git a/frontend/services/dto/mail.ts b/frontend/modules/mail/services/dto/mail.ts
similarity index 100%
rename from frontend/services/dto/mail.ts
rename to frontend/modules/mail/services/dto/mail.ts
diff --git a/frontend/services/mail.ts b/frontend/modules/mail/services/mail.ts
similarity index 99%
rename from frontend/services/mail.ts
rename to frontend/modules/mail/services/mail.ts
index c3215c7..944d6d9 100644
--- a/frontend/services/mail.ts
+++ b/frontend/modules/mail/services/mail.ts
@@ -11,7 +11,7 @@ import type {
     MailCreateTaskInput,
     MailLinkTaskInput,
     MailSyncResultDto,
-} from './dto/mail'
+} from '~/modules/mail/services/dto/mail'
 import type { Task } from '~/modules/project-management/services/dto/task'
 
 type BackendMailMessage = {
diff --git a/frontend/stores/mail.ts b/frontend/modules/mail/stores/mail.ts
similarity index 99%
rename from frontend/stores/mail.ts
rename to frontend/modules/mail/stores/mail.ts
index 05d89e0..c779c09 100644
--- a/frontend/stores/mail.ts
+++ b/frontend/modules/mail/stores/mail.ts
@@ -3,8 +3,8 @@ import type {
     MailFolderDto,
     MailMessageHeaderDto,
     MailMessageDetailDto,
-} from '~/services/dto/mail'
-import { useMailService } from '~/services/mail'
+} from '~/modules/mail/services/dto/mail'
+import { useMailService } from '~/modules/mail/services/mail'
 
 const POLL_INTERVAL_MS = 30 * 1000 // 30 secondes
 
diff --git a/frontend/modules/project-management/components/TaskModal.vue b/frontend/modules/project-management/components/TaskModal.vue
index 62e6309..7a42fef 100644
--- a/frontend/modules/project-management/components/TaskModal.vue
+++ b/frontend/modules/project-management/components/TaskModal.vue
@@ -551,8 +551,8 @@ import { useTaskService } from '~/modules/project-management/services/tasks'
 import { useTaskRecurrenceService } from '~/modules/project-management/services/task-recurrences'
 
 import type { Project } from '~/modules/project-management/services/dto/project'
-import { useMailService } from '~/services/mail'
-import type { MailMessageHeaderDto } from '~/services/dto/mail'
+import { useMailService } from '~/modules/mail/services/mail'
+import type { MailMessageHeaderDto } from '~/modules/mail/services/dto/mail'
 
 const props = defineProps<{
     modelValue: boolean
-- 
2.39.5


From 90682e809ca8a1048c086a65bd9ef20bb65af28a Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 20:16:20 +0200
Subject: [PATCH 58/99] feat(integration) : migrate
 Gitea/BookStack/Zimbra/Share into module (back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-68 (2.6) backend. Behaviour-preserving move of the external integrations
into src/Module/Integration/. All 26 routes and securities unchanged.

- 5 entities (4 *Configuration singletons + TaskBookStackLink) + 5 repositories
  (Domain interfaces + Doctrine impls, bound). TaskBookStackLink.task now
  references TaskInterface (contract).
- Domain (FileSource interface, SharePathResolver, share DTOs + exceptions);
  Infrastructure (GiteaApiService, BookStackApiService, SmbFileSource, 15
  ApiResources, 21 State, 4 Share controllers).
- Cross-module couplings via abstractions: CalDavService (PM) injects
  ZimbraConfigurationRepositoryInterface; PM TaskDocument consumers repointed
  to the module's FileSource/SharePathResolver; Gitea/BookStack State load
  tasks via TaskRepositoryInterface (concrete Project read for integration
  fields — documented). ZimbraTestConnection keeps CalDavService (no build
  cycle). TokenEncryptor stays shared.
- IntegrationModule registered; doctrine mapping added.
- #[Auditable] + Timestampable on the 4 Configuration entities (additive
  migration on the 4 *_configuration tables).

163 tests green, container compiles (no cycle), no route regression, cs-fixer clean.
---
 config/modules.php                            |   2 +
 config/packages/doctrine.yaml                 |   5 +
 config/services.yaml                          |  12 +-
 migrations/Version20260620201000.php          | 125 ++++++++++++++++++
 src/DataFixtures/AppFixtures.php              |   2 +-
 .../Domain}/Entity/BookStackConfiguration.php |  15 ++-
 .../Domain}/Entity/GiteaConfiguration.php     |  15 ++-
 .../Domain}/Entity/ShareConfiguration.php     |  15 ++-
 .../Domain}/Entity/TaskBookStackLink.php      |  16 +--
 .../Domain}/Entity/ZimbraConfiguration.php    |  15 ++-
 .../Exception/BookStackApiException.php       |   2 +-
 .../Domain}/Exception/GiteaApiException.php   |   2 +-
 .../Exception/InvalidPathException.php        |   2 +-
 .../Exception/ShareConnectionException.php    |   2 +-
 .../Exception/ShareNotConfiguredException.php |   2 +-
 ...kStackConfigurationRepositoryInterface.php |  12 ++
 .../GiteaConfigurationRepositoryInterface.php |  12 ++
 .../ShareConfigurationRepositoryInterface.php |  12 ++
 .../TaskBookStackLinkRepositoryInterface.php  |  17 +++
 ...ZimbraConfigurationRepositoryInterface.php |  12 ++
 .../Integration/Domain/Service}/FileEntry.php |   2 +-
 .../Domain/Service}/FileSource.php            |   2 +-
 .../Domain/Service}/SharePathResolver.php     |   4 +-
 .../Domain/Service}/ShareTestResult.php       |   2 +-
 .../ApiPlatform/Resource}/BookStackLink.php   |   8 +-
 .../Resource}/BookStackSearchResult.php       |   4 +-
 .../Resource}/BookStackSettings.php           |   6 +-
 .../ApiPlatform/Resource}/BookStackShelf.php  |   4 +-
 .../Resource}/BookStackTestConnection.php     |   4 +-
 .../ApiPlatform/Resource}/GiteaBranch.php     |   6 +-
 .../ApiPlatform/Resource}/GiteaBranchName.php |   4 +-
 .../Resource}/GiteaPullRequest.php            |   4 +-
 .../ApiPlatform/Resource}/GiteaRepository.php |   4 +-
 .../ApiPlatform/Resource}/GiteaSettings.php   |   6 +-
 .../Resource}/GiteaTestConnection.php         |   4 +-
 .../ApiPlatform/Resource}/ShareSettings.php   |   6 +-
 .../Resource}/ShareTestConnection.php         |   4 +-
 .../ApiPlatform/Resource}/ZimbraSettings.php  |   6 +-
 .../Resource}/ZimbraTestConnection.php        |   4 +-
 .../State/BookStackLinkProcessor.php          |  17 +--
 .../State/BookStackLinkProvider.php           |  10 +-
 .../State/BookStackSearchResultProvider.php   |  15 +--
 .../State/BookStackSettingsProcessor.php      |  10 +-
 .../State/BookStackSettingsProvider.php       |   8 +-
 .../State/BookStackShelfProvider.php          |   8 +-
 .../State/BookStackTestConnectionProvider.php |   6 +-
 .../State/GiteaBranchNameProvider.php         |  13 +-
 .../State/GiteaBranchProcessor.php            |  15 +--
 .../State/GiteaBranchProvider.php             |  15 +--
 .../State/GiteaPullRequestProvider.php        |  15 +--
 .../State/GiteaRepositoryProvider.php         |   8 +-
 .../State/GiteaSettingsProcessor.php          |  10 +-
 .../State/GiteaSettingsProvider.php           |   8 +-
 .../State/GiteaTestConnectionProvider.php     |   6 +-
 .../State/ShareSettingsProcessor.php          |  10 +-
 .../State/ShareSettingsProvider.php           |   8 +-
 .../State/ShareTestConnectionProvider.php     |   6 +-
 .../State/ZimbraSettingsProcessor.php         |  10 +-
 .../State/ZimbraSettingsProvider.php          |   8 +-
 .../State/ZimbraTestConnectionProvider.php    |   4 +-
 .../Controller}/ShareBrowseController.php     |  14 +-
 .../Controller}/ShareDownloadController.php   |  12 +-
 .../Controller}/ShareSearchController.php     |  10 +-
 .../Controller}/ShareStatusController.php     |   6 +-
 ...ctrineBookStackConfigurationRepository.php |  26 ++++
 .../DoctrineGiteaConfigurationRepository.php} |  10 +-
 .../DoctrineShareConfigurationRepository.php} |  10 +-
 .../DoctrineTaskBookStackLinkRepository.php   |  34 +++++
 ...DoctrineZimbraConfigurationRepository.php} |  10 +-
 .../Service/BookStackApiService.php           |  11 +-
 .../Service/GiteaApiService.php               |  11 +-
 .../Infrastructure/Service}/SmbFileSource.php |  16 ++-
 src/Module/Integration/IntegrationModule.php  |  41 ++++++
 .../State/TaskDocumentProcessor.php           |  12 +-
 .../TaskDocumentDownloadController.php        |   6 +-
 .../Infrastructure/Service/CalDavService.php  |   4 +-
 .../BookStackConfigurationRepository.php      |  22 ---
 .../TaskBookStackLinkRepository.php           |  23 ----
 tests/Unit/Service/SharePathResolverTest.php  |   4 +-
 79 files changed, 589 insertions(+), 284 deletions(-)
 create mode 100644 migrations/Version20260620201000.php
 rename src/{ => Module/Integration/Domain}/Entity/BookStackConfiguration.php (72%)
 rename src/{ => Module/Integration/Domain}/Entity/GiteaConfiguration.php (65%)
 rename src/{ => Module/Integration/Domain}/Entity/ShareConfiguration.php (83%)
 rename src/{ => Module/Integration/Domain}/Entity/TaskBookStackLink.php (81%)
 rename src/{ => Module/Integration/Domain}/Entity/ZimbraConfiguration.php (78%)
 rename src/{ => Module/Integration/Domain}/Exception/BookStackApiException.php (70%)
 rename src/{ => Module/Integration/Domain}/Exception/GiteaApiException.php (69%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/InvalidPathException.php (69%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/ShareConnectionException.php (70%)
 rename src/{Service/Share => Module/Integration/Domain}/Exception/ShareNotConfiguredException.php (71%)
 create mode 100644 src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
 create mode 100644 src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
 rename src/{Service/Share => Module/Integration/Domain/Service}/FileEntry.php (85%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/FileSource.php (92%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/SharePathResolver.php (90%)
 rename src/{Service/Share => Module/Integration/Domain/Service}/ShareTestResult.php (79%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackLink.php (88%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackSearchResult.php (86%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackSettings.php (83%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackShelf.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/BookStackTestConnection.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaBranch.php (84%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaBranchName.php (78%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaPullRequest.php (87%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaRepository.php (81%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaSettings.php (82%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/GiteaTestConnection.php (80%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ShareSettings.php (87%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ShareTestConnection.php (81%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ZimbraSettings.php (85%)
 rename src/{ApiResource => Module/Integration/Infrastructure/ApiPlatform/Resource}/ZimbraTestConnection.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackLinkProcessor.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackLinkProvider.php (81%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSearchResultProvider.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSettingsProcessor.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackSettingsProvider.php (66%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackShelfProvider.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/BookStackTestConnectionProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchNameProvider.php (72%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchProcessor.php (75%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaBranchProvider.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaPullRequestProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaRepositoryProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaSettingsProcessor.php (76%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaSettingsProvider.php (67%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/GiteaTestConnectionProvider.php (78%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareSettingsProcessor.php (81%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareSettingsProvider.php (74%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ShareTestConnectionProvider.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraSettingsProcessor.php (80%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraSettingsProvider.php (72%)
 rename src/{ => Module/Integration/Infrastructure/ApiPlatform}/State/ZimbraTestConnectionProvider.php (86%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareBrowseController.php (83%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareDownloadController.php (88%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareSearchController.php (85%)
 rename src/{Controller/Share => Module/Integration/Infrastructure/Controller}/ShareStatusController.php (75%)
 create mode 100644 src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
 rename src/{Repository/GiteaConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php} (50%)
 rename src/{Repository/ShareConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php} (56%)
 create mode 100644 src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
 rename src/{Repository/ZimbraConfigurationRepository.php => Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php} (56%)
 rename src/{ => Module/Integration/Infrastructure}/Service/BookStackApiService.php (94%)
 rename src/{ => Module/Integration/Infrastructure}/Service/GiteaApiService.php (95%)
 rename src/{Service/Share => Module/Integration/Infrastructure/Service}/SmbFileSource.php (90%)
 create mode 100644 src/Module/Integration/IntegrationModule.php
 delete mode 100644 src/Repository/BookStackConfigurationRepository.php
 delete mode 100644 src/Repository/TaskBookStackLinkRepository.php

diff --git a/config/modules.php b/config/modules.php
index 95abc5b..27ca805 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -10,6 +10,7 @@ declare(strict_types=1);
 use App\Module\Absence\AbsenceModule;
 use App\Module\Core\CoreModule;
 use App\Module\Directory\DirectoryModule;
+use App\Module\Integration\IntegrationModule;
 use App\Module\Mail\MailModule;
 use App\Module\ProjectManagement\ProjectManagementModule;
 use App\Module\TimeTracking\TimeTrackingModule;
@@ -21,4 +22,5 @@ return [
     AbsenceModule::class,
     DirectoryModule::class,
     MailModule::class,
+    IntegrationModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index fdb5142..51df119 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -63,6 +63,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Mail/Domain/Entity'
                 prefix: 'App\Module\Mail\Domain\Entity'
+            Integration:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
+                prefix: 'App\Module\Integration\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/services.yaml b/config/services.yaml
index 3900610..773dc08 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -65,7 +65,17 @@ services:
         arguments:
             $uploadDir: '%absence_justification_upload_dir%'
 
-    App\Service\Share\FileSource: '@App\Service\Share\SmbFileSource'
+    App\Module\Integration\Domain\Service\FileSource: '@App\Module\Integration\Infrastructure\Service\SmbFileSource'
+
+    App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineGiteaConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineBookStackConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineZimbraConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineShareConfigurationRepository'
+
+    App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface: '@App\Module\Integration\Infrastructure\Doctrine\DoctrineTaskBookStackLinkRepository'
 
     App\Module\Core\Domain\Repository\UserRepositoryInterface: '@App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository'
 
diff --git a/migrations/Version20260620201000.php b/migrations/Version20260620201000.php
new file mode 100644
index 0000000..5328ac5
--- /dev/null
+++ b/migrations/Version20260620201000.php
@@ -0,0 +1,125 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Integration module: add Timestampable + Blamable tracking on the four
+ * external-integration configuration tables (Gitea, BookStack, Zimbra, Share).
+ *
+ * Purely additive — adds nullable audit columns to existing tables:
+ *   created_at / updated_at (Timestampable)
+ *   created_by / updated_by -> "user"(id) ON DELETE SET NULL (Blamable)
+ * No DROP/ALTER on existing data. Columns are lowercase snake_case. FK/index
+ * names mirror Doctrine's generated identifiers so schema:validate stays clean.
+ * down() drops the new columns and their FKs/indexes.
+ */
+final class Version20260620201000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Integration: add Timestampable/Blamable columns on gitea/bookstack/zimbra/share configuration (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // gitea_configuration
+        $this->addSql('ALTER TABLE gitea_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE gitea_configuration ADD CONSTRAINT FK_901AB3BDDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE gitea_configuration ADD CONSTRAINT FK_901AB3BD16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_901AB3BDDE12AB56 ON gitea_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_901AB3BD16FE72E1 ON gitea_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN gitea_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // book_stack_configuration
+        $this->addSql('ALTER TABLE book_stack_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD CONSTRAINT FK_63A143E0DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE book_stack_configuration ADD CONSTRAINT FK_63A143E016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_63A143E0DE12AB56 ON book_stack_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_63A143E016FE72E1 ON book_stack_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN book_stack_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // zimbra_configuration
+        $this->addSql('ALTER TABLE zimbra_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD CONSTRAINT FK_E97E3357DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE zimbra_configuration ADD CONSTRAINT FK_E97E335716FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_E97E3357DE12AB56 ON zimbra_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_E97E335716FE72E1 ON zimbra_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN zimbra_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // share_configuration
+        $this->addSql('ALTER TABLE share_configuration ADD created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD created_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD updated_by INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE share_configuration ADD CONSTRAINT FK_F73FE5CDDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE share_configuration ADD CONSTRAINT FK_F73FE5CD16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_F73FE5CDDE12AB56 ON share_configuration (created_by)');
+        $this->addSql('CREATE INDEX IDX_F73FE5CD16FE72E1 ON share_configuration (updated_by)');
+        $this->addSql("COMMENT ON COLUMN share_configuration.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN share_configuration.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE gitea_configuration DROP CONSTRAINT FK_901AB3BDDE12AB56');
+        $this->addSql('ALTER TABLE gitea_configuration DROP CONSTRAINT FK_901AB3BD16FE72E1');
+        $this->addSql('DROP INDEX IDX_901AB3BDDE12AB56');
+        $this->addSql('DROP INDEX IDX_901AB3BD16FE72E1');
+        $this->addSql('ALTER TABLE gitea_configuration DROP created_at');
+        $this->addSql('ALTER TABLE gitea_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE gitea_configuration DROP created_by');
+        $this->addSql('ALTER TABLE gitea_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE book_stack_configuration DROP CONSTRAINT FK_63A143E0DE12AB56');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP CONSTRAINT FK_63A143E016FE72E1');
+        $this->addSql('DROP INDEX IDX_63A143E0DE12AB56');
+        $this->addSql('DROP INDEX IDX_63A143E016FE72E1');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP created_at');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP created_by');
+        $this->addSql('ALTER TABLE book_stack_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE zimbra_configuration DROP CONSTRAINT FK_E97E3357DE12AB56');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP CONSTRAINT FK_E97E335716FE72E1');
+        $this->addSql('DROP INDEX IDX_E97E3357DE12AB56');
+        $this->addSql('DROP INDEX IDX_E97E335716FE72E1');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP created_at');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP created_by');
+        $this->addSql('ALTER TABLE zimbra_configuration DROP updated_by');
+
+        $this->addSql('ALTER TABLE share_configuration DROP CONSTRAINT FK_F73FE5CDDE12AB56');
+        $this->addSql('ALTER TABLE share_configuration DROP CONSTRAINT FK_F73FE5CD16FE72E1');
+        $this->addSql('DROP INDEX IDX_F73FE5CDDE12AB56');
+        $this->addSql('DROP INDEX IDX_F73FE5CD16FE72E1');
+        $this->addSql('ALTER TABLE share_configuration DROP created_at');
+        $this->addSql('ALTER TABLE share_configuration DROP updated_at');
+        $this->addSql('ALTER TABLE share_configuration DROP created_by');
+        $this->addSql('ALTER TABLE share_configuration DROP updated_by');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 2cb0be1..d10ba67 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Entity\ZimbraConfiguration;
 use App\Enum\ContractType;
 use App\Module\Absence\Domain\Entity\AbsenceBalance;
 use App\Module\Absence\Domain\Entity\AbsencePolicy;
@@ -16,6 +15,7 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
 use App\Module\Mail\Domain\Entity\MailConfiguration;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
diff --git a/src/Entity/BookStackConfiguration.php b/src/Module/Integration/Domain/Entity/BookStackConfiguration.php
similarity index 72%
rename from src/Entity/BookStackConfiguration.php
rename to src/Module/Integration/Domain/Entity/BookStackConfiguration.php
index 5bc546e..66ed20f 100644
--- a/src/Entity/BookStackConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/BookStackConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineBookStackConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: BookStackConfigurationRepository::class)]
-class BookStackConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineBookStackConfigurationRepository::class)]
+class BookStackConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/GiteaConfiguration.php b/src/Module/Integration/Domain/Entity/GiteaConfiguration.php
similarity index 65%
rename from src/Entity/GiteaConfiguration.php
rename to src/Module/Integration/Domain/Entity/GiteaConfiguration.php
index 45345ad..00e1f00 100644
--- a/src/Entity/GiteaConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/GiteaConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineGiteaConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: GiteaConfigurationRepository::class)]
-class GiteaConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineGiteaConfigurationRepository::class)]
+class GiteaConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/ShareConfiguration.php b/src/Module/Integration/Domain/Entity/ShareConfiguration.php
similarity index 83%
rename from src/Entity/ShareConfiguration.php
rename to src/Module/Integration/Domain/Entity/ShareConfiguration.php
index 3ff8ea5..f32bc26 100644
--- a/src/Entity/ShareConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/ShareConfiguration.php
@@ -2,14 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineShareConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 
-#[ORM\Entity(repositoryClass: ShareConfigurationRepository::class)]
-class ShareConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineShareConfigurationRepository::class)]
+class ShareConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Entity/TaskBookStackLink.php b/src/Module/Integration/Domain/Entity/TaskBookStackLink.php
similarity index 81%
rename from src/Entity/TaskBookStackLink.php
rename to src/Module/Integration/Domain/Entity/TaskBookStackLink.php
index a9c6519..56fffa5 100644
--- a/src/Entity/TaskBookStackLink.php
+++ b/src/Module/Integration/Domain/Entity/TaskBookStackLink.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineTaskBookStackLinkRepository;
+use App\Shared\Domain\Contract\TaskInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: TaskBookStackLinkRepository::class)]
+#[ORM\Entity(repositoryClass: DoctrineTaskBookStackLinkRepository::class)]
 #[ORM\UniqueConstraint(name: 'UNIQ_task_bookstack_link', columns: ['task_id', 'bookstack_id', 'bookstack_type'])]
 class TaskBookStackLink
 {
@@ -19,9 +19,9 @@ class TaskBookStackLink
     #[ORM\Column]
     private ?int $id = null;
 
-    #[ORM\ManyToOne(targetEntity: Task::class)]
+    #[ORM\ManyToOne(targetEntity: TaskInterface::class)]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
-    private Task $task;
+    private TaskInterface $task;
 
     #[ORM\Column]
     private int $bookstackId;
@@ -49,12 +49,12 @@ class TaskBookStackLink
         return $this->id;
     }
 
-    public function getTask(): Task
+    public function getTask(): TaskInterface
     {
         return $this->task;
     }
 
-    public function setTask(Task $task): static
+    public function setTask(TaskInterface $task): static
     {
         $this->task = $task;
 
diff --git a/src/Entity/ZimbraConfiguration.php b/src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
similarity index 78%
rename from src/Entity/ZimbraConfiguration.php
rename to src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
index d867920..c5c4925 100644
--- a/src/Entity/ZimbraConfiguration.php
+++ b/src/Module/Integration/Domain/Entity/ZimbraConfiguration.php
@@ -2,15 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\Entity;
+namespace App\Module\Integration\Domain\Entity;
 
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Infrastructure\Doctrine\DoctrineZimbraConfigurationRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
-#[ORM\Entity(repositoryClass: ZimbraConfigurationRepository::class)]
-class ZimbraConfiguration
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineZimbraConfigurationRepository::class)]
+class ZimbraConfiguration implements TimestampableInterface, BlamableInterface
 {
+    use TimestampableBlamableTrait;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
diff --git a/src/Exception/BookStackApiException.php b/src/Module/Integration/Domain/Exception/BookStackApiException.php
similarity index 70%
rename from src/Exception/BookStackApiException.php
rename to src/Module/Integration/Domain/Exception/BookStackApiException.php
index 5b9691a..d288730 100644
--- a/src/Exception/BookStackApiException.php
+++ b/src/Module/Integration/Domain/Exception/BookStackApiException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Exception/GiteaApiException.php b/src/Module/Integration/Domain/Exception/GiteaApiException.php
similarity index 69%
rename from src/Exception/GiteaApiException.php
rename to src/Module/Integration/Domain/Exception/GiteaApiException.php
index d5174f0..39e4c05 100644
--- a/src/Exception/GiteaApiException.php
+++ b/src/Module/Integration/Domain/Exception/GiteaApiException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/InvalidPathException.php b/src/Module/Integration/Domain/Exception/InvalidPathException.php
similarity index 69%
rename from src/Service/Share/Exception/InvalidPathException.php
rename to src/Module/Integration/Domain/Exception/InvalidPathException.php
index 49d1280..23e20fe 100644
--- a/src/Service/Share/Exception/InvalidPathException.php
+++ b/src/Module/Integration/Domain/Exception/InvalidPathException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/ShareConnectionException.php b/src/Module/Integration/Domain/Exception/ShareConnectionException.php
similarity index 70%
rename from src/Service/Share/Exception/ShareConnectionException.php
rename to src/Module/Integration/Domain/Exception/ShareConnectionException.php
index c3bb11d..d5c9a3f 100644
--- a/src/Service/Share/Exception/ShareConnectionException.php
+++ b/src/Module/Integration/Domain/Exception/ShareConnectionException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Service/Share/Exception/ShareNotConfiguredException.php b/src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
similarity index 71%
rename from src/Service/Share/Exception/ShareNotConfiguredException.php
rename to src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
index b9a1406..67a1ff7 100644
--- a/src/Service/Share/Exception/ShareNotConfiguredException.php
+++ b/src/Module/Integration/Domain/Exception/ShareNotConfiguredException.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share\Exception;
+namespace App\Module\Integration\Domain\Exception;
 
 use RuntimeException;
 
diff --git a/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..30ba42f
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/BookStackConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+
+interface BookStackConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?BookStackConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..d0ddbe0
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/GiteaConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+
+interface GiteaConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?GiteaConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..c316d9d
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/ShareConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+
+interface ShareConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?ShareConfiguration;
+}
diff --git a/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php b/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
new file mode 100644
index 0000000..4184617
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/TaskBookStackLinkRepositoryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+
+interface TaskBookStackLinkRepositoryInterface
+{
+    public function findById(int $id): ?TaskBookStackLink;
+
+    /**
+     * @return TaskBookStackLink[]
+     */
+    public function findByTaskId(int $taskId): array;
+}
diff --git a/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php b/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
new file mode 100644
index 0000000..d967133
--- /dev/null
+++ b/src/Module/Integration/Domain/Repository/ZimbraConfigurationRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Domain\Repository;
+
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+
+interface ZimbraConfigurationRepositoryInterface
+{
+    public function findSingleton(): ?ZimbraConfiguration;
+}
diff --git a/src/Service/Share/FileEntry.php b/src/Module/Integration/Domain/Service/FileEntry.php
similarity index 85%
rename from src/Service/Share/FileEntry.php
rename to src/Module/Integration/Domain/Service/FileEntry.php
index 8fba713..ff04797 100644
--- a/src/Service/Share/FileEntry.php
+++ b/src/Module/Integration/Domain/Service/FileEntry.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 final readonly class FileEntry
 {
diff --git a/src/Service/Share/FileSource.php b/src/Module/Integration/Domain/Service/FileSource.php
similarity index 92%
rename from src/Service/Share/FileSource.php
rename to src/Module/Integration/Domain/Service/FileSource.php
index 4143f6a..f1e7022 100644
--- a/src/Service/Share/FileSource.php
+++ b/src/Module/Integration/Domain/Service/FileSource.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 interface FileSource
 {
diff --git a/src/Service/Share/SharePathResolver.php b/src/Module/Integration/Domain/Service/SharePathResolver.php
similarity index 90%
rename from src/Service/Share/SharePathResolver.php
rename to src/Module/Integration/Domain/Service/SharePathResolver.php
index 830d1a5..c569651 100644
--- a/src/Service/Share/SharePathResolver.php
+++ b/src/Module/Integration/Domain/Service/SharePathResolver.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
-use App\Service\Share\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
 
 final class SharePathResolver
 {
diff --git a/src/Service/Share/ShareTestResult.php b/src/Module/Integration/Domain/Service/ShareTestResult.php
similarity index 79%
rename from src/Service/Share/ShareTestResult.php
rename to src/Module/Integration/Domain/Service/ShareTestResult.php
index 9e63ef9..1f96133 100644
--- a/src/Service/Share/ShareTestResult.php
+++ b/src/Module/Integration/Domain/Service/ShareTestResult.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Domain\Service;
 
 final readonly class ShareTestResult
 {
diff --git a/src/ApiResource/BookStackLink.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
similarity index 88%
rename from src/ApiResource/BookStackLink.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
index 5414d22..fee1300 100644
--- a/src/ApiResource/BookStackLink.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Post;
-use App\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackLinkProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackLinkProvider;
 use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\State\BookStackLinkProcessor;
-use App\State\BookStackLinkProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackSearchResult.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
similarity index 86%
rename from src/ApiResource/BookStackSearchResult.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
index 2f1f6fb..dab079a 100644
--- a/src/ApiResource/BookStackSearchResult.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Link;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSearchResultProvider;
 use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\State\BookStackSearchResultProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
similarity index 83%
rename from src/ApiResource/BookStackSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
index 1ea3f20..a2bb3bc 100644
--- a/src/ApiResource/BookStackSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\BookStackSettingsProcessor;
-use App\State\BookStackSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackShelf.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
similarity index 80%
rename from src/ApiResource/BookStackShelf.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
index 6c434a9..b7a2c0c 100644
--- a/src/ApiResource/BookStackShelf.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackShelf.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\BookStackShelfProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackShelfProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/BookStackTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
similarity index 80%
rename from src/ApiResource/BookStackTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
index cbe472a..b2b68d8 100644
--- a/src/ApiResource/BookStackTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\BookStackTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\BookStackTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaBranch.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
similarity index 84%
rename from src/ApiResource/GiteaBranch.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
index 03de7df..1095b3b 100644
--- a/src/ApiResource/GiteaBranch.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranch.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
-use App\State\GiteaBranchProcessor;
-use App\State\GiteaBranchProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaBranchName.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
similarity index 78%
rename from src/ApiResource/GiteaBranchName.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
index 1310b69..1e4cb77 100644
--- a/src/ApiResource/GiteaBranchName.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaBranchName.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use App\State\GiteaBranchNameProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaBranchNameProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaPullRequest.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
similarity index 87%
rename from src/ApiResource/GiteaPullRequest.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
index 9992883..4d0b503 100644
--- a/src/ApiResource/GiteaPullRequest.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaPullRequest.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\GiteaPullRequestProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaPullRequestProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaRepository.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
similarity index 81%
rename from src/ApiResource/GiteaRepository.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
index 8022b74..2ea8636 100644
--- a/src/ApiResource/GiteaRepository.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaRepository.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\GetCollection;
-use App\State\GiteaRepositoryProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaRepositoryProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
similarity index 82%
rename from src/ApiResource/GiteaSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
index 7e1ae89..5b4cd20 100644
--- a/src/ApiResource/GiteaSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\GiteaSettingsProcessor;
-use App\State\GiteaSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/GiteaTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
similarity index 80%
rename from src/ApiResource/GiteaTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
index b7eea04..eb6ca44 100644
--- a/src/ApiResource/GiteaTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/GiteaTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\GiteaTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\GiteaTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ShareSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
similarity index 87%
rename from src/ApiResource/ShareSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
index 160511e..46ed120 100644
--- a/src/ApiResource/ShareSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\ShareSettingsProcessor;
-use App\State\ShareSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ShareTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
similarity index 81%
rename from src/ApiResource/ShareTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
index 74f947e..d2df88c 100644
--- a/src/ApiResource/ShareTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ShareTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\ShareTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ShareTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ZimbraSettings.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
similarity index 85%
rename from src/ApiResource/ZimbraSettings.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
index 5790a06..141770d 100644
--- a/src/ApiResource/ZimbraSettings.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraSettings.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\Put;
-use App\State\ZimbraSettingsProcessor;
-use App\State\ZimbraSettingsProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraSettingsProcessor;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraSettingsProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/ApiResource/ZimbraTestConnection.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
similarity index 80%
rename from src/ApiResource/ZimbraTestConnection.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
index 42e9012..d6d4b7e 100644
--- a/src/ApiResource/ZimbraTestConnection.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/ZimbraTestConnection.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Post;
-use App\State\ZimbraTestConnectionProvider;
+use App\Module\Integration\Infrastructure\ApiPlatform\State\ZimbraTestConnectionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/State/BookStackLinkProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
similarity index 76%
rename from src/State/BookStackLinkProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
index 13b9d85..60337f2 100644
--- a/src/State/BookStackLinkProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProcessor.php
@@ -2,15 +2,15 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\BookStackLink;
-use App\Entity\TaskBookStackLink;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackLink;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -18,7 +18,8 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private TaskBookStackLinkRepository $linkRepository,
+        private TaskBookStackLinkRepositoryInterface $linkRepository,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ?BookStackLink
@@ -35,7 +36,7 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
         assert($data instanceof BookStackLink);
 
         $taskId = $uriVariables['taskId'] ?? 0;
-        $task   = $this->em->getRepository(Task::class)->find($taskId);
+        $task   = $this->taskRepository->findById((int) $taskId);
 
         if (null === $task) {
             throw new NotFoundHttpException('Task not found.');
@@ -65,7 +66,7 @@ final readonly class BookStackLinkProcessor implements ProcessorInterface
     private function handleDelete(array $uriVariables): null
     {
         $linkId = $uriVariables['id'] ?? 0;
-        $link   = $this->linkRepository->find($linkId);
+        $link   = $this->linkRepository->findById((int) $linkId);
 
         if (null === $link) {
             throw new NotFoundHttpException('Link not found.');
diff --git a/src/State/BookStackLinkProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
similarity index 81%
rename from src/State/BookStackLinkProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
index e7a0cdf..33492b0 100644
--- a/src/State/BookStackLinkProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackLinkProvider.php
@@ -2,21 +2,21 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackLink;
-use App\Entity\TaskBookStackLink;
-use App\Repository\TaskBookStackLinkRepository;
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackLink;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 final readonly class BookStackLinkProvider implements ProviderInterface
 {
     public function __construct(
-        private TaskBookStackLinkRepository $linkRepository,
+        private TaskBookStackLinkRepositoryInterface $linkRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|BookStackLink
diff --git a/src/State/BookStackSearchResultProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
similarity index 76%
rename from src/State/BookStackSearchResultProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
index 014965d..377b101 100644
--- a/src/State/BookStackSearchResultProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSearchResultProvider.php
@@ -2,15 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackSearchResult;
-use App\Exception\BookStackApiException;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\BookStackApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSearchResult;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
@@ -18,14 +17,14 @@ final readonly class BookStackSearchResultProvider implements ProviderInterface
 {
     public function __construct(
         private BookStackApiService $bookStackApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
         private RequestStack $requestStack,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
     {
         $taskId = $uriVariables['taskId'] ?? 0;
-        $task   = $this->em->getRepository(Task::class)->find($taskId);
+        $task   = $this->taskRepository->findById((int) $taskId);
 
         if (null === $task || null === $task->getProject()) {
             return [];
diff --git a/src/State/BookStackSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
similarity index 78%
rename from src/State/BookStackSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
index d7d2217..7c591c5 100644
--- a/src/State/BookStackSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\BookStackSettings;
-use App\Entity\BookStackConfiguration;
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSettings;
 use App\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -16,7 +16,7 @@ final readonly class BookStackSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private BookStackConfigurationRepository $configRepository,
+        private BookStackConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/BookStackSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
similarity index 66%
rename from src/State/BookStackSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
index 5d0db34..82a4012 100644
--- a/src/State/BookStackSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackSettings;
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSettings;
 
 final readonly class BookStackSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private BookStackConfigurationRepository $configRepository,
+        private BookStackConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): BookStackSettings
diff --git a/src/State/BookStackShelfProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
similarity index 76%
rename from src/State/BookStackShelfProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
index 71252e2..6733740 100644
--- a/src/State/BookStackShelfProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackShelfProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackShelf;
-use App\Exception\BookStackApiException;
-use App\Service\BookStackApiService;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackShelf;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class BookStackShelfProvider implements ProviderInterface
diff --git a/src/State/BookStackTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
similarity index 78%
rename from src/State/BookStackTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
index 1eb88ee..8dcafc5 100644
--- a/src/State/BookStackTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\BookStackTestConnection;
-use App\Service\BookStackApiService;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackTestConnection;
+use App\Module\Integration\Infrastructure\Service\BookStackApiService;
 
 final readonly class BookStackTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/GiteaBranchNameProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
similarity index 72%
rename from src/State/GiteaBranchNameProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
index 377ec4d..21c9772 100644
--- a/src/State/GiteaBranchNameProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchNameProvider.php
@@ -2,14 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaBranchName;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranchName;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -20,12 +19,12 @@ final readonly class GiteaBranchNameProvider implements ProviderInterface
 
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): GiteaBranchName
     {
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task) {
             throw new NotFoundHttpException('Task not found.');
         }
diff --git a/src/State/GiteaBranchProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
similarity index 75%
rename from src/State/GiteaBranchProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
index 7496eba..b4771f1 100644
--- a/src/State/GiteaBranchProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProcessor.php
@@ -2,15 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\GiteaBranch;
-use App\Exception\GiteaApiException;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranch;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -20,14 +19,14 @@ final readonly class GiteaBranchProcessor implements ProcessorInterface
 
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): GiteaBranch
     {
         assert($data instanceof GiteaBranch);
 
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             throw new NotFoundHttpException('Task not found.');
         }
diff --git a/src/State/GiteaBranchProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
similarity index 80%
rename from src/State/GiteaBranchProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
index 908e49f..80d8abd 100644
--- a/src/State/GiteaBranchProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaBranchProvider.php
@@ -2,23 +2,22 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaBranch;
-use App\Exception\GiteaApiException;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaBranch;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaBranchProvider implements ProviderInterface
 {
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|GiteaBranch
@@ -27,7 +26,7 @@ final readonly class GiteaBranchProvider implements ProviderInterface
             return new GiteaBranch();
         }
 
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             return [];
         }
diff --git a/src/State/GiteaPullRequestProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
similarity index 78%
rename from src/State/GiteaPullRequestProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
index 0ca9b4a..a4933ac 100644
--- a/src/State/GiteaPullRequestProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaPullRequestProvider.php
@@ -2,27 +2,26 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaPullRequest;
-use App\Exception\GiteaApiException;
-use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\GiteaApiService;
-use Doctrine\ORM\EntityManagerInterface;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaPullRequest;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
+use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaPullRequestProvider implements ProviderInterface
 {
     public function __construct(
         private GiteaApiService $giteaApiService,
-        private EntityManagerInterface $em,
+        private TaskRepositoryInterface $taskRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
     {
-        $task = $this->em->getRepository(Task::class)->find($uriVariables['taskId'] ?? 0);
+        $task = $this->taskRepository->findById((int) ($uriVariables['taskId'] ?? 0));
         if (null === $task || null === $task->getProject()) {
             return [];
         }
diff --git a/src/State/GiteaRepositoryProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
similarity index 78%
rename from src/State/GiteaRepositoryProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
index e483897..5ecb119 100644
--- a/src/State/GiteaRepositoryProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaRepositoryProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaRepository;
-use App\Exception\GiteaApiException;
-use App\Service\GiteaApiService;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaRepository;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final readonly class GiteaRepositoryProvider implements ProviderInterface
diff --git a/src/State/GiteaSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
similarity index 76%
rename from src/State/GiteaSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
index 48e59e8..60363a5 100644
--- a/src/State/GiteaSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\GiteaSettings;
-use App\Entity\GiteaConfiguration;
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaSettings;
 use App\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -16,7 +16,7 @@ final readonly class GiteaSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/GiteaSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
similarity index 67%
rename from src/State/GiteaSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
index 7b3c76a..3e90274 100644
--- a/src/State/GiteaSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaSettings;
-use App\Repository\GiteaConfigurationRepository;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaSettings;
 
 final readonly class GiteaSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): GiteaSettings
diff --git a/src/State/GiteaTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
similarity index 78%
rename from src/State/GiteaTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
index 608c60f..d7d90bf 100644
--- a/src/State/GiteaTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\GiteaTestConnection;
-use App\Service\GiteaApiService;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaTestConnection;
+use App\Module\Integration\Infrastructure\Service\GiteaApiService;
 
 final readonly class GiteaTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/ShareSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
similarity index 81%
rename from src/State/ShareSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
index ce43f86..53a3868 100644
--- a/src/State/ShareSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\ShareSettings;
-use App\Entity\ShareConfiguration;
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareSettings;
 use App\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -16,7 +16,7 @@ final readonly class ShareSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private ShareConfigurationRepository $configRepository,
+        private ShareConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/ShareSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
similarity index 74%
rename from src/State/ShareSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
index 0b43e3c..3b8a316 100644
--- a/src/State/ShareSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ShareSettings;
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareSettings;
 
 final readonly class ShareSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private ShareConfigurationRepository $configRepository,
+        private ShareConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): ShareSettings
diff --git a/src/State/ShareTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
similarity index 80%
rename from src/State/ShareTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
index 4e1d393..1a600d8 100644
--- a/src/State/ShareTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareTestConnectionProvider.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ShareTestConnection;
-use App\Service\Share\FileSource;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareTestConnection;
 
 final readonly class ShareTestConnectionProvider implements ProviderInterface, ProcessorInterface
 {
diff --git a/src/State/ZimbraSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
similarity index 80%
rename from src/State/ZimbraSettingsProcessor.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
index 7825a6b..3d940b7 100644
--- a/src/State/ZimbraSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
-use App\ApiResource\ZimbraSettings;
-use App\Entity\ZimbraConfiguration;
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraSettings;
 use App\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
@@ -16,7 +16,7 @@ final readonly class ZimbraSettingsProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $em,
-        private ZimbraConfigurationRepository $configRepository,
+        private ZimbraConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/State/ZimbraSettingsProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
similarity index 72%
rename from src/State/ZimbraSettingsProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
index fe95719..a33f45d 100644
--- a/src/State/ZimbraSettingsProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProvider.php
@@ -2,17 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ZimbraSettings;
-use App\Repository\ZimbraConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraSettings;
 
 final readonly class ZimbraSettingsProvider implements ProviderInterface
 {
     public function __construct(
-        private ZimbraConfigurationRepository $configRepository,
+        private ZimbraConfigurationRepositoryInterface $configRepository,
     ) {}
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): ZimbraSettings
diff --git a/src/State/ZimbraTestConnectionProvider.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
similarity index 86%
rename from src/State/ZimbraTestConnectionProvider.php
rename to src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
index 0148f82..f10f72a 100644
--- a/src/State/ZimbraTestConnectionProvider.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraTestConnectionProvider.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Module\Integration\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\ZimbraTestConnection;
+use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraTestConnection;
 use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
 use Throwable;
 
diff --git a/src/Controller/Share/ShareBrowseController.php b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
similarity index 83%
rename from src/Controller/Share/ShareBrowseController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
index ce44962..dca367e 100644
--- a/src/Controller/Share/ShareBrowseController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
@@ -2,14 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
diff --git a/src/Controller/Share/ShareDownloadController.php b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
similarity index 88%
rename from src/Controller/Share/ShareDownloadController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
index b3eb5bd..9973f4f 100644
--- a/src/Controller/Share/ShareDownloadController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\HeaderUtils;
 use Symfony\Component\HttpFoundation\Request;
diff --git a/src/Controller/Share/ShareSearchController.php b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
similarity index 85%
rename from src/Controller/Share/ShareSearchController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
index aa5512b..7a955f9 100644
--- a/src/Controller/Share/ShareSearchController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
@@ -2,12 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
diff --git a/src/Controller/Share/ShareStatusController.php b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
similarity index 75%
rename from src/Controller/Share/ShareStatusController.php
rename to src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
index 4c226cb..3776160 100644
--- a/src/Controller/Share/ShareStatusController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
@@ -2,9 +2,9 @@
 
 declare(strict_types=1);
 
-namespace App\Controller\Share;
+namespace App\Module\Integration\Infrastructure\Controller;
 
-use App\Repository\ShareConfigurationRepository;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
@@ -13,7 +13,7 @@ use Symfony\Component\Security\Http\Attribute\IsGranted;
 class ShareStatusController extends AbstractController
 {
     public function __construct(
-        private readonly ShareConfigurationRepository $configRepository,
+        private readonly ShareConfigurationRepositoryInterface $configRepository,
     ) {}
 
     #[Route('/api/share/status', name: 'share_status', methods: ['GET'], priority: 1)]
diff --git a/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
new file mode 100644
index 0000000..32a5eb4
--- /dev/null
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineBookStackConfigurationRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Infrastructure\Doctrine;
+
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<BookStackConfiguration>
+ */
+class DoctrineBookStackConfigurationRepository extends ServiceEntityRepository implements BookStackConfigurationRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, BookStackConfiguration::class);
+    }
+
+    public function findSingleton(): ?BookStackConfiguration
+    {
+        return $this->findOneBy([]);
+    }
+}
diff --git a/src/Repository/GiteaConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
similarity index 50%
rename from src/Repository/GiteaConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
index 4f1096e..2b81fda 100644
--- a/src/Repository/GiteaConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineGiteaConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class GiteaConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<GiteaConfiguration>
+ */
+class DoctrineGiteaConfigurationRepository extends ServiceEntityRepository implements GiteaConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Repository/ShareConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
similarity index 56%
rename from src/Repository/ShareConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
index 066236b..13038bf 100644
--- a/src/Repository/ShareConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineShareConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class ShareConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<ShareConfiguration>
+ */
+class DoctrineShareConfigurationRepository extends ServiceEntityRepository implements ShareConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
new file mode 100644
index 0000000..00eef16
--- /dev/null
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineTaskBookStackLinkRepository.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration\Infrastructure\Doctrine;
+
+use App\Module\Integration\Domain\Entity\TaskBookStackLink;
+use App\Module\Integration\Domain\Repository\TaskBookStackLinkRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<TaskBookStackLink>
+ */
+class DoctrineTaskBookStackLinkRepository extends ServiceEntityRepository implements TaskBookStackLinkRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, TaskBookStackLink::class);
+    }
+
+    public function findById(int $id): ?TaskBookStackLink
+    {
+        return $this->find($id);
+    }
+
+    /**
+     * @return TaskBookStackLink[]
+     */
+    public function findByTaskId(int $taskId): array
+    {
+        return $this->findBy(['task' => $taskId], ['createdAt' => 'DESC']);
+    }
+}
diff --git a/src/Repository/ZimbraConfigurationRepository.php b/src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
similarity index 56%
rename from src/Repository/ZimbraConfigurationRepository.php
rename to src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
index 24a9b6c..fd5529a 100644
--- a/src/Repository/ZimbraConfigurationRepository.php
+++ b/src/Module/Integration/Infrastructure/Doctrine/DoctrineZimbraConfigurationRepository.php
@@ -2,13 +2,17 @@
 
 declare(strict_types=1);
 
-namespace App\Repository;
+namespace App\Module\Integration\Infrastructure\Doctrine;
 
-use App\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 
-class ZimbraConfigurationRepository extends ServiceEntityRepository
+/**
+ * @extends ServiceEntityRepository<ZimbraConfiguration>
+ */
+class DoctrineZimbraConfigurationRepository extends ServiceEntityRepository implements ZimbraConfigurationRepositoryInterface
 {
     public function __construct(ManagerRegistry $registry)
     {
diff --git a/src/Service/BookStackApiService.php b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
similarity index 94%
rename from src/Service/BookStackApiService.php
rename to src/Module/Integration/Infrastructure/Service/BookStackApiService.php
index cf4b66c..2589dd4 100644
--- a/src/Service/BookStackApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
@@ -2,11 +2,12 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\BookStackConfiguration;
-use App\Exception\BookStackApiException;
-use App\Repository\BookStackConfigurationRepository;
+use App\Module\Integration\Domain\Entity\BookStackConfiguration;
+use App\Module\Integration\Domain\Exception\BookStackApiException;
+use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
+use App\Service\TokenEncryptor;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
 use Symfony\Contracts\HttpClient\Exception\HttpExceptionInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
@@ -19,7 +20,7 @@ final class BookStackApiService
 
     public function __construct(
         private readonly HttpClientInterface $httpClient,
-        private readonly BookStackConfigurationRepository $configRepository,
+        private readonly BookStackConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
     ) {}
 
diff --git a/src/Service/GiteaApiService.php b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
similarity index 95%
rename from src/Service/GiteaApiService.php
rename to src/Module/Integration/Infrastructure/Service/GiteaApiService.php
index 95b6741..7162121 100644
--- a/src/Service/GiteaApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
@@ -2,13 +2,14 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\GiteaConfiguration;
-use App\Exception\GiteaApiException;
+use App\Module\Integration\Domain\Entity\GiteaConfiguration;
+use App\Module\Integration\Domain\Exception\GiteaApiException;
+use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Repository\GiteaConfigurationRepository;
+use App\Service\TokenEncryptor;
 use Symfony\Component\String\Slugger\AsciiSlugger;
 use Symfony\Component\String\Slugger\SluggerInterface;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
@@ -22,7 +23,7 @@ final readonly class GiteaApiService
 
     public function __construct(
         private HttpClientInterface $httpClient,
-        private GiteaConfigurationRepository $configRepository,
+        private GiteaConfigurationRepositoryInterface $configRepository,
         private TokenEncryptor $tokenEncryptor,
     ) {
         $this->slugger = new AsciiSlugger('fr');
diff --git a/src/Service/Share/SmbFileSource.php b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
similarity index 90%
rename from src/Service/Share/SmbFileSource.php
rename to src/Module/Integration/Infrastructure/Service/SmbFileSource.php
index d4f29fd..71dbe8b 100644
--- a/src/Service/Share/SmbFileSource.php
+++ b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
@@ -2,12 +2,16 @@
 
 declare(strict_types=1);
 
-namespace App\Service\Share;
+namespace App\Module\Integration\Infrastructure\Service;
 
-use App\Entity\ShareConfiguration;
-use App\Repository\ShareConfigurationRepository;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Entity\ShareConfiguration;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
+use App\Module\Integration\Domain\Service\ShareTestResult;
 use App\Service\TokenEncryptor;
 use Icewind\SMB\BasicAuth;
 use Icewind\SMB\IFileInfo;
@@ -24,7 +28,7 @@ final class SmbFileSource implements FileSource
     private const int SEARCH_MAX_DIRS = 2000;
 
     public function __construct(
-        private readonly ShareConfigurationRepository $configRepository,
+        private readonly ShareConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly SharePathResolver $pathResolver,
     ) {}
diff --git a/src/Module/Integration/IntegrationModule.php b/src/Module/Integration/IntegrationModule.php
new file mode 100644
index 0000000..1aacd90
--- /dev/null
+++ b/src/Module/Integration/IntegrationModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Integration;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class IntegrationModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'integration';
+    }
+
+    public static function label(): string
+    {
+        return 'Intégrations';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module Integration (Gitea, BookStack, Zimbra, Share).
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste en ROLE_USER/ROLE_ADMIN (non recâblée ici).
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'integration.settings.manage', 'label' => 'Gérer les intégrations externes'],
+            ['code' => 'integration.share.access', 'label' => 'Accéder au partage de fichiers'],
+        ];
+    }
+}
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index 47adceb..5c579c9 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -6,14 +6,14 @@ namespace App\Module\ProjectManagement\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileEntry;
+use App\Module\Integration\Domain\Service\FileSource;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileEntry;
-use App\Service\Share\FileSource;
-use App\Service\Share\SharePathResolver;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
index 6c93a7f..9d8e2b7 100644
--- a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
+++ b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Controller;
 
+use App\Module\Integration\Domain\Exception\ShareConnectionException;
+use App\Module\Integration\Domain\Exception\ShareNotConfiguredException;
+use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
-use App\Service\Share\Exception\ShareConnectionException;
-use App\Service\Share\Exception\ShareNotConfiguredException;
-use App\Service\Share\FileSource;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
diff --git a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
index 15b4db6..8cfbbe4 100644
--- a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Service;
 
+use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
 use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
-use App\Repository\ZimbraConfigurationRepository;
 use App\Service\TokenEncryptor;
 use DateTimeZone;
 use Psr\Log\LoggerInterface;
@@ -21,7 +21,7 @@ use const ENT_QUOTES;
 final class CalDavService
 {
     public function __construct(
-        private readonly ZimbraConfigurationRepository $configRepository,
+        private readonly ZimbraConfigurationRepositoryInterface $configRepository,
         private readonly TokenEncryptor $tokenEncryptor,
         private readonly HttpClientInterface $httpClient,
         private readonly LoggerInterface $logger,
diff --git a/src/Repository/BookStackConfigurationRepository.php b/src/Repository/BookStackConfigurationRepository.php
deleted file mode 100644
index 648321d..0000000
--- a/src/Repository/BookStackConfigurationRepository.php
+++ /dev/null
@@ -1,22 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\BookStackConfiguration;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class BookStackConfigurationRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, BookStackConfiguration::class);
-    }
-
-    public function findSingleton(): ?BookStackConfiguration
-    {
-        return $this->findOneBy([]);
-    }
-}
diff --git a/src/Repository/TaskBookStackLinkRepository.php b/src/Repository/TaskBookStackLinkRepository.php
deleted file mode 100644
index 8096ccb..0000000
--- a/src/Repository/TaskBookStackLinkRepository.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Repository;
-
-use App\Entity\TaskBookStackLink;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-class TaskBookStackLinkRepository extends ServiceEntityRepository
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, TaskBookStackLink::class);
-    }
-
-    /** @return TaskBookStackLink[] */
-    public function findByTaskId(int $taskId): array
-    {
-        return $this->findBy(['task' => $taskId], ['createdAt' => 'DESC']);
-    }
-}
diff --git a/tests/Unit/Service/SharePathResolverTest.php b/tests/Unit/Service/SharePathResolverTest.php
index bc344ee..8e73819 100644
--- a/tests/Unit/Service/SharePathResolverTest.php
+++ b/tests/Unit/Service/SharePathResolverTest.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Tests\Unit\Service;
 
-use App\Service\Share\Exception\InvalidPathException;
-use App\Service\Share\SharePathResolver;
+use App\Module\Integration\Domain\Exception\InvalidPathException;
+use App\Module\Integration\Domain\Service\SharePathResolver;
 use PHPUnit\Framework\TestCase;
 
 /**
-- 
2.39.5


From 0761bbd8c16024bfa35c394c6c3fc4f91d4ca76a Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sat, 20 Jun 2026 23:53:11 +0200
Subject: [PATCH 59/99] feat(integration) : extract
 Gitea/BookStack/Zimbra/Share front into module layer

LST-68 (2.6) front. Completes the Integration module and Phase 2.

- New frontend/modules/integration/ layer (auto-detected): services
  (gitea, bookstack, zimbra, share, share-settings) + their DTOs, and the
  useShareStatus composable.
- Consumers repointed to ~/modules/integration/...: admin tabs
  (Gitea/BookStack/Zimbra/Share), PM task sections (TaskGitSection,
  TaskBookStackLinks, TaskDocumentShareLinker), ProjectDrawer, TaskModal,
  pages/documents.vue, components/share/SharedFilePreview.vue.
- Admin tabs, SharedFilePreview and documents/admin pages stay at their
  location (only imports updated). i18n stays global.

nuxt build passes; all routes preserved.
---
 frontend/components/admin/AdminBookStackTab.vue           | 2 +-
 frontend/components/admin/AdminGiteaTab.vue               | 2 +-
 frontend/components/admin/AdminShareTab.vue               | 2 +-
 frontend/components/admin/AdminZimbraTab.vue              | 2 +-
 frontend/components/share/SharedFilePreview.vue           | 4 ++--
 .../integration}/composables/useShareStatus.ts            | 2 +-
 frontend/modules/integration/nuxt.config.ts               | 1 +
 frontend/{ => modules/integration}/services/bookstack.ts  | 0
 .../{ => modules/integration}/services/dto/bookstack.ts   | 0
 frontend/{ => modules/integration}/services/dto/gitea.ts  | 0
 frontend/{ => modules/integration}/services/dto/share.ts  | 0
 frontend/{ => modules/integration}/services/dto/zimbra.ts | 0
 frontend/{ => modules/integration}/services/gitea.ts      | 0
 .../{ => modules/integration}/services/share-settings.ts  | 0
 frontend/{ => modules/integration}/services/share.ts      | 0
 frontend/{ => modules/integration}/services/zimbra.ts     | 0
 .../project-management/components/ProjectDrawer.vue       | 8 ++++----
 .../project-management/components/TaskBookStackLinks.vue  | 4 ++--
 .../components/TaskDocumentShareLinker.vue                | 4 ++--
 .../project-management/components/TaskGitSection.vue      | 4 ++--
 .../modules/project-management/components/TaskModal.vue   | 2 +-
 frontend/pages/documents.vue                              | 4 ++--
 22 files changed, 21 insertions(+), 20 deletions(-)
 rename frontend/{ => modules/integration}/composables/useShareStatus.ts (88%)
 create mode 100644 frontend/modules/integration/nuxt.config.ts
 rename frontend/{ => modules/integration}/services/bookstack.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/bookstack.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/gitea.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/share.ts (100%)
 rename frontend/{ => modules/integration}/services/dto/zimbra.ts (100%)
 rename frontend/{ => modules/integration}/services/gitea.ts (100%)
 rename frontend/{ => modules/integration}/services/share-settings.ts (100%)
 rename frontend/{ => modules/integration}/services/share.ts (100%)
 rename frontend/{ => modules/integration}/services/zimbra.ts (100%)

diff --git a/frontend/components/admin/AdminBookStackTab.vue b/frontend/components/admin/AdminBookStackTab.vue
index d0adbe4..5c80776 100644
--- a/frontend/components/admin/AdminBookStackTab.vue
+++ b/frontend/components/admin/AdminBookStackTab.vue
@@ -51,7 +51,7 @@
 </template>
 
 <script setup lang="ts">
-import { useBookStackService } from '~/services/bookstack'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const { getSettings, saveSettings, testConnection } = useBookStackService()
 
diff --git a/frontend/components/admin/AdminGiteaTab.vue b/frontend/components/admin/AdminGiteaTab.vue
index 7d093aa..ef79e9c 100644
--- a/frontend/components/admin/AdminGiteaTab.vue
+++ b/frontend/components/admin/AdminGiteaTab.vue
@@ -45,7 +45,7 @@
 </template>
 
 <script setup lang="ts">
-import { useGiteaService } from '~/services/gitea'
+import { useGiteaService } from '~/modules/integration/services/gitea'
 
 const { getSettings, saveSettings, testConnection } = useGiteaService()
 
diff --git a/frontend/components/admin/AdminShareTab.vue b/frontend/components/admin/AdminShareTab.vue
index e1f907d..468fc86 100644
--- a/frontend/components/admin/AdminShareTab.vue
+++ b/frontend/components/admin/AdminShareTab.vue
@@ -70,7 +70,7 @@
 </template>
 
 <script setup lang="ts">
-import { useShareSettingsService } from '~/services/share-settings'
+import { useShareSettingsService } from '~/modules/integration/services/share-settings'
 
 const { getSettings, saveSettings, testConnection } = useShareSettingsService()
 
diff --git a/frontend/components/admin/AdminZimbraTab.vue b/frontend/components/admin/AdminZimbraTab.vue
index fbe59ca..782f467 100644
--- a/frontend/components/admin/AdminZimbraTab.vue
+++ b/frontend/components/admin/AdminZimbraTab.vue
@@ -58,7 +58,7 @@
 </template>
 
 <script setup lang="ts">
-import { useZimbraService } from '~/services/zimbra'
+import { useZimbraService } from '~/modules/integration/services/zimbra'
 
 const { getSettings, saveSettings, testConnection } = useZimbraService()
 
diff --git a/frontend/components/share/SharedFilePreview.vue b/frontend/components/share/SharedFilePreview.vue
index ed3c0b2..60085ce 100644
--- a/frontend/components/share/SharedFilePreview.vue
+++ b/frontend/components/share/SharedFilePreview.vue
@@ -167,8 +167,8 @@
 </template>
 
 <script setup lang="ts">
-import type { FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
+import type { FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
 import { formatFileSize } from '~/utils/format'
 
 const props = defineProps<{
diff --git a/frontend/composables/useShareStatus.ts b/frontend/modules/integration/composables/useShareStatus.ts
similarity index 88%
rename from frontend/composables/useShareStatus.ts
rename to frontend/modules/integration/composables/useShareStatus.ts
index 92c734a..92bdc5d 100644
--- a/frontend/composables/useShareStatus.ts
+++ b/frontend/modules/integration/composables/useShareStatus.ts
@@ -1,4 +1,4 @@
-import { useShareService } from '~/services/share'
+import { useShareService } from '~/modules/integration/services/share'
 
 export function useShareStatus() {
     const enabled = useState<boolean | null>('share-enabled', () => null)
diff --git a/frontend/modules/integration/nuxt.config.ts b/frontend/modules/integration/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/integration/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/services/bookstack.ts b/frontend/modules/integration/services/bookstack.ts
similarity index 100%
rename from frontend/services/bookstack.ts
rename to frontend/modules/integration/services/bookstack.ts
diff --git a/frontend/services/dto/bookstack.ts b/frontend/modules/integration/services/dto/bookstack.ts
similarity index 100%
rename from frontend/services/dto/bookstack.ts
rename to frontend/modules/integration/services/dto/bookstack.ts
diff --git a/frontend/services/dto/gitea.ts b/frontend/modules/integration/services/dto/gitea.ts
similarity index 100%
rename from frontend/services/dto/gitea.ts
rename to frontend/modules/integration/services/dto/gitea.ts
diff --git a/frontend/services/dto/share.ts b/frontend/modules/integration/services/dto/share.ts
similarity index 100%
rename from frontend/services/dto/share.ts
rename to frontend/modules/integration/services/dto/share.ts
diff --git a/frontend/services/dto/zimbra.ts b/frontend/modules/integration/services/dto/zimbra.ts
similarity index 100%
rename from frontend/services/dto/zimbra.ts
rename to frontend/modules/integration/services/dto/zimbra.ts
diff --git a/frontend/services/gitea.ts b/frontend/modules/integration/services/gitea.ts
similarity index 100%
rename from frontend/services/gitea.ts
rename to frontend/modules/integration/services/gitea.ts
diff --git a/frontend/services/share-settings.ts b/frontend/modules/integration/services/share-settings.ts
similarity index 100%
rename from frontend/services/share-settings.ts
rename to frontend/modules/integration/services/share-settings.ts
diff --git a/frontend/services/share.ts b/frontend/modules/integration/services/share.ts
similarity index 100%
rename from frontend/services/share.ts
rename to frontend/modules/integration/services/share.ts
diff --git a/frontend/services/zimbra.ts b/frontend/modules/integration/services/zimbra.ts
similarity index 100%
rename from frontend/services/zimbra.ts
rename to frontend/modules/integration/services/zimbra.ts
diff --git a/frontend/modules/project-management/components/ProjectDrawer.vue b/frontend/modules/project-management/components/ProjectDrawer.vue
index 0cef9b8..eff00db 100644
--- a/frontend/modules/project-management/components/ProjectDrawer.vue
+++ b/frontend/modules/project-management/components/ProjectDrawer.vue
@@ -125,11 +125,11 @@
 <script setup lang="ts">
 import type { Project, ProjectWrite } from '~/modules/project-management/services/dto/project'
 import type { Client } from '~/modules/directory/services/dto/client'
-import type { GiteaRepository } from '~/services/dto/gitea'
-import type { BookStackShelf } from '~/services/dto/bookstack'
+import type { GiteaRepository } from '~/modules/integration/services/dto/gitea'
+import type { BookStackShelf } from '~/modules/integration/services/dto/bookstack'
 import { useProjectService } from '~/modules/project-management/services/projects'
-import { useGiteaService } from '~/services/gitea'
-import { useBookStackService } from '~/services/bookstack'
+import { useGiteaService } from '~/modules/integration/services/gitea'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const props = defineProps<{
     modelValue: boolean
diff --git a/frontend/modules/project-management/components/TaskBookStackLinks.vue b/frontend/modules/project-management/components/TaskBookStackLinks.vue
index 2986197..945a7d6 100644
--- a/frontend/modules/project-management/components/TaskBookStackLinks.vue
+++ b/frontend/modules/project-management/components/TaskBookStackLinks.vue
@@ -75,8 +75,8 @@
 </template>
 
 <script setup lang="ts">
-import type { BookStackLink, BookStackSearchResult } from '~/services/dto/bookstack'
-import { useBookStackService } from '~/services/bookstack'
+import type { BookStackLink, BookStackSearchResult } from '~/modules/integration/services/dto/bookstack'
+import { useBookStackService } from '~/modules/integration/services/bookstack'
 
 const props = defineProps<{
     taskId: number
diff --git a/frontend/modules/project-management/components/TaskDocumentShareLinker.vue b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
index 33008e2..11c2a9f 100644
--- a/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
+++ b/frontend/modules/project-management/components/TaskDocumentShareLinker.vue
@@ -56,8 +56,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Breadcrumb, FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
+import type { Breadcrumb, FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
 import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import { formatFileSize } from '~/utils/format'
 
diff --git a/frontend/modules/project-management/components/TaskGitSection.vue b/frontend/modules/project-management/components/TaskGitSection.vue
index 6a4216a..1b67859 100644
--- a/frontend/modules/project-management/components/TaskGitSection.vue
+++ b/frontend/modules/project-management/components/TaskGitSection.vue
@@ -227,8 +227,8 @@
 
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
-import type { GiteaBranch, GiteaPullRequest } from '~/services/dto/gitea'
-import { useGiteaService } from '~/services/gitea'
+import type { GiteaBranch, GiteaPullRequest } from '~/modules/integration/services/dto/gitea'
+import { useGiteaService } from '~/modules/integration/services/gitea'
 import { copyToClipboard } from '~/utils/clipboard'
 
 const { t } = useI18n()
diff --git a/frontend/modules/project-management/components/TaskModal.vue b/frontend/modules/project-management/components/TaskModal.vue
index 7a42fef..7f11066 100644
--- a/frontend/modules/project-management/components/TaskModal.vue
+++ b/frontend/modules/project-management/components/TaskModal.vue
@@ -538,7 +538,7 @@
 <script setup lang="ts">
 import type { Task, TaskWrite } from '~/modules/project-management/services/dto/task'
 import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
-import { useGiteaService } from '~/services/gitea'
+import { useGiteaService } from '~/modules/integration/services/gitea'
 import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
 import ConfirmDeleteDocumentModal from '~/components/ui/ConfirmDeleteDocumentModal.vue'
 import type { TaskStatus } from '~/modules/project-management/services/dto/task-status'
diff --git a/frontend/pages/documents.vue b/frontend/pages/documents.vue
index 05fec23..1a68bfe 100644
--- a/frontend/pages/documents.vue
+++ b/frontend/pages/documents.vue
@@ -81,8 +81,8 @@
 </template>
 
 <script setup lang="ts">
-import type { Breadcrumb, FileEntry } from '~/services/dto/share'
-import { useShareService } from '~/services/share'
+import type { Breadcrumb, FileEntry } from '~/modules/integration/services/dto/share'
+import { useShareService } from '~/modules/integration/services/share'
 import { formatFileSize } from '~/utils/format'
 
 useHead({ title: 'Documents' })
-- 
2.39.5


From b3b29fd75317a4010974a61d7c8a72b895304460 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 00:08:43 +0200
Subject: [PATCH 60/99] feat(reporting) : add transverse Reporting module (DBAL
 read-only, back)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-59 (3.1) backend. New native reporting module that aggregates across
TimeTracking/ProjectManagement/Absence with ZERO direct inter-module imports —
coupled only to the physical SQL schema via read-only DBAL (AuditLog provider
pattern).

- 4 read-only reports (ApiResource + DBAL provider + readonly DTO,
  paginationEnabled false, security reporting.view): /api/reports/
  {time-per-project, time-per-user, tasks-by-status, absences-by-type}.
  All filters bound-param, dates validated YYYY-MM-DD (default = current month),
  int filters validated by regex (cs-fixer-stable).
- No Doctrine entity, no migration. ReportFilterTrait centralises validation.
  Absence status compared by literal 'approved' to avoid importing the enum.
- ReportingModule registered (id reporting, reporting.view/export perms);
  sidebar /reporting item gated by module + permission (ROLE_ADMIN section).

169 tests green (163 + 6), 4 routes exposed, cs-fixer clean.
---
 config/modules.php                            |  2 +
 config/sidebar.php                            |  1 +
 .../Application/DTO/AbsencesByTypeOutput.php  | 17 ++++
 .../Application/DTO/TasksByStatusOutput.php   | 19 ++++
 .../Application/DTO/TimePerProjectOutput.php  | 19 ++++
 .../Application/DTO/TimePerUserOutput.php     | 19 ++++
 .../Resource/AbsencesByTypeResource.php       | 33 +++++++
 .../Resource/TasksByStatusResource.php        | 32 +++++++
 .../Resource/TimePerProjectResource.php       | 34 +++++++
 .../Resource/TimePerUserResource.php          | 33 +++++++
 .../State/AbsencesByTypeProvider.php          | 82 ++++++++++++++++
 .../ApiPlatform/State/ReportFilterTrait.php   | 89 +++++++++++++++++
 .../State/TasksByStatusProvider.php           | 67 +++++++++++++
 .../State/TimePerProjectProvider.php          | 81 ++++++++++++++++
 .../ApiPlatform/State/TimePerUserProvider.php | 79 +++++++++++++++
 src/Module/Reporting/ReportingModule.php      | 44 +++++++++
 .../Module/Reporting/ReportingApiTest.php     | 96 +++++++++++++++++++
 17 files changed, 747 insertions(+)
 create mode 100644 src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
 create mode 100644 src/Module/Reporting/Application/DTO/TimePerUserOutput.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
 create mode 100644 src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
 create mode 100644 src/Module/Reporting/ReportingModule.php
 create mode 100644 tests/Functional/Module/Reporting/ReportingApiTest.php

diff --git a/config/modules.php b/config/modules.php
index 27ca805..b0b6e90 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -13,6 +13,7 @@ use App\Module\Directory\DirectoryModule;
 use App\Module\Integration\IntegrationModule;
 use App\Module\Mail\MailModule;
 use App\Module\ProjectManagement\ProjectManagementModule;
+use App\Module\Reporting\ReportingModule;
 use App\Module\TimeTracking\TimeTrackingModule;
 
 return [
@@ -23,4 +24,5 @@ return [
     DirectoryModule::class,
     MailModule::class,
     IntegrationModule::class,
+    ReportingModule::class,
 ];
diff --git a/config/sidebar.php b/config/sidebar.php
index 835e132..2f1e15f 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -38,6 +38,7 @@ return [
             ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
             ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:contact-multiple-outline', 'module' => 'directory'],
             ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
+            ['label' => 'sidebar.admin.reporting', 'to' => '/reporting', 'icon' => 'mdi:chart-line', 'module' => 'reporting', 'permission' => 'reporting.view'],
         ],
     ],
 ];
diff --git a/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php b/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
new file mode 100644
index 0000000..2064eed
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/AbsencesByTypeOutput.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Absences approuvees agregees par type sur une periode.
+ */
+final readonly class AbsencesByTypeOutput
+{
+    public function __construct(
+        public string $type,
+        public int $count,
+        public float $totalDays,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php b/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
new file mode 100644
index 0000000..01fd0ab
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TasksByStatusOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Nombre de taches non archivees regroupees par statut.
+ *
+ * `statusId` peut etre null pour les taches sans statut (LEFT JOIN).
+ */
+final readonly class TasksByStatusOutput
+{
+    public function __construct(
+        public ?int $statusId,
+        public string $statusLabel,
+        public int $count,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php b/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
new file mode 100644
index 0000000..cacddd0
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TimePerProjectOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Heures travaillees agregees par projet sur une periode.
+ */
+final readonly class TimePerProjectOutput
+{
+    public function __construct(
+        public int $projectId,
+        public string $projectCode,
+        public string $projectName,
+        public float $hours,
+        public int $entryCount,
+    ) {}
+}
diff --git a/src/Module/Reporting/Application/DTO/TimePerUserOutput.php b/src/Module/Reporting/Application/DTO/TimePerUserOutput.php
new file mode 100644
index 0000000..07f2cfc
--- /dev/null
+++ b/src/Module/Reporting/Application/DTO/TimePerUserOutput.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Application\DTO;
+
+/**
+ * Heures travaillees agregees par utilisateur sur une periode.
+ */
+final readonly class TimePerUserOutput
+{
+    public function __construct(
+        public int $userId,
+        public string $username,
+        public string $fullName,
+        public float $hours,
+        public int $entryCount,
+    ) {}
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
new file mode 100644
index 0000000..5b90f1b
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/AbsencesByTypeResource.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\AbsencesByTypeOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\AbsencesByTypeProvider;
+
+/**
+ * Rapport en lecture seule : absences approuvees par type sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&userId=
+ * (bornes facultatives, sans defaut — un filtre absent n'applique pas la clause).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de AbsencesByTypeOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportAbsencesByType',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/absences-by-type',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: AbsencesByTypeProvider::class,
+        ),
+    ],
+    output: AbsencesByTypeOutput::class,
+)]
+final class AbsencesByTypeResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
new file mode 100644
index 0000000..b164f55
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TasksByStatusResource.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TasksByStatusOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TasksByStatusProvider;
+
+/**
+ * Rapport en lecture seule : nombre de taches non archivees par statut.
+ *
+ * Filtre query-param : ?projectId=
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TasksByStatusOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportTasksByStatus',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/tasks-by-status',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TasksByStatusProvider::class,
+        ),
+    ],
+    output: TasksByStatusOutput::class,
+)]
+final class TasksByStatusResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
new file mode 100644
index 0000000..14b1b97
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerProjectResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TimePerProjectOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TimePerProjectProvider;
+
+/**
+ * Rapport en lecture seule : heures travaillees par projet sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&userId=&projectId=
+ * (from/to par defaut = mois courant si absents).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TimePerProjectOutput. Pagination desactivee
+ * (volume borne par le nombre de projets).
+ */
+#[ApiResource(
+    shortName: 'ReportTimePerProject',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/time-per-project',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TimePerProjectProvider::class,
+        ),
+    ],
+    output: TimePerProjectOutput::class,
+)]
+final class TimePerProjectResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
new file mode 100644
index 0000000..b6eba8a
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/Resource/TimePerUserResource.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\Resource;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use App\Module\Reporting\Application\DTO\TimePerUserOutput;
+use App\Module\Reporting\Infrastructure\ApiPlatform\State\TimePerUserProvider;
+
+/**
+ * Rapport en lecture seule : heures travaillees par utilisateur sur une periode.
+ *
+ * Filtres query-param : ?from=YYYY-MM-DD&to=YYYY-MM-DD&projectId=
+ * (from/to par defaut = mois courant si absents).
+ *
+ * Aucune entite Doctrine sous-jacente : le provider lit via DBAL et retourne
+ * directement une liste de TimePerUserOutput. Pagination desactivee.
+ */
+#[ApiResource(
+    shortName: 'ReportTimePerUser',
+    operations: [
+        new GetCollection(
+            uriTemplate: '/reports/time-per-user',
+            paginationEnabled: false,
+            security: "is_granted('reporting.view')",
+            provider: TimePerUserProvider::class,
+        ),
+    ],
+    output: TimePerUserOutput::class,
+)]
+final class TimePerUserResource {}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
new file mode 100644
index 0000000..75cb4b1
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/AbsencesByTypeProvider.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\AbsencesByTypeOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport absences-par-type.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. La valeur du
+ * statut filtre ('approved') correspond au backing-value de
+ * App\Module\Absence\Domain\Enum\AbsenceStatus::Approved, mais est ecrite ici
+ * en litteral pour eviter tout import inter-module. Tous les filtres sont
+ * passes en bound params. Les bornes de date sont facultatives et sans defaut.
+ *
+ * @implements ProviderInterface<AbsencesByTypeOutput>
+ */
+final readonly class AbsencesByTypeProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    /**
+     * Backing-value de AbsenceStatus::Approved (litteral pour rester decouple).
+     */
+    private const string STATUS_APPROVED = 'approved';
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<AbsencesByTypeOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        $from   = $this->validateDate($filters['from'] ?? null, 'from');
+        $to     = $this->validateDate($filters['to'] ?? null, 'to');
+        $userId = $this->validatePositiveInt($filters['userId'] ?? null, 'userId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'ar.type AS type',
+                'COUNT(ar.id) AS cnt',
+                'COALESCE(SUM(ar.counted_days), 0) AS total_days',
+            )
+            ->from('absence_request', 'ar')
+            ->where('ar.status = :status')
+            ->setParameter('status', self::STATUS_APPROVED)
+            ->groupBy('ar.type')
+            ->orderBy('total_days', 'DESC')
+        ;
+
+        if (null !== $from) {
+            $qb->andWhere('ar.start_date >= :from')->setParameter('from', $from);
+        }
+        if (null !== $to) {
+            $qb->andWhere('ar.end_date < :to')->setParameter('to', $to);
+        }
+        if (null !== $userId) {
+            $qb->andWhere('ar.user_id = :userId')->setParameter('userId', $userId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): AbsencesByTypeOutput => new AbsencesByTypeOutput(
+            type: (string) $row['type'],
+            count: (int) $row['cnt'],
+            totalDays: round((float) $row['total_days'], 2),
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
new file mode 100644
index 0000000..82da962
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/ReportFilterTrait.php
@@ -0,0 +1,89 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use DateTimeImmutable;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Validation stricte des filtres query-param partages par les providers de reporting.
+ *
+ * Toutes les valeurs validees ici sont destinees a etre passees en bound params
+ * (jamais interpolees dans le SQL). On rejette en 400 explicite tout input
+ * malforme plutot que de laisser PostgreSQL lever une 500.
+ */
+trait ReportFilterTrait
+{
+    /**
+     * Valide une date au format strict YYYY-MM-DD.
+     *
+     * @param mixed $value valeur brute issue des query-params
+     *
+     * @return null|string la date validee, ou null si absente/vide
+     */
+    private function validateDate(mixed $value, string $paramName): ?string
+    {
+        if (null === $value || '' === $value) {
+            return null;
+        }
+
+        if (!is_string($value)) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : date YYYY-MM-DD attendue.', $paramName));
+        }
+
+        $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
+
+        if (false === $date || $date->format('Y-m-d') !== $value) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : date YYYY-MM-DD attendue (recu: "%s").', $paramName, $value));
+        }
+
+        return $value;
+    }
+
+    /**
+     * Valide un identifiant entier strictement positif.
+     *
+     * @param mixed $value valeur brute issue des query-params
+     *
+     * @return null|int l'identifiant valide, ou null si absent/vide
+     */
+    private function validatePositiveInt(mixed $value, string $paramName): ?int
+    {
+        if (null === $value || '' === $value) {
+            return null;
+        }
+
+        // Les query-params arrivent sous forme de chaine : on valide donc le
+        // format decimal positif via regex (rejette "1.5", "abc", "-3", "01"...)
+        // plutot qu'une comparaison de type juggling sensible au cs-fixer.
+        if ((!is_string($value) && !is_int($value)) || 1 !== preg_match('/^[1-9][0-9]*$/', (string) $value)) {
+            throw new BadRequestHttpException(sprintf('Filtre "%s" invalide : entier positif attendu.', $paramName));
+        }
+
+        return (int) $value;
+    }
+
+    /**
+     * Resout la plage [from, to[ avec defaut = mois courant si les deux bornes sont absentes.
+     *
+     * @param array<string, mixed> $filters
+     *
+     * @return array{0: string, 1: string} [from inclus, to exclus] au format YYYY-MM-DD
+     */
+    private function resolveDateRange(array $filters): array
+    {
+        $from = $this->validateDate($filters['from'] ?? null, 'from');
+        $to   = $this->validateDate($filters['to'] ?? null, 'to');
+
+        if (null === $from) {
+            $from = new DateTimeImmutable('first day of this month')->format('Y-m-d');
+        }
+        if (null === $to) {
+            $to = new DateTimeImmutable('first day of next month')->format('Y-m-d');
+        }
+
+        return [$from, $to];
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
new file mode 100644
index 0000000..9727f50
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TasksByStatusProvider.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TasksByStatusOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport taches-par-statut.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. Le filtre
+ * projectId est passe en bound param.
+ *
+ * @implements ProviderInterface<TasksByStatusOutput>
+ */
+final readonly class TasksByStatusProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TasksByStatusOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        $projectId = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                's.id AS status_id',
+                's.label AS status_label',
+                'COUNT(t.id) AS cnt',
+            )
+            ->from('task', 't')
+            ->leftJoin('t', 'task_status', 's', 't.status_id = s.id')
+            ->where('t.archived = false')
+            ->groupBy('s.id')
+            ->addGroupBy('s.label')
+            ->orderBy('cnt', 'DESC')
+        ;
+
+        if (null !== $projectId) {
+            $qb->andWhere('t.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TasksByStatusOutput => new TasksByStatusOutput(
+            statusId: null !== $row['status_id'] ? (int) $row['status_id'] : null,
+            statusLabel: null !== $row['status_label'] ? (string) $row['status_label'] : 'Sans statut',
+            count: (int) $row['cnt'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
new file mode 100644
index 0000000..e7f217a
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerProjectProvider.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TimePerProjectOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport heures-par-projet.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. Tous les
+ * filtres sont passes en bound params (jamais interpoles).
+ *
+ * @implements ProviderInterface<TimePerProjectOutput>
+ */
+final readonly class TimePerProjectProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TimePerProjectOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        [$from, $to] = $this->resolveDateRange($filters);
+        $userId      = $this->validatePositiveInt($filters['userId'] ?? null, 'userId');
+        $projectId   = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'p.id AS project_id',
+                'p.code AS project_code',
+                'p.name AS project_name',
+                'COALESCE(SUM(EXTRACT(EPOCH FROM (te.stopped_at - te.started_at)) / 3600), 0) AS hours',
+                'COUNT(te.id) AS entry_count',
+            )
+            ->from('time_entry', 'te')
+            ->innerJoin('te', 'project', 'p', 'te.project_id = p.id')
+            ->where('te.stopped_at IS NOT NULL')
+            ->andWhere('te.started_at >= :from')
+            ->andWhere('te.started_at < :to')
+            ->setParameter('from', $from)
+            ->setParameter('to', $to)
+            ->groupBy('p.id')
+            ->addGroupBy('p.code')
+            ->addGroupBy('p.name')
+            ->orderBy('hours', 'DESC')
+        ;
+
+        if (null !== $userId) {
+            $qb->andWhere('te.user_id = :userId')->setParameter('userId', $userId);
+        }
+        if (null !== $projectId) {
+            $qb->andWhere('te.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TimePerProjectOutput => new TimePerProjectOutput(
+            projectId: (int) $row['project_id'],
+            projectCode: (string) $row['project_code'],
+            projectName: (string) $row['project_name'],
+            hours: round((float) $row['hours'], 2),
+            entryCount: (int) $row['entry_count'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
new file mode 100644
index 0000000..dc49581
--- /dev/null
+++ b/src/Module/Reporting/Infrastructure/ApiPlatform/State/TimePerUserProvider.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\Reporting\Application\DTO\TimePerUserOutput;
+use Doctrine\DBAL\Connection;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+
+/**
+ * Provider DBAL (lecture seule) du rapport heures-par-utilisateur.
+ *
+ * N'importe AUCUNE entite : couplage au seul schema SQL physique. La table
+ * "user" est un mot reserve PostgreSQL et reste systematiquement quotee. Tous
+ * les filtres sont passes en bound params.
+ *
+ * @implements ProviderInterface<TimePerUserOutput>
+ */
+final readonly class TimePerUserProvider implements ProviderInterface
+{
+    use ReportFilterTrait;
+
+    public function __construct(
+        #[Autowire(service: 'doctrine.dbal.default_connection')]
+        private Connection $connection,
+    ) {}
+
+    /**
+     * @return list<TimePerUserOutput>
+     */
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
+    {
+        /** @var array<string, mixed> $filters */
+        $filters = $context['filters'] ?? [];
+
+        [$from, $to] = $this->resolveDateRange($filters);
+        $projectId   = $this->validatePositiveInt($filters['projectId'] ?? null, 'projectId');
+
+        $qb = $this->connection->createQueryBuilder()
+            ->select(
+                'u.id AS user_id',
+                'u.username AS username',
+                "TRIM(COALESCE(u.first_name, '') || ' ' || COALESCE(u.last_name, '')) AS full_name",
+                'COALESCE(SUM(EXTRACT(EPOCH FROM (te.stopped_at - te.started_at)) / 3600), 0) AS hours',
+                'COUNT(te.id) AS entry_count',
+            )
+            ->from('time_entry', 'te')
+            ->innerJoin('te', '"user"', 'u', 'te.user_id = u.id')
+            ->where('te.stopped_at IS NOT NULL')
+            ->andWhere('te.started_at >= :from')
+            ->andWhere('te.started_at < :to')
+            ->setParameter('from', $from)
+            ->setParameter('to', $to)
+            ->groupBy('u.id')
+            ->addGroupBy('u.username')
+            ->addGroupBy('u.first_name')
+            ->addGroupBy('u.last_name')
+            ->orderBy('hours', 'DESC')
+        ;
+
+        if (null !== $projectId) {
+            $qb->andWhere('te.project_id = :projectId')->setParameter('projectId', $projectId);
+        }
+
+        /** @var list<array<string, mixed>> $rows */
+        $rows = $qb->executeQuery()->fetchAllAssociative();
+
+        return array_map(static fn (array $row): TimePerUserOutput => new TimePerUserOutput(
+            userId: (int) $row['user_id'],
+            username: (string) $row['username'],
+            fullName: (string) $row['full_name'],
+            hours: round((float) $row['hours'], 2),
+            entryCount: (int) $row['entry_count'],
+        ), $rows);
+    }
+}
diff --git a/src/Module/Reporting/ReportingModule.php b/src/Module/Reporting/ReportingModule.php
new file mode 100644
index 0000000..d5eca17
--- /dev/null
+++ b/src/Module/Reporting/ReportingModule.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Reporting;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+/**
+ * Module de reporting transverse en lecture seule.
+ *
+ * Ce module n'introduit AUCUNE entite Doctrine ni migration : il agrege les
+ * donnees existantes (time_entry, project, task, absence_request, "user") via
+ * des requetes DBAL en lecture seule. Il n'importe deliberement aucune entite
+ * d'un autre module — couplage uniquement au schema SQL physique partage.
+ */
+final class ReportingModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'reporting';
+    }
+
+    public static function label(): string
+    {
+        return 'Rapports';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'reporting.view', 'label' => 'Consulter les rapports'],
+            ['code' => 'reporting.export', 'label' => 'Exporter les rapports'],
+        ];
+    }
+}
diff --git a/tests/Functional/Module/Reporting/ReportingApiTest.php b/tests/Functional/Module/Reporting/ReportingApiTest.php
new file mode 100644
index 0000000..d67594b
--- /dev/null
+++ b/tests/Functional/Module/Reporting/ReportingApiTest.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\Reporting;
+
+use App\Module\Core\Domain\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+/**
+ * @internal
+ */
+final class ReportingApiTest extends WebTestCase
+{
+    public function testGetCollectionRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    public function testAdminCanListTimePerProject(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+
+        // Le rapport est non pagine : la structure hydra expose tout de meme un
+        // tableau `member`. Si des projets ont du temps logge, chaque membre
+        // porte au minimum projectId et hours.
+        foreach ($data['member'] as $row) {
+            self::assertArrayHasKey('projectId', $row);
+            self::assertArrayHasKey('hours', $row);
+            self::assertIsInt($row['projectId']);
+        }
+    }
+
+    public function testValidProjectIdFilterIsAccepted(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        // projectId arrive en chaine ("1") : la validation doit l'accepter (200),
+        // garde-fou contre une regression de type-juggling sur le filtre entier.
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01&projectId=1');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testInvalidProjectIdFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?projectId=abc');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    public function testInvalidDateFilterIsRejected(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'admin');
+
+        $client->request('GET', '/api/reports/time-per-project?from=not-a-date');
+
+        self::assertResponseStatusCodeSame(400);
+    }
+
+    public function testUserWithoutPermissionIsForbidden(): void
+    {
+        $client = self::createClient();
+        $this->loginUser($client, 'alice');
+
+        $client->request('GET', '/api/reports/time-per-project?from=2026-01-01&to=2027-01-01');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    private function loginUser(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
-- 
2.39.5


From f4ffc02028e9acdb93fc46f0e7d10fce43ce1fc2 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 00:16:03 +0200
Subject: [PATCH 61/99] feat(reporting) : add Reporting dashboard front layer

LST-59 (3.1) front. Completes the Reporting module.

- New frontend/modules/reporting/ layer (auto-detected): /reporting page
  (admin middleware) consuming the 4 read-only report endpoints.
- Filters (period presets + custom dates, project, user). 4 sections (time per
  project, time per user, tasks by status, absences by type) each with a
  DataTable + a Chart.js chart (reused global registration).
- Front-side CSV export per section (useCsvExport: BOM UTF-8, ; separator).
- i18n keys (reporting.*, sidebar.admin.reporting).

nuxt build passes; /reporting routed; no route regression.
---
 frontend/i18n/locales/fr.json                 |  47 ++-
 .../components/ReportingBarChart.vue          |  52 +++
 .../components/ReportingDoughnut.vue          |  56 +++
 .../reporting/composables/useCsvExport.ts     |  44 ++
 .../composables/useReportingFilters.ts        |  41 ++
 frontend/modules/reporting/nuxt.config.ts     |   1 +
 .../modules/reporting/pages/reporting.vue     | 388 ++++++++++++++++++
 .../reporting/services/dto/reporting.ts       |  34 ++
 .../modules/reporting/services/reporting.ts   |  51 +++
 9 files changed, 713 insertions(+), 1 deletion(-)
 create mode 100644 frontend/modules/reporting/components/ReportingBarChart.vue
 create mode 100644 frontend/modules/reporting/components/ReportingDoughnut.vue
 create mode 100644 frontend/modules/reporting/composables/useCsvExport.ts
 create mode 100644 frontend/modules/reporting/composables/useReportingFilters.ts
 create mode 100644 frontend/modules/reporting/nuxt.config.ts
 create mode 100644 frontend/modules/reporting/pages/reporting.vue
 create mode 100644 frontend/modules/reporting/services/dto/reporting.ts
 create mode 100644 frontend/modules/reporting/services/reporting.ts

diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 7d46a2a..3c3a49b 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -360,7 +360,52 @@
       "section": "Administration",
       "teamAbsences": "Absences équipe",
       "administration": "Administration",
-      "directory": "Répertoire"
+      "directory": "Répertoire",
+      "reporting": "Rapports"
+    }
+  },
+  "reporting": {
+    "title": "Rapports",
+    "export": "Exporter (CSV)",
+    "empty": "Aucune donnée pour cette période.",
+    "filters": {
+      "period": "Période",
+      "from": "Du",
+      "to": "Au",
+      "project": "Projet",
+      "allProjects": "Tous les projets",
+      "user": "Utilisateur",
+      "allUsers": "Tous les utilisateurs"
+    },
+    "periods": {
+      "thisMonth": "Mois courant",
+      "lastMonth": "Mois dernier",
+      "custom": "Personnalisé"
+    },
+    "sections": {
+      "timePerProject": "Temps par projet",
+      "timePerUser": "Temps par utilisateur",
+      "tasksByStatus": "Tâches par statut",
+      "absencesByType": "Absences par type"
+    },
+    "columns": {
+      "project": "Projet",
+      "code": "Code",
+      "user": "Utilisateur",
+      "status": "Statut",
+      "type": "Type",
+      "hours": "Heures",
+      "entries": "Nb saisies",
+      "count": "Nombre",
+      "days": "Jours"
+    },
+    "absenceTypes": {
+      "cp": "Congés payés",
+      "mariage_pacs": "Mariage / PACS",
+      "naissance": "Naissance",
+      "conge_parental": "Congé parental",
+      "deces": "Décès proche",
+      "maladie": "Arrêt maladie"
     }
   },
   "common": {
diff --git a/frontend/modules/reporting/components/ReportingBarChart.vue b/frontend/modules/reporting/components/ReportingBarChart.vue
new file mode 100644
index 0000000..0eb18e3
--- /dev/null
+++ b/frontend/modules/reporting/components/ReportingBarChart.vue
@@ -0,0 +1,52 @@
+<template>
+    <div class="h-64">
+        <Bar
+            v-if="hasData"
+            :data="chartData"
+            :options="options"
+        />
+        <p v-else class="flex h-full items-center justify-center text-sm text-neutral-400">
+            {{ emptyMessage ?? $t('reporting.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { Bar } from 'vue-chartjs'
+
+const props = defineProps<{
+    labels: string[]
+    values: number[]
+    color?: string
+    emptyMessage?: string
+}>()
+
+const hasData = computed(() => props.values.some(v => v > 0))
+
+const chartData = computed(() => ({
+    labels: props.labels,
+    datasets: [{
+        data: props.values,
+        backgroundColor: props.color ?? '#6366f1',
+        borderWidth: 0,
+        borderRadius: 6,
+    }],
+}))
+
+const options = {
+    responsive: true,
+    maintainAspectRatio: false,
+    plugins: {
+        legend: { display: false },
+    },
+    scales: {
+        y: {
+            beginAtZero: true,
+            grid: { color: '#f3f4f6' },
+        },
+        x: {
+            grid: { display: false },
+        },
+    },
+}
+</script>
diff --git a/frontend/modules/reporting/components/ReportingDoughnut.vue b/frontend/modules/reporting/components/ReportingDoughnut.vue
new file mode 100644
index 0000000..691faca
--- /dev/null
+++ b/frontend/modules/reporting/components/ReportingDoughnut.vue
@@ -0,0 +1,56 @@
+<template>
+    <div class="h-64">
+        <Doughnut
+            v-if="hasData"
+            :data="chartData"
+            :options="options"
+        />
+        <p v-else class="flex h-full items-center justify-center text-sm text-neutral-400">
+            {{ emptyMessage ?? $t('reporting.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { Doughnut } from 'vue-chartjs'
+
+const props = defineProps<{
+    labels: string[]
+    values: number[]
+    colors?: string[]
+    emptyMessage?: string
+}>()
+
+const palette = [
+    '#6366f1', '#10b981', '#f59e0b', '#ef4444', '#3b82f6',
+    '#8b5cf6', '#ec4899', '#14b8a6', '#f97316', '#84cc16',
+]
+
+const hasData = computed(() => props.values.some(v => v > 0))
+
+const chartData = computed(() => ({
+    labels: props.labels,
+    datasets: [{
+        data: props.values,
+        backgroundColor: props.colors ?? props.labels.map((_, i) => palette[i % palette.length]),
+        borderWidth: 0,
+    }],
+}))
+
+const options = {
+    responsive: true,
+    maintainAspectRatio: false,
+    cutout: '65%',
+    plugins: {
+        legend: {
+            position: 'bottom' as const,
+            labels: {
+                padding: 16,
+                usePointStyle: true,
+                pointStyle: 'circle',
+                font: { size: 12 },
+            },
+        },
+    },
+}
+</script>
diff --git a/frontend/modules/reporting/composables/useCsvExport.ts b/frontend/modules/reporting/composables/useCsvExport.ts
new file mode 100644
index 0000000..25c7a98
--- /dev/null
+++ b/frontend/modules/reporting/composables/useCsvExport.ts
@@ -0,0 +1,44 @@
+export type CsvColumn<T> = {
+    header: string
+    value: (row: T) => string | number
+}
+
+/** Escapes a single CSV cell (quotes wrapping + doubled inner quotes). */
+function escapeCell(value: string | number): string {
+    const str = String(value ?? '')
+    if (/[",\n;]/.test(str)) {
+        return `"${str.replace(/"/g, '""')}"`
+    }
+    return str
+}
+
+export function useCsvExport() {
+    /** Builds a CSV string from rows + column definitions (semicolon separator, FR-friendly). */
+    function toCsv<T>(rows: T[], columns: CsvColumn<T>[]): string {
+        const header = columns.map(c => escapeCell(c.header)).join(';')
+        const lines = rows.map(row =>
+            columns.map(c => escapeCell(c.value(row))).join(';'),
+        )
+        return [header, ...lines].join('\n')
+    }
+
+    /** Triggers a browser download of the given CSV content. */
+    function downloadCsv<T>(filename: string, rows: T[], columns: CsvColumn<T>[]): void {
+        if (typeof window === 'undefined') {
+            return
+        }
+        const csv = toCsv(rows, columns)
+        // Prepend BOM so Excel detects UTF-8.
+        const blob = new Blob([`${csv}`], { type: 'text/csv;charset=utf-8;' })
+        const url = URL.createObjectURL(blob)
+        const link = document.createElement('a')
+        link.href = url
+        link.download = filename.endsWith('.csv') ? filename : `${filename}.csv`
+        document.body.appendChild(link)
+        link.click()
+        document.body.removeChild(link)
+        URL.revokeObjectURL(url)
+    }
+
+    return { toCsv, downloadCsv }
+}
diff --git a/frontend/modules/reporting/composables/useReportingFilters.ts b/frontend/modules/reporting/composables/useReportingFilters.ts
new file mode 100644
index 0000000..bdc60de
--- /dev/null
+++ b/frontend/modules/reporting/composables/useReportingFilters.ts
@@ -0,0 +1,41 @@
+export type ReportPeriodKey = 'thisMonth' | 'lastMonth' | 'custom'
+
+export type ReportPeriodRange = {
+    from: string
+    to: string
+}
+
+/** Formats a Date as an ISO "YYYY-MM-DD" string (local time, no timezone shift). */
+function toIsoDate(date: Date): string {
+    const year = date.getFullYear()
+    const month = String(date.getMonth() + 1).padStart(2, '0')
+    const day = String(date.getDate()).padStart(2, '0')
+    return `${year}-${month}-${day}`
+}
+
+/** Returns the {from, to} range (inclusive) for a given month offset relative to now. */
+function getMonthRange(offset: number): ReportPeriodRange {
+    const now = new Date()
+    const start = new Date(now.getFullYear(), now.getMonth() + offset, 1)
+    const end = new Date(now.getFullYear(), now.getMonth() + offset + 1, 0)
+    return { from: toIsoDate(start), to: toIsoDate(end) }
+}
+
+export function useReportingFilters() {
+    const thisMonth = (): ReportPeriodRange => getMonthRange(0)
+    const lastMonth = (): ReportPeriodRange => getMonthRange(-1)
+
+    /** Resolves a preset key to a concrete range. `custom` keeps the provided range. */
+    function rangeForPreset(key: ReportPeriodKey, current: ReportPeriodRange): ReportPeriodRange {
+        switch (key) {
+            case 'thisMonth':
+                return thisMonth()
+            case 'lastMonth':
+                return lastMonth()
+            case 'custom':
+                return current
+        }
+    }
+
+    return { thisMonth, lastMonth, rangeForPreset, toIsoDate }
+}
diff --git a/frontend/modules/reporting/nuxt.config.ts b/frontend/modules/reporting/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/reporting/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/modules/reporting/pages/reporting.vue b/frontend/modules/reporting/pages/reporting.vue
new file mode 100644
index 0000000..8fc220b
--- /dev/null
+++ b/frontend/modules/reporting/pages/reporting.vue
@@ -0,0 +1,388 @@
+<template>
+    <div>
+        <div class="sticky top-8 z-20 bg-white pb-4 sm:top-12">
+            <h1 class="text-xl font-bold text-primary-500 sm:text-2xl">
+                {{ $t('reporting.title') }}
+            </h1>
+
+            <!-- Filters -->
+            <div class="mt-4 flex flex-wrap items-end gap-3">
+                <MalioSelect
+                    v-model="selectedPeriod"
+                    :options="periodOptions"
+                    :label="$t('reporting.filters.period')"
+                    group-class="!w-48"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+                <div class="w-40">
+                    <label class="mb-1 block text-sm font-medium text-neutral-700">
+                        {{ $t('reporting.filters.from') }}
+                    </label>
+                    <MalioDate
+                        v-model="customFrom"
+                        :disabled="selectedPeriod !== 'custom'"
+                        group-class="w-full"
+                    />
+                </div>
+                <div class="w-40">
+                    <label class="mb-1 block text-sm font-medium text-neutral-700">
+                        {{ $t('reporting.filters.to') }}
+                    </label>
+                    <MalioDate
+                        v-model="customTo"
+                        :disabled="selectedPeriod !== 'custom'"
+                        group-class="w-full"
+                    />
+                </div>
+                <MalioSelect
+                    v-model="selectedProjectId"
+                    :options="projectOptions"
+                    :label="$t('reporting.filters.project')"
+                    :empty-option-label="$t('reporting.filters.allProjects')"
+                    group-class="!w-44"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+                <MalioSelect
+                    v-model="selectedUserId"
+                    :options="userOptions"
+                    :label="$t('reporting.filters.user')"
+                    :empty-option-label="$t('reporting.filters.allUsers')"
+                    group-class="!w-44"
+                    text-field="text-sm"
+                    text-value="text-sm"
+                />
+            </div>
+        </div>
+
+        <!-- Loading -->
+        <div v-if="isLoading" class="mt-12 flex items-center justify-center">
+            <p class="text-neutral-400">{{ $t('common.loading') }}</p>
+        </div>
+
+        <template v-else>
+            <!-- Section 1 : Time per project -->
+            <section class="mt-8 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.timePerProject') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="timePerProject.length === 0"
+                        @click="exportTimePerProject"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="projectColumns"
+                        :items="timePerProject"
+                        :empty-message="$t('reporting.empty')"
+                    >
+                        <template #cell-hours="{ item }">
+                            {{ formatHours((item as TimePerProject).hours) }}
+                        </template>
+                    </DataTable>
+                    <ReportingDoughnut
+                        :labels="timePerProject.map(r => r.projectName)"
+                        :values="timePerProject.map(r => round(r.hours))"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 2 : Time per user -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.timePerUser') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="timePerUser.length === 0"
+                        @click="exportTimePerUser"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="userColumns"
+                        :items="timePerUser"
+                        :empty-message="$t('reporting.empty')"
+                    >
+                        <template #cell-hours="{ item }">
+                            {{ formatHours((item as TimePerUser).hours) }}
+                        </template>
+                    </DataTable>
+                    <ReportingBarChart
+                        :labels="timePerUser.map(r => r.fullName || r.username)"
+                        :values="timePerUser.map(r => round(r.hours))"
+                        color="#10b981"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 3 : Tasks by status -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.tasksByStatus') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="tasksByStatus.length === 0"
+                        @click="exportTasksByStatus"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="statusColumns"
+                        :items="tasksByStatus"
+                        :empty-message="$t('reporting.empty')"
+                    />
+                    <ReportingDoughnut
+                        :labels="tasksByStatus.map(r => r.statusLabel)"
+                        :values="tasksByStatus.map(r => r.count)"
+                    />
+                </div>
+            </section>
+
+            <!-- Section 4 : Absences by type -->
+            <section class="mt-6 rounded-xl border border-neutral-100 bg-neutral-50 p-5">
+                <div class="flex items-center justify-between">
+                    <h2 class="text-sm font-semibold text-neutral-700">
+                        {{ $t('reporting.sections.absencesByType') }}
+                    </h2>
+                    <MalioButton
+                        icon-name="mdi:download"
+                        icon-position="left"
+                        button-class="w-auto px-3 py-1.5 text-sm"
+                        :label="$t('reporting.export')"
+                        :disabled="absencesByType.length === 0"
+                        @click="exportAbsencesByType"
+                    />
+                </div>
+                <div class="mt-4 grid gap-6 lg:grid-cols-2">
+                    <DataTable
+                        :columns="absenceColumns"
+                        :items="absenceRows"
+                        :empty-message="$t('reporting.empty')"
+                    />
+                    <ReportingBarChart
+                        :labels="absencesByType.map(r => absenceTypeLabel(r.type))"
+                        :values="absencesByType.map(r => r.totalDays)"
+                        color="#f59e0b"
+                    />
+                </div>
+            </section>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+import type {
+    AbsencesByType,
+    ReportFilters,
+    TasksByStatus,
+    TimePerProject,
+    TimePerUser,
+} from '~/modules/reporting/services/dto/reporting'
+import { useReportingService } from '~/modules/reporting/services/reporting'
+import {
+    useReportingFilters,
+    type ReportPeriodKey,
+} from '~/modules/reporting/composables/useReportingFilters'
+import { useCsvExport } from '~/modules/reporting/composables/useCsvExport'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { UserData } from '~/services/dto/user-data'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useUserService } from '~/services/users'
+
+definePageMeta({ middleware: ['admin'] })
+
+const { t } = useI18n()
+useHead({ title: t('reporting.title') })
+
+const reportingService = useReportingService()
+const projectService = useProjectService()
+const userService = useUserService()
+const { rangeForPreset, thisMonth } = useReportingFilters()
+const { downloadCsv } = useCsvExport()
+
+// --- Filters state ---
+const selectedPeriod = ref<ReportPeriodKey>('thisMonth')
+const initialRange = thisMonth()
+const customFrom = ref<string | null>(initialRange.from)
+const customTo = ref<string | null>(initialRange.to)
+const selectedProjectId = ref<number | null>(null)
+const selectedUserId = ref<number | null>(null)
+
+const periodOptions = computed(() => [
+    { label: t('reporting.periods.thisMonth'), value: 'thisMonth' },
+    { label: t('reporting.periods.lastMonth'), value: 'lastMonth' },
+    { label: t('reporting.periods.custom'), value: 'custom' },
+])
+
+const projects = ref<Project[]>([])
+const users = ref<UserData[]>([])
+
+const projectOptions = computed(() =>
+    projects.value.map(p => ({ label: p.name, value: p.id })),
+)
+const userOptions = computed(() =>
+    users.value.map(u => ({
+        label: [u.firstName, u.lastName].filter(Boolean).join(' ') || u.username,
+        value: u.id,
+    })),
+)
+
+// --- Effective range (preset → concrete dates) ---
+const activeFilters = computed<ReportFilters>(() => ({
+    from: customFrom.value ?? initialRange.from,
+    to: customTo.value ?? initialRange.to,
+    projectId: selectedProjectId.value,
+    userId: selectedUserId.value,
+}))
+
+// When a non-custom preset is picked, sync the date pickers.
+watch(selectedPeriod, (key) => {
+    if (key !== 'custom') {
+        const range = rangeForPreset(key, {
+            from: customFrom.value ?? initialRange.from,
+            to: customTo.value ?? initialRange.to,
+        })
+        customFrom.value = range.from
+        customTo.value = range.to
+    }
+})
+
+// --- Report data ---
+const timePerProject = ref<TimePerProject[]>([])
+const timePerUser = ref<TimePerUser[]>([])
+const tasksByStatus = ref<TasksByStatus[]>([])
+const absencesByType = ref<AbsencesByType[]>([])
+const isLoading = ref(true)
+
+const absenceRows = computed(() =>
+    absencesByType.value.map(r => ({ ...r, typeLabel: absenceTypeLabel(r.type) })),
+)
+
+// --- Columns ---
+const projectColumns: DataTableColumn[] = [
+    { key: 'projectName', label: t('reporting.columns.project'), primary: true },
+    { key: 'hours', label: t('reporting.columns.hours') },
+    { key: 'entryCount', label: t('reporting.columns.entries') },
+]
+const userColumns: DataTableColumn[] = [
+    { key: 'fullName', label: t('reporting.columns.user'), primary: true },
+    { key: 'hours', label: t('reporting.columns.hours') },
+    { key: 'entryCount', label: t('reporting.columns.entries') },
+]
+const statusColumns: DataTableColumn[] = [
+    { key: 'statusLabel', label: t('reporting.columns.status'), primary: true },
+    { key: 'count', label: t('reporting.columns.count') },
+]
+const absenceColumns: DataTableColumn[] = [
+    { key: 'typeLabel', label: t('reporting.columns.type'), primary: true },
+    { key: 'count', label: t('reporting.columns.count') },
+    { key: 'totalDays', label: t('reporting.columns.days') },
+]
+
+// --- Helpers ---
+function round(value: number): number {
+    return Math.round(value * 100) / 100
+}
+
+function formatHours(h: number): string {
+    const hours = Math.floor(h)
+    const mins = Math.round((h - hours) * 60)
+    return mins > 0 ? `${hours}h${String(mins).padStart(2, '0')}` : `${hours}h`
+}
+
+function absenceTypeLabel(type: string): string {
+    const key = `reporting.absenceTypes.${type}`
+    const label = t(key)
+    return label === key ? type : label
+}
+
+// --- Loading ---
+async function loadReferenceData() {
+    const [proj, usr] = await Promise.all([
+        projectService.getAll(),
+        userService.getAll(),
+    ])
+    projects.value = proj
+    users.value = usr
+}
+
+async function loadReports() {
+    isLoading.value = true
+    try {
+        const filters = activeFilters.value
+        const [tpp, tpu, tbs, abt] = await Promise.all([
+            reportingService.timePerProject(filters),
+            reportingService.timePerUser(filters),
+            reportingService.tasksByStatus(filters),
+            reportingService.absencesByType(filters),
+        ])
+        timePerProject.value = tpp
+        timePerUser.value = tpu
+        tasksByStatus.value = tbs
+        absencesByType.value = abt
+    } finally {
+        isLoading.value = false
+    }
+}
+
+// Reload reports whenever the effective filters change.
+watch(activeFilters, () => {
+    loadReports()
+}, { deep: true })
+
+onMounted(async () => {
+    await loadReferenceData()
+    await loadReports()
+})
+
+// --- CSV export ---
+function exportTimePerProject() {
+    downloadCsv('rapport-temps-par-projet', timePerProject.value, [
+        { header: t('reporting.columns.project'), value: r => r.projectName },
+        { header: t('reporting.columns.code'), value: r => r.projectCode },
+        { header: t('reporting.columns.hours'), value: r => round(r.hours) },
+        { header: t('reporting.columns.entries'), value: r => r.entryCount },
+    ])
+}
+
+function exportTimePerUser() {
+    downloadCsv('rapport-temps-par-utilisateur', timePerUser.value, [
+        { header: t('reporting.columns.user'), value: r => r.fullName || r.username },
+        { header: t('reporting.columns.hours'), value: r => round(r.hours) },
+        { header: t('reporting.columns.entries'), value: r => r.entryCount },
+    ])
+}
+
+function exportTasksByStatus() {
+    downloadCsv('rapport-taches-par-statut', tasksByStatus.value, [
+        { header: t('reporting.columns.status'), value: r => r.statusLabel },
+        { header: t('reporting.columns.count'), value: r => r.count },
+    ])
+}
+
+function exportAbsencesByType() {
+    downloadCsv('rapport-absences-par-type', absencesByType.value, [
+        { header: t('reporting.columns.type'), value: r => absenceTypeLabel(r.type) },
+        { header: t('reporting.columns.count'), value: r => r.count },
+        { header: t('reporting.columns.days'), value: r => r.totalDays },
+    ])
+}
+</script>
diff --git a/frontend/modules/reporting/services/dto/reporting.ts b/frontend/modules/reporting/services/dto/reporting.ts
new file mode 100644
index 0000000..4494fd7
--- /dev/null
+++ b/frontend/modules/reporting/services/dto/reporting.ts
@@ -0,0 +1,34 @@
+export type TimePerProject = {
+    projectId: number
+    projectCode: string
+    projectName: string
+    hours: number
+    entryCount: number
+}
+
+export type TimePerUser = {
+    userId: number
+    username: string
+    fullName: string
+    hours: number
+    entryCount: number
+}
+
+export type TasksByStatus = {
+    statusId: number
+    statusLabel: string
+    count: number
+}
+
+export type AbsencesByType = {
+    type: string
+    count: number
+    totalDays: number
+}
+
+export type ReportFilters = {
+    from: string
+    to: string
+    userId?: number | null
+    projectId?: number | null
+}
diff --git a/frontend/modules/reporting/services/reporting.ts b/frontend/modules/reporting/services/reporting.ts
new file mode 100644
index 0000000..95aff37
--- /dev/null
+++ b/frontend/modules/reporting/services/reporting.ts
@@ -0,0 +1,51 @@
+import type {
+    AbsencesByType,
+    ReportFilters,
+    TasksByStatus,
+    TimePerProject,
+    TimePerUser,
+} from './dto/reporting'
+import type { AnyObject } from '~/shared/composables/useApi'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+function buildQuery(filters: Partial<ReportFilters>, keys: (keyof ReportFilters)[]): AnyObject {
+    const query: AnyObject = {}
+    for (const key of keys) {
+        const value = filters[key]
+        if (value !== undefined && value !== null && value !== '') {
+            query[key] = value
+        }
+    }
+    return query
+}
+
+export function useReportingService() {
+    const api = useApi()
+
+    async function timePerProject(filters: ReportFilters): Promise<TimePerProject[]> {
+        const query = buildQuery(filters, ['from', 'to', 'userId', 'projectId'])
+        const data = await api.get<HydraCollection<TimePerProject>>('/reports/time-per-project', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function timePerUser(filters: ReportFilters): Promise<TimePerUser[]> {
+        const query = buildQuery(filters, ['from', 'to', 'projectId'])
+        const data = await api.get<HydraCollection<TimePerUser>>('/reports/time-per-user', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function tasksByStatus(filters: ReportFilters): Promise<TasksByStatus[]> {
+        const query = buildQuery(filters, ['projectId'])
+        const data = await api.get<HydraCollection<TasksByStatus>>('/reports/tasks-by-status', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    async function absencesByType(filters: ReportFilters): Promise<AbsencesByType[]> {
+        const query = buildQuery(filters, ['from', 'to', 'userId'])
+        const data = await api.get<HydraCollection<AbsencesByType>>('/reports/absences-by-type', query, { toast: false })
+        return extractHydraMembers(data)
+    }
+
+    return { timePerProject, timePerUser, tasksByStatus, absencesByType }
+}
-- 
2.39.5


From 808a29084595873355ee254e5c5c767b9c8a488e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 00:46:26 +0200
Subject: [PATCH 62/99] =?UTF-8?q?feat(client-portal)=20:=20phase=201=20fou?=
 =?UTF-8?q?ndations=20=E2=80=94=20ROLE=5FCLIENT=20hardening=20+=20ClientTi?=
 =?UTF-8?q?cket=20(back)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-69 (3.2) phase 1. New ClientPortal module + security foundations for the
client portal (spec docs/superpowers/specs/2026-03-15-client-portal-design.md).

- Security: User::getRoles() no longer adds ROLE_USER to ROLE_CLIENT users;
  role_hierarchy ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]. Existing Task/Project/
  Client/TimeEntry/metadata endpoints already required ROLE_USER -> a pure
  ROLE_CLIENT is walled off (verified: 403).
- User (Core): client (ManyToOne ClientInterface, SET NULL) + allowedProjects
  (ManyToMany ProjectInterface). UserInterface extended (getClient/
  getAllowedProjects).
- New ClientTicket entity (module ClientPortal) + enums + repository + API with
  per-client isolation (ClientTicketProvider: own tickets ∩ allowedProjects),
  per-project numbering under advisory lock (rejects if user.client null),
  status transition rules. ClientTicketInterface contract for Task/TaskDocument.
- TaskDocument generalized: task nullable + clientTicket (CASCADE) + CHECK;
  per-role access. Task.clientTicket exposed in task:read.
- Additive migration; demo client fixtures.
- Tenancy tests assert the isolation invariant (a client never sees another
  client's tickets) rather than brittle absolute counts (shared test DB).

178 tests green, mapping valid, cs-fixer clean.
---
 config/modules.php                            |   2 +
 config/packages/doctrine.yaml                 |   6 +
 config/packages/security.yaml                 |   2 +-
 config/services.yaml                          |   2 +
 migrations/Version20260621120000.php          | 115 +++++++++
 src/DataFixtures/AppFixtures.php              |  50 ++++
 .../ClientPortal/ClientPortalModule.php       |  41 +++
 .../Domain/Entity/ClientTicket.php            | 244 ++++++++++++++++++
 .../Domain/Enum/ClientTicketStatus.php        |  37 +++
 .../Domain/Enum/ClientTicketType.php          |  21 ++
 .../ClientTicketRepositoryInterface.php       |  19 ++
 .../State/ClientTicketNumberProcessor.php     |  97 +++++++
 .../State/ClientTicketProvider.php            | 124 +++++++++
 .../State/ClientTicketStatusProcessor.php     |  58 +++++
 .../DoctrineClientTicketRepository.php        |  46 ++++
 src/Module/Core/Domain/Entity/User.php        |  70 ++++-
 .../ProjectManagement/Domain/Entity/Task.php  |  23 ++
 .../Domain/Entity/TaskDocument.php            |  31 ++-
 .../State/TaskDocumentProcessor.php           | 103 ++++++--
 .../State/TaskDocumentProvider.php            |  45 +++-
 .../Domain/Contract/ClientTicketInterface.php |  24 ++
 src/Shared/Domain/Contract/UserInterface.php  |  14 +
 .../ClientPortal/ClientTicketApiTest.php      | 183 +++++++++++++
 .../TimestampableBlamableSubscriberTest.php   |  13 +
 24 files changed, 1337 insertions(+), 33 deletions(-)
 create mode 100644 migrations/Version20260621120000.php
 create mode 100644 src/Module/ClientPortal/ClientPortalModule.php
 create mode 100644 src/Module/ClientPortal/Domain/Entity/ClientTicket.php
 create mode 100644 src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
 create mode 100644 src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
 create mode 100644 src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
 create mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
 create mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
 create mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
 create mode 100644 src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
 create mode 100644 src/Shared/Domain/Contract/ClientTicketInterface.php
 create mode 100644 tests/Functional/Module/ClientPortal/ClientTicketApiTest.php

diff --git a/config/modules.php b/config/modules.php
index b0b6e90..ffef4f3 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -8,6 +8,7 @@ declare(strict_types=1);
  */
 
 use App\Module\Absence\AbsenceModule;
+use App\Module\ClientPortal\ClientPortalModule;
 use App\Module\Core\CoreModule;
 use App\Module\Directory\DirectoryModule;
 use App\Module\Integration\IntegrationModule;
@@ -25,4 +26,5 @@ return [
     MailModule::class,
     IntegrationModule::class,
     ReportingModule::class,
+    ClientPortalModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 51df119..26b6458 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -26,6 +26,7 @@ doctrine:
             App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
             App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
             App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
+            App\Shared\Domain\Contract\ClientTicketInterface: App\Module\ClientPortal\Domain\Entity\ClientTicket
         mappings:
             App:
                 type: attribute
@@ -68,6 +69,11 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
                 prefix: 'App\Module\Integration\Domain\Entity'
+            ClientPortal:
+                type: attribute
+                is_bundle: false
+                dir: '%kernel.project_dir%/src/Module/ClientPortal/Domain/Entity'
+                prefix: 'App\Module\ClientPortal\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 24cb6de..18306fb 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -1,6 +1,6 @@
 security:
     role_hierarchy:
-        ROLE_ADMIN: [ROLE_USER]
+        ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]
 
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
diff --git a/config/services.yaml b/config/services.yaml
index 773dc08..d5b6c72 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -111,6 +111,8 @@ services:
 
     App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
 
+    App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface: '@App\Module\ClientPortal\Infrastructure\Doctrine\DoctrineClientTicketRepository'
+
     App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
 
     App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'
diff --git a/migrations/Version20260621120000.php b/migrations/Version20260621120000.php
new file mode 100644
index 0000000..e203b84
--- /dev/null
+++ b/migrations/Version20260621120000.php
@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Client portal — phase 1 foundations (additive).
+ *
+ * - Creates the client_ticket table (per-project numbering, FK project/submittedBy,
+ *   Timestampable/Blamable columns, unique (project_id, number), filter indexes).
+ * - Adds user.client_id (FK client, SET NULL) and the user_allowed_projects join table.
+ * - Adds task.client_ticket_id (FK client_ticket, SET NULL).
+ * - Generalises task_document: task_id becomes nullable, adds client_ticket_id
+ *   (FK client_ticket, CASCADE) and a CHECK enforcing that a document is bound
+ *   to either a task or a client ticket.
+ *
+ * Lowercase SQL columns; "user" table is quoted. FK/index names mirror Doctrine's
+ * generated identifiers so doctrine:schema:validate stays clean. down() reverses.
+ */
+final class Version20260621120000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Client portal phase 1: client_ticket table, user.client_id, user_allowed_projects, task/task_document client ticket links (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // --- client_ticket ---
+        $this->addSql('CREATE TABLE client_ticket (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, number INT NOT NULL, type VARCHAR(16) NOT NULL, title VARCHAR(255) NOT NULL, description TEXT NOT NULL, url VARCHAR(1024) DEFAULT NULL, status VARCHAR(16) NOT NULL, status_comment TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, project_id INT NOT NULL, submitted_by_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX uniq_client_ticket_project_number ON client_ticket (project_id, number)');
+        $this->addSql('CREATE INDEX idx_client_ticket_project ON client_ticket (project_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_submitted_by ON client_ticket (submitted_by_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_status_project ON client_ticket (status, project_id)');
+        $this->addSql('CREATE INDEX IDX_C206E610DE12AB56 ON client_ticket (created_by)');
+        $this->addSql('CREATE INDEX IDX_C206E61016FE72E1 ON client_ticket (updated_by)');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61079F7D87D FOREIGN KEY (submitted_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql("COMMENT ON COLUMN client_ticket.number IS 'Numero incremental unique par projet (affiche CT-XXX).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.type IS 'Type de ticket : bug, improvement, other.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.status IS 'Statut : new, in_progress, done, rejected.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.status_comment IS 'Commentaire du manager lors d''un changement de statut (obligatoire si rejected).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.url IS 'URL de la page concernee, affichee uniquement pour les bugs.'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.submitted_by_id IS 'Utilisateur-client ayant soumis le ticket (FK user, SET NULL pour conserver l''historique).'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.created_at IS 'Creation timestamp (Timestampable, set on prePersist)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.updated_at IS 'Last update timestamp (Timestampable, set on prePersist/preUpdate)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.created_by IS 'User who created the entry (Blamable, FK user.id, SET NULL on delete)'");
+        $this->addSql("COMMENT ON COLUMN client_ticket.updated_by IS 'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)'");
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" ADD client_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE "user" ADD CONSTRAINT FK_8D93D64919EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_8D93D64919EB6921 ON "user" (client_id)');
+        $this->addSql('COMMENT ON COLUMN "user".client_id IS \'Client auquel appartient l\'\'utilisateur (FK client, SET NULL). null = utilisateur interne.\'');
+
+        // --- user_allowed_projects (ManyToMany) ---
+        $this->addSql('CREATE TABLE user_allowed_projects (user_id INT NOT NULL, project_id INT NOT NULL, PRIMARY KEY (user_id, project_id))');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97A76ED395 ON user_allowed_projects (user_id)');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97166D1F9C ON user_allowed_projects (project_id)');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB259B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB259B2097DD ON task (client_ticket_id)');
+        $this->addSql("COMMENT ON COLUMN task.client_ticket_id IS 'Lien manuel optionnel vers un ticket client (FK client_ticket, SET NULL).'");
+
+        // --- task_document generalisation ---
+        $this->addSql('ALTER TABLE task_document ALTER task_id DROP NOT NULL');
+        $this->addSql('ALTER TABLE task_document ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT FK_98A9603A9B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_98A9603A9B2097DD ON task_document (client_ticket_id)');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT chk_task_document_target CHECK (task_id IS NOT NULL OR client_ticket_id IS NOT NULL)');
+        $this->addSql("COMMENT ON COLUMN task_document.client_ticket_id IS 'Ticket client auquel le document est rattache (FK client_ticket, CASCADE). Alternative a task_id.'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // task_document
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT chk_task_document_target');
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT FK_98A9603A9B2097DD');
+        $this->addSql('DROP INDEX IDX_98A9603A9B2097DD');
+        $this->addSql('ALTER TABLE task_document DROP client_ticket_id');
+        $this->addSql('ALTER TABLE task_document ALTER task_id SET NOT NULL');
+
+        // task
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB259B2097DD');
+        $this->addSql('DROP INDEX IDX_527EDB259B2097DD');
+        $this->addSql('ALTER TABLE task DROP client_ticket_id');
+
+        // user_allowed_projects
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97A76ED395');
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97166D1F9C');
+        $this->addSql('DROP TABLE user_allowed_projects');
+
+        // user.client_id
+        $this->addSql('ALTER TABLE "user" DROP CONSTRAINT FK_8D93D64919EB6921');
+        $this->addSql('DROP INDEX IDX_8D93D64919EB6921');
+        $this->addSql('ALTER TABLE "user" DROP client_id');
+
+        // client_ticket
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610166D1F9C');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61079F7D87D');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610DE12AB56');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61016FE72E1');
+        $this->addSql('DROP TABLE client_ticket');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index d10ba67..fc6d9e3 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -10,6 +10,9 @@ use App\Module\Absence\Domain\Entity\AbsencePolicy;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Enum\AbsenceType;
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
@@ -215,6 +218,53 @@ class AppFixtures extends Fixture
         $projectInterne->setWorkflow($standardWorkflow);
         $manager->persist($projectInterne);
 
+        // Client portal users (ROLE_CLIENT) — linked to a client + allowed projects.
+        $clientUserLiot = new User();
+        $clientUserLiot->setUsername('client-liot');
+        $clientUserLiot->setFirstName('Camille');
+        $clientUserLiot->setLastName('LIOT');
+        $clientUserLiot->setRoles(['ROLE_CLIENT']);
+        $clientUserLiot->setPassword($this->passwordHasher->hashPassword($clientUserLiot, 'client-liot'));
+        $clientUserLiot->setClient($clientLiot);
+        $clientUserLiot->addAllowedProject($projectSirh);
+        $manager->persist($clientUserLiot);
+
+        $clientUserAcme = new User();
+        $clientUserAcme->setUsername('client-acme');
+        $clientUserAcme->setFirstName('Sophie');
+        $clientUserAcme->setLastName('ACME');
+        $clientUserAcme->setRoles(['ROLE_CLIENT']);
+        $clientUserAcme->setPassword($this->passwordHasher->hashPassword($clientUserAcme, 'client-acme'));
+        $clientUserAcme->setClient($clientAcme);
+        $clientUserAcme->addAllowedProject($projectCrm);
+        $manager->persist($clientUserAcme);
+
+        // Demo client tickets.
+        $ticketLiot = new ClientTicket();
+        $ticketLiot->setNumber(1);
+        $ticketLiot->setType(ClientTicketType::Bug);
+        $ticketLiot->setTitle('Erreur lors de l\'export des congés');
+        $ticketLiot->setDescription('L\'export PDF des congés échoue avec une erreur 500.');
+        $ticketLiot->setUrl('https://app.example.com/sirh/conges');
+        $ticketLiot->setStatus(ClientTicketStatus::New);
+        $ticketLiot->setProject($projectSirh);
+        $ticketLiot->setSubmittedBy($clientUserLiot);
+        $ticketLiot->setCreatedAt(new DateTimeImmutable());
+        $ticketLiot->setUpdatedAt(new DateTimeImmutable());
+        $manager->persist($ticketLiot);
+
+        $ticketAcme = new ClientTicket();
+        $ticketAcme->setNumber(1);
+        $ticketAcme->setType(ClientTicketType::Improvement);
+        $ticketAcme->setTitle('Ajouter un filtre par commercial');
+        $ticketAcme->setDescription('Pouvoir filtrer la liste des opportunités par commercial assigné.');
+        $ticketAcme->setStatus(ClientTicketStatus::InProgress);
+        $ticketAcme->setProject($projectCrm);
+        $ticketAcme->setSubmittedBy($clientUserAcme);
+        $ticketAcme->setCreatedAt(new DateTimeImmutable());
+        $ticketAcme->setUpdatedAt(new DateTimeImmutable());
+        $manager->persist($ticketAcme);
+
         // Task Efforts
         $effortS = new TaskEffort();
         $effortS->setLabel('S');
diff --git a/src/Module/ClientPortal/ClientPortalModule.php b/src/Module/ClientPortal/ClientPortalModule.php
new file mode 100644
index 0000000..86fa6ff
--- /dev/null
+++ b/src/Module/ClientPortal/ClientPortalModule.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal;
+
+use App\Shared\Domain\Module\ModuleInterface;
+
+final class ClientPortalModule implements ModuleInterface
+{
+    public static function id(): string
+    {
+        return 'client-portal';
+    }
+
+    public static function label(): string
+    {
+        return 'Portail client';
+    }
+
+    public static function isRequired(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Permissions RBAC fin du Module ClientPortal.
+     *
+     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
+     * reste pilotée par ROLE_CLIENT/ROLE_ADMIN sur les opérations.
+     *
+     * @return list<array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'client-portal.tickets.view', 'label' => 'Voir les tickets client'],
+            ['code' => 'client-portal.tickets.manage', 'label' => 'Gérer les tickets client'],
+        ];
+    }
+}
diff --git a/src/Module/ClientPortal/Domain/Entity/ClientTicket.php b/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
new file mode 100644
index 0000000..78ae3c6
--- /dev/null
+++ b/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
@@ -0,0 +1,244 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
+use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketNumberProcessor;
+use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketProvider;
+use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketStatusProcessor;
+use App\Module\ClientPortal\Infrastructure\Doctrine\DoctrineClientTicketRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientTicketInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+use Symfony\Component\Validator\Constraints as Assert;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(
+            security: "is_granted('ROLE_CLIENT') or is_granted('ROLE_ADMIN')",
+            provider: ClientTicketProvider::class,
+        ),
+        new Get(
+            security: "is_granted('ROLE_CLIENT') or is_granted('ROLE_ADMIN')",
+            provider: ClientTicketProvider::class,
+        ),
+        new Post(
+            security: "is_granted('ROLE_CLIENT')",
+            processor: ClientTicketNumberProcessor::class,
+        ),
+        new Patch(
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ClientTicketStatusProcessor::class,
+        ),
+        new Delete(
+            security: "is_granted('ROLE_ADMIN')",
+        ),
+    ],
+    normalizationContext: ['groups' => ['client_ticket:read']],
+    denormalizationContext: ['groups' => ['client_ticket:write']],
+    order: ['createdAt' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['project' => 'exact', 'status' => 'exact', 'submittedBy' => 'exact'])]
+#[Auditable]
+#[ORM\Entity(repositoryClass: DoctrineClientTicketRepository::class)]
+#[ORM\Table(name: 'client_ticket')]
+#[ORM\UniqueConstraint(name: 'uniq_client_ticket_project_number', columns: ['project_id', 'number'])]
+#[ORM\Index(name: 'idx_client_ticket_project', columns: ['project_id'])]
+#[ORM\Index(name: 'idx_client_ticket_submitted_by', columns: ['submitted_by_id'])]
+#[ORM\Index(name: 'idx_client_ticket_status_project', columns: ['status', 'project_id'])]
+class ClientTicket implements ClientTicketInterface, TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['client_ticket:read', 'task:read'])]
+    private ?int $id = null;
+
+    /** Incremental number, unique per project (formatted CT-XXX in the UI). */
+    #[ORM\Column(type: 'integer')]
+    #[Groups(['client_ticket:read', 'task:read'])]
+    private ?int $number = null;
+
+    #[ORM\Column(type: 'string', length: 16, enumType: ClientTicketType::class)]
+    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
+    #[Assert\NotNull]
+    private ?ClientTicketType $type = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
+    #[Assert\NotBlank]
+    private ?string $title = null;
+
+    #[ORM\Column(type: 'text')]
+    #[Groups(['client_ticket:read', 'client_ticket:write'])]
+    #[Assert\NotBlank]
+    private ?string $description = null;
+
+    /** Displayed only when type = bug (page concerned by the bug). */
+    #[ORM\Column(length: 1024, nullable: true)]
+    #[Groups(['client_ticket:read', 'client_ticket:write'])]
+    private ?string $url = null;
+
+    #[ORM\Column(type: 'string', length: 16, enumType: ClientTicketStatus::class)]
+    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
+    private ClientTicketStatus $status = ClientTicketStatus::New;
+
+    /** Manager comment set when the status changes (mandatory when rejecting). */
+    #[ORM\Column(type: 'text', nullable: true)]
+    #[Groups(['client_ticket:read', 'client_ticket:write'])]
+    private ?string $statusComment = null;
+
+    #[ORM\ManyToOne(targetEntity: ProjectInterface::class)]
+    #[ORM\JoinColumn(name: 'project_id', nullable: false, onDelete: 'CASCADE')]
+    #[Groups(['client_ticket:read', 'client_ticket:write'])]
+    #[Assert\NotNull]
+    private ?ProjectInterface $project = null;
+
+    /** Client user who submitted the ticket. ON DELETE SET NULL — keep history. */
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'submitted_by_id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['client_ticket:read'])]
+    private ?UserInterface $submittedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getNumber(): ?int
+    {
+        return $this->number;
+    }
+
+    public function setNumber(int $number): static
+    {
+        $this->number = $number;
+
+        return $this;
+    }
+
+    public function getTypeEnum(): ?ClientTicketType
+    {
+        return $this->type;
+    }
+
+    public function setType(?ClientTicketType $type): static
+    {
+        $this->type = $type;
+
+        return $this;
+    }
+
+    public function getType(): string
+    {
+        return $this->type?->value ?? '';
+    }
+
+    public function getTitle(): ?string
+    {
+        return $this->title;
+    }
+
+    public function setTitle(?string $title): static
+    {
+        $this->title = $title;
+
+        return $this;
+    }
+
+    public function getDescription(): ?string
+    {
+        return $this->description;
+    }
+
+    public function setDescription(?string $description): static
+    {
+        $this->description = $description;
+
+        return $this;
+    }
+
+    public function getUrl(): ?string
+    {
+        return $this->url;
+    }
+
+    public function setUrl(?string $url): static
+    {
+        $this->url = $url;
+
+        return $this;
+    }
+
+    public function getStatusEnum(): ClientTicketStatus
+    {
+        return $this->status;
+    }
+
+    public function setStatus(ClientTicketStatus $status): static
+    {
+        $this->status = $status;
+
+        return $this;
+    }
+
+    public function getStatus(): string
+    {
+        return $this->status->value;
+    }
+
+    public function getStatusComment(): ?string
+    {
+        return $this->statusComment;
+    }
+
+    public function setStatusComment(?string $statusComment): static
+    {
+        $this->statusComment = $statusComment;
+
+        return $this;
+    }
+
+    public function getProject(): ?ProjectInterface
+    {
+        return $this->project;
+    }
+
+    public function setProject(?ProjectInterface $project): static
+    {
+        $this->project = $project;
+
+        return $this;
+    }
+
+    public function getSubmittedBy(): ?UserInterface
+    {
+        return $this->submittedBy;
+    }
+
+    public function setSubmittedBy(?UserInterface $submittedBy): static
+    {
+        $this->submittedBy = $submittedBy;
+
+        return $this;
+    }
+}
diff --git a/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php b/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
new file mode 100644
index 0000000..4707168
--- /dev/null
+++ b/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Domain\Enum;
+
+enum ClientTicketStatus: string
+{
+    case New        = 'new';
+    case InProgress = 'in_progress';
+    case Done       = 'done';
+    case Rejected   = 'rejected';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::New        => 'Nouveau',
+            self::InProgress => 'En cours',
+            self::Done       => 'Terminé',
+            self::Rejected   => 'Rejeté',
+        };
+    }
+
+    /**
+     * Whether a transition from this status to $target is allowed.
+     *
+     * All transitions are allowed except `done` -> `new` and `rejected` -> `new`.
+     */
+    public function canTransitionTo(self $target): bool
+    {
+        if (self::New === $target && (self::Done === $this || self::Rejected === $this)) {
+            return false;
+        }
+
+        return true;
+    }
+}
diff --git a/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php b/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
new file mode 100644
index 0000000..463c0ba
--- /dev/null
+++ b/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Domain\Enum;
+
+enum ClientTicketType: string
+{
+    case Bug         = 'bug';
+    case Improvement = 'improvement';
+    case Other       = 'other';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::Bug         => 'Bug',
+            self::Improvement => 'Amélioration',
+            self::Other       => 'Autre',
+        };
+    }
+}
diff --git a/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php b/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
new file mode 100644
index 0000000..477eecd
--- /dev/null
+++ b/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Domain\Repository;
+
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+
+interface ClientTicketRepositoryInterface
+{
+    public function findById(int $id): ?ClientTicket;
+
+    /**
+     * Highest ticket number currently used on a given project, behind a
+     * PostgreSQL advisory transaction lock so concurrent inserts serialize.
+     * Returns 0 if the project has no ticket yet. Must run inside a transaction.
+     */
+    public function findMaxNumberByProjectForUpdate(int $projectId): int;
+}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
new file mode 100644
index 0000000..91ca856
--- /dev/null
+++ b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+
+/**
+ * Handles creation of a client ticket (POST).
+ *
+ * - Rejects users whose `client` is null (an admin inheriting ROLE_CLIENT via
+ *   the role hierarchy cannot create a ticket).
+ * - Enforces that the target project belongs to the user's allowed projects.
+ * - Sets submittedBy, status = new, timestamps.
+ * - Generates the per-project incremental number behind an advisory lock so the
+ *   unique constraint `(project_id, number)` is never violated by concurrency.
+ *
+ * @implements ProcessorInterface<ClientTicket, ClientTicket>
+ */
+final readonly class ClientTicketNumberProcessor implements ProcessorInterface
+{
+    /**
+     * @param ProcessorInterface<ClientTicket, ClientTicket> $persistProcessor
+     */
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
+        private ProcessorInterface $persistProcessor,
+        private ClientTicketRepositoryInterface $repository,
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
+    {
+        assert($data instanceof ClientTicket);
+
+        $user = $this->security->getUser();
+        assert($user instanceof UserInterface);
+
+        // An admin must not be able to create a ticket even though ROLE_ADMIN
+        // inherits ROLE_CLIENT in the role hierarchy.
+        if (null === $user->getClient()) {
+            throw new AccessDeniedHttpException('Only client users can submit tickets.');
+        }
+
+        $project = $data->getProject();
+        if (!$project instanceof ProjectInterface) {
+            throw new UnprocessableEntityHttpException('A project is required.');
+        }
+
+        if (!$this->userMayAccessProject($user, $project)) {
+            throw new AccessDeniedHttpException('You are not allowed to submit tickets on this project.');
+        }
+
+        $data->setSubmittedBy($user);
+        $data->setStatus(ClientTicketStatus::New);
+        $data->setStatusComment(null);
+
+        $now = new DateTimeImmutable();
+        $data->setCreatedAt($now);
+        $data->setUpdatedAt($now);
+
+        return $this->entityManager->wrapInTransaction(function () use ($data, $project, $operation, $uriVariables, $context): ClientTicket {
+            $maxNumber = $this->repository->findMaxNumberByProjectForUpdate((int) $project->getId());
+            $data->setNumber($maxNumber + 1);
+
+            $result = $this->persistProcessor->process($data, $operation, $uriVariables, $context);
+            assert($result instanceof ClientTicket);
+
+            return $result;
+        });
+    }
+
+    private function userMayAccessProject(UserInterface $user, ProjectInterface $project): bool
+    {
+        foreach ($user->getAllowedProjects() as $allowed) {
+            if ($allowed->getId() === $project->getId()) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
new file mode 100644
index 0000000..fb52021
--- /dev/null
+++ b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+
+/**
+ * Provider for ClientTicket read operations.
+ *
+ * - ROLE_ADMIN: no restriction.
+ * - ROLE_CLIENT: only tickets the user submitted, and only on projects the
+ *   user is allowed to access (allowedProjects).
+ *
+ * @implements ProviderInterface<ClientTicket>
+ */
+final readonly class ClientTicketProvider implements ProviderInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+    ) {}
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|ClientTicket|null
+    {
+        $user = $this->security->getUser();
+        assert($user instanceof UserInterface);
+
+        $isAdmin = $this->security->isGranted('ROLE_ADMIN');
+
+        $repo = $this->entityManager->getRepository(ClientTicket::class);
+
+        // Single item.
+        if (isset($uriVariables['id'])) {
+            $ticket = $repo->find($uriVariables['id']);
+            if (null === $ticket) {
+                return null;
+            }
+            if ($isAdmin) {
+                return $ticket;
+            }
+            if ($ticket->getSubmittedBy() !== $user) {
+                return null;
+            }
+            if (!$this->userMayAccessProject($user, $ticket->getProject())) {
+                return null;
+            }
+
+            return $ticket;
+        }
+
+        // Collection.
+        $qb = $repo->createQueryBuilder('t')
+            ->orderBy('t.createdAt', 'DESC')
+        ;
+
+        if (!$isAdmin) {
+            $qb->andWhere('t.submittedBy = :user')->setParameter('user', $user);
+
+            $allowedIds = $this->allowedProjectIds($user);
+            if ([] === $allowedIds) {
+                return [];
+            }
+            $qb->andWhere('IDENTITY(t.project) IN (:allowedProjects)')
+                ->setParameter('allowedProjects', $allowedIds)
+            ;
+        }
+
+        $filters = $context['filters'] ?? [];
+
+        if (isset($filters['project'])) {
+            $qb->andWhere('IDENTITY(t.project) = :project')
+                ->setParameter('project', self::extractId($filters['project']))
+            ;
+        }
+        if (isset($filters['status'])) {
+            $qb->andWhere('t.status = :status')->setParameter('status', $filters['status']);
+        }
+        if ($isAdmin && isset($filters['submittedBy'])) {
+            $qb->andWhere('t.submittedBy = :submittedBy')
+                ->setParameter('submittedBy', self::extractId($filters['submittedBy']))
+            ;
+        }
+
+        return $qb->getQuery()->getResult();
+    }
+
+    private function userMayAccessProject(UserInterface $user, ?ProjectInterface $project): bool
+    {
+        if (null === $project) {
+            return false;
+        }
+
+        return in_array($project->getId(), $this->allowedProjectIds($user), true);
+    }
+
+    /**
+     * @return list<int>
+     */
+    private function allowedProjectIds(UserInterface $user): array
+    {
+        $ids = [];
+        foreach ($user->getAllowedProjects() as $project) {
+            $id = $project->getId();
+            if (null !== $id) {
+                $ids[] = $id;
+            }
+        }
+
+        return $ids;
+    }
+
+    private static function extractId(string $value): int
+    {
+        return is_numeric($value) ? (int) $value : (int) basename($value);
+    }
+}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
new file mode 100644
index 0000000..508ffed
--- /dev/null
+++ b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+
+/**
+ * Handles status changes on a client ticket (PATCH, ROLE_ADMIN only).
+ *
+ * - Rejects the forbidden transitions `done` -> `new` and `rejected` -> `new`.
+ * - Requires a statusComment when moving to the `rejected` status.
+ * - Refreshes updatedAt.
+ *
+ * @implements ProcessorInterface<ClientTicket, ClientTicket>
+ */
+final readonly class ClientTicketStatusProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
+    {
+        assert($data instanceof ClientTicket);
+
+        $newStatus = $data->getStatusEnum();
+
+        $previous  = $context['previous_data'] ?? null;
+        $oldStatus = $previous instanceof ClientTicket ? $previous->getStatusEnum() : null;
+
+        if (null !== $oldStatus && !$oldStatus->canTransitionTo($newStatus)) {
+            throw new UnprocessableEntityHttpException(sprintf(
+                'Transition from "%s" to "%s" is not allowed.',
+                $oldStatus->value,
+                $newStatus->value,
+            ));
+        }
+
+        if (ClientTicketStatus::Rejected === $newStatus && '' === trim((string) $data->getStatusComment())) {
+            throw new UnprocessableEntityHttpException('A status comment is required to reject a ticket.');
+        }
+
+        $data->setUpdatedAt(new DateTimeImmutable());
+
+        $this->entityManager->persist($data);
+        $this->entityManager->flush();
+
+        return $data;
+    }
+}
diff --git a/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php b/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
new file mode 100644
index 0000000..14e4ba4
--- /dev/null
+++ b/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\ClientPortal\Infrastructure\Doctrine;
+
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<ClientTicket>
+ */
+final class DoctrineClientTicketRepository extends ServiceEntityRepository implements ClientTicketRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ClientTicket::class);
+    }
+
+    public function findById(int $id): ?ClientTicket
+    {
+        return $this->find($id);
+    }
+
+    public function findMaxNumberByProjectForUpdate(int $projectId): int
+    {
+        $conn = $this->getEntityManager()->getConnection();
+
+        // Use a PostgreSQL advisory lock (project ID as lock key) instead of
+        // FOR UPDATE because FOR UPDATE is not allowed with aggregate functions
+        // in PostgreSQL. The lock is held until the surrounding transaction ends.
+        $conn->executeStatement(
+            'SELECT pg_advisory_xact_lock(:project)',
+            ['project' => $projectId],
+        );
+
+        $result = $conn->fetchOne(
+            'SELECT COALESCE(MAX(number), 0) FROM client_ticket WHERE project_id = :project',
+            ['project' => $projectId],
+        );
+
+        return (int) $result;
+    }
+}
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 6c35a12..185901f 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -18,7 +18,9 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Attribute\Auditable;
 use App\Shared\Domain\Attribute\AuditIgnore;
+use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\LeaveProfileInterface;
+use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -173,11 +175,34 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     #[Groups(['user:rbac:read', 'user:rbac:write'])]
     private Collection $directPermissions;
 
+    // --- Client portal fields ---
+
+    /** Client this user belongs to. null = internal user, set = client user. */
+    #[ORM\ManyToOne(targetEntity: ClientInterface::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['me:read', 'user:read', 'user:write'])]
+    private ?ClientInterface $client = null;
+
+    /**
+     * Projects a client user is allowed to access (a subset of the client's projects).
+     *
+     * @var Collection<int, ProjectInterface>
+     */
+    #[ORM\ManyToMany(targetEntity: ProjectInterface::class)]
+    #[ORM\JoinTable(
+        name: 'user_allowed_projects',
+        joinColumns: [new ORM\JoinColumn(name: 'user_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
+        inverseJoinColumns: [new ORM\JoinColumn(name: 'project_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
+    )]
+    #[Groups(['me:read', 'user:read', 'user:write'])]
+    private Collection $allowedProjects;
+
     public function __construct()
     {
         $this->createdAt         = new DateTimeImmutable();
         $this->rbacRoles         = new ArrayCollection();
         $this->directPermissions = new ArrayCollection();
+        $this->allowedProjects   = new ArrayCollection();
     }
 
     public function getId(): ?int
@@ -229,8 +254,13 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     /** @return list<string> */
     public function getRoles(): array
     {
-        $roles   = $this->roles;
-        $roles[] = 'ROLE_USER';
+        $roles = $this->roles;
+
+        // A client user must NOT inherit ROLE_USER (which would grant access to
+        // the internal application). Only non-client users get ROLE_USER.
+        if (!in_array('ROLE_CLIENT', $roles, true)) {
+            $roles[] = 'ROLE_USER';
+        }
 
         return array_values(array_unique($roles));
     }
@@ -454,6 +484,42 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
         $this->directPermissions->removeElement($permission);
     }
 
+    public function getClient(): ?ClientInterface
+    {
+        return $this->client;
+    }
+
+    public function setClient(?ClientInterface $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    /**
+     * @return Collection<int, ProjectInterface>
+     */
+    public function getAllowedProjects(): Collection
+    {
+        return $this->allowedProjects;
+    }
+
+    public function addAllowedProject(ProjectInterface $project): static
+    {
+        if (!$this->allowedProjects->contains($project)) {
+            $this->allowedProjects->add($project);
+        }
+
+        return $this;
+    }
+
+    public function removeAllowedProject(ProjectInterface $project): static
+    {
+        $this->allowedProjects->removeElement($project);
+
+        return $this;
+    }
+
     /**
      * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
      *
diff --git a/src/Module/ProjectManagement/Domain/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
index 2795a95..3d9daf8 100644
--- a/src/Module/ProjectManagement/Domain/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -19,6 +19,7 @@ use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarPr
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
 use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
 use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
@@ -162,6 +163,16 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
     #[Groups(['task:read', 'task:write'])]
     private ?TaskRecurrence $recurrence = null;
 
+    /**
+     * Optional manual link to a client ticket. Exposed (number/type/status/title)
+     * in task:read so the kanban can show the linked-ticket icon without giving
+     * ROLE_USER access to the /api/client_tickets collection.
+     */
+    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
+    #[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['task:read', 'task:write'])]
+    private ?ClientTicketInterface $clientTicket = null;
+
     public function __construct()
     {
         $this->tags          = new ArrayCollection();
@@ -440,6 +451,18 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
         return $this;
     }
 
+    public function getClientTicket(): ?ClientTicketInterface
+    {
+        return $this->clientTicket;
+    }
+
+    public function setClientTicket(?ClientTicketInterface $clientTicket): static
+    {
+        $this->clientTicket = $clientTicket;
+
+        return $this;
+    }
+
     #[Assert\Callback]
     public function validateScheduledDates(ExecutionContextInterface $context): void
     {
diff --git a/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
index 3d2d5f3..6cb79eb 100644
--- a/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
@@ -14,6 +14,7 @@ use ApiPlatform\Metadata\Post;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProvider;
 use App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener;
+use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
@@ -21,10 +22,10 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
-        new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
+        new Get(security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
         new Post(
-            security: "is_granted('ROLE_ADMIN')",
+            security: "is_granted('ROLE_ADMIN') or is_granted('ROLE_CLIENT')",
             processor: TaskDocumentProcessor::class,
             deserialize: false,
         ),
@@ -34,9 +35,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_document:write']],
     order: ['id' => 'DESC'],
 )]
-#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact'])]
+#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact', 'clientTicket' => 'exact'])]
 #[ORM\Entity]
 #[ORM\EntityListeners([TaskDocumentListener::class])]
+// A document must be attached to either a task or a client ticket.
+#[ORM\Table(name: 'task_document')]
 class TaskDocument
 {
     #[ORM\Id]
@@ -46,10 +49,16 @@ class TaskDocument
     private ?int $id = null;
 
     #[ORM\ManyToOne(targetEntity: Task::class, inversedBy: 'documents')]
-    #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
+    #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
     #[Groups(['task_document:read', 'task_document:write'])]
     private ?Task $task = null;
 
+    /** Client ticket this document is attached to (alternative to task). */
+    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
+    #[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['task_document:read', 'task_document:write', 'client_ticket:read'])]
+    private ?ClientTicketInterface $clientTicket = null;
+
     #[ORM\Column(length: 255)]
     #[Groups(['task_document:read', 'task:read'])]
     private ?string $originalName = null;
@@ -100,6 +109,18 @@ class TaskDocument
         return $this;
     }
 
+    public function getClientTicket(): ?ClientTicketInterface
+    {
+        return $this->clientTicket;
+    }
+
+    public function setClientTicket(?ClientTicketInterface $clientTicket): static
+    {
+        $this->clientTicket = $clientTicket;
+
+        return $this;
+    }
+
     public function getOriginalName(): ?string
     {
         return $this->originalName;
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index 5c579c9..73a4420 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -14,6 +14,8 @@ use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\Integration\Domain\Service\SharePathResolver;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
+use App\Shared\Domain\Contract\ClientTicketInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -75,11 +77,12 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
      */
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TaskDocument
     {
-        // Défense en profondeur : l'opération Post est déjà protégée par ROLE_ADMIN, mais on
-        // re-vérifie ici pour que les deux chemins (upload ET lien partage) restent sûrs si la
-        // configuration de sécurité de l'opération venait à changer.
-        if (!$this->security->isGranted('ROLE_ADMIN')) {
-            throw new AccessDeniedHttpException('Creating task documents requires admin privileges.');
+        // Défense en profondeur : l'opération Post est déjà protégée par
+        // ROLE_ADMIN ou ROLE_CLIENT, mais on re-vérifie ici pour que les deux
+        // chemins (upload ET lien partage) restent sûrs si la configuration de
+        // sécurité de l'opération venait à changer.
+        if (!$this->security->isGranted('ROLE_ADMIN') && !$this->security->isGranted('ROLE_CLIENT')) {
+            throw new AccessDeniedHttpException('Creating documents requires admin or client privileges.');
         }
 
         $request = $this->requestStack->getCurrentRequest();
@@ -136,8 +139,6 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
             throw new BadRequestHttpException('File size exceeds 50 MB limit.');
         }
 
-        $task = $this->resolveTask($request->request->get('task', ''));
-
         // Use server-detected MIME type (finfo), not the client-supplied one
         $originalName = $file->getClientOriginalName();
         $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
@@ -157,7 +158,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         $file->move($this->uploadDir, $fileName);
 
         $document = new TaskDocument();
-        $document->setTask($task);
+        $this->attachTarget($document, $request);
         $document->setOriginalName($originalName);
         $document->setFileName($fileName);
         $document->setMimeType($mimeType);
@@ -168,15 +169,6 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
 
     private function createShareLink(Request $request, string $rawSharePath): TaskDocument
     {
-        $taskIri = $request->request->get('task');
-
-        if (!is_string($taskIri) || '' === $taskIri) {
-            $payload = json_decode($request->getContent() ?: '{}', true);
-            $taskIri = is_array($payload) ? ($payload['task'] ?? '') : '';
-        }
-
-        $task = $this->resolveTask((string) $taskIri);
-
         try {
             $path = $this->pathResolver->normalizeRelative($rawSharePath);
         } catch (InvalidPathException) {
@@ -198,7 +190,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         }
 
         $document = new TaskDocument();
-        $document->setTask($task);
+        $this->attachTarget($document, $request);
         $document->setOriginalName($entry->name);
         $document->setSharePath($path);
         $document->setMimeType($entry->mimeType);
@@ -233,12 +225,61 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         return null;
     }
 
-    private function resolveTask(string $taskIri): Task
+    /**
+     * Attaches the document to a task OR a client ticket, enforcing per-role
+     * access. Exactly one of the two targets must be provided.
+     *
+     * - ROLE_ADMIN may attach to any task or any client ticket.
+     * - ROLE_CLIENT may only attach to a client ticket they submitted, and may
+     *   never attach to a task.
+     */
+    private function attachTarget(TaskDocument $document, Request $request): void
     {
-        if ('' === $taskIri) {
-            throw new BadRequestHttpException('A task IRI is required.');
+        $taskIri         = $this->readField($request, 'task');
+        $clientTicketIri = $this->readField($request, 'clientTicket');
+
+        if ('' === $taskIri && '' === $clientTicketIri) {
+            throw new BadRequestHttpException('A task or a clientTicket IRI is required.');
+        }
+        if ('' !== $taskIri && '' !== $clientTicketIri) {
+            throw new BadRequestHttpException('Provide either a task or a clientTicket, not both.');
         }
 
+        $isClient = $this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN');
+
+        if ('' !== $clientTicketIri) {
+            $document->setClientTicket($this->resolveClientTicket($clientTicketIri, $isClient));
+
+            return;
+        }
+
+        if ($isClient) {
+            throw new AccessDeniedHttpException('Client users can only attach documents to a client ticket.');
+        }
+
+        $document->setTask($this->resolveTask($taskIri));
+    }
+
+    private function readField(Request $request, string $field): string
+    {
+        $value = $request->request->get($field);
+
+        if (is_string($value) && '' !== $value) {
+            return $value;
+        }
+
+        if (str_contains((string) $request->headers->get('Content-Type'), 'application/json')) {
+            $payload = json_decode($request->getContent() ?: '{}', true);
+            if (is_array($payload) && isset($payload[$field]) && is_string($payload[$field])) {
+                return $payload[$field];
+            }
+        }
+
+        return '';
+    }
+
+    private function resolveTask(string $taskIri): Task
+    {
         $task = $this->entityManager->getRepository(Task::class)->find((int) basename($taskIri));
 
         if (null === $task) {
@@ -247,4 +288,24 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
 
         return $task;
     }
+
+    private function resolveClientTicket(string $ticketIri, bool $isClient): ClientTicketInterface
+    {
+        $ticket = $this->entityManager->getRepository(ClientTicketInterface::class)->find((int) basename($ticketIri));
+
+        if (null === $ticket) {
+            throw new BadRequestHttpException('Client ticket not found.');
+        }
+
+        if ($isClient) {
+            $user = $this->security->getUser();
+            assert($user instanceof UserInterface);
+
+            if ($ticket->getSubmittedBy() !== $user) {
+                throw new AccessDeniedHttpException('You can only attach documents to your own tickets.');
+            }
+        }
+
+        return $ticket;
+    }
 }
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
index 4687569..042dd93 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
@@ -12,6 +12,12 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**
+ * Provider for TaskDocument read operations.
+ *
+ * - ROLE_ADMIN: every document.
+ * - ROLE_USER: documents attached to a task (task IS NOT NULL).
+ * - ROLE_CLIENT: documents attached to a client ticket the user submitted.
+ *
  * @implements ProviderInterface<TaskDocument>
  */
 final readonly class TaskDocumentProvider implements ProviderInterface
@@ -26,25 +32,56 @@ final readonly class TaskDocumentProvider implements ProviderInterface
         $user = $this->security->getUser();
         assert($user instanceof UserInterface);
 
+        $isAdmin  = $this->security->isGranted('ROLE_ADMIN');
+        $isClient = $this->security->isGranted('ROLE_CLIENT');
+
         $repo = $this->entityManager->getRepository(TaskDocument::class);
 
-        // Single item
+        // Single item.
         if (isset($uriVariables['id'])) {
-            return $repo->find($uriVariables['id']);
+            $document = $repo->find($uriVariables['id']);
+            if (null === $document) {
+                return null;
+            }
+            if ($isAdmin) {
+                return $document;
+            }
+            if ($isClient) {
+                $ticket = $document->getClientTicket();
+
+                return null !== $ticket && $ticket->getSubmittedBy() === $user ? $document : null;
+            }
+
+            // ROLE_USER: task-linked documents only.
+            return null !== $document->getTask() ? $document : null;
         }
 
-        // Collection
+        // Collection.
         $qb = $repo->createQueryBuilder('d')
             ->orderBy('d.id', 'DESC')
         ;
 
-        // Apply filters from query parameters
+        if ($isClient && !$isAdmin) {
+            $qb->innerJoin('d.clientTicket', 'ct')
+                ->andWhere('ct.submittedBy = :user')
+                ->setParameter('user', $user)
+            ;
+        } elseif (!$isAdmin) {
+            // ROLE_USER: only documents attached to a task.
+            $qb->andWhere('d.task IS NOT NULL');
+        }
+
         $filters = $context['filters'] ?? [];
         if (isset($filters['task'])) {
             $qb->andWhere('d.task = :task')
                 ->setParameter('task', self::extractId($filters['task']))
             ;
         }
+        if (isset($filters['clientTicket'])) {
+            $qb->andWhere('d.clientTicket = :clientTicket')
+                ->setParameter('clientTicket', self::extractId($filters['clientTicket']))
+            ;
+        }
 
         return $qb->getQuery()->getResult();
     }
diff --git a/src/Shared/Domain/Contract/ClientTicketInterface.php b/src/Shared/Domain/Contract/ClientTicketInterface.php
new file mode 100644
index 0000000..97435d8
--- /dev/null
+++ b/src/Shared/Domain/Contract/ClientTicketInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Shared\Domain\Contract;
+
+/**
+ * Contrat de LECTURE d'un ticket client, consommé hors du module ClientPortal.
+ *
+ * Permet à ProjectManagement (Task, TaskDocument) de référencer un ticket
+ * client sans dépendre directement de l'entité concrète du module ClientPortal.
+ */
+interface ClientTicketInterface
+{
+    public function getId(): ?int;
+
+    public function getNumber(): ?int;
+
+    public function getType(): string;
+
+    public function getStatus(): string;
+
+    public function getTitle(): ?string;
+}
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
index 7a3e89a..8844934 100644
--- a/src/Shared/Domain/Contract/UserInterface.php
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -4,6 +4,8 @@ declare(strict_types=1);
 
 namespace App\Shared\Domain\Contract;
 
+use Doctrine\Common\Collections\Collection;
+
 /**
  * Contrat de LECTURE de l'identité, consommé hors du module Core.
  * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
@@ -29,4 +31,16 @@ interface UserInterface
 
     /** @return list<string> */
     public function getEffectivePermissions(): array;
+
+    /**
+     * Client this user belongs to, or null for an internal user.
+     */
+    public function getClient(): ?ClientInterface;
+
+    /**
+     * Projects a client user is allowed to access.
+     *
+     * @return Collection<int, ProjectInterface>
+     */
+    public function getAllowedProjects(): Collection;
 }
diff --git a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
new file mode 100644
index 0000000..7986abd
--- /dev/null
+++ b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Functional\Module\ClientPortal;
+
+use App\Module\ClientPortal\Domain\Entity\ClientTicket;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\ProjectManagement\Domain\Entity\Project;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+use function count;
+
+/**
+ * Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
+ * internal API but can reach its own client portal collection.
+ *
+ * @internal
+ */
+final class ClientTicketApiTest extends WebTestCase
+{
+    public function testClientUserCannotListTasks(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/tasks');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testClientUserCannotListProjects(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/projects');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testClientUserCanListOwnClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertArrayHasKey('member', $data);
+        self::assertNotEmpty($data['member']);
+        // Tenancy invariant (robust to POST tests accumulating tickets in the
+        // shared test DB): client-liot sees its own SIRH ticket but NEVER the
+        // ticket submitted by another client (ACME, on the CRM project).
+        $titles = array_column($data['member'], 'title');
+        self::assertContains('Erreur lors de l\'export des congés', $titles);
+        self::assertNotContains('Ajouter un filtre par commercial', $titles);
+    }
+
+    public function testClientUserSeesOnlyOwnTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-acme');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertNotEmpty($data['member']);
+        // Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
+        // ticket submitted by client-liot (on the SIRH project).
+        $titles = array_column($data['member'], 'title');
+        self::assertContains('Ajouter un filtre par commercial', $titles);
+        self::assertNotContains('Erreur lors de l\'export des congés', $titles);
+    }
+
+    public function testInternalUserCannotListClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'alice');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testAdminCanListAllClientTickets(): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'admin');
+
+        $client->request('GET', '/api/client_tickets');
+
+        self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertGreaterThanOrEqual(2, count($data['member']));
+    }
+
+    public function testClientCanCreateTicketAndNumberIsGenerated(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $projectIri = $this->sirhProjectIri($em);
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('POST', '/api/client_tickets', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'type'        => 'other',
+            'title'       => 'Demande de fonctionnalité',
+            'description' => 'Une nouvelle option serait utile.',
+            'project'     => $projectIri,
+        ]));
+
+        self::assertResponseStatusCodeSame(201);
+        $data = json_decode($client->getResponse()->getContent(), true);
+        self::assertSame('new', $data['status']);
+        self::assertGreaterThanOrEqual(1, $data['number']);
+    }
+
+    public function testAdminCannotCreateTicket(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $projectIri = $this->sirhProjectIri($em);
+        $this->loginClient($client, 'admin');
+
+        $client->request('POST', '/api/client_tickets', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'type'        => 'other',
+            'title'       => 'Admin attempt',
+            'description' => 'Should be forbidden.',
+            'project'     => $projectIri,
+        ]));
+
+        // Admin has no client, so ticket creation is denied.
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testRejectingTicketRequiresStatusComment(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        $ticket = $em->getRepository(ClientTicket::class)
+            ->findOneBy(['status' => ClientTicketStatus::New])
+        ;
+        self::assertNotNull($ticket);
+        $id = $ticket->getId();
+
+        $this->loginClient($client, 'admin');
+
+        $client->request('PATCH', '/api/client_tickets/'.$id, server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['status' => 'rejected']));
+
+        self::assertResponseStatusCodeSame(422);
+    }
+
+    private function sirhProjectIri(EntityManagerInterface $em): string
+    {
+        $project = $em->getRepository(Project::class)
+            ->findOneBy(['code' => 'SIRH'])
+        ;
+        self::assertNotNull($project);
+
+        return '/api/projects/'.$project->getId();
+    }
+
+    private function loginClient(KernelBrowser $client, string $username): void
+    {
+        $em   = self::getContainer()->get(EntityManagerInterface::class);
+        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
+        self::assertInstanceOf(User::class, $user);
+        $client->loginUser($user);
+    }
+}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
index 750e9da..73780cc 100644
--- a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -6,11 +6,14 @@ namespace App\Tests\Unit\Shared\Doctrine;
 
 use App\Shared\Application\CurrentUserProviderInterface;
 use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
 use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
 use PHPUnit\Framework\TestCase;
 use stdClass;
 
@@ -120,6 +123,16 @@ final class TimestampableBlamableSubscriberTest extends TestCase
             {
                 return [];
             }
+
+            public function getClient(): ?ClientInterface
+            {
+                return null;
+            }
+
+            public function getAllowedProjects(): Collection
+            {
+                return new ArrayCollection();
+            }
         };
     }
 
-- 
2.39.5


From a2bbc8311d6f259ae696bdd2f277d31e1e38f1bb Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 01:03:24 +0200
Subject: [PATCH 63/99] fix(client-portal) : forbid SMB share-link document
 creation for client users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security hardening on the document POST that phase 1 widened to ROLE_CLIENT:
a client user could reach the share-link path (arbitrary SMB file reference)
instead of an upload. Now the sharePath branch is admin-only — client users
must upload. attachTarget already scopes documents to the client's own ticket.

178 tests green.
---
 .../ApiPlatform/State/TaskDocumentProcessor.php           | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index 73a4420..ed2b949 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -94,6 +94,14 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         // Deux modes de création : upload d'un fichier (multipart) ou lien vers un fichier du partage SMB (JSON).
         $sharePath = $this->extractSharePath($request);
 
+        // Sécurité : un utilisateur client ne peut PAS créer de lien vers le
+        // partage SMB interne (référence de fichier arbitraire hors de son
+        // périmètre) — seul le téléversement lui est permis. Le lien partage
+        // reste réservé aux administrateurs.
+        if (null !== $sharePath && !$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Les utilisateurs clients ne peuvent pas créer de lien vers le partage ; un téléversement est requis.');
+        }
+
         $document = null !== $sharePath
             ? $this->createShareLink($request, $sharePath)
             : $this->createUpload($request);
-- 
2.39.5


From 144a8a4685973b8afddf598235d8d8d2b2eb8499 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 01:03:58 +0200
Subject: [PATCH 64/99] feat(client-portal) : portal front + client account
 admin (phases 1-2 front)

LST-69 (3.2) front. Client portal UI on the phase-1 backend.

- New frontend/modules/client-portal/ layer: /portal (project cards from the
  client's allowedProjects via /me), /portal/projects/[id] (tickets list,
  detail modal, create modal with document upload), client-tickets service +
  DTO, CT-XXX formatting.
- Front tenancy: auth.global.ts redirects a pure ROLE_CLIENT to /portal and
  blocks internal routes; portal pages open to any authenticated user.
- Admin: UserDrawer manages client accounts (ROLE_CLIENT + client +
  allowedProjects); new "Tickets client" admin tab (list, filters, status
  change with required comment on reject, detail modal).
- Kanban/my-tasks: client-ticket icon + tooltip when task.clientTicket is set
  (data via task:read, no extra call). TaskDocument upload generalized with a
  clientTicketId prop. getContent uses native fetch (text response).
- i18n portal/clientTicket keys; sidebar /portal item (module client-portal).

nuxt build passes; /portal routes present, existing routes intact.
---
 config/sidebar.php                            |   1 +
 frontend/app/middleware/auth.global.ts        |  16 ++
 frontend/app/middleware/portal.ts             |  12 +
 .../components/admin/AdminClientTicketTab.vue | 256 ++++++++++++++++++
 frontend/components/user/UserDrawer.vue       | 129 +++++++--
 frontend/i18n/locales/fr.json                 |  56 +++-
 .../components/ClientTicketDetailModal.vue    | 132 +++++++++
 .../components/ClientTicketFormModal.vue      | 158 +++++++++++
 .../components/ClientTicketStatusBadge.vue    |  25 ++
 .../components/ClientTicketTypeBadge.vue      |  25 ++
 frontend/modules/client-portal/nuxt.config.ts |   1 +
 .../modules/client-portal/pages/portal.vue    |  93 +++++++
 .../pages/portal/projects/[id].vue            | 133 +++++++++
 .../client-portal/services/client-tickets.ts  |  60 ++++
 .../services/dto/client-ticket.ts             |  34 +++
 .../modules/client-portal/utils/ticket.ts     |  18 ++
 .../components/TaskCard.vue                   |   7 +
 .../components/TaskDocumentUpload.vue         |   5 +-
 .../components/TaskListItem.vue               |   7 +
 .../project-management/services/dto/task.ts   |   8 +
 .../services/task-documents.ts                |  18 +-
 frontend/pages/admin.vue                      |   2 +
 frontend/services/dto/user-data.ts            |  16 ++
 frontend/services/users.ts                    |   6 +-
 24 files changed, 1189 insertions(+), 29 deletions(-)
 create mode 100644 frontend/app/middleware/portal.ts
 create mode 100644 frontend/components/admin/AdminClientTicketTab.vue
 create mode 100644 frontend/modules/client-portal/components/ClientTicketDetailModal.vue
 create mode 100644 frontend/modules/client-portal/components/ClientTicketFormModal.vue
 create mode 100644 frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
 create mode 100644 frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
 create mode 100644 frontend/modules/client-portal/nuxt.config.ts
 create mode 100644 frontend/modules/client-portal/pages/portal.vue
 create mode 100644 frontend/modules/client-portal/pages/portal/projects/[id].vue
 create mode 100644 frontend/modules/client-portal/services/client-tickets.ts
 create mode 100644 frontend/modules/client-portal/services/dto/client-ticket.ts
 create mode 100644 frontend/modules/client-portal/utils/ticket.ts

diff --git a/config/sidebar.php b/config/sidebar.php
index 2f1e15f..945b5f9 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -25,6 +25,7 @@ return [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
             ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
             ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
+            ['label' => 'sidebar.general.portal', 'to' => '/portal', 'icon' => 'mdi:account-box-outline', 'module' => 'client-portal'],
             ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
             // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
             ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
diff --git a/frontend/app/middleware/auth.global.ts b/frontend/app/middleware/auth.global.ts
index 4c98f1e..0fec47c 100644
--- a/frontend/app/middleware/auth.global.ts
+++ b/frontend/app/middleware/auth.global.ts
@@ -14,6 +14,22 @@ export default defineNuxtRouteMiddleware(async (to) => {
         return navigateTo('/')
     }
 
+    // Cloisonnement portail client : un utilisateur ROLE_CLIENT "pur" (a ROLE_CLIENT
+    // mais PAS ROLE_USER) n'a accès qu'aux pages /portal. Toute autre route interne
+    // est redirigée vers /portal. Les ROLE_ADMIN / ROLE_USER ne sont pas concernés
+    // (ils peuvent aussi visiter /portal pour prévisualiser).
+    if (auth.isAuthenticated && !isLogin) {
+        const roles = auth.user?.roles ?? []
+        const isPureClient = roles.includes('ROLE_CLIENT') && !roles.includes('ROLE_USER')
+
+        if (isPureClient) {
+            const isPortalRoute = to.path === '/portal' || to.path.startsWith('/portal/')
+            if (!isPortalRoute) {
+                return navigateTo('/portal')
+            }
+        }
+    }
+
     const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
     const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
 
diff --git a/frontend/app/middleware/portal.ts b/frontend/app/middleware/portal.ts
new file mode 100644
index 0000000..4210bf2
--- /dev/null
+++ b/frontend/app/middleware/portal.ts
@@ -0,0 +1,12 @@
+/**
+ * Named middleware for portal pages (`/portal/**`).
+ * Ensures the user is authenticated. Access is open to every authenticated user
+ * (ROLE_CLIENT see their portal, ROLE_ADMIN/ROLE_USER may preview it).
+ */
+export default defineNuxtRouteMiddleware(() => {
+    const auth = useAuthStore()
+
+    if (!auth.isAuthenticated) {
+        return navigateTo('/login')
+    }
+})
diff --git a/frontend/components/admin/AdminClientTicketTab.vue b/frontend/components/admin/AdminClientTicketTab.vue
new file mode 100644
index 0000000..cdb744d
--- /dev/null
+++ b/frontend/components/admin/AdminClientTicketTab.vue
@@ -0,0 +1,256 @@
+<template>
+    <div>
+        <div class="flex flex-wrap items-center justify-between gap-3">
+            <h2 class="text-lg font-bold text-neutral-900">{{ $t('clientTicket.adminTitle') }}</h2>
+        </div>
+
+        <!-- Filtres -->
+        <div class="mt-4 flex flex-wrap gap-3">
+            <div class="[&>div]:!mt-0">
+                <MalioSelect
+                    v-model="filters.project"
+                    :options="projectOptions"
+                    :label="$t('clientTicket.filterProject')"
+                    group-class="!w-48"
+                    empty-option-label="—"
+                    @update:model-value="load"
+                />
+            </div>
+            <div class="[&>div]:!mt-0">
+                <MalioSelect
+                    v-model="filters.status"
+                    :options="statusOptions"
+                    :label="$t('clientTicket.filterStatus')"
+                    group-class="!w-48"
+                    empty-option-label="—"
+                    @update:model-value="load"
+                />
+            </div>
+        </div>
+
+        <DataTable
+            class="mt-4"
+            :columns="columns"
+            :items="tickets"
+            :loading="isLoading"
+            :empty-message="$t('portal.noTickets')"
+            @row-click="openDetail"
+        >
+            <template #cell-number="{ item }">
+                <span class="font-mono font-semibold text-primary-500">
+                    {{ formatTicketNumber((item as ClientTicket).number) }}
+                </span>
+            </template>
+            <template #cell-type="{ item }">
+                <ClientTicketTypeBadge :type="(item as ClientTicket).type" />
+            </template>
+            <template #cell-status="{ item }">
+                <ClientTicketStatusBadge :status="(item as ClientTicket).status" />
+            </template>
+            <template #cell-project="{ item }">
+                {{ projectName((item as ClientTicket).project) }}
+            </template>
+            <template #cell-submittedBy="{ item }">
+                {{ submitterName((item as ClientTicket).submittedBy) }}
+            </template>
+            <template #cell-createdAt="{ item }">
+                {{ formatDate((item as ClientTicket).createdAt) }}
+            </template>
+            <template #cell-actions="{ item }">
+                <MalioButton
+                    :label="$t('clientTicket.changeStatus')"
+                    button-class="w-auto px-3 py-1 text-xs"
+                    @click.stop="openStatus(item as ClientTicket)"
+                />
+            </template>
+        </DataTable>
+
+        <!-- Detail modal (read-only + documents) -->
+        <ClientTicketDetailModal
+            v-model="detailOpen"
+            :ticket="selectedTicket"
+        />
+
+        <!-- Status change modal -->
+        <AppModal v-model="statusOpen" :title="$t('clientTicket.changeStatus')" width="md">
+            <div v-if="statusTicket" class="flex flex-col gap-4">
+                <p class="text-sm text-neutral-500">
+                    {{ formatTicketNumber(statusTicket.number) }} — {{ statusTicket.title }}
+                </p>
+                <MalioSelect
+                    v-model="statusForm.status"
+                    :options="statusEditOptions"
+                    :label="$t('clientTicket.status.label')"
+                    group-class="w-full"
+                />
+                <MalioInputTextArea
+                    v-model="statusForm.statusComment"
+                    :label="$t('clientTicket.statusComment')"
+                    :rows="3"
+                    input-class="w-full"
+                    :error="statusError"
+                />
+            </div>
+            <template #footer>
+                <MalioButton
+                    :label="$t('common.cancel')"
+                    button-class="w-auto px-4"
+                    variant="secondary"
+                    @click="statusOpen = false"
+                />
+                <MalioButton
+                    :label="$t('common.save')"
+                    button-class="w-auto px-6"
+                    :disabled="isSavingStatus"
+                    @click="saveStatus"
+                />
+            </template>
+        </AppModal>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type {
+    ClientTicket,
+    ClientTicketStatus,
+} from '~/modules/client-portal/services/dto/client-ticket'
+import type { Project } from '~/modules/project-management/services/dto/project'
+import type { UserData } from '~/services/dto/user-data'
+import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { useUserService } from '~/services/users'
+import { formatTicketNumber, iriToId } from '~/modules/client-portal/utils/ticket'
+import type { DataTableColumn } from '~/components/ui/DataTable.vue'
+
+const { t } = useI18n()
+const { getAll, getById, updateStatus } = useClientTicketService()
+const { getAll: getProjects } = useProjectService()
+const { getAll: getUsers } = useUserService()
+
+const columns: DataTableColumn[] = [
+    { key: 'number', label: 'N°', primary: true },
+    { key: 'type', label: t('clientTicket.typeLabel') },
+    { key: 'title', label: t('clientTicket.title') },
+    { key: 'status', label: t('clientTicket.status.label') },
+    { key: 'project', label: t('clientTicket.project') },
+    { key: 'submittedBy', label: t('clientTicket.submittedBy') },
+    { key: 'createdAt', label: t('clientTicket.date') },
+    { key: 'actions', label: '' },
+]
+
+const STATUSES: ClientTicketStatus[] = ['new', 'in_progress', 'done', 'rejected']
+
+const statusOptions = computed(() =>
+    STATUSES.map((s) => ({ label: t(`clientTicket.status.${s}`), value: s })),
+)
+const statusEditOptions = statusOptions
+
+const tickets = ref<ClientTicket[]>([])
+const projects = ref<Project[]>([])
+const users = ref<UserData[]>([])
+const isLoading = ref(true)
+
+const filters = reactive({
+    project: null as string | null,
+    status: null as string | null,
+})
+
+const projectOptions = computed(() =>
+    projects.value.map((p) => ({
+        label: p.name,
+        value: p['@id'] ?? `/api/projects/${p.id}`,
+    })),
+)
+
+function projectName(iri: string): string {
+    const id = iriToId(iri)
+    return projects.value.find((p) => p.id === id)?.name ?? '—'
+}
+
+function submitterName(iri: string | null): string {
+    if (!iri) return '—'
+    const id = iriToId(iri)
+    return users.value.find((u) => u.id === id)?.username ?? '—'
+}
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleDateString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+    })
+}
+
+// Detail modal
+const detailOpen = ref(false)
+const selectedTicket = ref<ClientTicket | null>(null)
+
+async function openDetail(ticket: ClientTicket) {
+    try {
+        selectedTicket.value = await getById(ticket.id)
+    } catch {
+        selectedTicket.value = ticket
+    }
+    detailOpen.value = true
+}
+
+// Status modal
+const statusOpen = ref(false)
+const statusTicket = ref<ClientTicket | null>(null)
+const isSavingStatus = ref(false)
+const statusForm = reactive({
+    status: 'new' as ClientTicketStatus,
+    statusComment: '',
+})
+
+const statusError = computed(() => {
+    if (statusForm.status === 'rejected' && !statusForm.statusComment.trim()) {
+        return t('clientTicket.rejectionRequired')
+    }
+    return ''
+})
+
+function openStatus(ticket: ClientTicket) {
+    statusTicket.value = ticket
+    statusForm.status = ticket.status
+    statusForm.statusComment = ticket.statusComment ?? ''
+    statusOpen.value = true
+}
+
+async function saveStatus() {
+    if (!statusTicket.value) return
+    if (statusForm.status === 'rejected' && !statusForm.statusComment.trim()) {
+        return
+    }
+    isSavingStatus.value = true
+    try {
+        await updateStatus(statusTicket.value.id, {
+            status: statusForm.status,
+            statusComment: statusForm.statusComment.trim() || null,
+        })
+        statusOpen.value = false
+        await load()
+    } finally {
+        isSavingStatus.value = false
+    }
+}
+
+async function load() {
+    isLoading.value = true
+    try {
+        tickets.value = await getAll({
+            project: filters.project ?? undefined,
+            status: filters.status ?? undefined,
+        })
+    } finally {
+        isLoading.value = false
+    }
+}
+
+onMounted(async () => {
+    const [proj, usr] = await Promise.all([getProjects(), getUsers()])
+    projects.value = proj
+    users.value = usr
+    await load()
+})
+</script>
diff --git a/frontend/components/user/UserDrawer.vue b/frontend/components/user/UserDrawer.vue
index 964f818..beda546 100644
--- a/frontend/components/user/UserDrawer.vue
+++ b/frontend/components/user/UserDrawer.vue
@@ -48,6 +48,26 @@
                 </div>
             </div>
 
+            <!-- Compte client (portail) -->
+            <div v-if="isClient" class="mt-6 border-t border-neutral-200 pt-4">
+                <p class="mb-3 text-sm font-semibold text-neutral-700">{{ $t('users.clientAccount') }}</p>
+                <MalioSelect
+                    v-model="form.client"
+                    :options="clientOptions"
+                    :label="$t('users.client')"
+                    group-class="w-full"
+                    empty-option-label="—"
+                />
+                <div class="mt-3">
+                    <MalioSelectCheckbox
+                        v-model="form.allowedProjects"
+                        :options="projectOptions"
+                        :label="$t('users.allowedProjects')"
+                        group-class="w-full"
+                    />
+                </div>
+            </div>
+
             <!-- RH / Absences -->
             <div class="mt-6 border-t border-neutral-200 pt-4">
                 <MalioCheckbox v-model="form.isEmployee" label="Employé (soumis à la gestion des absences)" />
@@ -71,6 +91,8 @@
 <script setup lang="ts">
 import type { UserData, UserWrite } from '~/services/dto/user-data'
 import { useUserService } from '~/services/users'
+import { useClientService } from '~/modules/directory/services/clients'
+import { useProjectService } from '~/modules/project-management/services/projects'
 
 const props = defineProps<{
     modelValue: boolean
@@ -87,7 +109,7 @@ const isOpen = computed({
     set: (v) => emit('update:modelValue', v),
 })
 
-const availableRoles = ['ROLE_ADMIN', 'ROLE_USER']
+const availableRoles = ['ROLE_ADMIN', 'ROLE_USER', 'ROLE_CLIENT']
 
 const isEditing = computed(() => !!props.item)
 const isSubmitting = ref(false)
@@ -99,37 +121,93 @@ const form = reactive({
     password: '',
     roles: [] as string[],
     isEmployee: false,
+    client: null as string | null,
+    allowedProjects: [] as string[],
 })
 
+const isClient = computed(() => form.roles.includes('ROLE_CLIENT'))
+
 const touched = reactive({
     username: false,
     password: false,
 })
 
-watch(() => props.modelValue, (open) => {
-    if (open) {
-        if (props.item) {
-            form.username = props.item.username ?? ''
-            form.firstName = props.item.firstName ?? ''
-            form.lastName = props.item.lastName ?? ''
-            form.password = ''
-            form.roles = [...props.item.roles]
-            form.isEmployee = props.item.isEmployee ?? false
-        } else {
-            form.username = ''
-            form.firstName = ''
-            form.lastName = ''
-            form.password = ''
-            form.roles = ['ROLE_USER']
-            form.isEmployee = false
+const clientOptions = ref<{ label: string, value: string | null }[]>([])
+const projectOptions = ref<{ label: string, value: string }[]>([])
+
+const { getAll: getClients } = useClientService()
+const { getAll: getProjects } = useProjectService()
+const { create, update, getById } = useUserService()
+
+async function loadOptions() {
+    if (clientOptions.value.length && projectOptions.value.length) {
+        return
+    }
+    const [clients, projects] = await Promise.all([getClients(), getProjects()])
+    clientOptions.value = clients.map((c) => ({
+        label: c.name,
+        value: c['@id'] ?? `/api/clients/${c.id}`,
+    }))
+    projectOptions.value = projects.map((p) => ({
+        label: p.name,
+        value: p['@id'] ?? `/api/projects/${p.id}`,
+    }))
+}
+
+/** Normalize allowedProjects (embedded objects or bare IRIs) into IRI strings. */
+function toProjectIris(allowed: UserData['allowedProjects'] | undefined): string[] {
+    if (!allowed) {
+        return []
+    }
+    return allowed.map((p) => {
+        if (typeof p === 'string') {
+            return p
         }
-        touched.username = false
-        touched.password = false
+        return p['@id'] ?? `/api/projects/${p.id}`
+    })
+}
+
+function applyUser(user: UserData) {
+    form.username = user.username ?? ''
+    form.firstName = user.firstName ?? ''
+    form.lastName = user.lastName ?? ''
+    form.password = ''
+    form.roles = [...user.roles]
+    form.isEmployee = user.isEmployee ?? false
+    form.client = user.client ?? null
+    form.allowedProjects = toProjectIris(user.allowedProjects)
+}
+
+watch(() => props.modelValue, async (open) => {
+    if (!open) {
+        return
+    }
+
+    touched.username = false
+    touched.password = false
+    await loadOptions()
+
+    if (props.item) {
+        // The list payload (user:list) omits client / allowedProjects → fetch the full item.
+        applyUser(props.item)
+        try {
+            const full = await getById(props.item.id)
+            applyUser(full)
+        } catch {
+            // Keep the list data if the detailed fetch fails.
+        }
+    } else {
+        form.username = ''
+        form.firstName = ''
+        form.lastName = ''
+        form.password = ''
+        form.roles = ['ROLE_USER']
+        form.isEmployee = false
+        form.client = null
+        form.allowedProjects = []
     }
 })
 
-const { create, update } = useUserService()
-
 async function handleSubmit() {
     touched.username = true
     touched.password = true
@@ -149,6 +227,15 @@ async function handleSubmit() {
             payload.plainPassword = form.password
         }
 
+        // Client portal fields: only relevant when the user is a client.
+        if (isClient.value) {
+            payload.client = form.client
+            payload.allowedProjects = form.allowedProjects
+        } else {
+            payload.client = null
+            payload.allowedProjects = []
+        }
+
         if (isEditing.value && props.item) {
             await update(props.item.id, payload)
         } else {
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 3c3a49b..78019e3 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -193,7 +193,10 @@
     "updated": "Utilisateur mis à jour avec succès.",
     "deleted": "Utilisateur supprimé avec succès.",
     "addUser": "Ajouter un utilisateur",
-    "editUser": "Modifier un utilisateur"
+    "editUser": "Modifier un utilisateur",
+    "clientAccount": "Compte client (portail)",
+    "client": "Client",
+    "allowedProjects": "Projets autorisés"
   },
   "admin": {
     "roles": {
@@ -354,7 +357,8 @@
       "myTasks": "Mes tâches",
       "projects": "Projets",
       "timeTracking": "Suivi de temps",
-      "mail": "Messagerie"
+      "mail": "Messagerie",
+      "portal": "Portail client"
     },
     "admin": {
       "section": "Administration",
@@ -423,7 +427,9 @@
     "thisWeek": "Cette semaine",
     "clear": "Effacer",
     "day": "Jour",
-    "weekShort": "Sem."
+    "weekShort": "Sem.",
+    "submit": "Soumettre",
+    "close": "Fermer"
   },
   "gitea": {
     "settings": {
@@ -943,5 +949,49 @@
       "empty": "Aucun prospect trouvé.",
       "allStatuses": "Tous les statuts"
     }
+  },
+  "portal": {
+    "title": "Portail client",
+    "projects": "Mes projets",
+    "openTickets": "tickets ouverts",
+    "newTicket": "Nouveau ticket",
+    "ticketDetail": "Détail du ticket",
+    "noProjects": "Aucun projet accessible.",
+    "noTickets": "Aucun ticket pour le moment."
+  },
+  "clientTicket": {
+    "typeLabel": "Type",
+    "type": {
+      "bug": "Bug",
+      "improvement": "Amélioration",
+      "other": "Autre"
+    },
+    "status": {
+      "label": "Statut",
+      "new": "Nouveau",
+      "in_progress": "En cours",
+      "done": "Terminé",
+      "rejected": "Rejeté"
+    },
+    "title": "Titre",
+    "titleRequired": "Le titre est requis",
+    "description": "Description",
+    "descriptionRequired": "La description est requise",
+    "url": "URL (page concernée)",
+    "statusComment": "Commentaire de statut",
+    "project": "Projet",
+    "submittedBy": "Soumis par",
+    "date": "Date",
+    "created": "Ticket créé",
+    "statusChanged": "Statut mis à jour",
+    "confirmDelete": "Supprimer ce ticket ?",
+    "deleted": "Ticket supprimé",
+    "linkedTooltip": "Lié au ticket client {number}",
+    "rejectionRequired": "Un commentaire est requis pour rejeter un ticket",
+    "changeStatus": "Changer le statut",
+    "adminTab": "Tickets client",
+    "adminTitle": "Tickets client",
+    "filterProject": "Projet",
+    "filterStatus": "Statut"
   }
 }
diff --git a/frontend/modules/client-portal/components/ClientTicketDetailModal.vue b/frontend/modules/client-portal/components/ClientTicketDetailModal.vue
new file mode 100644
index 0000000..d988126
--- /dev/null
+++ b/frontend/modules/client-portal/components/ClientTicketDetailModal.vue
@@ -0,0 +1,132 @@
+<template>
+    <AppModal
+        :model-value="modelValue"
+        width="lg"
+        @update:model-value="$emit('update:modelValue', $event)"
+    >
+        <template #title>
+            <span v-if="ticket" class="flex items-center gap-2">
+                <span class="font-mono text-primary-500">{{ formatTicketNumber(ticket.number) }}</span>
+                <ClientTicketTypeBadge :type="ticket.type" />
+            </span>
+            <span v-else>{{ $t('portal.ticketDetail') }}</span>
+        </template>
+
+        <div v-if="ticket" class="flex flex-col gap-4">
+            <div class="flex items-start justify-between gap-3">
+                <h3 class="text-lg font-bold text-neutral-900">{{ ticket.title }}</h3>
+                <ClientTicketStatusBadge :status="ticket.status" />
+            </div>
+
+            <div>
+                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
+                    {{ $t('clientTicket.description') }}
+                </p>
+                <p class="whitespace-pre-wrap text-sm text-neutral-700">{{ ticket.description }}</p>
+            </div>
+
+            <div v-if="ticket.url">
+                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
+                    {{ $t('clientTicket.url') }}
+                </p>
+                <a
+                    :href="ticket.url"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    class="break-all text-sm text-blue-600 hover:underline"
+                >{{ ticket.url }}</a>
+            </div>
+
+            <div v-if="ticket.statusComment">
+                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
+                    {{ $t('clientTicket.statusComment') }}
+                </p>
+                <p class="whitespace-pre-wrap rounded-lg bg-neutral-50 p-3 text-sm text-neutral-700">
+                    {{ ticket.statusComment }}
+                </p>
+            </div>
+
+            <div class="text-xs text-neutral-400">
+                {{ $t('clientTicket.created') }} : {{ formatDate(ticket.createdAt) }}
+            </div>
+
+            <!-- Documents -->
+            <div class="border-t border-neutral-100 pt-2">
+                <div v-if="loadingDocs" class="flex justify-center py-4">
+                    <Icon name="heroicons:arrow-path" class="h-5 w-5 animate-spin text-neutral-400" />
+                </div>
+                <TaskDocumentList
+                    v-else
+                    :documents="documents"
+                    :is-admin="false"
+                    @preview="previewDoc = $event"
+                />
+            </div>
+        </div>
+
+        <TaskDocumentPreview
+            :document="previewDoc"
+            :has-prev="false"
+            :has-next="false"
+            @close="previewDoc = null"
+        />
+    </AppModal>
+</template>
+
+<script setup lang="ts">
+import type { ClientTicket } from '~/modules/client-portal/services/dto/client-ticket'
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
+import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
+
+const props = defineProps<{
+    modelValue: boolean
+    ticket: ClientTicket | null
+}>()
+
+defineEmits<{
+    'update:modelValue': [value: boolean]
+}>()
+
+const { getByClientTicket } = useTaskDocumentService()
+
+const documents = ref<TaskDocument[]>([])
+const loadingDocs = ref(false)
+const previewDoc = ref<TaskDocument | null>(null)
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleDateString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+    })
+}
+
+async function loadDocuments(ticketId: number) {
+    loadingDocs.value = true
+    try {
+        documents.value = await getByClientTicket(ticketId)
+    } catch {
+        documents.value = []
+    } finally {
+        loadingDocs.value = false
+    }
+}
+
+watch(
+    () => [props.modelValue, props.ticket?.id] as const,
+    ([open, id]) => {
+        previewDoc.value = null
+        if (open && id) {
+            // Prefer documents embedded in the ticket, fall back to a dedicated fetch.
+            if (props.ticket?.documents?.length) {
+                documents.value = props.ticket.documents
+            } else {
+                documents.value = []
+                loadDocuments(id)
+            }
+        }
+    },
+    { immediate: true },
+)
+</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketFormModal.vue b/frontend/modules/client-portal/components/ClientTicketFormModal.vue
new file mode 100644
index 0000000..4d5d496
--- /dev/null
+++ b/frontend/modules/client-portal/components/ClientTicketFormModal.vue
@@ -0,0 +1,158 @@
+<template>
+    <AppModal
+        :model-value="modelValue"
+        width="lg"
+        :title="$t('portal.newTicket')"
+        @update:model-value="onModalUpdate"
+    >
+        <form class="flex flex-col gap-4" @submit.prevent="handleSubmit">
+            <MalioSelect
+                v-model="form.type"
+                :options="typeOptions"
+                :label="$t('clientTicket.typeLabel')"
+                group-class="w-full"
+            />
+
+            <MalioInputText
+                v-model="form.title"
+                :label="$t('clientTicket.title')"
+                input-class="w-full"
+                :error="touched.title && !form.title.trim() ? $t('clientTicket.titleRequired') : ''"
+                @blur="touched.title = true"
+            />
+
+            <MalioInputTextArea
+                v-model="form.description"
+                :label="$t('clientTicket.description')"
+                :rows="5"
+                input-class="w-full"
+                :error="touched.description && !form.description.trim() ? $t('clientTicket.descriptionRequired') : ''"
+                @blur="touched.description = true"
+            />
+
+            <MalioInputText
+                v-if="form.type === 'bug'"
+                v-model="form.url"
+                :label="$t('clientTicket.url')"
+                input-class="w-full"
+            />
+
+            <!-- Documents : uploadable only once the ticket exists -->
+            <div v-if="createdTicketId">
+                <p class="text-sm font-semibold text-neutral-700">{{ $t('taskDocuments.title') }}</p>
+                <TaskDocumentUpload :client-ticket-id="createdTicketId" />
+            </div>
+        </form>
+
+        <template #footer>
+            <MalioButton
+                v-if="!createdTicketId"
+                :label="$t('common.submit')"
+                button-class="w-auto px-6"
+                :disabled="isSubmitting"
+                @click="handleSubmit"
+            />
+            <MalioButton
+                v-else
+                :label="$t('common.close')"
+                button-class="w-auto px-6"
+                @click="finish"
+            />
+        </template>
+    </AppModal>
+</template>
+
+<script setup lang="ts">
+import type {
+    ClientTicketCreate,
+    ClientTicketType,
+} from '~/modules/client-portal/services/dto/client-ticket'
+import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
+
+const props = defineProps<{
+    modelValue: boolean
+    projectIri: string
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: boolean]
+    created: []
+}>()
+
+const { t } = useI18n()
+const { create } = useClientTicketService()
+
+const typeOptions = computed(() => ([
+    { label: t('clientTicket.type.bug'), value: 'bug' },
+    { label: t('clientTicket.type.improvement'), value: 'improvement' },
+    { label: t('clientTicket.type.other'), value: 'other' },
+]))
+
+const isSubmitting = ref(false)
+const createdTicketId = ref<number | null>(null)
+
+const form = reactive({
+    type: 'bug' as ClientTicketType,
+    title: '',
+    description: '',
+    url: '',
+})
+
+const touched = reactive({
+    title: false,
+    description: false,
+})
+
+function resetForm() {
+    form.type = 'bug'
+    form.title = ''
+    form.description = ''
+    form.url = ''
+    touched.title = false
+    touched.description = false
+    createdTicketId.value = null
+    isSubmitting.value = false
+}
+
+watch(() => props.modelValue, (open) => {
+    if (open) {
+        resetForm()
+    }
+})
+
+function onModalUpdate(value: boolean) {
+    emit('update:modelValue', value)
+    if (!value && createdTicketId.value) {
+        // A ticket was created before closing → refresh the list.
+        emit('created')
+    }
+}
+
+function finish() {
+    emit('update:modelValue', false)
+    emit('created')
+}
+
+async function handleSubmit() {
+    touched.title = true
+    touched.description = true
+    if (!form.title.trim() || !form.description.trim()) {
+        return
+    }
+
+    isSubmitting.value = true
+    try {
+        const payload: ClientTicketCreate = {
+            type: form.type,
+            title: form.title.trim(),
+            description: form.description.trim(),
+            url: form.type === 'bug' && form.url.trim() ? form.url.trim() : null,
+            project: props.projectIri,
+        }
+        const ticket = await create(payload)
+        createdTicketId.value = ticket.id
+    } finally {
+        isSubmitting.value = false
+    }
+}
+</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue b/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
new file mode 100644
index 0000000..f7d35b9
--- /dev/null
+++ b/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
@@ -0,0 +1,25 @@
+<template>
+    <span
+        class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-semibold"
+        :class="classes"
+    >
+        {{ $t(`clientTicket.status.${status}`) }}
+    </span>
+</template>
+
+<script setup lang="ts">
+import type { ClientTicketStatus } from '~/modules/client-portal/services/dto/client-ticket'
+
+const props = defineProps<{
+    status: ClientTicketStatus
+}>()
+
+const STATUS_CONFIG: Record<ClientTicketStatus, string> = {
+    new: 'bg-sky-100 text-sky-700',
+    in_progress: 'bg-amber-100 text-amber-700',
+    done: 'bg-green-100 text-green-700',
+    rejected: 'bg-neutral-200 text-neutral-600',
+}
+
+const classes = computed(() => STATUS_CONFIG[props.status] ?? STATUS_CONFIG.new)
+</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue b/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
new file mode 100644
index 0000000..ed9d76c
--- /dev/null
+++ b/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
@@ -0,0 +1,25 @@
+<template>
+    <span
+        class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-semibold"
+        :class="config.classes"
+    >
+        <Icon :name="config.icon" class="h-3 w-3" />
+        {{ $t(`clientTicket.type.${type}`) }}
+    </span>
+</template>
+
+<script setup lang="ts">
+import type { ClientTicketType } from '~/modules/client-portal/services/dto/client-ticket'
+
+const props = defineProps<{
+    type: ClientTicketType
+}>()
+
+const TYPE_CONFIG: Record<ClientTicketType, { icon: string, classes: string }> = {
+    bug: { icon: 'mdi:bug-outline', classes: 'bg-red-100 text-red-700' },
+    improvement: { icon: 'mdi:lightbulb-on-outline', classes: 'bg-blue-100 text-blue-700' },
+    other: { icon: 'mdi:dots-horizontal-circle-outline', classes: 'bg-neutral-100 text-neutral-700' },
+}
+
+const config = computed(() => TYPE_CONFIG[props.type] ?? TYPE_CONFIG.other)
+</script>
diff --git a/frontend/modules/client-portal/nuxt.config.ts b/frontend/modules/client-portal/nuxt.config.ts
new file mode 100644
index 0000000..268da7f
--- /dev/null
+++ b/frontend/modules/client-portal/nuxt.config.ts
@@ -0,0 +1 @@
+export default defineNuxtConfig({})
diff --git a/frontend/modules/client-portal/pages/portal.vue b/frontend/modules/client-portal/pages/portal.vue
new file mode 100644
index 0000000..b1d5de4
--- /dev/null
+++ b/frontend/modules/client-portal/pages/portal.vue
@@ -0,0 +1,93 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div>
+            <h1 class="text-2xl font-bold text-neutral-900">{{ $t('portal.title') }}</h1>
+            <p class="mt-1 text-sm text-neutral-500">{{ $t('portal.projects') }}</p>
+        </div>
+
+        <div v-if="isLoading" class="flex justify-center py-16">
+            <Icon name="heroicons:arrow-path" class="h-7 w-7 animate-spin text-neutral-400" />
+        </div>
+
+        <div v-else-if="!projects.length" class="rounded-xl border border-dashed border-neutral-300 py-16 text-center text-neutral-400">
+            {{ $t('portal.noProjects') }}
+        </div>
+
+        <div v-else class="grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-3">
+            <NuxtLink
+                v-for="project in projects"
+                :key="project.id"
+                :to="`/portal/projects/${project.id}`"
+                class="group flex flex-col gap-3 rounded-xl border border-neutral-200 bg-white p-5 shadow-sm transition hover:border-primary-300 hover:shadow-md"
+            >
+                <div class="flex items-start justify-between gap-2">
+                    <h2 class="text-lg font-bold text-neutral-900 group-hover:text-primary-500">
+                        {{ project.name }}
+                    </h2>
+                    <Icon name="mdi:folder-outline" class="h-6 w-6 text-neutral-300" />
+                </div>
+                <div class="mt-auto flex items-center gap-1.5 text-sm text-neutral-500">
+                    <span class="text-base font-bold text-primary-500">{{ openCount(project.id) }}</span>
+                    {{ $t('portal.openTickets') }}
+                </div>
+            </NuxtLink>
+        </div>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { AllowedProject } from '~/services/dto/user-data'
+import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { iriToId } from '~/modules/client-portal/utils/ticket'
+
+definePageMeta({ middleware: ['portal'] })
+useHead({ title: 'Portail client' })
+
+const auth = useAuthStore()
+const { getAll: getTickets } = useClientTicketService()
+const { getAll: getProjects } = useProjectService()
+
+const isLoading = ref(true)
+const projects = ref<AllowedProject[]>([])
+const openCounts = ref<Record<number, number>>({})
+
+function openCount(projectId: number): number {
+    return openCounts.value[projectId] ?? 0
+}
+
+async function load() {
+    isLoading.value = true
+    try {
+        // Client users get their projects from `/me` (allowedProjects, embedded id + name).
+        // Internal users (admin/user) previewing the portal fall back to the full project list.
+        const allowed = auth.user?.allowedProjects ?? []
+        if (allowed.length) {
+            projects.value = allowed
+        } else if (auth.user?.roles?.some((r) => r === 'ROLE_ADMIN' || r === 'ROLE_USER')) {
+            const all = await getProjects({ archived: false })
+            projects.value = all.map((p) => ({ id: p.id, name: p.name, '@id': p['@id'] }))
+        } else {
+            projects.value = []
+        }
+
+        // Count open tickets (status new / in_progress) per project.
+        const tickets = await getTickets()
+        const counts: Record<number, number> = {}
+        for (const ticket of tickets) {
+            if (ticket.status !== 'new' && ticket.status !== 'in_progress') {
+                continue
+            }
+            const pid = iriToId(ticket.project)
+            if (pid !== null) {
+                counts[pid] = (counts[pid] ?? 0) + 1
+            }
+        }
+        openCounts.value = counts
+    } finally {
+        isLoading.value = false
+    }
+}
+
+onMounted(load)
+</script>
diff --git a/frontend/modules/client-portal/pages/portal/projects/[id].vue b/frontend/modules/client-portal/pages/portal/projects/[id].vue
new file mode 100644
index 0000000..c3efba8
--- /dev/null
+++ b/frontend/modules/client-portal/pages/portal/projects/[id].vue
@@ -0,0 +1,133 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex flex-wrap items-center justify-between gap-3">
+            <div class="flex items-center gap-3">
+                <NuxtLink
+                    to="/portal"
+                    class="flex h-8 w-8 items-center justify-center rounded-full text-neutral-400 transition hover:bg-neutral-100 hover:text-neutral-600"
+                >
+                    <Icon name="mdi:arrow-left" class="h-5 w-5" />
+                </NuxtLink>
+                <h1 class="text-2xl font-bold text-neutral-900">{{ projectName }}</h1>
+            </div>
+            <MalioButton
+                icon-name="mdi:plus"
+                icon-position="left"
+                button-class="w-auto px-4"
+                :label="$t('portal.newTicket')"
+                @click="formOpen = true"
+            />
+        </div>
+
+        <div v-if="isLoading" class="flex justify-center py-16">
+            <Icon name="heroicons:arrow-path" class="h-7 w-7 animate-spin text-neutral-400" />
+        </div>
+
+        <div v-else-if="!tickets.length" class="rounded-xl border border-dashed border-neutral-300 py-16 text-center text-neutral-400">
+            {{ $t('portal.noTickets') }}
+        </div>
+
+        <div v-else class="flex flex-col gap-2">
+            <button
+                v-for="ticket in tickets"
+                :key="ticket.id"
+                type="button"
+                class="flex flex-wrap items-center gap-3 rounded-xl border border-neutral-200 bg-white px-4 py-3 text-left shadow-sm transition hover:border-primary-300 hover:shadow-md"
+                @click="openDetail(ticket)"
+            >
+                <span class="font-mono text-sm font-semibold text-primary-500">
+                    {{ formatTicketNumber(ticket.number) }}
+                </span>
+                <ClientTicketTypeBadge :type="ticket.type" />
+                <span class="min-w-0 flex-1 truncate font-semibold text-neutral-900">{{ ticket.title }}</span>
+                <ClientTicketStatusBadge :status="ticket.status" />
+                <span class="text-xs text-neutral-400">{{ formatDate(ticket.createdAt) }}</span>
+            </button>
+        </div>
+
+        <ClientTicketFormModal
+            v-model="formOpen"
+            :project-iri="projectIri"
+            @created="load"
+        />
+
+        <ClientTicketDetailModal
+            v-model="detailOpen"
+            :ticket="selectedTicket"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { ClientTicket } from '~/modules/client-portal/services/dto/client-ticket'
+import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
+import { useProjectService } from '~/modules/project-management/services/projects'
+import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
+
+definePageMeta({ middleware: ['portal'] })
+
+const route = useRoute()
+const auth = useAuthStore()
+const { getAll, getById } = useClientTicketService()
+const { getById: getProject } = useProjectService()
+
+const projectId = computed(() => Number(route.params.id))
+const projectIri = computed(() => `/api/projects/${projectId.value}`)
+
+const isLoading = ref(true)
+const tickets = ref<ClientTicket[]>([])
+const projectName = ref('')
+const formOpen = ref(false)
+const detailOpen = ref(false)
+const selectedTicket = ref<ClientTicket | null>(null)
+
+useHead(() => ({ title: projectName.value || 'Portail client' }))
+
+function formatDate(value: string): string {
+    return new Date(value).toLocaleDateString('fr-FR', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+    })
+}
+
+async function openDetail(ticket: ClientTicket) {
+    // Re-fetch to get embedded documents (collection items may omit them).
+    try {
+        selectedTicket.value = await getById(ticket.id)
+    } catch {
+        selectedTicket.value = ticket
+    }
+    detailOpen.value = true
+}
+
+function resolveProjectName() {
+    const allowed = auth.user?.allowedProjects ?? []
+    const match = allowed.find((p) => p.id === projectId.value)
+    if (match) {
+        projectName.value = match.name
+    }
+}
+
+async function load() {
+    isLoading.value = true
+    try {
+        resolveProjectName()
+        tickets.value = await getAll({ project: projectId.value })
+
+        // Internal users (admin/user) have no allowedProjects → fetch the name directly.
+        if (!projectName.value && auth.user?.roles?.some((r) => r === 'ROLE_ADMIN' || r === 'ROLE_USER')) {
+            try {
+                const project = await getProject(projectId.value)
+                projectName.value = project.name
+            } catch {
+                projectName.value = ''
+            }
+        }
+    } finally {
+        isLoading.value = false
+    }
+}
+
+onMounted(load)
+</script>
diff --git a/frontend/modules/client-portal/services/client-tickets.ts b/frontend/modules/client-portal/services/client-tickets.ts
new file mode 100644
index 0000000..2bbd652
--- /dev/null
+++ b/frontend/modules/client-portal/services/client-tickets.ts
@@ -0,0 +1,60 @@
+import type {
+    ClientTicket,
+    ClientTicketCreate,
+    ClientTicketStatusUpdate,
+} from './dto/client-ticket'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+export type ClientTicketFilters = {
+    project?: number | string
+    status?: string
+    submittedBy?: number | string
+}
+
+export function useClientTicketService() {
+    const api = useApi()
+
+    async function getAll(params?: ClientTicketFilters): Promise<ClientTicket[]> {
+        const query: Record<string, unknown> = {}
+        if (params?.project !== undefined && params.project !== '') {
+            query.project = typeof params.project === 'number'
+                ? `/api/projects/${params.project}`
+                : params.project
+        }
+        if (params?.status) {
+            query.status = params.status
+        }
+        if (params?.submittedBy !== undefined && params.submittedBy !== '') {
+            query.submittedBy = typeof params.submittedBy === 'number'
+                ? `/api/users/${params.submittedBy}`
+                : params.submittedBy
+        }
+        const data = await api.get<HydraCollection<ClientTicket>>('/client_tickets', query)
+        return extractHydraMembers(data)
+    }
+
+    async function getById(id: number): Promise<ClientTicket> {
+        return api.get<ClientTicket>(`/client_tickets/${id}`)
+    }
+
+    async function create(payload: ClientTicketCreate): Promise<ClientTicket> {
+        return api.post<ClientTicket>('/client_tickets', payload as Record<string, unknown>, {
+            toastSuccessKey: 'clientTicket.created',
+        })
+    }
+
+    async function updateStatus(id: number, payload: ClientTicketStatusUpdate): Promise<ClientTicket> {
+        return api.patch<ClientTicket>(`/client_tickets/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'clientTicket.statusChanged',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/client_tickets/${id}`, {}, {
+            toastSuccessKey: 'clientTicket.deleted',
+        })
+    }
+
+    return { getAll, getById, create, updateStatus, remove }
+}
diff --git a/frontend/modules/client-portal/services/dto/client-ticket.ts b/frontend/modules/client-portal/services/dto/client-ticket.ts
new file mode 100644
index 0000000..25f90e0
--- /dev/null
+++ b/frontend/modules/client-portal/services/dto/client-ticket.ts
@@ -0,0 +1,34 @@
+import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
+
+export type ClientTicketType = 'bug' | 'improvement' | 'other'
+export type ClientTicketStatus = 'new' | 'in_progress' | 'done' | 'rejected'
+
+export type ClientTicket = {
+    '@id'?: string
+    id: number
+    number: number
+    type: ClientTicketType
+    title: string
+    description: string
+    url: string | null
+    status: ClientTicketStatus
+    statusComment: string | null
+    project: string             // IRI
+    submittedBy: string | null  // IRI, nullable (ON DELETE SET NULL)
+    createdAt: string
+    updatedAt: string
+    documents?: TaskDocument[]
+}
+
+export type ClientTicketCreate = {
+    type: ClientTicketType
+    title: string
+    description: string
+    url?: string | null
+    project: string             // IRI
+}
+
+export type ClientTicketStatusUpdate = {
+    status: ClientTicketStatus
+    statusComment?: string | null
+}
diff --git a/frontend/modules/client-portal/utils/ticket.ts b/frontend/modules/client-portal/utils/ticket.ts
new file mode 100644
index 0000000..04bc09c
--- /dev/null
+++ b/frontend/modules/client-portal/utils/ticket.ts
@@ -0,0 +1,18 @@
+/**
+ * Format a client-ticket number for display, e.g. `CT-001`.
+ */
+export function formatTicketNumber(value: number): string {
+    return `CT-${String(value).padStart(3, '0')}`
+}
+
+/**
+ * Extract the numeric id from an API Platform IRI (e.g. `/api/projects/5` → 5).
+ * Returns null when the IRI cannot be parsed.
+ */
+export function iriToId(iri: string | null | undefined): number | null {
+    if (!iri) {
+        return null
+    }
+    const match = iri.match(/(\d+)$/)
+    return match ? Number(match[1]) : null
+}
diff --git a/frontend/modules/project-management/components/TaskCard.vue b/frontend/modules/project-management/components/TaskCard.vue
index 777087c..4c8a970 100644
--- a/frontend/modules/project-management/components/TaskCard.vue
+++ b/frontend/modules/project-management/components/TaskCard.vue
@@ -20,6 +20,12 @@
                         name="mdi:flag-variant"
                         class="h-3.5 w-3.5 text-red-600"
                     />
+                    <Icon
+                        v-if="task.clientTicket"
+                        name="heroicons:user-circle"
+                        class="h-3.5 w-3.5 text-primary-500"
+                        :title="$t('clientTicket.linkedTooltip', { number: formatTicketNumber(task.clientTicket.number) })"
+                    />
                 </div>
                 <h4 class="line-clamp-2 text-sm font-semibold text-neutral-900">{{ task.title }}</h4>
             </div>
@@ -103,6 +109,7 @@
 
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
+import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/modules/project-management/components/TaskDocumentUpload.vue b/frontend/modules/project-management/components/TaskDocumentUpload.vue
index d818665..951f8ef 100644
--- a/frontend/modules/project-management/components/TaskDocumentUpload.vue
+++ b/frontend/modules/project-management/components/TaskDocumentUpload.vue
@@ -50,13 +50,14 @@ import { useTaskDocumentService } from '~/modules/project-management/services/ta
 
 const props = defineProps<{
     taskId?: number
+    clientTicketId?: number
 }>()
 
 const emit = defineEmits<{
     uploaded: []
 }>()
 
-const { upload: uploadFile } = useTaskDocumentService()
+const { upload: uploadFile, uploadForClientTicket } = useTaskDocumentService()
 const toast = useToast()
 const { t } = useI18n()
 
@@ -111,6 +112,8 @@ async function processFiles(files: File[]) {
         try {
             if (props.taskId) {
                 await uploadFile(props.taskId, file)
+            } else if (props.clientTicketId) {
+                await uploadForClientTicket(props.clientTicketId, file)
             }
             state.uploading = false
             state.progress = 100
diff --git a/frontend/modules/project-management/components/TaskListItem.vue b/frontend/modules/project-management/components/TaskListItem.vue
index e978073..943dab3 100644
--- a/frontend/modules/project-management/components/TaskListItem.vue
+++ b/frontend/modules/project-management/components/TaskListItem.vue
@@ -28,6 +28,12 @@
                     name="mdi:flag-variant"
                     class="h-3.5 w-3.5 text-red-600"
                 />
+                <Icon
+                    v-if="task.clientTicket"
+                    name="heroicons:user-circle"
+                    class="h-3.5 w-3.5 text-primary-500"
+                    :title="$t('clientTicket.linkedTooltip', { number: formatTicketNumber(task.clientTicket.number) })"
+                />
             </div>
             <!-- Row 2: title -->
             <h4 class="mt-1 text-sm font-semibold text-neutral-900">{{ task.title }}</h4>
@@ -111,6 +117,7 @@
 
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
+import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/modules/project-management/services/dto/task.ts b/frontend/modules/project-management/services/dto/task.ts
index 3a20502..211cf2d 100644
--- a/frontend/modules/project-management/services/dto/task.ts
+++ b/frontend/modules/project-management/services/dto/task.ts
@@ -28,6 +28,14 @@ export type Task = {
     deadline: string | null
     syncToCalendar: boolean
     calendarSyncError: string | null
+    clientTicket: {
+        id: number
+        '@id'?: string
+        number: number
+        type: 'bug' | 'improvement' | 'other'
+        status: 'new' | 'in_progress' | 'done' | 'rejected'
+        title: string
+    } | null
     recurrence: {
         id: number
         '@id'?: string
diff --git a/frontend/modules/project-management/services/task-documents.ts b/frontend/modules/project-management/services/task-documents.ts
index 0daf539..d3e2ddd 100644
--- a/frontend/modules/project-management/services/task-documents.ts
+++ b/frontend/modules/project-management/services/task-documents.ts
@@ -15,6 +15,13 @@ export function useTaskDocumentService() {
         return extractHydraMembers(data)
     }
 
+    async function getByClientTicket(clientTicketId: number): Promise<TaskDocument[]> {
+        const data = await api.get<HydraCollection<TaskDocument>>('/task_documents', {
+            clientTicket: `/api/client_tickets/${clientTicketId}`,
+        })
+        return extractHydraMembers(data)
+    }
+
     async function uploadWithRelation(relationField: string, relationIri: string, file: File): Promise<TaskDocument> {
         const formData = new FormData()
         formData.append('file', file)
@@ -31,6 +38,10 @@ export function useTaskDocumentService() {
         return uploadWithRelation('task', `/api/tasks/${taskId}`, file)
     }
 
+    async function uploadForClientTicket(clientTicketId: number, file: File): Promise<TaskDocument> {
+        return uploadWithRelation('clientTicket', `/api/client_tickets/${clientTicketId}`, file)
+    }
+
     async function linkShare(taskId: number, sharePath: string): Promise<TaskDocument> {
         return $fetch<TaskDocument>(`${baseURL}/task_documents`, {
             method: 'POST',
@@ -51,11 +62,12 @@ export function useTaskDocumentService() {
     }
 
     async function getContent(id: number): Promise<string> {
-        return $fetch<string>(`${baseURL}/task_documents/${id}/download`, {
+        const response = await fetch(`${baseURL}/task_documents/${id}/download`, {
             credentials: 'include',
-            responseType: 'text',
         })
+
+        return response.text()
     }
 
-    return { getByTask, upload, linkShare, remove, getDownloadUrl, getContent }
+    return { getByTask, getByClientTicket, upload, uploadForClientTicket, linkShare, remove, getDownloadUrl, getContent }
 }
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index 668db4e..1132c1f 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -27,6 +27,7 @@
             <AdminPriorityTab v-if="activeTab === 'priorities'" />
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
+            <AdminClientTicketTab v-if="activeTab === 'clientTickets'" />
             <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
             <AdminAuditTab v-if="activeTab === 'audit' && canViewAudit" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
@@ -56,6 +57,7 @@ const tabs = [
     { key: 'priorities', label: 'Priorités' },
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
+    { key: 'clientTickets', label: t('clientTicket.adminTab') },
     { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
     { key: 'audit', label: t('admin.audit.title'), permission: 'core.audit_log.view' },
     { key: 'gitea', label: 'Gitea' },
diff --git a/frontend/services/dto/user-data.ts b/frontend/services/dto/user-data.ts
index 148bac0..3b126b3 100644
--- a/frontend/services/dto/user-data.ts
+++ b/frontend/services/dto/user-data.ts
@@ -1,5 +1,15 @@
 export type ContractType = 'CDI' | 'CDD' | 'STAGE' | 'ALTERNANCE' | 'AUTRE'
 
+/**
+ * Project as embedded in the `me:read` serialization group (id + name).
+ * On `/me`, `allowedProjects` is returned as embedded objects, not bare IRIs.
+ */
+export type AllowedProject = {
+    '@id'?: string
+    id: number
+    name: string
+}
+
 export type UserData = {
     id: number
     '@id'?: string
@@ -10,6 +20,9 @@ export type UserData = {
     effectivePermissions?: string[]
     avatarUrl?: string | null
     apiToken?: string | null
+    // Client portal
+    client?: string | null                  // IRI of the linked Client (null = internal user)
+    allowedProjects?: AllowedProject[]      // Projects a client user can access (embedded id + name)
     // HR / absence management
     isEmployee?: boolean
     hireDate?: string | null
@@ -27,6 +40,9 @@ export type UserWrite = {
     lastName?: string | null
     plainPassword?: string
     roles: string[]
+    // Client portal
+    client?: string | null
+    allowedProjects?: string[]
     // HR / absence management
     isEmployee?: boolean
     hireDate?: string | null
diff --git a/frontend/services/users.ts b/frontend/services/users.ts
index 69e02f0..ce64cd3 100644
--- a/frontend/services/users.ts
+++ b/frontend/services/users.ts
@@ -10,6 +10,10 @@ export function useUserService() {
         return extractHydraMembers(data)
     }
 
+    async function getById(id: number): Promise<UserData> {
+        return api.get<UserData>(`/users/${id}`)
+    }
+
     async function create(payload: UserWrite): Promise<UserData> {
         return api.post<UserData>('/users', payload as Record<string, unknown>, {
             toastSuccessKey: 'users.created',
@@ -28,5 +32,5 @@ export function useUserService() {
         })
     }
 
-    return { getAll, create, update, remove }
+    return { getAll, getById, create, update, remove }
 }
-- 
2.39.5


From 0cce586a1f5a0df5bab1c2f5695d1ce16cb9b983 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 01:15:05 +0200
Subject: [PATCH 65/99] =?UTF-8?q?feat(client-portal)=20:=20phase=203=20?=
 =?UTF-8?q?=E2=80=94=20ticket=20notifications?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-69 (3.2) phase 3. Wires the existing notification system to client-ticket
events (the bell/useNotifications/endpoints already existed).

- Notification.relatedTicket (ManyToOne ClientTicketInterface, SET NULL) +
  additive migration + notification:read group.
- NotifierInterface::notify() gains a backward-compatible optional
  relatedTicket param (existing callers unchanged).
- ClientTicketNumberProcessor (POST): notifies all ROLE_ADMIN users
  (ticket_created), tolerant try/catch after flush. ClientTicketStatusProcessor
  (PATCH): notifies submittedBy on status change (ticket_status_changed).
- Front: notification DTO relatedTicket; NotificationBell navigates to /admin
  (admin) or /portal (client) on ticket notifications.

180 tests green (178 + 2), nuxt build passes, cs-fixer clean.
---
 .../notification/NotificationBell.vue         | 11 +++
 frontend/services/dto/notification.ts         |  1 +
 migrations/Version20260621130000.php          | 41 ++++++++++
 .../State/ClientTicketNumberProcessor.php     | 31 ++++++-
 .../State/ClientTicketStatusProcessor.php     | 30 +++++++
 .../Core/Domain/Entity/Notification.php       | 20 +++++
 src/Module/Core/Infrastructure/Notifier.php   | 11 ++-
 .../Domain/Contract/NotifierInterface.php     |  8 +-
 .../ClientPortal/ClientTicketApiTest.php      | 81 +++++++++++++++++++
 9 files changed, 230 insertions(+), 4 deletions(-)
 create mode 100644 migrations/Version20260621130000.php

diff --git a/frontend/components/notification/NotificationBell.vue b/frontend/components/notification/NotificationBell.vue
index 38383e9..e3e9b6d 100644
--- a/frontend/components/notification/NotificationBell.vue
+++ b/frontend/components/notification/NotificationBell.vue
@@ -102,11 +102,22 @@ function toggleDropdown() {
     }
 }
 
+const auth = useAuthStore()
+
+const isAdmin = computed(() => (auth.user?.roles ?? []).includes('ROLE_ADMIN'))
+
 function handleClick(notif: Notification) {
     if (!notif.isRead) {
         markAsRead(notif.id)
     }
     isOpen.value = false
+
+    // Deep-link to the related ticket when present. The notification payload does
+    // not carry the ticket's project, so we route to the relevant list view:
+    // admins to the client-tickets admin tab, clients to their portal.
+    if (notif.relatedTicket) {
+        navigateTo(isAdmin.value ? '/admin' : '/portal')
+    }
 }
 
 async function handleMarkAllRead() {
diff --git a/frontend/services/dto/notification.ts b/frontend/services/dto/notification.ts
index 9b8fe43..4c8e293 100644
--- a/frontend/services/dto/notification.ts
+++ b/frontend/services/dto/notification.ts
@@ -7,6 +7,7 @@ export type Notification = {
     type: NotificationType
     title: string
     message: string
+    relatedTicket: string | null
     isRead: boolean
     createdAt: string
 }
diff --git a/migrations/Version20260621130000.php b/migrations/Version20260621130000.php
new file mode 100644
index 0000000..cb565c4
--- /dev/null
+++ b/migrations/Version20260621130000.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Client portal — phase 3: link notifications to client tickets (additive).
+ *
+ * - Adds notification.related_ticket_id (FK client_ticket, SET NULL) plus its index,
+ *   so a notification can deep-link to the ticket it concerns without breaking the
+ *   existing task-based notifications (column is nullable).
+ *
+ * Lowercase SQL columns; FK/index names mirror Doctrine's generated identifiers.
+ * down() reverses.
+ */
+final class Version20260621130000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Client portal phase 3: notification.related_ticket_id link to client_ticket (additive)';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE notification ADD related_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE notification ADD CONSTRAINT FK_BF5476CA98F144DB FOREIGN KEY (related_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX idx_notification_related_ticket ON notification (related_ticket_id)');
+        $this->addSql("COMMENT ON COLUMN notification.related_ticket_id IS 'Ticket client lie a la notification (FK client_ticket, SET NULL). null = notification non liee a un ticket.'");
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE notification DROP CONSTRAINT FK_BF5476CA98F144DB');
+        $this->addSql('DROP INDEX idx_notification_related_ticket');
+        $this->addSql('ALTER TABLE notification DROP related_ticket_id');
+    }
+}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
index 91ca856..44b5c47 100644
--- a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
+++ b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
@@ -9,6 +9,8 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\ClientPortal\Domain\Entity\ClientTicket;
 use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
 use App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Domain\Contract\NotifierInterface;
 use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
@@ -17,6 +19,7 @@ use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+use Throwable;
 
 /**
  * Handles creation of a client ticket (POST).
@@ -41,6 +44,8 @@ final readonly class ClientTicketNumberProcessor implements ProcessorInterface
         private ClientTicketRepositoryInterface $repository,
         private EntityManagerInterface $entityManager,
         private Security $security,
+        private NotifierInterface $notifier,
+        private UserRepositoryInterface $userRepository,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
@@ -73,7 +78,7 @@ final readonly class ClientTicketNumberProcessor implements ProcessorInterface
         $data->setCreatedAt($now);
         $data->setUpdatedAt($now);
 
-        return $this->entityManager->wrapInTransaction(function () use ($data, $project, $operation, $uriVariables, $context): ClientTicket {
+        $ticket = $this->entityManager->wrapInTransaction(function () use ($data, $project, $operation, $uriVariables, $context): ClientTicket {
             $maxNumber = $this->repository->findMaxNumberByProjectForUpdate((int) $project->getId());
             $data->setNumber($maxNumber + 1);
 
@@ -82,6 +87,30 @@ final readonly class ClientTicketNumberProcessor implements ProcessorInterface
 
             return $result;
         });
+
+        // Notify admins after the ticket is committed; never let a notification
+        // failure roll back or break the creation.
+        $this->notifyAdmins($ticket, $project);
+
+        return $ticket;
+    }
+
+    private function notifyAdmins(ClientTicket $ticket, ProjectInterface $project): void
+    {
+        try {
+            $number      = sprintf('CT-%03d', (int) $ticket->getNumber());
+            $projectName = $project->getName() ?? '';
+            $title       = sprintf('Nouveau ticket client %s', $number);
+            $message     = '' !== $projectName
+                ? sprintf('« %s » — %s', (string) $ticket->getTitle(), $projectName)
+                : sprintf('« %s »', (string) $ticket->getTitle());
+
+            foreach ($this->userRepository->findByRole('ROLE_ADMIN') as $admin) {
+                $this->notifier->notify($admin, 'ticket_created', $title, $message, $ticket);
+            }
+        } catch (Throwable) {
+            // Tolerant: ticket creation must succeed even if notifications fail.
+        }
     }
 
     private function userMayAccessProject(UserInterface $user, ProjectInterface $project): bool
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
index 508ffed..64a78de 100644
--- a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
+++ b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
@@ -8,9 +8,12 @@ use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Module\ClientPortal\Domain\Entity\ClientTicket;
 use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Shared\Domain\Contract\NotifierInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+use Throwable;
 
 /**
  * Handles status changes on a client ticket (PATCH, ROLE_ADMIN only).
@@ -25,6 +28,7 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
 {
     public function __construct(
         private EntityManagerInterface $entityManager,
+        private NotifierInterface $notifier,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
@@ -53,6 +57,32 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
         $this->entityManager->persist($data);
         $this->entityManager->flush();
 
+        // Notify the submitter when the status actually changed.
+        if ($oldStatus !== $newStatus) {
+            $this->notifySubmitter($data, $newStatus);
+        }
+
         return $data;
     }
+
+    private function notifySubmitter(ClientTicket $ticket, ClientTicketStatus $newStatus): void
+    {
+        $submitter = $ticket->getSubmittedBy();
+        if (!$submitter instanceof UserInterface) {
+            return;
+        }
+
+        try {
+            $number  = sprintf('CT-%03d', (int) $ticket->getNumber());
+            $title   = sprintf('Ticket %s mis à jour', $number);
+            $comment = trim((string) $ticket->getStatusComment());
+            $message = '' !== $comment
+                ? sprintf('%s — %s', $newStatus->label(), $comment)
+                : $newStatus->label();
+
+            $this->notifier->notify($submitter, 'ticket_status_changed', $title, $message, $ticket);
+        } catch (Throwable) {
+            // Tolerant: the status change must succeed even if notifications fail.
+        }
+    }
 }
diff --git a/src/Module/Core/Domain/Entity/Notification.php b/src/Module/Core/Domain/Entity/Notification.php
index 1eded34..41756ff 100644
--- a/src/Module/Core/Domain/Entity/Notification.php
+++ b/src/Module/Core/Domain/Entity/Notification.php
@@ -9,6 +9,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use App\Module\Core\Infrastructure\ApiPlatform\State\NotificationProvider;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
+use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
@@ -32,6 +33,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: DoctrineNotificationRepository::class)]
 #[ORM\Index(columns: ['user_id'], name: 'idx_notification_user')]
 #[ORM\Index(columns: ['user_id', 'is_read'], name: 'idx_notification_user_read')]
+#[ORM\Index(columns: ['related_ticket_id'], name: 'idx_notification_related_ticket')]
 class Notification
 {
     #[ORM\Id]
@@ -57,6 +59,12 @@ class Notification
     #[Groups(['notification:read'])]
     private ?string $message = null;
 
+    /** Optional link to the client ticket this notification relates to. */
+    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
+    #[ORM\JoinColumn(name: 'related_ticket_id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['notification:read'])]
+    private ?ClientTicketInterface $relatedTicket = null;
+
     #[ORM\Column]
     #[Groups(['notification:read', 'notification:write'])]
     private bool $isRead = false;
@@ -118,6 +126,18 @@ class Notification
         return $this;
     }
 
+    public function getRelatedTicket(): ?ClientTicketInterface
+    {
+        return $this->relatedTicket;
+    }
+
+    public function setRelatedTicket(?ClientTicketInterface $relatedTicket): static
+    {
+        $this->relatedTicket = $relatedTicket;
+
+        return $this;
+    }
+
     public function isRead(): bool
     {
         return $this->isRead;
diff --git a/src/Module/Core/Infrastructure/Notifier.php b/src/Module/Core/Infrastructure/Notifier.php
index 8be13e6..38a1cbf 100644
--- a/src/Module/Core/Infrastructure/Notifier.php
+++ b/src/Module/Core/Infrastructure/Notifier.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Module\Core\Infrastructure;
 
 use App\Module\Core\Domain\Entity\Notification;
+use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\NotifierInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
@@ -14,13 +15,19 @@ final readonly class Notifier implements NotifierInterface
 {
     public function __construct(private EntityManagerInterface $em) {}
 
-    public function notify(UserInterface $user, string $type, string $title, string $message): void
-    {
+    public function notify(
+        UserInterface $user,
+        string $type,
+        string $title,
+        string $message,
+        ?ClientTicketInterface $relatedTicket = null,
+    ): void {
         $notification = new Notification();
         $notification->setUser($user);
         $notification->setType($type);
         $notification->setTitle($title);
         $notification->setMessage($message);
+        $notification->setRelatedTicket($relatedTicket);
         $notification->setCreatedAt(new DateTimeImmutable());
 
         $this->em->persist($notification);
diff --git a/src/Shared/Domain/Contract/NotifierInterface.php b/src/Shared/Domain/Contract/NotifierInterface.php
index 59872b2..ec6225e 100644
--- a/src/Shared/Domain/Contract/NotifierInterface.php
+++ b/src/Shared/Domain/Contract/NotifierInterface.php
@@ -6,5 +6,11 @@ namespace App\Shared\Domain\Contract;
 
 interface NotifierInterface
 {
-    public function notify(UserInterface $user, string $type, string $title, string $message): void;
+    public function notify(
+        UserInterface $user,
+        string $type,
+        string $title,
+        string $message,
+        ?ClientTicketInterface $relatedTicket = null,
+    ): void;
 }
diff --git a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
index 7986abd..12f08d3 100644
--- a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
+++ b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
@@ -6,8 +6,11 @@ namespace App\Tests\Functional\Module\ClientPortal;
 
 use App\Module\ClientPortal\Domain\Entity\ClientTicket;
 use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
+use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
+use App\Module\Core\Domain\Entity\Notification;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
+use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
@@ -123,6 +126,84 @@ final class ClientTicketApiTest extends WebTestCase
         self::assertGreaterThanOrEqual(1, $data['number']);
     }
 
+    public function testCreatingTicketNotifiesAdmins(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        $projectIri = $this->sirhProjectIri($em);
+        $this->loginClient($client, 'client-liot');
+
+        $title = 'Notif test '.uniqid('', true);
+        $client->request('POST', '/api/client_tickets', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'type'        => 'other',
+            'title'       => $title,
+            'description' => 'Trigger an admin notification.',
+            'project'     => $projectIri,
+        ]));
+
+        self::assertResponseStatusCodeSame(201);
+        $data     = json_decode($client->getResponse()->getContent(), true);
+        $ticketId = $data['id'];
+
+        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertNotNull($admin);
+
+        $notification = $em->getRepository(Notification::class)->findOneBy([
+            'user' => $admin,
+            'type' => 'ticket_created',
+        ], ['createdAt' => 'DESC']);
+
+        self::assertInstanceOf(Notification::class, $notification);
+        self::assertNotNull($notification->getRelatedTicket());
+        self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
+    }
+
+    public function testChangingStatusNotifiesSubmitter(): void
+    {
+        $client = self::createClient();
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+
+        // Set up a fresh `new` ticket whose submitter is a known client user,
+        // so we can assert the submitter is the notification recipient.
+        $submitter = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
+        self::assertNotNull($submitter);
+        $project = $em->getRepository(Project::class)->findOneBy(['code' => 'SIRH']);
+        self::assertNotNull($project);
+
+        $ticket = new ClientTicket();
+        $ticket->setType(ClientTicketType::Other);
+        $ticket->setTitle('Status notif '.uniqid('', true));
+        $ticket->setDescription('Will be moved to in_progress.');
+        $ticket->setProject($project);
+        $ticket->setSubmittedBy($submitter);
+        $ticket->setStatus(ClientTicketStatus::New);
+        $ticket->setNumber(9000 + random_int(1, 999));
+        $ticket->setCreatedAt(new DateTimeImmutable());
+        $ticket->setUpdatedAt(new DateTimeImmutable());
+        $em->persist($ticket);
+        $em->flush();
+        $ticketId = $ticket->getId();
+
+        // Admin moves it to in_progress.
+        $this->loginClient($client, 'admin');
+        $client->request('PATCH', '/api/client_tickets/'.$ticketId, server: [
+            'CONTENT_TYPE' => 'application/merge-patch+json',
+        ], content: json_encode(['status' => 'in_progress']));
+        self::assertResponseIsSuccessful();
+
+        $notification = $em->getRepository(Notification::class)->findOneBy([
+            'user' => $submitter,
+            'type' => 'ticket_status_changed',
+        ], ['createdAt' => 'DESC']);
+
+        self::assertInstanceOf(Notification::class, $notification);
+        self::assertNotNull($notification->getRelatedTicket());
+        self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
+    }
+
     public function testAdminCannotCreateTicket(): void
     {
         $client = self::createClient();
-- 
2.39.5


From da3d1902160577a0cd8482f931304dead1f5ad01 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 01:25:19 +0200
Subject: [PATCH 66/99] =?UTF-8?q?refactor(core)=20:=20final=20legacy=20cle?=
 =?UTF-8?q?anup=20=E2=80=94=20app=20is=20100%=20modular?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LST-60 (3.3). Closes the modular-monolith migration. src/Entity was already
empty; this removes the last legacy residue.

- Doctrine: drop the legacy "App" mapping (empty src/Entity). resolve_target_
  entities already targets modules only.
- MCP User tools (Reference/) -> Core/Infrastructure/Mcp/Tool; MCP Serializer
  -> Shared/Infrastructure/Mcp (33 usages repointed).
- Controllers (mark-all-read, notification unread-count, regenerate-api-token,
  user-avatar) -> Core/Infrastructure/Controller. TokenEncryptor -> Shared/
  Infrastructure/Service (11 usages). AppVersion resource+provider -> Shared.
  ContractType enum -> Core/Domain/Enum.
- src/{Entity,State,Controller,Service,Enum,ApiResource} now empty; routes,
  MCP tool names and public API unchanged.

180 tests green, mapping valid, no route regression, cs-fixer clean.
Note: final Malio visual harmonisation (subjective) left to the PO.
---
 config/packages/doctrine.yaml                               | 6 ------
 config/services.yaml                                        | 2 +-
 src/DataFixtures/AppFixtures.php                            | 2 +-
 .../Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php       | 2 +-
 .../Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php     | 2 +-
 .../Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php     | 2 +-
 .../Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php     | 2 +-
 .../Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php     | 2 +-
 src/Module/Core/Domain/Entity/User.php                      | 2 +-
 src/{ => Module/Core/Domain}/Enum/ContractType.php          | 2 +-
 .../Infrastructure}/Controller/MarkAllReadController.php    | 2 +-
 .../Controller/NotificationUnreadCountController.php        | 2 +-
 .../Controller/RegenerateApiTokenController.php             | 2 +-
 .../Infrastructure}/Controller/UserAvatarController.php     | 2 +-
 .../Core/Infrastructure/Mcp/Tool}/GetUserTool.php           | 4 ++--
 .../Core/Infrastructure/Mcp/Tool}/ListUsersTool.php         | 2 +-
 .../Core/Infrastructure/Mcp/Tool}/UpdateUserTool.php        | 6 +++---
 .../Infrastructure/Mcp/Tool/ConvertProspectTool.php         | 2 +-
 .../Directory/Infrastructure/Mcp/Tool/CreateClientTool.php  | 2 +-
 .../Infrastructure/Mcp/Tool/CreateProspectTool.php          | 2 +-
 .../Directory/Infrastructure/Mcp/Tool/GetClientTool.php     | 2 +-
 .../Directory/Infrastructure/Mcp/Tool/GetProspectTool.php   | 2 +-
 .../Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php | 2 +-
 .../Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php  | 2 +-
 .../Infrastructure/Mcp/Tool/UpdateProspectTool.php          | 2 +-
 .../ApiPlatform/State/BookStackSettingsProcessor.php        | 2 +-
 .../ApiPlatform/State/GiteaSettingsProcessor.php            | 2 +-
 .../ApiPlatform/State/ShareSettingsProcessor.php            | 2 +-
 .../ApiPlatform/State/ZimbraSettingsProcessor.php           | 2 +-
 .../Infrastructure/Service/BookStackApiService.php          | 2 +-
 .../Integration/Infrastructure/Service/GiteaApiService.php  | 2 +-
 .../Integration/Infrastructure/Service/SmbFileSource.php    | 2 +-
 .../ApiPlatform/State/MailSettingsProcessor.php             | 2 +-
 src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php    | 2 +-
 .../Infrastructure/Mcp/Tool/Project/CreateProjectTool.php   | 2 +-
 .../Infrastructure/Mcp/Tool/Project/GetProjectTool.php      | 2 +-
 .../Infrastructure/Mcp/Tool/Project/ListProjectsTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php   | 2 +-
 .../Infrastructure/Mcp/Tool/Task/CreateTaskTool.php         | 2 +-
 .../Infrastructure/Mcp/Tool/Task/GetTaskTool.php            | 2 +-
 .../Infrastructure/Mcp/Tool/Task/ListTasksTool.php          | 2 +-
 .../Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php         | 2 +-
 .../Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php    | 2 +-
 .../Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php     | 2 +-
 .../Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php    | 2 +-
 .../Infrastructure/Service/CalDavService.php                | 2 +-
 .../Infrastructure/Mcp/Tool/CreateTimeEntryTool.php         | 2 +-
 .../Infrastructure/Mcp/Tool/ListTimeEntriesTool.php         | 2 +-
 .../Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php         | 2 +-
 .../Infrastructure/ApiPlatform/Resource}/AppVersion.php     | 4 ++--
 .../ApiPlatform}/State/AppVersionProvider.php               | 4 ++--
 src/{Mcp/Tool => Shared/Infrastructure/Mcp}/Serializer.php  | 2 +-
 src/{ => Shared/Infrastructure}/Service/TokenEncryptor.php  | 2 +-
 tests/Unit/Mail/ImapMailProviderTest.php                    | 2 +-
 58 files changed, 62 insertions(+), 68 deletions(-)
 rename src/{ => Module/Core/Domain}/Enum/ContractType.php (92%)
 rename src/{ => Module/Core/Infrastructure}/Controller/MarkAllReadController.php (94%)
 rename src/{ => Module/Core/Infrastructure}/Controller/NotificationUnreadCountController.php (94%)
 rename src/{ => Module/Core/Infrastructure}/Controller/RegenerateApiTokenController.php (94%)
 rename src/{ => Module/Core/Infrastructure}/Controller/UserAvatarController.php (98%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/GetUserTool.php (92%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/ListUsersTool.php (95%)
 rename src/{Mcp/Tool/Reference => Module/Core/Infrastructure/Mcp/Tool}/UpdateUserTool.php (94%)
 rename src/{ApiResource => Shared/Infrastructure/ApiPlatform/Resource}/AppVersion.php (78%)
 rename src/{ => Shared/Infrastructure/ApiPlatform}/State/AppVersionProvider.php (83%)
 rename src/{Mcp/Tool => Shared/Infrastructure/Mcp}/Serializer.php (99%)
 rename src/{ => Shared/Infrastructure}/Service/TokenEncryptor.php (97%)

diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 26b6458..48948ad 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -28,12 +28,6 @@ doctrine:
             App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
             App\Shared\Domain\Contract\ClientTicketInterface: App\Module\ClientPortal\Domain\Entity\ClientTicket
         mappings:
-            App:
-                type: attribute
-                is_bundle: false
-                dir: '%kernel.project_dir%/src/Entity'
-                prefix: 'App\Entity'
-                alias: App
             Core:
                 type: attribute
                 is_bundle: false
diff --git a/config/services.yaml b/config/services.yaml
index d5b6c72..4e2b5af 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -53,7 +53,7 @@ services:
         arguments:
             $uploadDir: '%task_document_upload_dir%'
 
-    App\Controller\UserAvatarController:
+    App\Module\Core\Infrastructure\Controller\UserAvatarController:
         arguments:
             $avatarUploadDir: '%avatar_upload_dir%'
 
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index fc6d9e3..1dbbfa2 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\DataFixtures;
 
-use App\Enum\ContractType;
 use App\Module\Absence\Domain\Entity\AbsenceBalance;
 use App\Module\Absence\Domain\Entity\AbsencePolicy;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
@@ -15,6 +14,7 @@ use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
 use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Enum\ContractType;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
index 5dd3ea3..2c65812 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CancelAbsenceRequestTool.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Application\Service\AbsenceBalanceService;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
index 97ac0f6..f645ac5 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/CreateAbsenceRequestTool.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Application\Service\AbsenceBalanceService;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
@@ -14,6 +13,7 @@ use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
 use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Module\Absence\Domain\Service\AbsenceDayCalculator;
 use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
index d7f6b14..9aed1c8 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/GetAbsenceRequestTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
index 61415cd..8445a36 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceBalancesTool.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
 use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
index 4d2507d..8ec32b0 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsencePoliciesTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
index af4c701..a5b21b4 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ListAbsenceRequestsTool.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
index 1ddd61f..2b3372e 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/ReviewAbsenceRequestTool.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Application\Service\AbsenceBalanceService;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Repository\AbsenceRequestRepositoryInterface;
 use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
index 2c06144..c3726fa 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsenceBalanceTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Repository\AbsenceBalanceRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
index 0e803fe..b0a3ee7 100644
--- a/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
+++ b/src/Module/Absence/Infrastructure/Mcp/Tool/UpdateAbsencePolicyTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Absence\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Absence\Domain\Repository\AbsencePolicyRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 185901f..dfab344 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -11,7 +11,7 @@ use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
-use App\Enum\ContractType;
+use App\Module\Core\Domain\Enum\ContractType;
 use App\Module\Core\Infrastructure\ApiPlatform\State\MeProvider;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor;
diff --git a/src/Enum/ContractType.php b/src/Module/Core/Domain/Enum/ContractType.php
similarity index 92%
rename from src/Enum/ContractType.php
rename to src/Module/Core/Domain/Enum/ContractType.php
index fe1d7b1..5963572 100644
--- a/src/Enum/ContractType.php
+++ b/src/Module/Core/Domain/Enum/ContractType.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Enum;
+namespace App\Module\Core\Domain\Enum;
 
 enum ContractType: string
 {
diff --git a/src/Controller/MarkAllReadController.php b/src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
similarity index 94%
rename from src/Controller/MarkAllReadController.php
rename to src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
index 9c076c9..cd0ea0c 100644
--- a/src/Controller/MarkAllReadController.php
+++ b/src/Module/Core/Infrastructure/Controller/MarkAllReadController.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
 use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use App\Shared\Domain\Contract\UserInterface;
diff --git a/src/Controller/NotificationUnreadCountController.php b/src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
similarity index 94%
rename from src/Controller/NotificationUnreadCountController.php
rename to src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
index b26512f..db9bde9 100644
--- a/src/Controller/NotificationUnreadCountController.php
+++ b/src/Module/Core/Infrastructure/Controller/NotificationUnreadCountController.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
 use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
 use App\Shared\Domain\Contract\UserInterface;
diff --git a/src/Controller/RegenerateApiTokenController.php b/src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
similarity index 94%
rename from src/Controller/RegenerateApiTokenController.php
rename to src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
index 2593811..00ad222 100644
--- a/src/Controller/RegenerateApiTokenController.php
+++ b/src/Module/Core/Infrastructure/Controller/RegenerateApiTokenController.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
diff --git a/src/Controller/UserAvatarController.php b/src/Module/Core/Infrastructure/Controller/UserAvatarController.php
similarity index 98%
rename from src/Controller/UserAvatarController.php
rename to src/Module/Core/Infrastructure/Controller/UserAvatarController.php
index 2c586fa..ebfde04 100644
--- a/src/Controller/UserAvatarController.php
+++ b/src/Module/Core/Infrastructure/Controller/UserAvatarController.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Controller;
+namespace App\Module\Core\Infrastructure\Controller;
 
 use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
diff --git a/src/Mcp/Tool/Reference/GetUserTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
similarity index 92%
rename from src/Mcp/Tool/Reference/GetUserTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
index 74d0e55..45de3d2 100644
--- a/src/Mcp/Tool/Reference/GetUserTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/GetUserTool.php
@@ -2,10 +2,10 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Mcp/Tool/Reference/ListUsersTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
similarity index 95%
rename from src/Mcp/Tool/Reference/ListUsersTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
index c2badca..d40b9f4 100644
--- a/src/Mcp/Tool/Reference/ListUsersTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/ListUsersTool.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Mcp/Tool/Reference/UpdateUserTool.php b/src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
similarity index 94%
rename from src/Mcp/Tool/Reference/UpdateUserTool.php
rename to src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
index 58cf1fb..c532a54 100644
--- a/src/Mcp/Tool/Reference/UpdateUserTool.php
+++ b/src/Module/Core/Infrastructure/Mcp/Tool/UpdateUserTool.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool\Reference;
+namespace App\Module\Core\Infrastructure\Mcp\Tool;
 
-use App\Enum\ContractType;
-use App\Mcp\Tool\Serializer;
+use App\Module\Core\Domain\Enum\ContractType;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
index a80cf60..22d81d3 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
@@ -4,10 +4,10 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
index 087d30b..af39f52 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Entity\Client;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
index 3663fc4..ddce7c0 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
index de37db3..676c1b0 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetClientTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
index b19e14c..06db797 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/GetProspectTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
index 671a55b..d7473de 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ListProspectsTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
index f6ff65b..145cd6c 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
index e155112..e411200 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
index 7c591c5..5fd2fc9 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/BookStackSettingsProcessor.php
@@ -9,7 +9,7 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Integration\Domain\Entity\BookStackConfiguration;
 use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
 use App\Module\Integration\Infrastructure\ApiPlatform\Resource\BookStackSettings;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class BookStackSettingsProcessor implements ProcessorInterface
diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
index 60363a5..31ee8b2 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/GiteaSettingsProcessor.php
@@ -9,7 +9,7 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Integration\Domain\Entity\GiteaConfiguration;
 use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
 use App\Module\Integration\Infrastructure\ApiPlatform\Resource\GiteaSettings;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class GiteaSettingsProcessor implements ProcessorInterface
diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
index 53a3868..9044ba1 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ShareSettingsProcessor.php
@@ -9,7 +9,7 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Integration\Domain\Entity\ShareConfiguration;
 use App\Module\Integration\Domain\Repository\ShareConfigurationRepositoryInterface;
 use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ShareSettings;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class ShareSettingsProcessor implements ProcessorInterface
diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
index 3d940b7..14f96c8 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/State/ZimbraSettingsProcessor.php
@@ -9,7 +9,7 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Integration\Domain\Entity\ZimbraConfiguration;
 use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterface;
 use App\Module\Integration\Infrastructure\ApiPlatform\Resource\ZimbraSettings;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class ZimbraSettingsProcessor implements ProcessorInterface
diff --git a/src/Module/Integration/Infrastructure/Service/BookStackApiService.php b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
index 2589dd4..5a5fa17 100644
--- a/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
@@ -7,7 +7,7 @@ namespace App\Module\Integration\Infrastructure\Service;
 use App\Module\Integration\Domain\Entity\BookStackConfiguration;
 use App\Module\Integration\Domain\Exception\BookStackApiException;
 use App\Module\Integration\Domain\Repository\BookStackConfigurationRepositoryInterface;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
 use Symfony\Contracts\HttpClient\Exception\HttpExceptionInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
diff --git a/src/Module/Integration/Infrastructure/Service/GiteaApiService.php b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
index 7162121..78e0949 100644
--- a/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/GiteaApiService.php
@@ -9,7 +9,7 @@ use App\Module\Integration\Domain\Exception\GiteaApiException;
 use App\Module\Integration\Domain\Repository\GiteaConfigurationRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use App\Module\ProjectManagement\Domain\Entity\Task;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Symfony\Component\String\Slugger\AsciiSlugger;
 use Symfony\Component\String\Slugger\SluggerInterface;
 use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
diff --git a/src/Module/Integration/Infrastructure/Service/SmbFileSource.php b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
index 71dbe8b..2bb25be 100644
--- a/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
+++ b/src/Module/Integration/Infrastructure/Service/SmbFileSource.php
@@ -12,7 +12,7 @@ use App\Module\Integration\Domain\Service\FileEntry;
 use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\Integration\Domain\Service\SharePathResolver;
 use App\Module\Integration\Domain\Service\ShareTestResult;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Icewind\SMB\BasicAuth;
 use Icewind\SMB\IFileInfo;
 use Icewind\SMB\IShare;
diff --git a/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
index c08f3de..5b05420 100644
--- a/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
+++ b/src/Module/Mail/Infrastructure/ApiPlatform/State/MailSettingsProcessor.php
@@ -9,7 +9,7 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Mail\Domain\Entity\MailConfiguration;
 use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
 use App\Module\Mail\Infrastructure\ApiPlatform\Resource\MailSettings;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use Doctrine\ORM\EntityManagerInterface;
 
 final readonly class MailSettingsProcessor implements ProcessorInterface
diff --git a/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
index f08c35e..57e9b69 100644
--- a/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
+++ b/src/Module/Mail/Infrastructure/Imap/ImapMailProvider.php
@@ -11,7 +11,7 @@ use App\Module\Mail\Application\Dto\MailMessageHeaderDto;
 use App\Module\Mail\Domain\Exception\MailProviderException;
 use App\Module\Mail\Domain\Provider\MailProviderInterface;
 use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use DateTimeImmutable;
 use Psr\Log\LoggerInterface;
 use SodiumException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
index 25c2fae..a423644 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/CreateProjectTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
index 96b3652..fa4b13a 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/GetProjectTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
index a15c886..4e4b1be 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/ListProjectsTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
index d3bb783..6214297 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Project/UpdateProjectTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Project;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Directory\Domain\Repository\ClientRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
index 7cd3fbd..bc41c7e 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/CreateTaskTool.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
@@ -15,6 +14,7 @@ use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
index 2c88709..8440f05 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/GetTaskTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
index 3d3b3db..addaa9f 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/ListTasksTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
index 10e8b6d..4954240 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/Task/UpdateTaskTool.php
@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\Task;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Module\ProjectManagement\Domain\Repository\TaskEffortRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
@@ -13,6 +12,7 @@ use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskStatusRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\ProjectManagement\Infrastructure\Service\CalDavService;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
index 4e40a3e..17a8a0d 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/CreateGroupTool.php
@@ -4,9 +4,9 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
index 5b6f658..6f42412 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/ListGroupsTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
diff --git a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
index 967ed42..67362e2 100644
--- a/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
+++ b/src/Module/ProjectManagement/Infrastructure/Mcp/Tool/TaskMeta/UpdateGroupTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\ProjectManagement\Infrastructure\Mcp\Tool\TaskMeta;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\TaskGroupRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
 use Mcp\Capability\Attribute\McpTool;
diff --git a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
index 8cfbbe4..8be1017 100644
--- a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
@@ -8,7 +8,7 @@ use App\Module\Integration\Domain\Repository\ZimbraConfigurationRepositoryInterf
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskRecurrence;
 use App\Module\ProjectManagement\Domain\Enum\RecurrenceType;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use DateTimeZone;
 use Psr\Log\LoggerInterface;
 use Sabre\VObject\Component\VCalendar;
diff --git a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
index 0403015..464f4df 100644
--- a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/CreateTimeEntryTool.php
@@ -4,13 +4,13 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
index 50a54b3..2fb7612 100644
--- a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/ListTimeEntriesTool.php
@@ -4,8 +4,8 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Mcp\Capability\Attribute\McpTool;
 use Symfony\Bundle\SecurityBundle\Security;
diff --git a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
index e1f3a9c..8d70bab 100644
--- a/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
+++ b/src/Module/TimeTracking/Infrastructure/Mcp/Tool/UpdateTimeEntryTool.php
@@ -4,11 +4,11 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Mcp\Tool;
 
-use App\Mcp\Tool\Serializer;
 use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskRepositoryInterface;
 use App\Module\ProjectManagement\Domain\Repository\TaskTagRepositoryInterface;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
+use App\Shared\Infrastructure\Mcp\Serializer;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use InvalidArgumentException;
diff --git a/src/ApiResource/AppVersion.php b/src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
similarity index 78%
rename from src/ApiResource/AppVersion.php
rename to src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
index ba3c071..583e22c 100644
--- a/src/ApiResource/AppVersion.php
+++ b/src/Shared/Infrastructure/ApiPlatform/Resource/AppVersion.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\ApiResource;
+namespace App\Shared\Infrastructure\ApiPlatform\Resource;
 
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use App\State\AppVersionProvider;
+use App\Shared\Infrastructure\ApiPlatform\State\AppVersionProvider;
 use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
diff --git a/src/State/AppVersionProvider.php b/src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
similarity index 83%
rename from src/State/AppVersionProvider.php
rename to src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
index cc65752..5ef11be 100644
--- a/src/State/AppVersionProvider.php
+++ b/src/Shared/Infrastructure/ApiPlatform/State/AppVersionProvider.php
@@ -2,11 +2,11 @@
 
 declare(strict_types=1);
 
-namespace App\State;
+namespace App\Shared\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
-use App\ApiResource\AppVersion;
+use App\Shared\Infrastructure\ApiPlatform\Resource\AppVersion;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 
 final readonly class AppVersionProvider implements ProviderInterface
diff --git a/src/Mcp/Tool/Serializer.php b/src/Shared/Infrastructure/Mcp/Serializer.php
similarity index 99%
rename from src/Mcp/Tool/Serializer.php
rename to src/Shared/Infrastructure/Mcp/Serializer.php
index 2871484..f6660a0 100644
--- a/src/Mcp/Tool/Serializer.php
+++ b/src/Shared/Infrastructure/Mcp/Serializer.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Mcp\Tool;
+namespace App\Shared\Infrastructure\Mcp;
 
 use App\Module\Absence\Domain\Entity\AbsenceBalance;
 use App\Module\Absence\Domain\Entity\AbsencePolicy;
diff --git a/src/Service/TokenEncryptor.php b/src/Shared/Infrastructure/Service/TokenEncryptor.php
similarity index 97%
rename from src/Service/TokenEncryptor.php
rename to src/Shared/Infrastructure/Service/TokenEncryptor.php
index 4ba94ce..cdcebc9 100644
--- a/src/Service/TokenEncryptor.php
+++ b/src/Shared/Infrastructure/Service/TokenEncryptor.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace App\Service;
+namespace App\Shared\Infrastructure\Service;
 
 use RuntimeException;
 use SodiumException;
diff --git a/tests/Unit/Mail/ImapMailProviderTest.php b/tests/Unit/Mail/ImapMailProviderTest.php
index be7982c..311bbbf 100644
--- a/tests/Unit/Mail/ImapMailProviderTest.php
+++ b/tests/Unit/Mail/ImapMailProviderTest.php
@@ -8,7 +8,7 @@ use App\Module\Mail\Domain\Entity\MailConfiguration;
 use App\Module\Mail\Domain\Exception\MailProviderException;
 use App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface;
 use App\Module\Mail\Infrastructure\Imap\ImapMailProvider;
-use App\Service\TokenEncryptor;
+use App\Shared\Infrastructure\Service\TokenEncryptor;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\NullLogger;
 
-- 
2.39.5


From 96ef1bf436fcc47e12cf28d2aa61cc93b2c084de Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 19:31:09 +0200
Subject: [PATCH 67/99] fix(security) : harden ROLE_CLIENT isolation + tighten
 cross-module contracts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Findings from the post-migration code review. The arrival of ROLE_CLIENT
exposed internal endpoints still guarded only by IS_AUTHENTICATED_FULLY (or no
security), reachable by a client. Verified by re-running a multi-role smoke
test (client -> 403, internal roles -> 200).

Security (closed real client-isolation holes):
- TaskDocumentDownloadController: add ownership check (admin all / client only
  own clientTicket docs / user only task-linked docs) — the custom download
  bypassed the cloistered provider.
- Share browse/download/search/status controllers: IS_AUTHENTICATED_FULLY ->
  ROLE_USER (SMB share is internal).
- User Get/GetCollection: add security ROLE_USER (was exposing the internal
  directory to clients).
- BookStackLink GetCollection/Post/Delete: IS_AUTHENTICATED_FULLY -> ROLE_USER.

Contracts / robustness:
- TaskInterface gains getProject(): ?ProjectInterface; TimeTracking export
  controller/service drop concrete cross-module entities for repo interfaces.
- Shared MCP Serializer signatures widened to the contracts (user/projectRef/
  taskRef/tags/users); project()/userFull()/etc. kept concrete (use getters
  outside the contracts).
- RecurrenceHandler: null-guard before findMaxNumberByProjectForUpdate().

180 tests green, cs-fixer clean, routes unchanged.
---
 src/Module/Core/Domain/Entity/User.php        |  2 ++
 .../Repository/UserRepositoryInterface.php    |  7 ++++++
 .../Doctrine/DoctrineUserRepository.php       | 19 ++++++++++++++++
 .../ApiPlatform/Resource/BookStackLink.php    |  6 ++---
 .../Controller/ShareBrowseController.php      |  2 +-
 .../Controller/ShareDownloadController.php    |  2 +-
 .../Controller/ShareSearchController.php      |  2 +-
 .../Controller/ShareStatusController.php      |  2 +-
 .../ApiPlatform/State/RecurrenceHandler.php   |  8 +++++--
 .../TaskDocumentDownloadController.php        | 16 ++++++++++++++
 .../Controller/TimeEntryExportController.php  | 22 ++++++++++---------
 .../Export/TimeEntryExportService.php         |  2 ++
 src/Shared/Domain/Contract/TaskInterface.php  |  2 ++
 src/Shared/Infrastructure/Mcp/Serializer.php  | 19 +++++++++-------
 14 files changed, 84 insertions(+), 27 deletions(-)

diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index dfab344..88f104e 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -39,10 +39,12 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['me:read']],
         ),
         new Get(
+            security: "is_granted('ROLE_USER')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new GetCollection(
             paginationEnabled: false,
+            security: "is_granted('ROLE_USER')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
diff --git a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
index 4545c08..6308542 100644
--- a/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
+++ b/src/Module/Core/Domain/Repository/UserRepositoryInterface.php
@@ -11,6 +11,13 @@ interface UserRepositoryInterface
 {
     public function findById(int $id): ?UserInterface;
 
+    /**
+     * @param int[] $ids
+     *
+     * @return list<UserInterface>
+     */
+    public function findByIds(array $ids): array;
+
     /**
      * @return list<UserInterface>
      */
diff --git a/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
index c1d9777..d69e010 100644
--- a/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
+++ b/src/Module/Core/Infrastructure/Doctrine/DoctrineUserRepository.php
@@ -26,6 +26,25 @@ class DoctrineUserRepository extends ServiceEntityRepository implements UserRepo
         return $this->find($id);
     }
 
+    /**
+     * @param int[] $ids
+     *
+     * @return list<UserInterface>
+     */
+    public function findByIds(array $ids): array
+    {
+        if ([] === $ids) {
+            return [];
+        }
+
+        return $this->createQueryBuilder('u')
+            ->where('u.id IN (:ids)')
+            ->setParameter('ids', $ids)
+            ->getQuery()
+            ->getResult()
+        ;
+    }
+
     /**
      * @return list<UserInterface>
      */
diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
index fee1300..6dac12a 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackLink.php
@@ -24,7 +24,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             normalizationContext: ['groups' => ['bookstack_link:read']],
             provider: BookStackLinkProvider::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
         new Post(
             uriTemplate: '/tasks/{taskId}/bookstack/links',
@@ -35,7 +35,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             normalizationContext: ['groups' => ['bookstack_link:read']],
             provider: BookStackLinkProvider::class,
             processor: BookStackLinkProcessor::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
         new Delete(
             uriTemplate: '/tasks/{taskId}/bookstack/links/{id}',
@@ -45,7 +45,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             provider: BookStackLinkProvider::class,
             processor: BookStackLinkProcessor::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]
diff --git a/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
index dca367e..a464765 100644
--- a/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareBrowseController.php
@@ -24,7 +24,7 @@ class ShareBrowseController extends AbstractController
     ) {}
 
     #[Route('/api/share/browse', name: 'share_browse', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): JsonResponse
     {
         $rawPath = (string) $request->query->get('path', '');
diff --git a/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
index 9973f4f..27292a3 100644
--- a/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareDownloadController.php
@@ -29,7 +29,7 @@ class ShareDownloadController extends AbstractController
     ) {}
 
     #[Route('/api/share/download', name: 'share_download', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): Response
     {
         $rawPath = (string) $request->query->get('path', '');
diff --git a/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
index 7a955f9..eae046e 100644
--- a/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareSearchController.php
@@ -24,7 +24,7 @@ class ShareSearchController extends AbstractController
     ) {}
 
     #[Route('/api/share/search', name: 'share_search', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(Request $request): JsonResponse
     {
         $query = trim((string) $request->query->get('q', ''));
diff --git a/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
index 3776160..0743f6c 100644
--- a/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
+++ b/src/Module/Integration/Infrastructure/Controller/ShareStatusController.php
@@ -17,7 +17,7 @@ class ShareStatusController extends AbstractController
     ) {}
 
     #[Route('/api/share/status', name: 'share_status', methods: ['GET'], priority: 1)]
-    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    #[IsGranted('ROLE_USER')]
     public function __invoke(): JsonResponse
     {
         $config = $this->configRepository->findSingleton();
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
index 82ad1d6..7a98b7f 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/RecurrenceHandler.php
@@ -81,8 +81,12 @@ final readonly class RecurrenceHandler
         $newTask->setCalendarEventUid($savedEventUid);
 
         // Generate task number in transaction
-        $this->entityManager->wrapInTransaction(function () use ($newTask): void {
-            $maxNumber = $this->taskRepository->findMaxNumberByProjectForUpdate($newTask->getProject());
+        $project = $newTask->getProject();
+        if (null === $project) {
+            return;
+        }
+        $this->entityManager->wrapInTransaction(function () use ($newTask, $project): void {
+            $maxNumber = $this->taskRepository->findMaxNumberByProjectForUpdate($project);
             $newTask->setNumber($maxNumber + 1);
             $this->entityManager->persist($newTask);
             $this->entityManager->flush();
diff --git a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
index 9d8e2b7..fb705f5 100644
--- a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
+++ b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
@@ -10,11 +10,13 @@ use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
 use Symfony\Component\HttpFoundation\HeaderUtils;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 use Symfony\Component\HttpFoundation\StreamedResponse;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
@@ -26,6 +28,7 @@ class TaskDocumentDownloadController extends AbstractController
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly FileSource $fileSource,
+        private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
 
@@ -39,6 +42,19 @@ class TaskDocumentDownloadController extends AbstractController
             throw new NotFoundHttpException('Document not found.');
         }
 
+        $isAdmin  = $this->security->isGranted('ROLE_ADMIN');
+        $isClient = $this->security->isGranted('ROLE_CLIENT') && !$isAdmin;
+        if (!$isAdmin) {
+            if ($isClient) {
+                $ticket = $document->getClientTicket();
+                if (null === $ticket || $ticket->getSubmittedBy() !== $this->security->getUser()) {
+                    throw new AccessDeniedHttpException();
+                }
+            } elseif (null === $document->getTask()) {
+                throw new AccessDeniedHttpException();
+            }
+        }
+
         $mimeType = $document->getMimeType() ?? 'application/octet-stream';
 
         // Inline for images (except SVG) and PDFs, attachment for everything else.
diff --git a/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
index 6808436..cd4894a 100644
--- a/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
+++ b/src/Module/TimeTracking/Infrastructure/Controller/TimeEntryExportController.php
@@ -4,12 +4,13 @@ declare(strict_types=1);
 
 namespace App\Module\TimeTracking\Infrastructure\Controller;
 
-use App\Module\Core\Domain\Entity\User;
-use App\Module\ProjectManagement\Domain\Entity\Project;
+use App\Module\Core\Domain\Repository\UserRepositoryInterface;
+use App\Module\ProjectManagement\Domain\Repository\ProjectRepositoryInterface;
 use App\Module\TimeTracking\Domain\Repository\TimeEntryRepositoryInterface;
 use App\Module\TimeTracking\Infrastructure\Export\TimeEntryExportService;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
-use Doctrine\ORM\EntityManagerInterface;
 use Exception;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -25,7 +26,8 @@ class TimeEntryExportController extends AbstractController
     public function __construct(
         private readonly TimeEntryRepositoryInterface $timeEntryRepository,
         private readonly TimeEntryExportService $exportService,
-        private readonly EntityManagerInterface $entityManager,
+        private readonly ProjectRepositoryInterface $projectRepository,
+        private readonly UserRepositoryInterface $userRepository,
         private readonly Security $security,
     ) {}
 
@@ -54,7 +56,7 @@ class TimeEntryExportController extends AbstractController
         // --- Users ---
         $users = null;
         if (!$this->security->isGranted('ROLE_ADMIN')) {
-            /** @var User $currentUser */
+            /** @var UserInterface $currentUser */
             $currentUser = $this->security->getUser();
             $users       = [$currentUser];
         } else {
@@ -64,7 +66,7 @@ class TimeEntryExportController extends AbstractController
                 fn (int $id) => $id > 0,
             );
             if ([] !== $userIds) {
-                $users = $this->entityManager->getRepository(User::class)->findBy(['id' => $userIds]);
+                $users = $this->userRepository->findByIds($userIds);
             }
         }
 
@@ -72,7 +74,7 @@ class TimeEntryExportController extends AbstractController
         $clientId       = $request->query->getInt('client');
         $clientProjects = null;
         if ($clientId > 0) {
-            $clientProjects = $this->entityManager->getRepository(Project::class)->findBy(['client' => $clientId]);
+            $clientProjects = $this->projectRepository->findBy(['client' => $clientId]);
         }
 
         // --- Projects ---
@@ -84,13 +86,13 @@ class TimeEntryExportController extends AbstractController
             fn (int $id) => $id > 0,
         );
         if ([] !== $projectIds) {
-            $projects = $this->entityManager->getRepository(Project::class)->findBy(['id' => $projectIds]);
+            $projects = $this->projectRepository->findBy(['id' => $projectIds]);
         }
 
         // Merge: if both client and projects are set, intersect; if only client, use client projects
         if (null !== $clientProjects && null !== $projects) {
-            $clientProjectIds = array_map(fn (Project $p) => $p->getId(), $clientProjects);
-            $projects         = array_values(array_filter($projects, fn (Project $p) => in_array($p->getId(), $clientProjectIds, true)));
+            $clientProjectIds = array_map(fn (ProjectInterface $p) => $p->getId(), $clientProjects);
+            $projects         = array_values(array_filter($projects, fn (ProjectInterface $p) => in_array($p->getId(), $clientProjectIds, true)));
             if ([] === $projects) {
                 $projects = null;
                 // No matching projects — force empty result by using a dummy condition
diff --git a/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
index 031776c..ebbbf8f 100644
--- a/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
+++ b/src/Module/TimeTracking/Infrastructure/Export/TimeEntryExportService.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Module\TimeTracking\Infrastructure\Export;
 
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
 use DateTimeImmutable;
 use PhpOffice\PhpSpreadsheet\Cell\Coordinate;
 use PhpOffice\PhpSpreadsheet\Spreadsheet;
@@ -70,6 +71,7 @@ class TimeEntryExportService
             $task      = $entry->getTask();
             $taskLabel = '';
             if (null !== $task) {
+                /** @var null|ProjectInterface $project */
                 $project   = $task->getProject();
                 $code      = $project?->getCode() ?? '';
                 $taskLabel = $code.'-'.$task->getNumber().' - '.$task->getTitle();
diff --git a/src/Shared/Domain/Contract/TaskInterface.php b/src/Shared/Domain/Contract/TaskInterface.php
index 127b233..4742c4a 100644
--- a/src/Shared/Domain/Contract/TaskInterface.php
+++ b/src/Shared/Domain/Contract/TaskInterface.php
@@ -14,4 +14,6 @@ interface TaskInterface
     public function getNumber(): ?int;
 
     public function getTitle(): ?string;
+
+    public function getProject(): ?ProjectInterface;
 }
diff --git a/src/Shared/Infrastructure/Mcp/Serializer.php b/src/Shared/Infrastructure/Mcp/Serializer.php
index f6660a0..74ff602 100644
--- a/src/Shared/Infrastructure/Mcp/Serializer.php
+++ b/src/Shared/Infrastructure/Mcp/Serializer.php
@@ -11,7 +11,6 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\ProjectManagement\Domain\Entity\Project;
-use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use App\Module\ProjectManagement\Domain\Entity\TaskEffort;
 use App\Module\ProjectManagement\Domain\Entity\TaskGroup;
@@ -19,6 +18,10 @@ use App\Module\ProjectManagement\Domain\Entity\TaskPriority;
 use App\Module\ProjectManagement\Domain\Entity\TaskStatus;
 use App\Module\ProjectManagement\Domain\Entity\TaskTag;
 use App\Module\TimeTracking\Domain\Entity\TimeEntry;
+use App\Shared\Domain\Contract\ProjectInterface;
+use App\Shared\Domain\Contract\TaskInterface;
+use App\Shared\Domain\Contract\TaskTagInterface;
+use App\Shared\Domain\Contract\UserInterface;
 use Doctrine\Common\Collections\Collection;
 
 /**
@@ -31,7 +34,7 @@ final class Serializer
     /**
      * @return array{id: ?int, code: ?string, name: ?string}
      */
-    public static function projectRef(Project $project): array
+    public static function projectRef(ProjectInterface $project): array
     {
         return [
             'id'   => $project->getId(),
@@ -126,7 +129,7 @@ final class Serializer
     /**
      * @return null|array{id: ?int, username: ?string}
      */
-    public static function user(?User $user): ?array
+    public static function user(?UserInterface $user): ?array
     {
         if (null === $user) {
             return null;
@@ -139,13 +142,13 @@ final class Serializer
     }
 
     /**
-     * @param Collection<int, User> $users
+     * @param Collection<int, UserInterface> $users
      *
      * @return list<array{id: ?int, username: ?string}>
      */
     public static function users(Collection $users): array
     {
-        return $users->map(fn (User $u) => [
+        return $users->map(fn (UserInterface $u) => [
             'id'       => $u->getId(),
             'username' => $u->getUsername(),
         ])->toArray();
@@ -200,13 +203,13 @@ final class Serializer
     }
 
     /**
-     * @param Collection<int, TaskTag> $tags
+     * @param Collection<int, TaskTagInterface> $tags
      *
      * @return list<array{id: ?int, label: ?string}>
      */
     public static function tags(Collection $tags): array
     {
-        return $tags->map(fn (TaskTag $t) => [
+        return $tags->map(fn (TaskTagInterface $t) => [
             'id'    => $t->getId(),
             'label' => $t->getLabel(),
         ])->toArray();
@@ -244,7 +247,7 @@ final class Serializer
     /**
      * @return null|array{id: ?int, number: ?int, title: ?string}
      */
-    public static function taskRef(?Task $task): ?array
+    public static function taskRef(?TaskInterface $task): ?array
     {
         if (null === $task) {
             return null;
-- 
2.39.5


From a547fd38c23d0581d167970ae94b6b7abf9dd387 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Sun, 21 Jun 2026 19:33:13 +0200
Subject: [PATCH 68/99] test(client-portal) : regression guard for ROLE_CLIENT
 endpoint isolation

Data-provided test asserting a pure ROLE_CLIENT gets 403 on the internal
endpoints hardened after the review (/api/users, /api/share/browse,
/api/share/status, bookstack links), so the fixes can't silently regress.
---
 .../ClientPortal/ClientTicketApiTest.php      | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
index 12f08d3..7ae3cb7 100644
--- a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
+++ b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
@@ -12,6 +12,7 @@ use App\Module\Core\Domain\Entity\User;
 use App\Module\ProjectManagement\Domain\Entity\Project;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
+use PHPUnit\Framework\Attributes\DataProvider;
 use Symfony\Bundle\FrameworkBundle\KernelBrowser;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
@@ -45,6 +46,34 @@ final class ClientTicketApiTest extends WebTestCase
         self::assertResponseStatusCodeSame(403);
     }
 
+    /**
+     * Regression guard for the post-migration security review: internal
+     * endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
+     * security) must reject a pure ROLE_CLIENT.
+     */
+    #[DataProvider('internalEndpointsForbiddenToClients')]
+    public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
+    {
+        $client = self::createClient();
+        $this->loginClient($client, 'client-liot');
+
+        $client->request('GET', $uri);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    /** @return iterable<string, array{string}> */
+    public static function internalEndpointsForbiddenToClients(): iterable
+    {
+        yield 'users directory' => ['/api/users'];
+
+        yield 'smb share browse' => ['/api/share/browse'];
+
+        yield 'smb share status' => ['/api/share/status'];
+
+        yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
+    }
+
     public function testClientUserCanListOwnClientTickets(): void
     {
         $client = self::createClient();
-- 
2.39.5


From 4a9977e19955e566273e711f453bbb630f26ab85 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:02:52 +0200
Subject: [PATCH 69/99] fix(security) : restrict bookstack search endpoint to
 ROLE_USER

---
 .../ApiPlatform/Resource/BookStackSearchResult.php              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
index dab079a..e4c99ca 100644
--- a/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
+++ b/src/Module/Integration/Infrastructure/ApiPlatform/Resource/BookStackSearchResult.php
@@ -20,7 +20,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
             ],
             normalizationContext: ['groups' => ['bookstack_search:read']],
             provider: BookStackSearchResultProvider::class,
-            security: "is_granted('IS_AUTHENTICATED_FULLY')",
+            security: "is_granted('ROLE_USER')",
         ),
     ],
 )]
-- 
2.39.5


From 62cdd4614a4e216c5ed598a84a8e1ab91d2d4c1d Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:03:47 +0200
Subject: [PATCH 70/99] fix(client-portal) : restore project detail route and
 unpaginate ticket collection

---
 .../modules/client-portal/pages/{portal.vue => portal/index.vue} | 0
 src/Module/ClientPortal/Domain/Entity/ClientTicket.php           | 1 +
 2 files changed, 1 insertion(+)
 rename frontend/modules/client-portal/pages/{portal.vue => portal/index.vue} (100%)

diff --git a/frontend/modules/client-portal/pages/portal.vue b/frontend/modules/client-portal/pages/portal/index.vue
similarity index 100%
rename from frontend/modules/client-portal/pages/portal.vue
rename to frontend/modules/client-portal/pages/portal/index.vue
diff --git a/src/Module/ClientPortal/Domain/Entity/ClientTicket.php b/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
index 78ae3c6..6884e75 100644
--- a/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
+++ b/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
@@ -32,6 +32,7 @@ use Symfony\Component\Validator\Constraints as Assert;
 #[ApiResource(
     operations: [
         new GetCollection(
+            paginationEnabled: false,
             security: "is_granted('ROLE_CLIENT') or is_granted('ROLE_ADMIN')",
             provider: ClientTicketProvider::class,
         ),
-- 
2.39.5


From a76facbf4c81434ae2a49b5b9836a3177bf99513 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:04:34 +0200
Subject: [PATCH 71/99] fix(absence) : authorize cancellation before releasing
 the leave balance

---
 .../ApiPlatform/State/AbsenceCancelProcessor.php      | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
index c960b23..b52c33a 100644
--- a/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
@@ -50,6 +50,12 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
         $status  = $data->getStatus();
 
+        // Authorize before mutating the balance: an employee may only cancel
+        // their own request (admins can cancel any).
+        if (!$isAdmin && $data->getUser() !== $user) {
+            throw new AccessDeniedHttpException('You can only cancel your own requests.');
+        }
+
         if (AbsenceStatus::Pending === $status) {
             $this->balanceService->release($data, false);
         } elseif (AbsenceStatus::Approved === $status) {
@@ -61,11 +67,6 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
             throw new ConflictHttpException('This request can no longer be cancelled.');
         }
 
-        // An employee may only cancel their own request (admins can cancel any).
-        if (!$isAdmin && $data->getUser() !== $user) {
-            throw new AccessDeniedHttpException('You can only cancel your own requests.');
-        }
-
         $data->setStatus(AbsenceStatus::Cancelled);
 
         $this->entityManager->flush();
-- 
2.39.5


From 987df541757ac4adca657b322ca7227efec8af09 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:05:16 +0200
Subject: [PATCH 72/99] fix(project-management) : skip caldav sync when
 unconfigured and require task project

---
 src/Module/ProjectManagement/Domain/Entity/Task.php         | 1 +
 .../Infrastructure/Service/CalDavService.php                | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/src/Module/ProjectManagement/Domain/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
index 3d9daf8..28b0b72 100644
--- a/src/Module/ProjectManagement/Domain/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -111,6 +111,7 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
     #[ORM\ManyToOne(targetEntity: Project::class, inversedBy: 'tasks')]
     #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['task:read', 'task:write'])]
+    #[Assert\NotNull]
     private ?Project $project = null;
 
     /** @var Collection<int, TaskTag> */
diff --git a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
index 8be1017..a35ef38 100644
--- a/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
+++ b/src/Module/ProjectManagement/Infrastructure/Service/CalDavService.php
@@ -134,6 +134,12 @@ final class CalDavService
 
     public function syncTask(Task $task): void
     {
+        // No CalDAV server configured/enabled: skip all remote interaction so a
+        // task save never triggers a doomed HTTP request nor stores a sync error.
+        if (!$this->isConfigured()) {
+            return;
+        }
+
         if (!$task->isSyncToCalendar()) {
             $this->deleteEvent($task->getCalendarEventUid());
             $this->deleteTodo($task->getCalendarTodoUid());
-- 
2.39.5


From 478b5ec15dde5f4d6453aff4147f07d5c0730a90 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:06:00 +0200
Subject: [PATCH 73/99] refactor(integration) : drop unused bookstack shelf-id
 cache

---
 .../Service/BookStackApiService.php           | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/src/Module/Integration/Infrastructure/Service/BookStackApiService.php b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
index 5a5fa17..ec918da 100644
--- a/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
+++ b/src/Module/Integration/Infrastructure/Service/BookStackApiService.php
@@ -15,9 +15,6 @@ use Throwable;
 
 final class BookStackApiService
 {
-    /** @var array<int, int[]> */
-    private array $shelfBookCache = [];
-
     public function __construct(
         private readonly HttpClientInterface $httpClient,
         private readonly BookStackConfigurationRepositoryInterface $configRepository,
@@ -81,9 +78,6 @@ final class BookStackApiService
             $bookSlugs[$book['id']] = $book['slug'] ?? '';
         }
 
-        // Update cache for getShelfBookIds
-        $this->shelfBookCache[$shelfId] = $bookIds;
-
         $config  = $this->getConfiguration();
         $baseUrl = rtrim($config->getUrl() ?? '', '/');
         $trimmed = trim($query);
@@ -141,24 +135,6 @@ final class BookStackApiService
         return $this->request('GET', sprintf('/api/books/%d', $id));
     }
 
-    /**
-     * @return int[]
-     */
-    private function getShelfBookIds(int $shelfId): array
-    {
-        if (isset($this->shelfBookCache[$shelfId])) {
-            return $this->shelfBookCache[$shelfId];
-        }
-
-        $data  = $this->request('GET', sprintf('/api/shelves/%d', $shelfId));
-        $books = $data['books'] ?? [];
-
-        $ids                            = array_map(static fn (array $book): int => $book['id'], $books);
-        $this->shelfBookCache[$shelfId] = $ids;
-
-        return $ids;
-    }
-
     private function getConfiguration(): BookStackConfiguration
     {
         $config = $this->configRepository->findSingleton();
-- 
2.39.5


From 8a5b115ccd326593d8275bdbd1d11acd1b8a0cb6 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:07:09 +0200
Subject: [PATCH 74/99] ci : add pull request quality gate workflow targeting
 develop

---
 .gitea/workflows/pull-request.yml | 115 ++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 .gitea/workflows/pull-request.yml

diff --git a/.gitea/workflows/pull-request.yml b/.gitea/workflows/pull-request.yml
new file mode 100644
index 0000000..f0cba23
--- /dev/null
+++ b/.gitea/workflows/pull-request.yml
@@ -0,0 +1,115 @@
+name: Pull Request — Quality gate
+
+# Lance les tests back + le build front sur chaque PR ciblant develop.
+# Deux jobs en parallele (backend / frontend) pour reduire le temps de feedback.
+# Pas d'E2E ici : la quality gate se limite a "le back passe les tests, le front compile".
+
+on:
+  pull_request:
+    branches:
+      - develop
+
+# Annule les runs obsoletes quand on repush sur la meme PR.
+concurrency:
+  group: pr-${{ gitea.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  backend:
+    name: Backend (PHP CS + PHPUnit)
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          # Doivent matcher la DATABASE_URL ci-dessous. Doctrine ajoute le
+          # suffixe `_test` automatiquement en APP_ENV=test (when@test
+          # dbname_suffix) → la base reellement utilisee est `app_test`.
+          POSTGRES_USER: app
+          POSTGRES_PASSWORD: '!ChangeMe!'
+          POSTGRES_DB: app
+        # Pas de `ports:` host mapping : les jobs Gitea Actions tournent en
+        # container sur un reseau Docker dedie, le service est joignable via
+        # son nom (`postgres`), pas via 127.0.0.1.
+        options: >-
+          --health-cmd "pg_isready -U app"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+
+    env:
+      APP_ENV: test
+      APP_SECRET: ci-secret-not-used
+      APP_DEBUG: 0
+      DEFAULT_URI: http://localhost/
+      DATABASE_URL: postgresql://app:!ChangeMe!@postgres:5432/app?serverVersion=16&charset=utf8
+      JWT_SECRET_KEY: '%kernel.project_dir%/config/jwt/private.pem'
+      JWT_PUBLIC_KEY: '%kernel.project_dir%/config/jwt/public.pem'
+      JWT_PASSPHRASE: ci-passphrase
+      # Cle de chiffrement (sodium) des secrets Mail / Integration / CalDav que
+      # les fixtures persistent (ZimbraConfiguration, tokens...). Valeur de test
+      # alignee sur phpunit.dist.xml.
+      ENCRYPTION_KEY: ccd250183ea853179562d458e645585f3d46ddebb0701743236196f60fc1a0b8
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP 8.4
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          # zip + gd requis par phpoffice/phpspreadsheet (export XLSX), sodium par
+          # le chiffrement des secrets, ctype/iconv par le require de composer.json.
+          extensions: pdo, pdo_pgsql, intl, opcache, zip, mbstring, sodium, gd, ctype, iconv
+          coverage: none
+          tools: composer:v2
+
+      - name: Install PHP dependencies
+        run: composer install --no-interaction --no-progress --prefer-dist
+
+      - name: Generate JWT keypair
+        run: php bin/console lexik:jwt:generate-keypair --skip-if-exists --no-interaction
+
+      - name: PHP CS Fixer (dry-run)
+        run: vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.dist.php --allow-risky=yes --dry-run --diff
+
+      - name: Bootstrap test database
+        # Miroir de la cible `db-reset` du makefile (create + migrate + fixtures),
+        # en --env=test. Les fixtures sement les roles systeme (RbacSeeder) ;
+        # sync-permissions complete le catalogue de permissions comme en install reelle.
+        run: |
+          php bin/console doctrine:database:create --env=test --if-not-exists --no-interaction
+          php bin/console doctrine:migrations:migrate --env=test --no-interaction
+          php bin/console doctrine:fixtures:load --env=test --no-interaction
+          php bin/console app:sync-permissions --env=test --no-interaction
+
+      - name: Run PHPUnit
+        run: php -d memory_limit=512M vendor/bin/phpunit
+
+  frontend:
+    name: Frontend (build)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node 24
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      # `npm ci` declenche le postinstall `nuxt prepare` (genere .nuxt/).
+      - name: Install Node dependencies
+        run: npm ci
+
+      # `nuxt build` (et non `build:dist`/`nuxt generate`) : l'app est en SSR off
+      # (SPA), le prerender n'apporte rien a une quality gate — on valide seulement
+      # que le bundle compile.
+      - name: Build production (nuxt build)
+        run: npm run build
-- 
2.39.5


From a18e1f575ff734828c4deb4c771cd124866ca5f3 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 09:49:44 +0200
Subject: [PATCH 75/99] refactor(client-portal) : remove client portal feature
 entirely

- drop ClientPortal module, ClientTicket entity, ROLE_CLIENT and all couplings (Task, TaskDocument, User, Notification) back to an internal-only model

- migration drops client_ticket / user_allowed_projects / related FK columns and removes leftover external client accounts (would otherwise be promoted to ROLE_USER)

- remove client-portal frontend module, admin tickets tab, user portal section, portal nav item and portal/clientTicket i18n keys

- fix directory nav icon (invalid mdi:contact-multiple-outline -> mdi:card-account-details-outline)

- add 'make sync-permissions' target, wire it into install/db-reset and the prod deploy script
---
 config/modules.php                            |   2 -
 config/packages/doctrine.yaml                 |   6 -
 config/packages/security.yaml                 |   2 +-
 config/services.yaml                          |   2 -
 config/sidebar.php                            |   3 +-
 frontend/app/middleware/auth.global.ts        |  16 -
 frontend/app/middleware/portal.ts             |  12 -
 .../components/admin/AdminClientTicketTab.vue | 256 ---------------
 .../notification/NotificationBell.vue         |  11 -
 frontend/components/user/UserDrawer.vue       |  76 +----
 frontend/i18n/locales/fr.json                 |  52 +---
 .../components/ClientTicketDetailModal.vue    | 132 --------
 .../components/ClientTicketFormModal.vue      | 158 ----------
 .../components/ClientTicketStatusBadge.vue    |  25 --
 .../components/ClientTicketTypeBadge.vue      |  25 --
 frontend/modules/client-portal/nuxt.config.ts |   1 -
 .../client-portal/pages/portal/index.vue      |  93 ------
 .../pages/portal/projects/[id].vue            | 133 --------
 .../client-portal/services/client-tickets.ts  |  60 ----
 .../services/dto/client-ticket.ts             |  34 --
 .../modules/client-portal/utils/ticket.ts     |  18 --
 .../components/TaskCard.vue                   |   7 -
 .../components/TaskDocumentUpload.vue         |   5 +-
 .../components/TaskListItem.vue               |   7 -
 .../project-management/services/dto/task.ts   |   8 -
 .../services/task-documents.ts                |  13 +-
 frontend/pages/admin.vue                      |   2 -
 frontend/services/dto/notification.ts         |   3 +-
 frontend/services/dto/user-data.ts            |  16 -
 infra/prod/deploy.sh                          |   3 +
 makefile                                      |   7 +-
 migrations/Version20260622090000.php          | 120 +++++++
 src/DataFixtures/AppFixtures.php              |  50 ---
 .../ClientPortal/ClientPortalModule.php       |  41 ---
 .../Domain/Entity/ClientTicket.php            | 245 ---------------
 .../Domain/Enum/ClientTicketStatus.php        |  37 ---
 .../Domain/Enum/ClientTicketType.php          |  21 --
 .../ClientTicketRepositoryInterface.php       |  19 --
 .../State/ClientTicketNumberProcessor.php     | 126 --------
 .../State/ClientTicketProvider.php            | 124 --------
 .../State/ClientTicketStatusProcessor.php     |  88 ------
 .../DoctrineClientTicketRepository.php        |  46 ---
 .../Core/Domain/Entity/Notification.php       |  20 --
 src/Module/Core/Domain/Entity/User.php        |  68 +---
 src/Module/Core/Infrastructure/Notifier.php   |   3 -
 .../ProjectManagement/Domain/Entity/Task.php  |  23 --
 .../Domain/Entity/TaskDocument.php            |  31 +-
 .../State/TaskDocumentProcessor.php           | 113 ++-----
 .../State/TaskDocumentProvider.php            |  45 +--
 .../TaskDocumentDownloadController.php        |  16 -
 .../Domain/Contract/ClientTicketInterface.php |  24 --
 .../Domain/Contract/NotifierInterface.php     |   1 -
 src/Shared/Domain/Contract/UserInterface.php  |  14 -
 .../ClientPortal/ClientTicketApiTest.php      | 293 ------------------
 .../TimestampableBlamableSubscriberTest.php   |  13 -
 55 files changed, 170 insertions(+), 2599 deletions(-)
 delete mode 100644 frontend/app/middleware/portal.ts
 delete mode 100644 frontend/components/admin/AdminClientTicketTab.vue
 delete mode 100644 frontend/modules/client-portal/components/ClientTicketDetailModal.vue
 delete mode 100644 frontend/modules/client-portal/components/ClientTicketFormModal.vue
 delete mode 100644 frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
 delete mode 100644 frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
 delete mode 100644 frontend/modules/client-portal/nuxt.config.ts
 delete mode 100644 frontend/modules/client-portal/pages/portal/index.vue
 delete mode 100644 frontend/modules/client-portal/pages/portal/projects/[id].vue
 delete mode 100644 frontend/modules/client-portal/services/client-tickets.ts
 delete mode 100644 frontend/modules/client-portal/services/dto/client-ticket.ts
 delete mode 100644 frontend/modules/client-portal/utils/ticket.ts
 create mode 100644 migrations/Version20260622090000.php
 delete mode 100644 src/Module/ClientPortal/ClientPortalModule.php
 delete mode 100644 src/Module/ClientPortal/Domain/Entity/ClientTicket.php
 delete mode 100644 src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
 delete mode 100644 src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
 delete mode 100644 src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
 delete mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
 delete mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
 delete mode 100644 src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
 delete mode 100644 src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
 delete mode 100644 src/Shared/Domain/Contract/ClientTicketInterface.php
 delete mode 100644 tests/Functional/Module/ClientPortal/ClientTicketApiTest.php

diff --git a/config/modules.php b/config/modules.php
index ffef4f3..b0b6e90 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -8,7 +8,6 @@ declare(strict_types=1);
  */
 
 use App\Module\Absence\AbsenceModule;
-use App\Module\ClientPortal\ClientPortalModule;
 use App\Module\Core\CoreModule;
 use App\Module\Directory\DirectoryModule;
 use App\Module\Integration\IntegrationModule;
@@ -26,5 +25,4 @@ return [
     MailModule::class,
     IntegrationModule::class,
     ReportingModule::class,
-    ClientPortalModule::class,
 ];
diff --git a/config/packages/doctrine.yaml b/config/packages/doctrine.yaml
index 48948ad..2aeef63 100644
--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -26,7 +26,6 @@ doctrine:
             App\Shared\Domain\Contract\TaskInterface: App\Module\ProjectManagement\Domain\Entity\Task
             App\Shared\Domain\Contract\TaskTagInterface: App\Module\ProjectManagement\Domain\Entity\TaskTag
             App\Shared\Domain\Contract\ClientInterface: App\Module\Directory\Domain\Entity\Client
-            App\Shared\Domain\Contract\ClientTicketInterface: App\Module\ClientPortal\Domain\Entity\ClientTicket
         mappings:
             Core:
                 type: attribute
@@ -63,11 +62,6 @@ doctrine:
                 is_bundle: false
                 dir: '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
                 prefix: 'App\Module\Integration\Domain\Entity'
-            ClientPortal:
-                type: attribute
-                is_bundle: false
-                dir: '%kernel.project_dir%/src/Module/ClientPortal/Domain/Entity'
-                prefix: 'App\Module\ClientPortal\Domain\Entity'
         controller_resolver:
             auto_mapping: false
 
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 18306fb..24cb6de 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -1,6 +1,6 @@
 security:
     role_hierarchy:
-        ROLE_ADMIN: [ROLE_USER, ROLE_CLIENT]
+        ROLE_ADMIN: [ROLE_USER]
 
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
diff --git a/config/services.yaml b/config/services.yaml
index 4e2b5af..6d11bb1 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -111,8 +111,6 @@ services:
 
     App\Module\Directory\Domain\Repository\ClientRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineClientRepository'
 
-    App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface: '@App\Module\ClientPortal\Infrastructure\Doctrine\DoctrineClientTicketRepository'
-
     App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
 
     App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'
diff --git a/config/sidebar.php b/config/sidebar.php
index 945b5f9..1d9ad69 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -25,7 +25,6 @@ return [
             ['label' => 'sidebar.general.dashboard', 'to' => '/', 'icon' => 'mdi:view-dashboard-outline'],
             ['label' => 'sidebar.general.myTasks', 'to' => '/my-tasks', 'icon' => 'mdi:clipboard-check-outline', 'module' => 'project-management'],
             ['label' => 'sidebar.general.projects', 'to' => '/projects', 'icon' => 'mdi:folder-outline', 'module' => 'project-management'],
-            ['label' => 'sidebar.general.portal', 'to' => '/portal', 'icon' => 'mdi:account-box-outline', 'module' => 'client-portal'],
             ['label' => 'sidebar.general.timeTracking', 'to' => '/time-tracking', 'icon' => 'mdi:calendar-edit-outline', 'module' => 'time-tracking'],
             // Gating module uniquement (cf. en-tête) : rendu visuel + badge gérés côté layout.
             ['label' => 'sidebar.general.mail', 'to' => '/mail', 'icon' => 'mdi:email-outline', 'module' => 'mail'],
@@ -37,7 +36,7 @@ return [
         'roles' => ['ROLE_ADMIN'],
         'items' => [
             ['label' => 'sidebar.admin.teamAbsences', 'to' => '/team-absences', 'icon' => 'mdi:calendar-account-outline', 'module' => 'absence'],
-            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:contact-multiple-outline', 'module' => 'directory'],
+            ['label' => 'sidebar.admin.directory', 'to' => '/directory', 'icon' => 'mdi:card-account-details-outline', 'module' => 'directory'],
             ['label' => 'sidebar.admin.administration', 'to' => '/admin', 'icon' => 'mdi:cog-outline', 'permission' => 'core.users.view'],
             ['label' => 'sidebar.admin.reporting', 'to' => '/reporting', 'icon' => 'mdi:chart-line', 'module' => 'reporting', 'permission' => 'reporting.view'],
         ],
diff --git a/frontend/app/middleware/auth.global.ts b/frontend/app/middleware/auth.global.ts
index 0fec47c..4c98f1e 100644
--- a/frontend/app/middleware/auth.global.ts
+++ b/frontend/app/middleware/auth.global.ts
@@ -14,22 +14,6 @@ export default defineNuxtRouteMiddleware(async (to) => {
         return navigateTo('/')
     }
 
-    // Cloisonnement portail client : un utilisateur ROLE_CLIENT "pur" (a ROLE_CLIENT
-    // mais PAS ROLE_USER) n'a accès qu'aux pages /portal. Toute autre route interne
-    // est redirigée vers /portal. Les ROLE_ADMIN / ROLE_USER ne sont pas concernés
-    // (ils peuvent aussi visiter /portal pour prévisualiser).
-    if (auth.isAuthenticated && !isLogin) {
-        const roles = auth.user?.roles ?? []
-        const isPureClient = roles.includes('ROLE_CLIENT') && !roles.includes('ROLE_USER')
-
-        if (isPureClient) {
-            const isPortalRoute = to.path === '/portal' || to.path.startsWith('/portal/')
-            if (!isPortalRoute) {
-                return navigateTo('/portal')
-            }
-        }
-    }
-
     const { loaded: sidebarLoaded, loadSidebar, resetSidebar } = useSidebar()
     const { loaded: modulesLoaded, loadModules, resetModules } = useModules()
 
diff --git a/frontend/app/middleware/portal.ts b/frontend/app/middleware/portal.ts
deleted file mode 100644
index 4210bf2..0000000
--- a/frontend/app/middleware/portal.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Named middleware for portal pages (`/portal/**`).
- * Ensures the user is authenticated. Access is open to every authenticated user
- * (ROLE_CLIENT see their portal, ROLE_ADMIN/ROLE_USER may preview it).
- */
-export default defineNuxtRouteMiddleware(() => {
-    const auth = useAuthStore()
-
-    if (!auth.isAuthenticated) {
-        return navigateTo('/login')
-    }
-})
diff --git a/frontend/components/admin/AdminClientTicketTab.vue b/frontend/components/admin/AdminClientTicketTab.vue
deleted file mode 100644
index cdb744d..0000000
--- a/frontend/components/admin/AdminClientTicketTab.vue
+++ /dev/null
@@ -1,256 +0,0 @@
-<template>
-    <div>
-        <div class="flex flex-wrap items-center justify-between gap-3">
-            <h2 class="text-lg font-bold text-neutral-900">{{ $t('clientTicket.adminTitle') }}</h2>
-        </div>
-
-        <!-- Filtres -->
-        <div class="mt-4 flex flex-wrap gap-3">
-            <div class="[&>div]:!mt-0">
-                <MalioSelect
-                    v-model="filters.project"
-                    :options="projectOptions"
-                    :label="$t('clientTicket.filterProject')"
-                    group-class="!w-48"
-                    empty-option-label="—"
-                    @update:model-value="load"
-                />
-            </div>
-            <div class="[&>div]:!mt-0">
-                <MalioSelect
-                    v-model="filters.status"
-                    :options="statusOptions"
-                    :label="$t('clientTicket.filterStatus')"
-                    group-class="!w-48"
-                    empty-option-label="—"
-                    @update:model-value="load"
-                />
-            </div>
-        </div>
-
-        <DataTable
-            class="mt-4"
-            :columns="columns"
-            :items="tickets"
-            :loading="isLoading"
-            :empty-message="$t('portal.noTickets')"
-            @row-click="openDetail"
-        >
-            <template #cell-number="{ item }">
-                <span class="font-mono font-semibold text-primary-500">
-                    {{ formatTicketNumber((item as ClientTicket).number) }}
-                </span>
-            </template>
-            <template #cell-type="{ item }">
-                <ClientTicketTypeBadge :type="(item as ClientTicket).type" />
-            </template>
-            <template #cell-status="{ item }">
-                <ClientTicketStatusBadge :status="(item as ClientTicket).status" />
-            </template>
-            <template #cell-project="{ item }">
-                {{ projectName((item as ClientTicket).project) }}
-            </template>
-            <template #cell-submittedBy="{ item }">
-                {{ submitterName((item as ClientTicket).submittedBy) }}
-            </template>
-            <template #cell-createdAt="{ item }">
-                {{ formatDate((item as ClientTicket).createdAt) }}
-            </template>
-            <template #cell-actions="{ item }">
-                <MalioButton
-                    :label="$t('clientTicket.changeStatus')"
-                    button-class="w-auto px-3 py-1 text-xs"
-                    @click.stop="openStatus(item as ClientTicket)"
-                />
-            </template>
-        </DataTable>
-
-        <!-- Detail modal (read-only + documents) -->
-        <ClientTicketDetailModal
-            v-model="detailOpen"
-            :ticket="selectedTicket"
-        />
-
-        <!-- Status change modal -->
-        <AppModal v-model="statusOpen" :title="$t('clientTicket.changeStatus')" width="md">
-            <div v-if="statusTicket" class="flex flex-col gap-4">
-                <p class="text-sm text-neutral-500">
-                    {{ formatTicketNumber(statusTicket.number) }} — {{ statusTicket.title }}
-                </p>
-                <MalioSelect
-                    v-model="statusForm.status"
-                    :options="statusEditOptions"
-                    :label="$t('clientTicket.status.label')"
-                    group-class="w-full"
-                />
-                <MalioInputTextArea
-                    v-model="statusForm.statusComment"
-                    :label="$t('clientTicket.statusComment')"
-                    :rows="3"
-                    input-class="w-full"
-                    :error="statusError"
-                />
-            </div>
-            <template #footer>
-                <MalioButton
-                    :label="$t('common.cancel')"
-                    button-class="w-auto px-4"
-                    variant="secondary"
-                    @click="statusOpen = false"
-                />
-                <MalioButton
-                    :label="$t('common.save')"
-                    button-class="w-auto px-6"
-                    :disabled="isSavingStatus"
-                    @click="saveStatus"
-                />
-            </template>
-        </AppModal>
-    </div>
-</template>
-
-<script setup lang="ts">
-import type {
-    ClientTicket,
-    ClientTicketStatus,
-} from '~/modules/client-portal/services/dto/client-ticket'
-import type { Project } from '~/modules/project-management/services/dto/project'
-import type { UserData } from '~/services/dto/user-data'
-import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
-import { useProjectService } from '~/modules/project-management/services/projects'
-import { useUserService } from '~/services/users'
-import { formatTicketNumber, iriToId } from '~/modules/client-portal/utils/ticket'
-import type { DataTableColumn } from '~/components/ui/DataTable.vue'
-
-const { t } = useI18n()
-const { getAll, getById, updateStatus } = useClientTicketService()
-const { getAll: getProjects } = useProjectService()
-const { getAll: getUsers } = useUserService()
-
-const columns: DataTableColumn[] = [
-    { key: 'number', label: 'N°', primary: true },
-    { key: 'type', label: t('clientTicket.typeLabel') },
-    { key: 'title', label: t('clientTicket.title') },
-    { key: 'status', label: t('clientTicket.status.label') },
-    { key: 'project', label: t('clientTicket.project') },
-    { key: 'submittedBy', label: t('clientTicket.submittedBy') },
-    { key: 'createdAt', label: t('clientTicket.date') },
-    { key: 'actions', label: '' },
-]
-
-const STATUSES: ClientTicketStatus[] = ['new', 'in_progress', 'done', 'rejected']
-
-const statusOptions = computed(() =>
-    STATUSES.map((s) => ({ label: t(`clientTicket.status.${s}`), value: s })),
-)
-const statusEditOptions = statusOptions
-
-const tickets = ref<ClientTicket[]>([])
-const projects = ref<Project[]>([])
-const users = ref<UserData[]>([])
-const isLoading = ref(true)
-
-const filters = reactive({
-    project: null as string | null,
-    status: null as string | null,
-})
-
-const projectOptions = computed(() =>
-    projects.value.map((p) => ({
-        label: p.name,
-        value: p['@id'] ?? `/api/projects/${p.id}`,
-    })),
-)
-
-function projectName(iri: string): string {
-    const id = iriToId(iri)
-    return projects.value.find((p) => p.id === id)?.name ?? '—'
-}
-
-function submitterName(iri: string | null): string {
-    if (!iri) return '—'
-    const id = iriToId(iri)
-    return users.value.find((u) => u.id === id)?.username ?? '—'
-}
-
-function formatDate(value: string): string {
-    return new Date(value).toLocaleDateString('fr-FR', {
-        day: '2-digit',
-        month: '2-digit',
-        year: 'numeric',
-    })
-}
-
-// Detail modal
-const detailOpen = ref(false)
-const selectedTicket = ref<ClientTicket | null>(null)
-
-async function openDetail(ticket: ClientTicket) {
-    try {
-        selectedTicket.value = await getById(ticket.id)
-    } catch {
-        selectedTicket.value = ticket
-    }
-    detailOpen.value = true
-}
-
-// Status modal
-const statusOpen = ref(false)
-const statusTicket = ref<ClientTicket | null>(null)
-const isSavingStatus = ref(false)
-const statusForm = reactive({
-    status: 'new' as ClientTicketStatus,
-    statusComment: '',
-})
-
-const statusError = computed(() => {
-    if (statusForm.status === 'rejected' && !statusForm.statusComment.trim()) {
-        return t('clientTicket.rejectionRequired')
-    }
-    return ''
-})
-
-function openStatus(ticket: ClientTicket) {
-    statusTicket.value = ticket
-    statusForm.status = ticket.status
-    statusForm.statusComment = ticket.statusComment ?? ''
-    statusOpen.value = true
-}
-
-async function saveStatus() {
-    if (!statusTicket.value) return
-    if (statusForm.status === 'rejected' && !statusForm.statusComment.trim()) {
-        return
-    }
-    isSavingStatus.value = true
-    try {
-        await updateStatus(statusTicket.value.id, {
-            status: statusForm.status,
-            statusComment: statusForm.statusComment.trim() || null,
-        })
-        statusOpen.value = false
-        await load()
-    } finally {
-        isSavingStatus.value = false
-    }
-}
-
-async function load() {
-    isLoading.value = true
-    try {
-        tickets.value = await getAll({
-            project: filters.project ?? undefined,
-            status: filters.status ?? undefined,
-        })
-    } finally {
-        isLoading.value = false
-    }
-}
-
-onMounted(async () => {
-    const [proj, usr] = await Promise.all([getProjects(), getUsers()])
-    projects.value = proj
-    users.value = usr
-    await load()
-})
-</script>
diff --git a/frontend/components/notification/NotificationBell.vue b/frontend/components/notification/NotificationBell.vue
index e3e9b6d..38383e9 100644
--- a/frontend/components/notification/NotificationBell.vue
+++ b/frontend/components/notification/NotificationBell.vue
@@ -102,22 +102,11 @@ function toggleDropdown() {
     }
 }
 
-const auth = useAuthStore()
-
-const isAdmin = computed(() => (auth.user?.roles ?? []).includes('ROLE_ADMIN'))
-
 function handleClick(notif: Notification) {
     if (!notif.isRead) {
         markAsRead(notif.id)
     }
     isOpen.value = false
-
-    // Deep-link to the related ticket when present. The notification payload does
-    // not carry the ticket's project, so we route to the relevant list view:
-    // admins to the client-tickets admin tab, clients to their portal.
-    if (notif.relatedTicket) {
-        navigateTo(isAdmin.value ? '/admin' : '/portal')
-    }
 }
 
 async function handleMarkAllRead() {
diff --git a/frontend/components/user/UserDrawer.vue b/frontend/components/user/UserDrawer.vue
index beda546..149f7e3 100644
--- a/frontend/components/user/UserDrawer.vue
+++ b/frontend/components/user/UserDrawer.vue
@@ -48,26 +48,6 @@
                 </div>
             </div>
 
-            <!-- Compte client (portail) -->
-            <div v-if="isClient" class="mt-6 border-t border-neutral-200 pt-4">
-                <p class="mb-3 text-sm font-semibold text-neutral-700">{{ $t('users.clientAccount') }}</p>
-                <MalioSelect
-                    v-model="form.client"
-                    :options="clientOptions"
-                    :label="$t('users.client')"
-                    group-class="w-full"
-                    empty-option-label="—"
-                />
-                <div class="mt-3">
-                    <MalioSelectCheckbox
-                        v-model="form.allowedProjects"
-                        :options="projectOptions"
-                        :label="$t('users.allowedProjects')"
-                        group-class="w-full"
-                    />
-                </div>
-            </div>
-
             <!-- RH / Absences -->
             <div class="mt-6 border-t border-neutral-200 pt-4">
                 <MalioCheckbox v-model="form.isEmployee" label="Employé (soumis à la gestion des absences)" />
@@ -91,8 +71,6 @@
 <script setup lang="ts">
 import type { UserData, UserWrite } from '~/services/dto/user-data'
 import { useUserService } from '~/services/users'
-import { useClientService } from '~/modules/directory/services/clients'
-import { useProjectService } from '~/modules/project-management/services/projects'
 
 const props = defineProps<{
     modelValue: boolean
@@ -109,7 +87,7 @@ const isOpen = computed({
     set: (v) => emit('update:modelValue', v),
 })
 
-const availableRoles = ['ROLE_ADMIN', 'ROLE_USER', 'ROLE_CLIENT']
+const availableRoles = ['ROLE_ADMIN', 'ROLE_USER']
 
 const isEditing = computed(() => !!props.item)
 const isSubmitting = ref(false)
@@ -121,52 +99,15 @@ const form = reactive({
     password: '',
     roles: [] as string[],
     isEmployee: false,
-    client: null as string | null,
-    allowedProjects: [] as string[],
 })
 
-const isClient = computed(() => form.roles.includes('ROLE_CLIENT'))
-
 const touched = reactive({
     username: false,
     password: false,
 })
 
-const clientOptions = ref<{ label: string, value: string | null }[]>([])
-const projectOptions = ref<{ label: string, value: string }[]>([])
-
-const { getAll: getClients } = useClientService()
-const { getAll: getProjects } = useProjectService()
 const { create, update, getById } = useUserService()
 
-async function loadOptions() {
-    if (clientOptions.value.length && projectOptions.value.length) {
-        return
-    }
-    const [clients, projects] = await Promise.all([getClients(), getProjects()])
-    clientOptions.value = clients.map((c) => ({
-        label: c.name,
-        value: c['@id'] ?? `/api/clients/${c.id}`,
-    }))
-    projectOptions.value = projects.map((p) => ({
-        label: p.name,
-        value: p['@id'] ?? `/api/projects/${p.id}`,
-    }))
-}
-
-/** Normalize allowedProjects (embedded objects or bare IRIs) into IRI strings. */
-function toProjectIris(allowed: UserData['allowedProjects'] | undefined): string[] {
-    if (!allowed) {
-        return []
-    }
-    return allowed.map((p) => {
-        if (typeof p === 'string') {
-            return p
-        }
-        return p['@id'] ?? `/api/projects/${p.id}`
-    })
-}
-
 function applyUser(user: UserData) {
     form.username = user.username ?? ''
     form.firstName = user.firstName ?? ''
@@ -174,8 +115,6 @@ function applyUser(user: UserData) {
     form.password = ''
     form.roles = [...user.roles]
     form.isEmployee = user.isEmployee ?? false
-    form.client = user.client ?? null
-    form.allowedProjects = toProjectIris(user.allowedProjects)
 }
 
 watch(() => props.modelValue, async (open) => {
@@ -185,10 +124,8 @@ watch(() => props.modelValue, async (open) => {
 
     touched.username = false
     touched.password = false
-    await loadOptions()
 
     if (props.item) {
-        // The list payload (user:list) omits client / allowedProjects → fetch the full item.
         applyUser(props.item)
         try {
             const full = await getById(props.item.id)
@@ -203,8 +140,6 @@ watch(() => props.modelValue, async (open) => {
         form.password = ''
         form.roles = ['ROLE_USER']
         form.isEmployee = false
-        form.client = null
-        form.allowedProjects = []
     }
 })
 
@@ -227,15 +162,6 @@ async function handleSubmit() {
             payload.plainPassword = form.password
         }
 
-        // Client portal fields: only relevant when the user is a client.
-        if (isClient.value) {
-            payload.client = form.client
-            payload.allowedProjects = form.allowedProjects
-        } else {
-            payload.client = null
-            payload.allowedProjects = []
-        }
-
         if (isEditing.value && props.item) {
             await update(props.item.id, payload)
         } else {
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 78019e3..db34baa 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -193,10 +193,7 @@
     "updated": "Utilisateur mis à jour avec succès.",
     "deleted": "Utilisateur supprimé avec succès.",
     "addUser": "Ajouter un utilisateur",
-    "editUser": "Modifier un utilisateur",
-    "clientAccount": "Compte client (portail)",
-    "client": "Client",
-    "allowedProjects": "Projets autorisés"
+    "editUser": "Modifier un utilisateur"
   },
   "admin": {
     "roles": {
@@ -357,8 +354,7 @@
       "myTasks": "Mes tâches",
       "projects": "Projets",
       "timeTracking": "Suivi de temps",
-      "mail": "Messagerie",
-      "portal": "Portail client"
+      "mail": "Messagerie"
     },
     "admin": {
       "section": "Administration",
@@ -949,49 +945,5 @@
       "empty": "Aucun prospect trouvé.",
       "allStatuses": "Tous les statuts"
     }
-  },
-  "portal": {
-    "title": "Portail client",
-    "projects": "Mes projets",
-    "openTickets": "tickets ouverts",
-    "newTicket": "Nouveau ticket",
-    "ticketDetail": "Détail du ticket",
-    "noProjects": "Aucun projet accessible.",
-    "noTickets": "Aucun ticket pour le moment."
-  },
-  "clientTicket": {
-    "typeLabel": "Type",
-    "type": {
-      "bug": "Bug",
-      "improvement": "Amélioration",
-      "other": "Autre"
-    },
-    "status": {
-      "label": "Statut",
-      "new": "Nouveau",
-      "in_progress": "En cours",
-      "done": "Terminé",
-      "rejected": "Rejeté"
-    },
-    "title": "Titre",
-    "titleRequired": "Le titre est requis",
-    "description": "Description",
-    "descriptionRequired": "La description est requise",
-    "url": "URL (page concernée)",
-    "statusComment": "Commentaire de statut",
-    "project": "Projet",
-    "submittedBy": "Soumis par",
-    "date": "Date",
-    "created": "Ticket créé",
-    "statusChanged": "Statut mis à jour",
-    "confirmDelete": "Supprimer ce ticket ?",
-    "deleted": "Ticket supprimé",
-    "linkedTooltip": "Lié au ticket client {number}",
-    "rejectionRequired": "Un commentaire est requis pour rejeter un ticket",
-    "changeStatus": "Changer le statut",
-    "adminTab": "Tickets client",
-    "adminTitle": "Tickets client",
-    "filterProject": "Projet",
-    "filterStatus": "Statut"
   }
 }
diff --git a/frontend/modules/client-portal/components/ClientTicketDetailModal.vue b/frontend/modules/client-portal/components/ClientTicketDetailModal.vue
deleted file mode 100644
index d988126..0000000
--- a/frontend/modules/client-portal/components/ClientTicketDetailModal.vue
+++ /dev/null
@@ -1,132 +0,0 @@
-<template>
-    <AppModal
-        :model-value="modelValue"
-        width="lg"
-        @update:model-value="$emit('update:modelValue', $event)"
-    >
-        <template #title>
-            <span v-if="ticket" class="flex items-center gap-2">
-                <span class="font-mono text-primary-500">{{ formatTicketNumber(ticket.number) }}</span>
-                <ClientTicketTypeBadge :type="ticket.type" />
-            </span>
-            <span v-else>{{ $t('portal.ticketDetail') }}</span>
-        </template>
-
-        <div v-if="ticket" class="flex flex-col gap-4">
-            <div class="flex items-start justify-between gap-3">
-                <h3 class="text-lg font-bold text-neutral-900">{{ ticket.title }}</h3>
-                <ClientTicketStatusBadge :status="ticket.status" />
-            </div>
-
-            <div>
-                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
-                    {{ $t('clientTicket.description') }}
-                </p>
-                <p class="whitespace-pre-wrap text-sm text-neutral-700">{{ ticket.description }}</p>
-            </div>
-
-            <div v-if="ticket.url">
-                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
-                    {{ $t('clientTicket.url') }}
-                </p>
-                <a
-                    :href="ticket.url"
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    class="break-all text-sm text-blue-600 hover:underline"
-                >{{ ticket.url }}</a>
-            </div>
-
-            <div v-if="ticket.statusComment">
-                <p class="mb-1 text-xs font-semibold uppercase text-neutral-400">
-                    {{ $t('clientTicket.statusComment') }}
-                </p>
-                <p class="whitespace-pre-wrap rounded-lg bg-neutral-50 p-3 text-sm text-neutral-700">
-                    {{ ticket.statusComment }}
-                </p>
-            </div>
-
-            <div class="text-xs text-neutral-400">
-                {{ $t('clientTicket.created') }} : {{ formatDate(ticket.createdAt) }}
-            </div>
-
-            <!-- Documents -->
-            <div class="border-t border-neutral-100 pt-2">
-                <div v-if="loadingDocs" class="flex justify-center py-4">
-                    <Icon name="heroicons:arrow-path" class="h-5 w-5 animate-spin text-neutral-400" />
-                </div>
-                <TaskDocumentList
-                    v-else
-                    :documents="documents"
-                    :is-admin="false"
-                    @preview="previewDoc = $event"
-                />
-            </div>
-        </div>
-
-        <TaskDocumentPreview
-            :document="previewDoc"
-            :has-prev="false"
-            :has-next="false"
-            @close="previewDoc = null"
-        />
-    </AppModal>
-</template>
-
-<script setup lang="ts">
-import type { ClientTicket } from '~/modules/client-portal/services/dto/client-ticket'
-import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
-import { useTaskDocumentService } from '~/modules/project-management/services/task-documents'
-import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
-
-const props = defineProps<{
-    modelValue: boolean
-    ticket: ClientTicket | null
-}>()
-
-defineEmits<{
-    'update:modelValue': [value: boolean]
-}>()
-
-const { getByClientTicket } = useTaskDocumentService()
-
-const documents = ref<TaskDocument[]>([])
-const loadingDocs = ref(false)
-const previewDoc = ref<TaskDocument | null>(null)
-
-function formatDate(value: string): string {
-    return new Date(value).toLocaleDateString('fr-FR', {
-        day: '2-digit',
-        month: '2-digit',
-        year: 'numeric',
-    })
-}
-
-async function loadDocuments(ticketId: number) {
-    loadingDocs.value = true
-    try {
-        documents.value = await getByClientTicket(ticketId)
-    } catch {
-        documents.value = []
-    } finally {
-        loadingDocs.value = false
-    }
-}
-
-watch(
-    () => [props.modelValue, props.ticket?.id] as const,
-    ([open, id]) => {
-        previewDoc.value = null
-        if (open && id) {
-            // Prefer documents embedded in the ticket, fall back to a dedicated fetch.
-            if (props.ticket?.documents?.length) {
-                documents.value = props.ticket.documents
-            } else {
-                documents.value = []
-                loadDocuments(id)
-            }
-        }
-    },
-    { immediate: true },
-)
-</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketFormModal.vue b/frontend/modules/client-portal/components/ClientTicketFormModal.vue
deleted file mode 100644
index 4d5d496..0000000
--- a/frontend/modules/client-portal/components/ClientTicketFormModal.vue
+++ /dev/null
@@ -1,158 +0,0 @@
-<template>
-    <AppModal
-        :model-value="modelValue"
-        width="lg"
-        :title="$t('portal.newTicket')"
-        @update:model-value="onModalUpdate"
-    >
-        <form class="flex flex-col gap-4" @submit.prevent="handleSubmit">
-            <MalioSelect
-                v-model="form.type"
-                :options="typeOptions"
-                :label="$t('clientTicket.typeLabel')"
-                group-class="w-full"
-            />
-
-            <MalioInputText
-                v-model="form.title"
-                :label="$t('clientTicket.title')"
-                input-class="w-full"
-                :error="touched.title && !form.title.trim() ? $t('clientTicket.titleRequired') : ''"
-                @blur="touched.title = true"
-            />
-
-            <MalioInputTextArea
-                v-model="form.description"
-                :label="$t('clientTicket.description')"
-                :rows="5"
-                input-class="w-full"
-                :error="touched.description && !form.description.trim() ? $t('clientTicket.descriptionRequired') : ''"
-                @blur="touched.description = true"
-            />
-
-            <MalioInputText
-                v-if="form.type === 'bug'"
-                v-model="form.url"
-                :label="$t('clientTicket.url')"
-                input-class="w-full"
-            />
-
-            <!-- Documents : uploadable only once the ticket exists -->
-            <div v-if="createdTicketId">
-                <p class="text-sm font-semibold text-neutral-700">{{ $t('taskDocuments.title') }}</p>
-                <TaskDocumentUpload :client-ticket-id="createdTicketId" />
-            </div>
-        </form>
-
-        <template #footer>
-            <MalioButton
-                v-if="!createdTicketId"
-                :label="$t('common.submit')"
-                button-class="w-auto px-6"
-                :disabled="isSubmitting"
-                @click="handleSubmit"
-            />
-            <MalioButton
-                v-else
-                :label="$t('common.close')"
-                button-class="w-auto px-6"
-                @click="finish"
-            />
-        </template>
-    </AppModal>
-</template>
-
-<script setup lang="ts">
-import type {
-    ClientTicketCreate,
-    ClientTicketType,
-} from '~/modules/client-portal/services/dto/client-ticket'
-import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
-
-const props = defineProps<{
-    modelValue: boolean
-    projectIri: string
-}>()
-
-const emit = defineEmits<{
-    'update:modelValue': [value: boolean]
-    created: []
-}>()
-
-const { t } = useI18n()
-const { create } = useClientTicketService()
-
-const typeOptions = computed(() => ([
-    { label: t('clientTicket.type.bug'), value: 'bug' },
-    { label: t('clientTicket.type.improvement'), value: 'improvement' },
-    { label: t('clientTicket.type.other'), value: 'other' },
-]))
-
-const isSubmitting = ref(false)
-const createdTicketId = ref<number | null>(null)
-
-const form = reactive({
-    type: 'bug' as ClientTicketType,
-    title: '',
-    description: '',
-    url: '',
-})
-
-const touched = reactive({
-    title: false,
-    description: false,
-})
-
-function resetForm() {
-    form.type = 'bug'
-    form.title = ''
-    form.description = ''
-    form.url = ''
-    touched.title = false
-    touched.description = false
-    createdTicketId.value = null
-    isSubmitting.value = false
-}
-
-watch(() => props.modelValue, (open) => {
-    if (open) {
-        resetForm()
-    }
-})
-
-function onModalUpdate(value: boolean) {
-    emit('update:modelValue', value)
-    if (!value && createdTicketId.value) {
-        // A ticket was created before closing → refresh the list.
-        emit('created')
-    }
-}
-
-function finish() {
-    emit('update:modelValue', false)
-    emit('created')
-}
-
-async function handleSubmit() {
-    touched.title = true
-    touched.description = true
-    if (!form.title.trim() || !form.description.trim()) {
-        return
-    }
-
-    isSubmitting.value = true
-    try {
-        const payload: ClientTicketCreate = {
-            type: form.type,
-            title: form.title.trim(),
-            description: form.description.trim(),
-            url: form.type === 'bug' && form.url.trim() ? form.url.trim() : null,
-            project: props.projectIri,
-        }
-        const ticket = await create(payload)
-        createdTicketId.value = ticket.id
-    } finally {
-        isSubmitting.value = false
-    }
-}
-</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue b/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
deleted file mode 100644
index f7d35b9..0000000
--- a/frontend/modules/client-portal/components/ClientTicketStatusBadge.vue
+++ /dev/null
@@ -1,25 +0,0 @@
-<template>
-    <span
-        class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-semibold"
-        :class="classes"
-    >
-        {{ $t(`clientTicket.status.${status}`) }}
-    </span>
-</template>
-
-<script setup lang="ts">
-import type { ClientTicketStatus } from '~/modules/client-portal/services/dto/client-ticket'
-
-const props = defineProps<{
-    status: ClientTicketStatus
-}>()
-
-const STATUS_CONFIG: Record<ClientTicketStatus, string> = {
-    new: 'bg-sky-100 text-sky-700',
-    in_progress: 'bg-amber-100 text-amber-700',
-    done: 'bg-green-100 text-green-700',
-    rejected: 'bg-neutral-200 text-neutral-600',
-}
-
-const classes = computed(() => STATUS_CONFIG[props.status] ?? STATUS_CONFIG.new)
-</script>
diff --git a/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue b/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
deleted file mode 100644
index ed9d76c..0000000
--- a/frontend/modules/client-portal/components/ClientTicketTypeBadge.vue
+++ /dev/null
@@ -1,25 +0,0 @@
-<template>
-    <span
-        class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-semibold"
-        :class="config.classes"
-    >
-        <Icon :name="config.icon" class="h-3 w-3" />
-        {{ $t(`clientTicket.type.${type}`) }}
-    </span>
-</template>
-
-<script setup lang="ts">
-import type { ClientTicketType } from '~/modules/client-portal/services/dto/client-ticket'
-
-const props = defineProps<{
-    type: ClientTicketType
-}>()
-
-const TYPE_CONFIG: Record<ClientTicketType, { icon: string, classes: string }> = {
-    bug: { icon: 'mdi:bug-outline', classes: 'bg-red-100 text-red-700' },
-    improvement: { icon: 'mdi:lightbulb-on-outline', classes: 'bg-blue-100 text-blue-700' },
-    other: { icon: 'mdi:dots-horizontal-circle-outline', classes: 'bg-neutral-100 text-neutral-700' },
-}
-
-const config = computed(() => TYPE_CONFIG[props.type] ?? TYPE_CONFIG.other)
-</script>
diff --git a/frontend/modules/client-portal/nuxt.config.ts b/frontend/modules/client-portal/nuxt.config.ts
deleted file mode 100644
index 268da7f..0000000
--- a/frontend/modules/client-portal/nuxt.config.ts
+++ /dev/null
@@ -1 +0,0 @@
-export default defineNuxtConfig({})
diff --git a/frontend/modules/client-portal/pages/portal/index.vue b/frontend/modules/client-portal/pages/portal/index.vue
deleted file mode 100644
index b1d5de4..0000000
--- a/frontend/modules/client-portal/pages/portal/index.vue
+++ /dev/null
@@ -1,93 +0,0 @@
-<template>
-    <div class="flex flex-col gap-6">
-        <div>
-            <h1 class="text-2xl font-bold text-neutral-900">{{ $t('portal.title') }}</h1>
-            <p class="mt-1 text-sm text-neutral-500">{{ $t('portal.projects') }}</p>
-        </div>
-
-        <div v-if="isLoading" class="flex justify-center py-16">
-            <Icon name="heroicons:arrow-path" class="h-7 w-7 animate-spin text-neutral-400" />
-        </div>
-
-        <div v-else-if="!projects.length" class="rounded-xl border border-dashed border-neutral-300 py-16 text-center text-neutral-400">
-            {{ $t('portal.noProjects') }}
-        </div>
-
-        <div v-else class="grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-3">
-            <NuxtLink
-                v-for="project in projects"
-                :key="project.id"
-                :to="`/portal/projects/${project.id}`"
-                class="group flex flex-col gap-3 rounded-xl border border-neutral-200 bg-white p-5 shadow-sm transition hover:border-primary-300 hover:shadow-md"
-            >
-                <div class="flex items-start justify-between gap-2">
-                    <h2 class="text-lg font-bold text-neutral-900 group-hover:text-primary-500">
-                        {{ project.name }}
-                    </h2>
-                    <Icon name="mdi:folder-outline" class="h-6 w-6 text-neutral-300" />
-                </div>
-                <div class="mt-auto flex items-center gap-1.5 text-sm text-neutral-500">
-                    <span class="text-base font-bold text-primary-500">{{ openCount(project.id) }}</span>
-                    {{ $t('portal.openTickets') }}
-                </div>
-            </NuxtLink>
-        </div>
-    </div>
-</template>
-
-<script setup lang="ts">
-import type { AllowedProject } from '~/services/dto/user-data'
-import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
-import { useProjectService } from '~/modules/project-management/services/projects'
-import { iriToId } from '~/modules/client-portal/utils/ticket'
-
-definePageMeta({ middleware: ['portal'] })
-useHead({ title: 'Portail client' })
-
-const auth = useAuthStore()
-const { getAll: getTickets } = useClientTicketService()
-const { getAll: getProjects } = useProjectService()
-
-const isLoading = ref(true)
-const projects = ref<AllowedProject[]>([])
-const openCounts = ref<Record<number, number>>({})
-
-function openCount(projectId: number): number {
-    return openCounts.value[projectId] ?? 0
-}
-
-async function load() {
-    isLoading.value = true
-    try {
-        // Client users get their projects from `/me` (allowedProjects, embedded id + name).
-        // Internal users (admin/user) previewing the portal fall back to the full project list.
-        const allowed = auth.user?.allowedProjects ?? []
-        if (allowed.length) {
-            projects.value = allowed
-        } else if (auth.user?.roles?.some((r) => r === 'ROLE_ADMIN' || r === 'ROLE_USER')) {
-            const all = await getProjects({ archived: false })
-            projects.value = all.map((p) => ({ id: p.id, name: p.name, '@id': p['@id'] }))
-        } else {
-            projects.value = []
-        }
-
-        // Count open tickets (status new / in_progress) per project.
-        const tickets = await getTickets()
-        const counts: Record<number, number> = {}
-        for (const ticket of tickets) {
-            if (ticket.status !== 'new' && ticket.status !== 'in_progress') {
-                continue
-            }
-            const pid = iriToId(ticket.project)
-            if (pid !== null) {
-                counts[pid] = (counts[pid] ?? 0) + 1
-            }
-        }
-        openCounts.value = counts
-    } finally {
-        isLoading.value = false
-    }
-}
-
-onMounted(load)
-</script>
diff --git a/frontend/modules/client-portal/pages/portal/projects/[id].vue b/frontend/modules/client-portal/pages/portal/projects/[id].vue
deleted file mode 100644
index c3efba8..0000000
--- a/frontend/modules/client-portal/pages/portal/projects/[id].vue
+++ /dev/null
@@ -1,133 +0,0 @@
-<template>
-    <div class="flex flex-col gap-6">
-        <div class="flex flex-wrap items-center justify-between gap-3">
-            <div class="flex items-center gap-3">
-                <NuxtLink
-                    to="/portal"
-                    class="flex h-8 w-8 items-center justify-center rounded-full text-neutral-400 transition hover:bg-neutral-100 hover:text-neutral-600"
-                >
-                    <Icon name="mdi:arrow-left" class="h-5 w-5" />
-                </NuxtLink>
-                <h1 class="text-2xl font-bold text-neutral-900">{{ projectName }}</h1>
-            </div>
-            <MalioButton
-                icon-name="mdi:plus"
-                icon-position="left"
-                button-class="w-auto px-4"
-                :label="$t('portal.newTicket')"
-                @click="formOpen = true"
-            />
-        </div>
-
-        <div v-if="isLoading" class="flex justify-center py-16">
-            <Icon name="heroicons:arrow-path" class="h-7 w-7 animate-spin text-neutral-400" />
-        </div>
-
-        <div v-else-if="!tickets.length" class="rounded-xl border border-dashed border-neutral-300 py-16 text-center text-neutral-400">
-            {{ $t('portal.noTickets') }}
-        </div>
-
-        <div v-else class="flex flex-col gap-2">
-            <button
-                v-for="ticket in tickets"
-                :key="ticket.id"
-                type="button"
-                class="flex flex-wrap items-center gap-3 rounded-xl border border-neutral-200 bg-white px-4 py-3 text-left shadow-sm transition hover:border-primary-300 hover:shadow-md"
-                @click="openDetail(ticket)"
-            >
-                <span class="font-mono text-sm font-semibold text-primary-500">
-                    {{ formatTicketNumber(ticket.number) }}
-                </span>
-                <ClientTicketTypeBadge :type="ticket.type" />
-                <span class="min-w-0 flex-1 truncate font-semibold text-neutral-900">{{ ticket.title }}</span>
-                <ClientTicketStatusBadge :status="ticket.status" />
-                <span class="text-xs text-neutral-400">{{ formatDate(ticket.createdAt) }}</span>
-            </button>
-        </div>
-
-        <ClientTicketFormModal
-            v-model="formOpen"
-            :project-iri="projectIri"
-            @created="load"
-        />
-
-        <ClientTicketDetailModal
-            v-model="detailOpen"
-            :ticket="selectedTicket"
-        />
-    </div>
-</template>
-
-<script setup lang="ts">
-import type { ClientTicket } from '~/modules/client-portal/services/dto/client-ticket'
-import { useClientTicketService } from '~/modules/client-portal/services/client-tickets'
-import { useProjectService } from '~/modules/project-management/services/projects'
-import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
-
-definePageMeta({ middleware: ['portal'] })
-
-const route = useRoute()
-const auth = useAuthStore()
-const { getAll, getById } = useClientTicketService()
-const { getById: getProject } = useProjectService()
-
-const projectId = computed(() => Number(route.params.id))
-const projectIri = computed(() => `/api/projects/${projectId.value}`)
-
-const isLoading = ref(true)
-const tickets = ref<ClientTicket[]>([])
-const projectName = ref('')
-const formOpen = ref(false)
-const detailOpen = ref(false)
-const selectedTicket = ref<ClientTicket | null>(null)
-
-useHead(() => ({ title: projectName.value || 'Portail client' }))
-
-function formatDate(value: string): string {
-    return new Date(value).toLocaleDateString('fr-FR', {
-        day: '2-digit',
-        month: '2-digit',
-        year: 'numeric',
-    })
-}
-
-async function openDetail(ticket: ClientTicket) {
-    // Re-fetch to get embedded documents (collection items may omit them).
-    try {
-        selectedTicket.value = await getById(ticket.id)
-    } catch {
-        selectedTicket.value = ticket
-    }
-    detailOpen.value = true
-}
-
-function resolveProjectName() {
-    const allowed = auth.user?.allowedProjects ?? []
-    const match = allowed.find((p) => p.id === projectId.value)
-    if (match) {
-        projectName.value = match.name
-    }
-}
-
-async function load() {
-    isLoading.value = true
-    try {
-        resolveProjectName()
-        tickets.value = await getAll({ project: projectId.value })
-
-        // Internal users (admin/user) have no allowedProjects → fetch the name directly.
-        if (!projectName.value && auth.user?.roles?.some((r) => r === 'ROLE_ADMIN' || r === 'ROLE_USER')) {
-            try {
-                const project = await getProject(projectId.value)
-                projectName.value = project.name
-            } catch {
-                projectName.value = ''
-            }
-        }
-    } finally {
-        isLoading.value = false
-    }
-}
-
-onMounted(load)
-</script>
diff --git a/frontend/modules/client-portal/services/client-tickets.ts b/frontend/modules/client-portal/services/client-tickets.ts
deleted file mode 100644
index 2bbd652..0000000
--- a/frontend/modules/client-portal/services/client-tickets.ts
+++ /dev/null
@@ -1,60 +0,0 @@
-import type {
-    ClientTicket,
-    ClientTicketCreate,
-    ClientTicketStatusUpdate,
-} from './dto/client-ticket'
-import type { HydraCollection } from '~/utils/api'
-import { extractHydraMembers } from '~/utils/api'
-
-export type ClientTicketFilters = {
-    project?: number | string
-    status?: string
-    submittedBy?: number | string
-}
-
-export function useClientTicketService() {
-    const api = useApi()
-
-    async function getAll(params?: ClientTicketFilters): Promise<ClientTicket[]> {
-        const query: Record<string, unknown> = {}
-        if (params?.project !== undefined && params.project !== '') {
-            query.project = typeof params.project === 'number'
-                ? `/api/projects/${params.project}`
-                : params.project
-        }
-        if (params?.status) {
-            query.status = params.status
-        }
-        if (params?.submittedBy !== undefined && params.submittedBy !== '') {
-            query.submittedBy = typeof params.submittedBy === 'number'
-                ? `/api/users/${params.submittedBy}`
-                : params.submittedBy
-        }
-        const data = await api.get<HydraCollection<ClientTicket>>('/client_tickets', query)
-        return extractHydraMembers(data)
-    }
-
-    async function getById(id: number): Promise<ClientTicket> {
-        return api.get<ClientTicket>(`/client_tickets/${id}`)
-    }
-
-    async function create(payload: ClientTicketCreate): Promise<ClientTicket> {
-        return api.post<ClientTicket>('/client_tickets', payload as Record<string, unknown>, {
-            toastSuccessKey: 'clientTicket.created',
-        })
-    }
-
-    async function updateStatus(id: number, payload: ClientTicketStatusUpdate): Promise<ClientTicket> {
-        return api.patch<ClientTicket>(`/client_tickets/${id}`, payload as Record<string, unknown>, {
-            toastSuccessKey: 'clientTicket.statusChanged',
-        })
-    }
-
-    async function remove(id: number): Promise<void> {
-        await api.delete(`/client_tickets/${id}`, {}, {
-            toastSuccessKey: 'clientTicket.deleted',
-        })
-    }
-
-    return { getAll, getById, create, updateStatus, remove }
-}
diff --git a/frontend/modules/client-portal/services/dto/client-ticket.ts b/frontend/modules/client-portal/services/dto/client-ticket.ts
deleted file mode 100644
index 25f90e0..0000000
--- a/frontend/modules/client-portal/services/dto/client-ticket.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import type { TaskDocument } from '~/modules/project-management/services/dto/task-document'
-
-export type ClientTicketType = 'bug' | 'improvement' | 'other'
-export type ClientTicketStatus = 'new' | 'in_progress' | 'done' | 'rejected'
-
-export type ClientTicket = {
-    '@id'?: string
-    id: number
-    number: number
-    type: ClientTicketType
-    title: string
-    description: string
-    url: string | null
-    status: ClientTicketStatus
-    statusComment: string | null
-    project: string             // IRI
-    submittedBy: string | null  // IRI, nullable (ON DELETE SET NULL)
-    createdAt: string
-    updatedAt: string
-    documents?: TaskDocument[]
-}
-
-export type ClientTicketCreate = {
-    type: ClientTicketType
-    title: string
-    description: string
-    url?: string | null
-    project: string             // IRI
-}
-
-export type ClientTicketStatusUpdate = {
-    status: ClientTicketStatus
-    statusComment?: string | null
-}
diff --git a/frontend/modules/client-portal/utils/ticket.ts b/frontend/modules/client-portal/utils/ticket.ts
deleted file mode 100644
index 04bc09c..0000000
--- a/frontend/modules/client-portal/utils/ticket.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * Format a client-ticket number for display, e.g. `CT-001`.
- */
-export function formatTicketNumber(value: number): string {
-    return `CT-${String(value).padStart(3, '0')}`
-}
-
-/**
- * Extract the numeric id from an API Platform IRI (e.g. `/api/projects/5` → 5).
- * Returns null when the IRI cannot be parsed.
- */
-export function iriToId(iri: string | null | undefined): number | null {
-    if (!iri) {
-        return null
-    }
-    const match = iri.match(/(\d+)$/)
-    return match ? Number(match[1]) : null
-}
diff --git a/frontend/modules/project-management/components/TaskCard.vue b/frontend/modules/project-management/components/TaskCard.vue
index 4c8a970..777087c 100644
--- a/frontend/modules/project-management/components/TaskCard.vue
+++ b/frontend/modules/project-management/components/TaskCard.vue
@@ -20,12 +20,6 @@
                         name="mdi:flag-variant"
                         class="h-3.5 w-3.5 text-red-600"
                     />
-                    <Icon
-                        v-if="task.clientTicket"
-                        name="heroicons:user-circle"
-                        class="h-3.5 w-3.5 text-primary-500"
-                        :title="$t('clientTicket.linkedTooltip', { number: formatTicketNumber(task.clientTicket.number) })"
-                    />
                 </div>
                 <h4 class="line-clamp-2 text-sm font-semibold text-neutral-900">{{ task.title }}</h4>
             </div>
@@ -109,7 +103,6 @@
 
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
-import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/modules/project-management/components/TaskDocumentUpload.vue b/frontend/modules/project-management/components/TaskDocumentUpload.vue
index 951f8ef..d818665 100644
--- a/frontend/modules/project-management/components/TaskDocumentUpload.vue
+++ b/frontend/modules/project-management/components/TaskDocumentUpload.vue
@@ -50,14 +50,13 @@ import { useTaskDocumentService } from '~/modules/project-management/services/ta
 
 const props = defineProps<{
     taskId?: number
-    clientTicketId?: number
 }>()
 
 const emit = defineEmits<{
     uploaded: []
 }>()
 
-const { upload: uploadFile, uploadForClientTicket } = useTaskDocumentService()
+const { upload: uploadFile } = useTaskDocumentService()
 const toast = useToast()
 const { t } = useI18n()
 
@@ -112,8 +111,6 @@ async function processFiles(files: File[]) {
         try {
             if (props.taskId) {
                 await uploadFile(props.taskId, file)
-            } else if (props.clientTicketId) {
-                await uploadForClientTicket(props.clientTicketId, file)
             }
             state.uploading = false
             state.progress = 100
diff --git a/frontend/modules/project-management/components/TaskListItem.vue b/frontend/modules/project-management/components/TaskListItem.vue
index 943dab3..e978073 100644
--- a/frontend/modules/project-management/components/TaskListItem.vue
+++ b/frontend/modules/project-management/components/TaskListItem.vue
@@ -28,12 +28,6 @@
                     name="mdi:flag-variant"
                     class="h-3.5 w-3.5 text-red-600"
                 />
-                <Icon
-                    v-if="task.clientTicket"
-                    name="heroicons:user-circle"
-                    class="h-3.5 w-3.5 text-primary-500"
-                    :title="$t('clientTicket.linkedTooltip', { number: formatTicketNumber(task.clientTicket.number) })"
-                />
             </div>
             <!-- Row 2: title -->
             <h4 class="mt-1 text-sm font-semibold text-neutral-900">{{ task.title }}</h4>
@@ -117,7 +111,6 @@
 
 <script setup lang="ts">
 import type { Task } from '~/modules/project-management/services/dto/task'
-import { formatTicketNumber } from '~/modules/client-portal/utils/ticket'
 
 const props = withDefaults(defineProps<{
     task: Task
diff --git a/frontend/modules/project-management/services/dto/task.ts b/frontend/modules/project-management/services/dto/task.ts
index 211cf2d..3a20502 100644
--- a/frontend/modules/project-management/services/dto/task.ts
+++ b/frontend/modules/project-management/services/dto/task.ts
@@ -28,14 +28,6 @@ export type Task = {
     deadline: string | null
     syncToCalendar: boolean
     calendarSyncError: string | null
-    clientTicket: {
-        id: number
-        '@id'?: string
-        number: number
-        type: 'bug' | 'improvement' | 'other'
-        status: 'new' | 'in_progress' | 'done' | 'rejected'
-        title: string
-    } | null
     recurrence: {
         id: number
         '@id'?: string
diff --git a/frontend/modules/project-management/services/task-documents.ts b/frontend/modules/project-management/services/task-documents.ts
index d3e2ddd..285cc81 100644
--- a/frontend/modules/project-management/services/task-documents.ts
+++ b/frontend/modules/project-management/services/task-documents.ts
@@ -15,13 +15,6 @@ export function useTaskDocumentService() {
         return extractHydraMembers(data)
     }
 
-    async function getByClientTicket(clientTicketId: number): Promise<TaskDocument[]> {
-        const data = await api.get<HydraCollection<TaskDocument>>('/task_documents', {
-            clientTicket: `/api/client_tickets/${clientTicketId}`,
-        })
-        return extractHydraMembers(data)
-    }
-
     async function uploadWithRelation(relationField: string, relationIri: string, file: File): Promise<TaskDocument> {
         const formData = new FormData()
         formData.append('file', file)
@@ -38,10 +31,6 @@ export function useTaskDocumentService() {
         return uploadWithRelation('task', `/api/tasks/${taskId}`, file)
     }
 
-    async function uploadForClientTicket(clientTicketId: number, file: File): Promise<TaskDocument> {
-        return uploadWithRelation('clientTicket', `/api/client_tickets/${clientTicketId}`, file)
-    }
-
     async function linkShare(taskId: number, sharePath: string): Promise<TaskDocument> {
         return $fetch<TaskDocument>(`${baseURL}/task_documents`, {
             method: 'POST',
@@ -69,5 +58,5 @@ export function useTaskDocumentService() {
         return response.text()
     }
 
-    return { getByTask, getByClientTicket, upload, uploadForClientTicket, linkShare, remove, getDownloadUrl, getContent }
+    return { getByTask, upload, linkShare, remove, getDownloadUrl, getContent }
 }
diff --git a/frontend/pages/admin.vue b/frontend/pages/admin.vue
index 1132c1f..668db4e 100644
--- a/frontend/pages/admin.vue
+++ b/frontend/pages/admin.vue
@@ -27,7 +27,6 @@
             <AdminPriorityTab v-if="activeTab === 'priorities'" />
             <AdminTagTab v-if="activeTab === 'tags'" />
             <AdminUserTab v-if="activeTab === 'users'" />
-            <AdminClientTicketTab v-if="activeTab === 'clientTickets'" />
             <AdminRoleTab v-if="activeTab === 'roles' && canViewRoles" />
             <AdminAuditTab v-if="activeTab === 'audit' && canViewAudit" />
             <AdminGiteaTab v-if="activeTab === 'gitea'" />
@@ -57,7 +56,6 @@ const tabs = [
     { key: 'priorities', label: 'Priorités' },
     { key: 'tags', label: 'Tags' },
     { key: 'users', label: 'Utilisateurs' },
-    { key: 'clientTickets', label: t('clientTicket.adminTab') },
     { key: 'roles', label: t('admin.roles.title'), permission: 'core.roles.view' },
     { key: 'audit', label: t('admin.audit.title'), permission: 'core.audit_log.view' },
     { key: 'gitea', label: 'Gitea' },
diff --git a/frontend/services/dto/notification.ts b/frontend/services/dto/notification.ts
index 4c8e293..37d3d45 100644
--- a/frontend/services/dto/notification.ts
+++ b/frontend/services/dto/notification.ts
@@ -1,4 +1,4 @@
-export type NotificationType = 'ticket_created' | 'ticket_status_changed'
+export type NotificationType = 'task_assigned' | 'task_collaborator_added'
 
 export type Notification = {
     '@id'?: string
@@ -7,7 +7,6 @@ export type Notification = {
     type: NotificationType
     title: string
     message: string
-    relatedTicket: string | null
     isRead: boolean
     createdAt: string
 }
diff --git a/frontend/services/dto/user-data.ts b/frontend/services/dto/user-data.ts
index 3b126b3..148bac0 100644
--- a/frontend/services/dto/user-data.ts
+++ b/frontend/services/dto/user-data.ts
@@ -1,15 +1,5 @@
 export type ContractType = 'CDI' | 'CDD' | 'STAGE' | 'ALTERNANCE' | 'AUTRE'
 
-/**
- * Project as embedded in the `me:read` serialization group (id + name).
- * On `/me`, `allowedProjects` is returned as embedded objects, not bare IRIs.
- */
-export type AllowedProject = {
-    '@id'?: string
-    id: number
-    name: string
-}
-
 export type UserData = {
     id: number
     '@id'?: string
@@ -20,9 +10,6 @@ export type UserData = {
     effectivePermissions?: string[]
     avatarUrl?: string | null
     apiToken?: string | null
-    // Client portal
-    client?: string | null                  // IRI of the linked Client (null = internal user)
-    allowedProjects?: AllowedProject[]      // Projects a client user can access (embedded id + name)
     // HR / absence management
     isEmployee?: boolean
     hireDate?: string | null
@@ -40,9 +27,6 @@ export type UserWrite = {
     lastName?: string | null
     plainPassword?: string
     roles: string[]
-    // Client portal
-    client?: string | null
-    allowedProjects?: string[]
     // HR / absence management
     isEmployee?: boolean
     hireDate?: string | null
diff --git a/infra/prod/deploy.sh b/infra/prod/deploy.sh
index e8f189c..1027034 100755
--- a/infra/prod/deploy.sh
+++ b/infra/prod/deploy.sh
@@ -27,6 +27,9 @@ sudo docker compose cp app:/var/www/html/public/maintenance.html public/maintena
 echo "==> Running migrations..."
 sudo docker compose exec -T -u www-data app php bin/console doctrine:migrations:migrate --no-interaction
 
+echo "==> Syncing RBAC permissions catalog..."
+sudo docker compose exec -T -u www-data app php bin/console app:sync-permissions
+
 echo "==> Clearing cache..."
 sudo docker compose exec -T -u www-data app php bin/console cache:clear --env=prod
 sudo docker compose exec -T -u www-data app php bin/console cache:warmup --env=prod
diff --git a/makefile b/makefile
index 9cc9803..440a548 100644
--- a/makefile
+++ b/makefile
@@ -38,7 +38,7 @@ restart: env-init
 	$(DOCKER_COMPOSE) down
 	CURRENT_UID=$(shell id -u) CURRENT_GID=$(shell id -g) $(DOCKER_COMPOSE) up -d
 
-install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate
+install: copy-git-hook composer-install cache-clear node-use build-nuxtJS migration-migrate sync-permissions
 
 # Supprime tout est réinstalle tout (Attention ça supprime la bdd aussi)
 reset: delete_built_dir remove_orphans build-without-cache start wait install
@@ -77,6 +77,10 @@ build-without-cache:
 migration-migrate:
 	$(SYMFONY_CONSOLE) doctrine:migrations:migrate --no-interaction
 
+# Synchronise le catalogue des permissions RBAC depuis les modules actifs
+sync-permissions:
+	$(SYMFONY_CONSOLE) app:sync-permissions
+
 fixtures:
 	$(SYMFONY_CONSOLE) --no-interaction doctrine:fixtures:load
 
@@ -87,6 +91,7 @@ db-reset:
 	$(MAKE) wait
 	$(SYMFONY_CONSOLE) doctrine:database:create --if-not-exists
 	$(MAKE) migration-migrate
+	$(MAKE) sync-permissions
 	$(MAKE) fixtures
 
 # Restart la bdd
diff --git a/migrations/Version20260622090000.php b/migrations/Version20260622090000.php
new file mode 100644
index 0000000..37e8c00
--- /dev/null
+++ b/migrations/Version20260622090000.php
@@ -0,0 +1,120 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Remove the client portal entirely (reverses phases 1 & 3).
+ *
+ * - Drops notification.related_ticket_id (FK/index/column).
+ * - Restores task_document to a task-only model: drops the CHECK constraint and
+ *   client_ticket_id, removes orphan client-ticket-only documents, makes task_id
+ *   NOT NULL again.
+ * - Drops task.client_ticket_id.
+ * - Drops the user_allowed_projects join table and user.client_id.
+ * - Drops the client_ticket table.
+ * - Deletes leftover client accounts (roles contains ROLE_CLIENT): with the portal
+ *   gone every user now resolves to ROLE_USER, so external client accounts MUST be
+ *   removed to avoid silently granting them internal access.
+ *
+ * Lowercase SQL columns; "user" table is quoted. down() recreates the schema
+ * (structure only — deleted client accounts/tickets are not restored).
+ */
+final class Version20260622090000 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Remove client portal: drop client_ticket, related portal columns/links and external client accounts';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // --- notification.related_ticket_id (phase 3) ---
+        $this->addSql('ALTER TABLE notification DROP CONSTRAINT FK_BF5476CA98F144DB');
+        $this->addSql('DROP INDEX idx_notification_related_ticket');
+        $this->addSql('ALTER TABLE notification DROP related_ticket_id');
+
+        // --- task_document: back to task-only ---
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT chk_task_document_target');
+        $this->addSql('ALTER TABLE task_document DROP CONSTRAINT FK_98A9603A9B2097DD');
+        $this->addSql('DROP INDEX IDX_98A9603A9B2097DD');
+        // Remove documents attached only to a client ticket before re-enforcing NOT NULL.
+        $this->addSql('DELETE FROM task_document WHERE task_id IS NULL');
+        $this->addSql('ALTER TABLE task_document DROP client_ticket_id');
+        $this->addSql('ALTER TABLE task_document ALTER task_id SET NOT NULL');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task DROP CONSTRAINT FK_527EDB259B2097DD');
+        $this->addSql('DROP INDEX IDX_527EDB259B2097DD');
+        $this->addSql('ALTER TABLE task DROP client_ticket_id');
+
+        // --- user_allowed_projects ---
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97A76ED395');
+        $this->addSql('ALTER TABLE user_allowed_projects DROP CONSTRAINT FK_B3E0FC97166D1F9C');
+        $this->addSql('DROP TABLE user_allowed_projects');
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" DROP CONSTRAINT FK_8D93D64919EB6921');
+        $this->addSql('DROP INDEX IDX_8D93D64919EB6921');
+        $this->addSql('ALTER TABLE "user" DROP client_id');
+
+        // --- client_ticket table ---
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610166D1F9C');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61079F7D87D');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E610DE12AB56');
+        $this->addSql('ALTER TABLE client_ticket DROP CONSTRAINT FK_C206E61016FE72E1');
+        $this->addSql('DROP TABLE client_ticket');
+
+        // --- external client accounts ---
+        $this->addSql('DELETE FROM "user" WHERE roles::text LIKE \'%ROLE_CLIENT%\'');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // --- client_ticket table ---
+        $this->addSql('CREATE TABLE client_ticket (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, number INT NOT NULL, type VARCHAR(16) NOT NULL, title VARCHAR(255) NOT NULL, description TEXT NOT NULL, url VARCHAR(1024) DEFAULT NULL, status VARCHAR(16) NOT NULL, status_comment TEXT DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, project_id INT NOT NULL, submitted_by_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX uniq_client_ticket_project_number ON client_ticket (project_id, number)');
+        $this->addSql('CREATE INDEX idx_client_ticket_project ON client_ticket (project_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_submitted_by ON client_ticket (submitted_by_id)');
+        $this->addSql('CREATE INDEX idx_client_ticket_status_project ON client_ticket (status, project_id)');
+        $this->addSql('CREATE INDEX IDX_C206E610DE12AB56 ON client_ticket (created_by)');
+        $this->addSql('CREATE INDEX IDX_C206E61016FE72E1 ON client_ticket (updated_by)');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61079F7D87D FOREIGN KEY (submitted_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E610DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE client_ticket ADD CONSTRAINT FK_C206E61016FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+
+        // --- user.client_id ---
+        $this->addSql('ALTER TABLE "user" ADD client_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE "user" ADD CONSTRAINT FK_8D93D64919EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_8D93D64919EB6921 ON "user" (client_id)');
+
+        // --- user_allowed_projects ---
+        $this->addSql('CREATE TABLE user_allowed_projects (user_id INT NOT NULL, project_id INT NOT NULL, PRIMARY KEY (user_id, project_id))');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97A76ED395 ON user_allowed_projects (user_id)');
+        $this->addSql('CREATE INDEX IDX_B3E0FC97166D1F9C ON user_allowed_projects (project_id)');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97A76ED395 FOREIGN KEY (user_id) REFERENCES "user" (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE user_allowed_projects ADD CONSTRAINT FK_B3E0FC97166D1F9C FOREIGN KEY (project_id) REFERENCES project (id) ON DELETE CASCADE NOT DEFERRABLE');
+
+        // --- task.client_ticket_id ---
+        $this->addSql('ALTER TABLE task ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task ADD CONSTRAINT FK_527EDB259B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_527EDB259B2097DD ON task (client_ticket_id)');
+
+        // --- task_document generalisation ---
+        $this->addSql('ALTER TABLE task_document ALTER task_id DROP NOT NULL');
+        $this->addSql('ALTER TABLE task_document ADD client_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT FK_98A9603A9B2097DD FOREIGN KEY (client_ticket_id) REFERENCES client_ticket (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX IDX_98A9603A9B2097DD ON task_document (client_ticket_id)');
+        $this->addSql('ALTER TABLE task_document ADD CONSTRAINT chk_task_document_target CHECK (task_id IS NOT NULL OR client_ticket_id IS NOT NULL)');
+
+        // --- notification.related_ticket_id ---
+        $this->addSql('ALTER TABLE notification ADD related_ticket_id INT DEFAULT NULL');
+        $this->addSql('ALTER TABLE notification ADD CONSTRAINT FK_BF5476CA98F144DB FOREIGN KEY (related_ticket_id) REFERENCES client_ticket (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('CREATE INDEX idx_notification_related_ticket ON notification (related_ticket_id)');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index 1dbbfa2..e6fd000 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -9,9 +9,6 @@ use App\Module\Absence\Domain\Entity\AbsencePolicy;
 use App\Module\Absence\Domain\Entity\AbsenceRequest;
 use App\Module\Absence\Domain\Enum\AbsenceStatus;
 use App\Module\Absence\Domain\Enum\AbsenceType;
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Core\Domain\Enum\ContractType;
@@ -218,53 +215,6 @@ class AppFixtures extends Fixture
         $projectInterne->setWorkflow($standardWorkflow);
         $manager->persist($projectInterne);
 
-        // Client portal users (ROLE_CLIENT) — linked to a client + allowed projects.
-        $clientUserLiot = new User();
-        $clientUserLiot->setUsername('client-liot');
-        $clientUserLiot->setFirstName('Camille');
-        $clientUserLiot->setLastName('LIOT');
-        $clientUserLiot->setRoles(['ROLE_CLIENT']);
-        $clientUserLiot->setPassword($this->passwordHasher->hashPassword($clientUserLiot, 'client-liot'));
-        $clientUserLiot->setClient($clientLiot);
-        $clientUserLiot->addAllowedProject($projectSirh);
-        $manager->persist($clientUserLiot);
-
-        $clientUserAcme = new User();
-        $clientUserAcme->setUsername('client-acme');
-        $clientUserAcme->setFirstName('Sophie');
-        $clientUserAcme->setLastName('ACME');
-        $clientUserAcme->setRoles(['ROLE_CLIENT']);
-        $clientUserAcme->setPassword($this->passwordHasher->hashPassword($clientUserAcme, 'client-acme'));
-        $clientUserAcme->setClient($clientAcme);
-        $clientUserAcme->addAllowedProject($projectCrm);
-        $manager->persist($clientUserAcme);
-
-        // Demo client tickets.
-        $ticketLiot = new ClientTicket();
-        $ticketLiot->setNumber(1);
-        $ticketLiot->setType(ClientTicketType::Bug);
-        $ticketLiot->setTitle('Erreur lors de l\'export des congés');
-        $ticketLiot->setDescription('L\'export PDF des congés échoue avec une erreur 500.');
-        $ticketLiot->setUrl('https://app.example.com/sirh/conges');
-        $ticketLiot->setStatus(ClientTicketStatus::New);
-        $ticketLiot->setProject($projectSirh);
-        $ticketLiot->setSubmittedBy($clientUserLiot);
-        $ticketLiot->setCreatedAt(new DateTimeImmutable());
-        $ticketLiot->setUpdatedAt(new DateTimeImmutable());
-        $manager->persist($ticketLiot);
-
-        $ticketAcme = new ClientTicket();
-        $ticketAcme->setNumber(1);
-        $ticketAcme->setType(ClientTicketType::Improvement);
-        $ticketAcme->setTitle('Ajouter un filtre par commercial');
-        $ticketAcme->setDescription('Pouvoir filtrer la liste des opportunités par commercial assigné.');
-        $ticketAcme->setStatus(ClientTicketStatus::InProgress);
-        $ticketAcme->setProject($projectCrm);
-        $ticketAcme->setSubmittedBy($clientUserAcme);
-        $ticketAcme->setCreatedAt(new DateTimeImmutable());
-        $ticketAcme->setUpdatedAt(new DateTimeImmutable());
-        $manager->persist($ticketAcme);
-
         // Task Efforts
         $effortS = new TaskEffort();
         $effortS->setLabel('S');
diff --git a/src/Module/ClientPortal/ClientPortalModule.php b/src/Module/ClientPortal/ClientPortalModule.php
deleted file mode 100644
index 86fa6ff..0000000
--- a/src/Module/ClientPortal/ClientPortalModule.php
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal;
-
-use App\Shared\Domain\Module\ModuleInterface;
-
-final class ClientPortalModule implements ModuleInterface
-{
-    public static function id(): string
-    {
-        return 'client-portal';
-    }
-
-    public static function label(): string
-    {
-        return 'Portail client';
-    }
-
-    public static function isRequired(): bool
-    {
-        return false;
-    }
-
-    /**
-     * Permissions RBAC fin du Module ClientPortal.
-     *
-     * Additif : alimente le catalogue RBAC. La sécurité des opérations API
-     * reste pilotée par ROLE_CLIENT/ROLE_ADMIN sur les opérations.
-     *
-     * @return list<array{code: string, label: string}>
-     */
-    public static function permissions(): array
-    {
-        return [
-            ['code' => 'client-portal.tickets.view', 'label' => 'Voir les tickets client'],
-            ['code' => 'client-portal.tickets.manage', 'label' => 'Gérer les tickets client'],
-        ];
-    }
-}
diff --git a/src/Module/ClientPortal/Domain/Entity/ClientTicket.php b/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
deleted file mode 100644
index 6884e75..0000000
--- a/src/Module/ClientPortal/Domain/Entity/ClientTicket.php
+++ /dev/null
@@ -1,245 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Domain\Entity;
-
-use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
-use ApiPlatform\Metadata\ApiFilter;
-use ApiPlatform\Metadata\ApiResource;
-use ApiPlatform\Metadata\Delete;
-use ApiPlatform\Metadata\Get;
-use ApiPlatform\Metadata\GetCollection;
-use ApiPlatform\Metadata\Patch;
-use ApiPlatform\Metadata\Post;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
-use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketNumberProcessor;
-use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketProvider;
-use App\Module\ClientPortal\Infrastructure\ApiPlatform\State\ClientTicketStatusProcessor;
-use App\Module\ClientPortal\Infrastructure\Doctrine\DoctrineClientTicketRepository;
-use App\Shared\Domain\Attribute\Auditable;
-use App\Shared\Domain\Contract\BlamableInterface;
-use App\Shared\Domain\Contract\ClientTicketInterface;
-use App\Shared\Domain\Contract\ProjectInterface;
-use App\Shared\Domain\Contract\TimestampableInterface;
-use App\Shared\Domain\Contract\UserInterface;
-use App\Shared\Domain\Trait\TimestampableBlamableTrait;
-use Doctrine\ORM\Mapping as ORM;
-use Symfony\Component\Serializer\Attribute\Groups;
-use Symfony\Component\Validator\Constraints as Assert;
-
-#[ApiResource(
-    operations: [
-        new GetCollection(
-            paginationEnabled: false,
-            security: "is_granted('ROLE_CLIENT') or is_granted('ROLE_ADMIN')",
-            provider: ClientTicketProvider::class,
-        ),
-        new Get(
-            security: "is_granted('ROLE_CLIENT') or is_granted('ROLE_ADMIN')",
-            provider: ClientTicketProvider::class,
-        ),
-        new Post(
-            security: "is_granted('ROLE_CLIENT')",
-            processor: ClientTicketNumberProcessor::class,
-        ),
-        new Patch(
-            security: "is_granted('ROLE_ADMIN')",
-            processor: ClientTicketStatusProcessor::class,
-        ),
-        new Delete(
-            security: "is_granted('ROLE_ADMIN')",
-        ),
-    ],
-    normalizationContext: ['groups' => ['client_ticket:read']],
-    denormalizationContext: ['groups' => ['client_ticket:write']],
-    order: ['createdAt' => 'DESC'],
-)]
-#[ApiFilter(SearchFilter::class, properties: ['project' => 'exact', 'status' => 'exact', 'submittedBy' => 'exact'])]
-#[Auditable]
-#[ORM\Entity(repositoryClass: DoctrineClientTicketRepository::class)]
-#[ORM\Table(name: 'client_ticket')]
-#[ORM\UniqueConstraint(name: 'uniq_client_ticket_project_number', columns: ['project_id', 'number'])]
-#[ORM\Index(name: 'idx_client_ticket_project', columns: ['project_id'])]
-#[ORM\Index(name: 'idx_client_ticket_submitted_by', columns: ['submitted_by_id'])]
-#[ORM\Index(name: 'idx_client_ticket_status_project', columns: ['status', 'project_id'])]
-class ClientTicket implements ClientTicketInterface, TimestampableInterface, BlamableInterface
-{
-    use TimestampableBlamableTrait;
-
-    #[ORM\Id]
-    #[ORM\GeneratedValue]
-    #[ORM\Column]
-    #[Groups(['client_ticket:read', 'task:read'])]
-    private ?int $id = null;
-
-    /** Incremental number, unique per project (formatted CT-XXX in the UI). */
-    #[ORM\Column(type: 'integer')]
-    #[Groups(['client_ticket:read', 'task:read'])]
-    private ?int $number = null;
-
-    #[ORM\Column(type: 'string', length: 16, enumType: ClientTicketType::class)]
-    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
-    #[Assert\NotNull]
-    private ?ClientTicketType $type = null;
-
-    #[ORM\Column(length: 255)]
-    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
-    #[Assert\NotBlank]
-    private ?string $title = null;
-
-    #[ORM\Column(type: 'text')]
-    #[Groups(['client_ticket:read', 'client_ticket:write'])]
-    #[Assert\NotBlank]
-    private ?string $description = null;
-
-    /** Displayed only when type = bug (page concerned by the bug). */
-    #[ORM\Column(length: 1024, nullable: true)]
-    #[Groups(['client_ticket:read', 'client_ticket:write'])]
-    private ?string $url = null;
-
-    #[ORM\Column(type: 'string', length: 16, enumType: ClientTicketStatus::class)]
-    #[Groups(['client_ticket:read', 'client_ticket:write', 'task:read'])]
-    private ClientTicketStatus $status = ClientTicketStatus::New;
-
-    /** Manager comment set when the status changes (mandatory when rejecting). */
-    #[ORM\Column(type: 'text', nullable: true)]
-    #[Groups(['client_ticket:read', 'client_ticket:write'])]
-    private ?string $statusComment = null;
-
-    #[ORM\ManyToOne(targetEntity: ProjectInterface::class)]
-    #[ORM\JoinColumn(name: 'project_id', nullable: false, onDelete: 'CASCADE')]
-    #[Groups(['client_ticket:read', 'client_ticket:write'])]
-    #[Assert\NotNull]
-    private ?ProjectInterface $project = null;
-
-    /** Client user who submitted the ticket. ON DELETE SET NULL — keep history. */
-    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
-    #[ORM\JoinColumn(name: 'submitted_by_id', nullable: true, onDelete: 'SET NULL')]
-    #[Groups(['client_ticket:read'])]
-    private ?UserInterface $submittedBy = null;
-
-    public function getId(): ?int
-    {
-        return $this->id;
-    }
-
-    public function getNumber(): ?int
-    {
-        return $this->number;
-    }
-
-    public function setNumber(int $number): static
-    {
-        $this->number = $number;
-
-        return $this;
-    }
-
-    public function getTypeEnum(): ?ClientTicketType
-    {
-        return $this->type;
-    }
-
-    public function setType(?ClientTicketType $type): static
-    {
-        $this->type = $type;
-
-        return $this;
-    }
-
-    public function getType(): string
-    {
-        return $this->type?->value ?? '';
-    }
-
-    public function getTitle(): ?string
-    {
-        return $this->title;
-    }
-
-    public function setTitle(?string $title): static
-    {
-        $this->title = $title;
-
-        return $this;
-    }
-
-    public function getDescription(): ?string
-    {
-        return $this->description;
-    }
-
-    public function setDescription(?string $description): static
-    {
-        $this->description = $description;
-
-        return $this;
-    }
-
-    public function getUrl(): ?string
-    {
-        return $this->url;
-    }
-
-    public function setUrl(?string $url): static
-    {
-        $this->url = $url;
-
-        return $this;
-    }
-
-    public function getStatusEnum(): ClientTicketStatus
-    {
-        return $this->status;
-    }
-
-    public function setStatus(ClientTicketStatus $status): static
-    {
-        $this->status = $status;
-
-        return $this;
-    }
-
-    public function getStatus(): string
-    {
-        return $this->status->value;
-    }
-
-    public function getStatusComment(): ?string
-    {
-        return $this->statusComment;
-    }
-
-    public function setStatusComment(?string $statusComment): static
-    {
-        $this->statusComment = $statusComment;
-
-        return $this;
-    }
-
-    public function getProject(): ?ProjectInterface
-    {
-        return $this->project;
-    }
-
-    public function setProject(?ProjectInterface $project): static
-    {
-        $this->project = $project;
-
-        return $this;
-    }
-
-    public function getSubmittedBy(): ?UserInterface
-    {
-        return $this->submittedBy;
-    }
-
-    public function setSubmittedBy(?UserInterface $submittedBy): static
-    {
-        $this->submittedBy = $submittedBy;
-
-        return $this;
-    }
-}
diff --git a/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php b/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
deleted file mode 100644
index 4707168..0000000
--- a/src/Module/ClientPortal/Domain/Enum/ClientTicketStatus.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Domain\Enum;
-
-enum ClientTicketStatus: string
-{
-    case New        = 'new';
-    case InProgress = 'in_progress';
-    case Done       = 'done';
-    case Rejected   = 'rejected';
-
-    public function label(): string
-    {
-        return match ($this) {
-            self::New        => 'Nouveau',
-            self::InProgress => 'En cours',
-            self::Done       => 'Terminé',
-            self::Rejected   => 'Rejeté',
-        };
-    }
-
-    /**
-     * Whether a transition from this status to $target is allowed.
-     *
-     * All transitions are allowed except `done` -> `new` and `rejected` -> `new`.
-     */
-    public function canTransitionTo(self $target): bool
-    {
-        if (self::New === $target && (self::Done === $this || self::Rejected === $this)) {
-            return false;
-        }
-
-        return true;
-    }
-}
diff --git a/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php b/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
deleted file mode 100644
index 463c0ba..0000000
--- a/src/Module/ClientPortal/Domain/Enum/ClientTicketType.php
+++ /dev/null
@@ -1,21 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Domain\Enum;
-
-enum ClientTicketType: string
-{
-    case Bug         = 'bug';
-    case Improvement = 'improvement';
-    case Other       = 'other';
-
-    public function label(): string
-    {
-        return match ($this) {
-            self::Bug         => 'Bug',
-            self::Improvement => 'Amélioration',
-            self::Other       => 'Autre',
-        };
-    }
-}
diff --git a/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php b/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
deleted file mode 100644
index 477eecd..0000000
--- a/src/Module/ClientPortal/Domain/Repository/ClientTicketRepositoryInterface.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Domain\Repository;
-
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-
-interface ClientTicketRepositoryInterface
-{
-    public function findById(int $id): ?ClientTicket;
-
-    /**
-     * Highest ticket number currently used on a given project, behind a
-     * PostgreSQL advisory transaction lock so concurrent inserts serialize.
-     * Returns 0 if the project has no ticket yet. Must run inside a transaction.
-     */
-    public function findMaxNumberByProjectForUpdate(int $projectId): int;
-}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
deleted file mode 100644
index 44b5c47..0000000
--- a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketNumberProcessor.php
+++ /dev/null
@@ -1,126 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
-
-use ApiPlatform\Metadata\Operation;
-use ApiPlatform\State\ProcessorInterface;
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
-use App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface;
-use App\Module\Core\Domain\Repository\UserRepositoryInterface;
-use App\Shared\Domain\Contract\NotifierInterface;
-use App\Shared\Domain\Contract\ProjectInterface;
-use App\Shared\Domain\Contract\UserInterface;
-use DateTimeImmutable;
-use Doctrine\ORM\EntityManagerInterface;
-use Symfony\Bundle\SecurityBundle\Security;
-use Symfony\Component\DependencyInjection\Attribute\Autowire;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
-use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
-use Throwable;
-
-/**
- * Handles creation of a client ticket (POST).
- *
- * - Rejects users whose `client` is null (an admin inheriting ROLE_CLIENT via
- *   the role hierarchy cannot create a ticket).
- * - Enforces that the target project belongs to the user's allowed projects.
- * - Sets submittedBy, status = new, timestamps.
- * - Generates the per-project incremental number behind an advisory lock so the
- *   unique constraint `(project_id, number)` is never violated by concurrency.
- *
- * @implements ProcessorInterface<ClientTicket, ClientTicket>
- */
-final readonly class ClientTicketNumberProcessor implements ProcessorInterface
-{
-    /**
-     * @param ProcessorInterface<ClientTicket, ClientTicket> $persistProcessor
-     */
-    public function __construct(
-        #[Autowire(service: 'api_platform.doctrine.orm.state.persist_processor')]
-        private ProcessorInterface $persistProcessor,
-        private ClientTicketRepositoryInterface $repository,
-        private EntityManagerInterface $entityManager,
-        private Security $security,
-        private NotifierInterface $notifier,
-        private UserRepositoryInterface $userRepository,
-    ) {}
-
-    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
-    {
-        assert($data instanceof ClientTicket);
-
-        $user = $this->security->getUser();
-        assert($user instanceof UserInterface);
-
-        // An admin must not be able to create a ticket even though ROLE_ADMIN
-        // inherits ROLE_CLIENT in the role hierarchy.
-        if (null === $user->getClient()) {
-            throw new AccessDeniedHttpException('Only client users can submit tickets.');
-        }
-
-        $project = $data->getProject();
-        if (!$project instanceof ProjectInterface) {
-            throw new UnprocessableEntityHttpException('A project is required.');
-        }
-
-        if (!$this->userMayAccessProject($user, $project)) {
-            throw new AccessDeniedHttpException('You are not allowed to submit tickets on this project.');
-        }
-
-        $data->setSubmittedBy($user);
-        $data->setStatus(ClientTicketStatus::New);
-        $data->setStatusComment(null);
-
-        $now = new DateTimeImmutable();
-        $data->setCreatedAt($now);
-        $data->setUpdatedAt($now);
-
-        $ticket = $this->entityManager->wrapInTransaction(function () use ($data, $project, $operation, $uriVariables, $context): ClientTicket {
-            $maxNumber = $this->repository->findMaxNumberByProjectForUpdate((int) $project->getId());
-            $data->setNumber($maxNumber + 1);
-
-            $result = $this->persistProcessor->process($data, $operation, $uriVariables, $context);
-            assert($result instanceof ClientTicket);
-
-            return $result;
-        });
-
-        // Notify admins after the ticket is committed; never let a notification
-        // failure roll back or break the creation.
-        $this->notifyAdmins($ticket, $project);
-
-        return $ticket;
-    }
-
-    private function notifyAdmins(ClientTicket $ticket, ProjectInterface $project): void
-    {
-        try {
-            $number      = sprintf('CT-%03d', (int) $ticket->getNumber());
-            $projectName = $project->getName() ?? '';
-            $title       = sprintf('Nouveau ticket client %s', $number);
-            $message     = '' !== $projectName
-                ? sprintf('« %s » — %s', (string) $ticket->getTitle(), $projectName)
-                : sprintf('« %s »', (string) $ticket->getTitle());
-
-            foreach ($this->userRepository->findByRole('ROLE_ADMIN') as $admin) {
-                $this->notifier->notify($admin, 'ticket_created', $title, $message, $ticket);
-            }
-        } catch (Throwable) {
-            // Tolerant: ticket creation must succeed even if notifications fail.
-        }
-    }
-
-    private function userMayAccessProject(UserInterface $user, ProjectInterface $project): bool
-    {
-        foreach ($user->getAllowedProjects() as $allowed) {
-            if ($allowed->getId() === $project->getId()) {
-                return true;
-            }
-        }
-
-        return false;
-    }
-}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
deleted file mode 100644
index fb52021..0000000
--- a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketProvider.php
+++ /dev/null
@@ -1,124 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
-
-use ApiPlatform\Metadata\Operation;
-use ApiPlatform\State\ProviderInterface;
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Shared\Domain\Contract\ProjectInterface;
-use App\Shared\Domain\Contract\UserInterface;
-use Doctrine\ORM\EntityManagerInterface;
-use Symfony\Bundle\SecurityBundle\Security;
-
-/**
- * Provider for ClientTicket read operations.
- *
- * - ROLE_ADMIN: no restriction.
- * - ROLE_CLIENT: only tickets the user submitted, and only on projects the
- *   user is allowed to access (allowedProjects).
- *
- * @implements ProviderInterface<ClientTicket>
- */
-final readonly class ClientTicketProvider implements ProviderInterface
-{
-    public function __construct(
-        private EntityManagerInterface $entityManager,
-        private Security $security,
-    ) {}
-
-    public function provide(Operation $operation, array $uriVariables = [], array $context = []): array|ClientTicket|null
-    {
-        $user = $this->security->getUser();
-        assert($user instanceof UserInterface);
-
-        $isAdmin = $this->security->isGranted('ROLE_ADMIN');
-
-        $repo = $this->entityManager->getRepository(ClientTicket::class);
-
-        // Single item.
-        if (isset($uriVariables['id'])) {
-            $ticket = $repo->find($uriVariables['id']);
-            if (null === $ticket) {
-                return null;
-            }
-            if ($isAdmin) {
-                return $ticket;
-            }
-            if ($ticket->getSubmittedBy() !== $user) {
-                return null;
-            }
-            if (!$this->userMayAccessProject($user, $ticket->getProject())) {
-                return null;
-            }
-
-            return $ticket;
-        }
-
-        // Collection.
-        $qb = $repo->createQueryBuilder('t')
-            ->orderBy('t.createdAt', 'DESC')
-        ;
-
-        if (!$isAdmin) {
-            $qb->andWhere('t.submittedBy = :user')->setParameter('user', $user);
-
-            $allowedIds = $this->allowedProjectIds($user);
-            if ([] === $allowedIds) {
-                return [];
-            }
-            $qb->andWhere('IDENTITY(t.project) IN (:allowedProjects)')
-                ->setParameter('allowedProjects', $allowedIds)
-            ;
-        }
-
-        $filters = $context['filters'] ?? [];
-
-        if (isset($filters['project'])) {
-            $qb->andWhere('IDENTITY(t.project) = :project')
-                ->setParameter('project', self::extractId($filters['project']))
-            ;
-        }
-        if (isset($filters['status'])) {
-            $qb->andWhere('t.status = :status')->setParameter('status', $filters['status']);
-        }
-        if ($isAdmin && isset($filters['submittedBy'])) {
-            $qb->andWhere('t.submittedBy = :submittedBy')
-                ->setParameter('submittedBy', self::extractId($filters['submittedBy']))
-            ;
-        }
-
-        return $qb->getQuery()->getResult();
-    }
-
-    private function userMayAccessProject(UserInterface $user, ?ProjectInterface $project): bool
-    {
-        if (null === $project) {
-            return false;
-        }
-
-        return in_array($project->getId(), $this->allowedProjectIds($user), true);
-    }
-
-    /**
-     * @return list<int>
-     */
-    private function allowedProjectIds(UserInterface $user): array
-    {
-        $ids = [];
-        foreach ($user->getAllowedProjects() as $project) {
-            $id = $project->getId();
-            if (null !== $id) {
-                $ids[] = $id;
-            }
-        }
-
-        return $ids;
-    }
-
-    private static function extractId(string $value): int
-    {
-        return is_numeric($value) ? (int) $value : (int) basename($value);
-    }
-}
diff --git a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php b/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
deleted file mode 100644
index 64a78de..0000000
--- a/src/Module/ClientPortal/Infrastructure/ApiPlatform/State/ClientTicketStatusProcessor.php
+++ /dev/null
@@ -1,88 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Infrastructure\ApiPlatform\State;
-
-use ApiPlatform\Metadata\Operation;
-use ApiPlatform\State\ProcessorInterface;
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
-use App\Shared\Domain\Contract\NotifierInterface;
-use App\Shared\Domain\Contract\UserInterface;
-use DateTimeImmutable;
-use Doctrine\ORM\EntityManagerInterface;
-use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
-use Throwable;
-
-/**
- * Handles status changes on a client ticket (PATCH, ROLE_ADMIN only).
- *
- * - Rejects the forbidden transitions `done` -> `new` and `rejected` -> `new`.
- * - Requires a statusComment when moving to the `rejected` status.
- * - Refreshes updatedAt.
- *
- * @implements ProcessorInterface<ClientTicket, ClientTicket>
- */
-final readonly class ClientTicketStatusProcessor implements ProcessorInterface
-{
-    public function __construct(
-        private EntityManagerInterface $entityManager,
-        private NotifierInterface $notifier,
-    ) {}
-
-    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
-    {
-        assert($data instanceof ClientTicket);
-
-        $newStatus = $data->getStatusEnum();
-
-        $previous  = $context['previous_data'] ?? null;
-        $oldStatus = $previous instanceof ClientTicket ? $previous->getStatusEnum() : null;
-
-        if (null !== $oldStatus && !$oldStatus->canTransitionTo($newStatus)) {
-            throw new UnprocessableEntityHttpException(sprintf(
-                'Transition from "%s" to "%s" is not allowed.',
-                $oldStatus->value,
-                $newStatus->value,
-            ));
-        }
-
-        if (ClientTicketStatus::Rejected === $newStatus && '' === trim((string) $data->getStatusComment())) {
-            throw new UnprocessableEntityHttpException('A status comment is required to reject a ticket.');
-        }
-
-        $data->setUpdatedAt(new DateTimeImmutable());
-
-        $this->entityManager->persist($data);
-        $this->entityManager->flush();
-
-        // Notify the submitter when the status actually changed.
-        if ($oldStatus !== $newStatus) {
-            $this->notifySubmitter($data, $newStatus);
-        }
-
-        return $data;
-    }
-
-    private function notifySubmitter(ClientTicket $ticket, ClientTicketStatus $newStatus): void
-    {
-        $submitter = $ticket->getSubmittedBy();
-        if (!$submitter instanceof UserInterface) {
-            return;
-        }
-
-        try {
-            $number  = sprintf('CT-%03d', (int) $ticket->getNumber());
-            $title   = sprintf('Ticket %s mis à jour', $number);
-            $comment = trim((string) $ticket->getStatusComment());
-            $message = '' !== $comment
-                ? sprintf('%s — %s', $newStatus->label(), $comment)
-                : $newStatus->label();
-
-            $this->notifier->notify($submitter, 'ticket_status_changed', $title, $message, $ticket);
-        } catch (Throwable) {
-            // Tolerant: the status change must succeed even if notifications fail.
-        }
-    }
-}
diff --git a/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php b/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
deleted file mode 100644
index 14e4ba4..0000000
--- a/src/Module/ClientPortal/Infrastructure/Doctrine/DoctrineClientTicketRepository.php
+++ /dev/null
@@ -1,46 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Module\ClientPortal\Infrastructure\Doctrine;
-
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Module\ClientPortal\Domain\Repository\ClientTicketRepositoryInterface;
-use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Doctrine\Persistence\ManagerRegistry;
-
-/**
- * @extends ServiceEntityRepository<ClientTicket>
- */
-final class DoctrineClientTicketRepository extends ServiceEntityRepository implements ClientTicketRepositoryInterface
-{
-    public function __construct(ManagerRegistry $registry)
-    {
-        parent::__construct($registry, ClientTicket::class);
-    }
-
-    public function findById(int $id): ?ClientTicket
-    {
-        return $this->find($id);
-    }
-
-    public function findMaxNumberByProjectForUpdate(int $projectId): int
-    {
-        $conn = $this->getEntityManager()->getConnection();
-
-        // Use a PostgreSQL advisory lock (project ID as lock key) instead of
-        // FOR UPDATE because FOR UPDATE is not allowed with aggregate functions
-        // in PostgreSQL. The lock is held until the surrounding transaction ends.
-        $conn->executeStatement(
-            'SELECT pg_advisory_xact_lock(:project)',
-            ['project' => $projectId],
-        );
-
-        $result = $conn->fetchOne(
-            'SELECT COALESCE(MAX(number), 0) FROM client_ticket WHERE project_id = :project',
-            ['project' => $projectId],
-        );
-
-        return (int) $result;
-    }
-}
diff --git a/src/Module/Core/Domain/Entity/Notification.php b/src/Module/Core/Domain/Entity/Notification.php
index 41756ff..1eded34 100644
--- a/src/Module/Core/Domain/Entity/Notification.php
+++ b/src/Module/Core/Domain/Entity/Notification.php
@@ -9,7 +9,6 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use App\Module\Core\Infrastructure\ApiPlatform\State\NotificationProvider;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineNotificationRepository;
-use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\DBAL\Types\Types;
@@ -33,7 +32,6 @@ use Symfony\Component\Serializer\Attribute\Groups;
 #[ORM\Entity(repositoryClass: DoctrineNotificationRepository::class)]
 #[ORM\Index(columns: ['user_id'], name: 'idx_notification_user')]
 #[ORM\Index(columns: ['user_id', 'is_read'], name: 'idx_notification_user_read')]
-#[ORM\Index(columns: ['related_ticket_id'], name: 'idx_notification_related_ticket')]
 class Notification
 {
     #[ORM\Id]
@@ -59,12 +57,6 @@ class Notification
     #[Groups(['notification:read'])]
     private ?string $message = null;
 
-    /** Optional link to the client ticket this notification relates to. */
-    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
-    #[ORM\JoinColumn(name: 'related_ticket_id', nullable: true, onDelete: 'SET NULL')]
-    #[Groups(['notification:read'])]
-    private ?ClientTicketInterface $relatedTicket = null;
-
     #[ORM\Column]
     #[Groups(['notification:read', 'notification:write'])]
     private bool $isRead = false;
@@ -126,18 +118,6 @@ class Notification
         return $this;
     }
 
-    public function getRelatedTicket(): ?ClientTicketInterface
-    {
-        return $this->relatedTicket;
-    }
-
-    public function setRelatedTicket(?ClientTicketInterface $relatedTicket): static
-    {
-        $this->relatedTicket = $relatedTicket;
-
-        return $this;
-    }
-
     public function isRead(): bool
     {
         return $this->isRead;
diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index 88f104e..f3fbdab 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -18,9 +18,7 @@ use App\Module\Core\Infrastructure\ApiPlatform\State\UserPasswordHasherProcessor
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
 use App\Shared\Domain\Attribute\Auditable;
 use App\Shared\Domain\Attribute\AuditIgnore;
-use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\LeaveProfileInterface;
-use App\Shared\Domain\Contract\ProjectInterface;
 use App\Shared\Domain\Contract\UserInterface as SharedUserInterface;
 use DateTimeImmutable;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -177,34 +175,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     #[Groups(['user:rbac:read', 'user:rbac:write'])]
     private Collection $directPermissions;
 
-    // --- Client portal fields ---
-
-    /** Client this user belongs to. null = internal user, set = client user. */
-    #[ORM\ManyToOne(targetEntity: ClientInterface::class)]
-    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
-    #[Groups(['me:read', 'user:read', 'user:write'])]
-    private ?ClientInterface $client = null;
-
-    /**
-     * Projects a client user is allowed to access (a subset of the client's projects).
-     *
-     * @var Collection<int, ProjectInterface>
-     */
-    #[ORM\ManyToMany(targetEntity: ProjectInterface::class)]
-    #[ORM\JoinTable(
-        name: 'user_allowed_projects',
-        joinColumns: [new ORM\JoinColumn(name: 'user_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
-        inverseJoinColumns: [new ORM\JoinColumn(name: 'project_id', referencedColumnName: 'id', onDelete: 'CASCADE')],
-    )]
-    #[Groups(['me:read', 'user:read', 'user:write'])]
-    private Collection $allowedProjects;
-
     public function __construct()
     {
         $this->createdAt         = new DateTimeImmutable();
         $this->rbacRoles         = new ArrayCollection();
         $this->directPermissions = new ArrayCollection();
-        $this->allowedProjects   = new ArrayCollection();
     }
 
     public function getId(): ?int
@@ -258,11 +233,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     {
         $roles = $this->roles;
 
-        // A client user must NOT inherit ROLE_USER (which would grant access to
-        // the internal application). Only non-client users get ROLE_USER.
-        if (!in_array('ROLE_CLIENT', $roles, true)) {
-            $roles[] = 'ROLE_USER';
-        }
+        // Every authenticated user gets ROLE_USER.
+        $roles[] = 'ROLE_USER';
 
         return array_values(array_unique($roles));
     }
@@ -486,42 +458,6 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
         $this->directPermissions->removeElement($permission);
     }
 
-    public function getClient(): ?ClientInterface
-    {
-        return $this->client;
-    }
-
-    public function setClient(?ClientInterface $client): static
-    {
-        $this->client = $client;
-
-        return $this;
-    }
-
-    /**
-     * @return Collection<int, ProjectInterface>
-     */
-    public function getAllowedProjects(): Collection
-    {
-        return $this->allowedProjects;
-    }
-
-    public function addAllowedProject(ProjectInterface $project): static
-    {
-        if (!$this->allowedProjects->contains($project)) {
-            $this->allowedProjects->add($project);
-        }
-
-        return $this;
-    }
-
-    public function removeAllowedProject(ProjectInterface $project): static
-    {
-        $this->allowedProjects->removeElement($project);
-
-        return $this;
-    }
-
     /**
      * Permissions effectives = union (rôles RBAC → permissions) ∪ (permissions directes), triée, dédupliquée.
      *
diff --git a/src/Module/Core/Infrastructure/Notifier.php b/src/Module/Core/Infrastructure/Notifier.php
index 38a1cbf..83e4a31 100644
--- a/src/Module/Core/Infrastructure/Notifier.php
+++ b/src/Module/Core/Infrastructure/Notifier.php
@@ -5,7 +5,6 @@ declare(strict_types=1);
 namespace App\Module\Core\Infrastructure;
 
 use App\Module\Core\Domain\Entity\Notification;
-use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\NotifierInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
@@ -20,14 +19,12 @@ final readonly class Notifier implements NotifierInterface
         string $type,
         string $title,
         string $message,
-        ?ClientTicketInterface $relatedTicket = null,
     ): void {
         $notification = new Notification();
         $notification->setUser($user);
         $notification->setType($type);
         $notification->setTitle($title);
         $notification->setMessage($message);
-        $notification->setRelatedTicket($relatedTicket);
         $notification->setCreatedAt(new DateTimeImmutable());
 
         $this->em->persist($notification);
diff --git a/src/Module/ProjectManagement/Domain/Entity/Task.php b/src/Module/ProjectManagement/Domain/Entity/Task.php
index 28b0b72..661a531 100644
--- a/src/Module/ProjectManagement/Domain/Entity/Task.php
+++ b/src/Module/ProjectManagement/Domain/Entity/Task.php
@@ -19,7 +19,6 @@ use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskCalendarPr
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskNumberProcessor;
 use App\Module\ProjectManagement\Infrastructure\Doctrine\DoctrineTaskRepository;
 use App\Shared\Domain\Contract\BlamableInterface;
-use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\TaskInterface;
 use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
@@ -164,16 +163,6 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
     #[Groups(['task:read', 'task:write'])]
     private ?TaskRecurrence $recurrence = null;
 
-    /**
-     * Optional manual link to a client ticket. Exposed (number/type/status/title)
-     * in task:read so the kanban can show the linked-ticket icon without giving
-     * ROLE_USER access to the /api/client_tickets collection.
-     */
-    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
-    #[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
-    #[Groups(['task:read', 'task:write'])]
-    private ?ClientTicketInterface $clientTicket = null;
-
     public function __construct()
     {
         $this->tags          = new ArrayCollection();
@@ -452,18 +441,6 @@ class Task implements TaskInterface, TimestampableInterface, BlamableInterface
         return $this;
     }
 
-    public function getClientTicket(): ?ClientTicketInterface
-    {
-        return $this->clientTicket;
-    }
-
-    public function setClientTicket(?ClientTicketInterface $clientTicket): static
-    {
-        $this->clientTicket = $clientTicket;
-
-        return $this;
-    }
-
     #[Assert\Callback]
     public function validateScheduledDates(ExecutionContextInterface $context): void
     {
diff --git a/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
index 6cb79eb..3d2d5f3 100644
--- a/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
+++ b/src/Module/ProjectManagement/Domain/Entity/TaskDocument.php
@@ -14,7 +14,6 @@ use ApiPlatform\Metadata\Post;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProcessor;
 use App\Module\ProjectManagement\Infrastructure\ApiPlatform\State\TaskDocumentProvider;
 use App\Module\ProjectManagement\Infrastructure\EventListener\TaskDocumentListener;
-use App\Shared\Domain\Contract\ClientTicketInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\Mapping as ORM;
@@ -22,10 +21,10 @@ use Symfony\Component\Serializer\Attribute\Groups;
 
 #[ApiResource(
     operations: [
-        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
-        new Get(security: "is_granted('ROLE_USER') or is_granted('ROLE_CLIENT')", provider: TaskDocumentProvider::class),
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
+        new Get(security: "is_granted('ROLE_USER')", provider: TaskDocumentProvider::class),
         new Post(
-            security: "is_granted('ROLE_ADMIN') or is_granted('ROLE_CLIENT')",
+            security: "is_granted('ROLE_ADMIN')",
             processor: TaskDocumentProcessor::class,
             deserialize: false,
         ),
@@ -35,11 +34,9 @@ use Symfony\Component\Serializer\Attribute\Groups;
     denormalizationContext: ['groups' => ['task_document:write']],
     order: ['id' => 'DESC'],
 )]
-#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact', 'clientTicket' => 'exact'])]
+#[ApiFilter(SearchFilter::class, properties: ['task' => 'exact'])]
 #[ORM\Entity]
 #[ORM\EntityListeners([TaskDocumentListener::class])]
-// A document must be attached to either a task or a client ticket.
-#[ORM\Table(name: 'task_document')]
 class TaskDocument
 {
     #[ORM\Id]
@@ -49,16 +46,10 @@ class TaskDocument
     private ?int $id = null;
 
     #[ORM\ManyToOne(targetEntity: Task::class, inversedBy: 'documents')]
-    #[ORM\JoinColumn(name: 'task_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[ORM\JoinColumn(nullable: false, onDelete: 'CASCADE')]
     #[Groups(['task_document:read', 'task_document:write'])]
     private ?Task $task = null;
 
-    /** Client ticket this document is attached to (alternative to task). */
-    #[ORM\ManyToOne(targetEntity: ClientTicketInterface::class)]
-    #[ORM\JoinColumn(name: 'client_ticket_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
-    #[Groups(['task_document:read', 'task_document:write', 'client_ticket:read'])]
-    private ?ClientTicketInterface $clientTicket = null;
-
     #[ORM\Column(length: 255)]
     #[Groups(['task_document:read', 'task:read'])]
     private ?string $originalName = null;
@@ -109,18 +100,6 @@ class TaskDocument
         return $this;
     }
 
-    public function getClientTicket(): ?ClientTicketInterface
-    {
-        return $this->clientTicket;
-    }
-
-    public function setClientTicket(?ClientTicketInterface $clientTicket): static
-    {
-        $this->clientTicket = $clientTicket;
-
-        return $this;
-    }
-
     public function getOriginalName(): ?string
     {
         return $this->originalName;
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
index ed2b949..5c579c9 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProcessor.php
@@ -14,8 +14,6 @@ use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\Integration\Domain\Service\SharePathResolver;
 use App\Module\ProjectManagement\Domain\Entity\Task;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
-use App\Shared\Domain\Contract\ClientTicketInterface;
-use App\Shared\Domain\Contract\UserInterface;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -77,12 +75,11 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
      */
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TaskDocument
     {
-        // Défense en profondeur : l'opération Post est déjà protégée par
-        // ROLE_ADMIN ou ROLE_CLIENT, mais on re-vérifie ici pour que les deux
-        // chemins (upload ET lien partage) restent sûrs si la configuration de
-        // sécurité de l'opération venait à changer.
-        if (!$this->security->isGranted('ROLE_ADMIN') && !$this->security->isGranted('ROLE_CLIENT')) {
-            throw new AccessDeniedHttpException('Creating documents requires admin or client privileges.');
+        // Défense en profondeur : l'opération Post est déjà protégée par ROLE_ADMIN, mais on
+        // re-vérifie ici pour que les deux chemins (upload ET lien partage) restent sûrs si la
+        // configuration de sécurité de l'opération venait à changer.
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating task documents requires admin privileges.');
         }
 
         $request = $this->requestStack->getCurrentRequest();
@@ -94,14 +91,6 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         // Deux modes de création : upload d'un fichier (multipart) ou lien vers un fichier du partage SMB (JSON).
         $sharePath = $this->extractSharePath($request);
 
-        // Sécurité : un utilisateur client ne peut PAS créer de lien vers le
-        // partage SMB interne (référence de fichier arbitraire hors de son
-        // périmètre) — seul le téléversement lui est permis. Le lien partage
-        // reste réservé aux administrateurs.
-        if (null !== $sharePath && !$this->security->isGranted('ROLE_ADMIN')) {
-            throw new AccessDeniedHttpException('Les utilisateurs clients ne peuvent pas créer de lien vers le partage ; un téléversement est requis.');
-        }
-
         $document = null !== $sharePath
             ? $this->createShareLink($request, $sharePath)
             : $this->createUpload($request);
@@ -147,6 +136,8 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
             throw new BadRequestHttpException('File size exceeds 50 MB limit.');
         }
 
+        $task = $this->resolveTask($request->request->get('task', ''));
+
         // Use server-detected MIME type (finfo), not the client-supplied one
         $originalName = $file->getClientOriginalName();
         $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
@@ -166,7 +157,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         $file->move($this->uploadDir, $fileName);
 
         $document = new TaskDocument();
-        $this->attachTarget($document, $request);
+        $document->setTask($task);
         $document->setOriginalName($originalName);
         $document->setFileName($fileName);
         $document->setMimeType($mimeType);
@@ -177,6 +168,15 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
 
     private function createShareLink(Request $request, string $rawSharePath): TaskDocument
     {
+        $taskIri = $request->request->get('task');
+
+        if (!is_string($taskIri) || '' === $taskIri) {
+            $payload = json_decode($request->getContent() ?: '{}', true);
+            $taskIri = is_array($payload) ? ($payload['task'] ?? '') : '';
+        }
+
+        $task = $this->resolveTask((string) $taskIri);
+
         try {
             $path = $this->pathResolver->normalizeRelative($rawSharePath);
         } catch (InvalidPathException) {
@@ -198,7 +198,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         }
 
         $document = new TaskDocument();
-        $this->attachTarget($document, $request);
+        $document->setTask($task);
         $document->setOriginalName($entry->name);
         $document->setSharePath($path);
         $document->setMimeType($entry->mimeType);
@@ -233,61 +233,12 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
         return null;
     }
 
-    /**
-     * Attaches the document to a task OR a client ticket, enforcing per-role
-     * access. Exactly one of the two targets must be provided.
-     *
-     * - ROLE_ADMIN may attach to any task or any client ticket.
-     * - ROLE_CLIENT may only attach to a client ticket they submitted, and may
-     *   never attach to a task.
-     */
-    private function attachTarget(TaskDocument $document, Request $request): void
-    {
-        $taskIri         = $this->readField($request, 'task');
-        $clientTicketIri = $this->readField($request, 'clientTicket');
-
-        if ('' === $taskIri && '' === $clientTicketIri) {
-            throw new BadRequestHttpException('A task or a clientTicket IRI is required.');
-        }
-        if ('' !== $taskIri && '' !== $clientTicketIri) {
-            throw new BadRequestHttpException('Provide either a task or a clientTicket, not both.');
-        }
-
-        $isClient = $this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN');
-
-        if ('' !== $clientTicketIri) {
-            $document->setClientTicket($this->resolveClientTicket($clientTicketIri, $isClient));
-
-            return;
-        }
-
-        if ($isClient) {
-            throw new AccessDeniedHttpException('Client users can only attach documents to a client ticket.');
-        }
-
-        $document->setTask($this->resolveTask($taskIri));
-    }
-
-    private function readField(Request $request, string $field): string
-    {
-        $value = $request->request->get($field);
-
-        if (is_string($value) && '' !== $value) {
-            return $value;
-        }
-
-        if (str_contains((string) $request->headers->get('Content-Type'), 'application/json')) {
-            $payload = json_decode($request->getContent() ?: '{}', true);
-            if (is_array($payload) && isset($payload[$field]) && is_string($payload[$field])) {
-                return $payload[$field];
-            }
-        }
-
-        return '';
-    }
-
     private function resolveTask(string $taskIri): Task
     {
+        if ('' === $taskIri) {
+            throw new BadRequestHttpException('A task IRI is required.');
+        }
+
         $task = $this->entityManager->getRepository(Task::class)->find((int) basename($taskIri));
 
         if (null === $task) {
@@ -296,24 +247,4 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
 
         return $task;
     }
-
-    private function resolveClientTicket(string $ticketIri, bool $isClient): ClientTicketInterface
-    {
-        $ticket = $this->entityManager->getRepository(ClientTicketInterface::class)->find((int) basename($ticketIri));
-
-        if (null === $ticket) {
-            throw new BadRequestHttpException('Client ticket not found.');
-        }
-
-        if ($isClient) {
-            $user = $this->security->getUser();
-            assert($user instanceof UserInterface);
-
-            if ($ticket->getSubmittedBy() !== $user) {
-                throw new AccessDeniedHttpException('You can only attach documents to your own tickets.');
-            }
-        }
-
-        return $ticket;
-    }
 }
diff --git a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
index 042dd93..4687569 100644
--- a/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
+++ b/src/Module/ProjectManagement/Infrastructure/ApiPlatform/State/TaskDocumentProvider.php
@@ -12,12 +12,6 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 
 /**
- * Provider for TaskDocument read operations.
- *
- * - ROLE_ADMIN: every document.
- * - ROLE_USER: documents attached to a task (task IS NOT NULL).
- * - ROLE_CLIENT: documents attached to a client ticket the user submitted.
- *
  * @implements ProviderInterface<TaskDocument>
  */
 final readonly class TaskDocumentProvider implements ProviderInterface
@@ -32,56 +26,25 @@ final readonly class TaskDocumentProvider implements ProviderInterface
         $user = $this->security->getUser();
         assert($user instanceof UserInterface);
 
-        $isAdmin  = $this->security->isGranted('ROLE_ADMIN');
-        $isClient = $this->security->isGranted('ROLE_CLIENT');
-
         $repo = $this->entityManager->getRepository(TaskDocument::class);
 
-        // Single item.
+        // Single item
         if (isset($uriVariables['id'])) {
-            $document = $repo->find($uriVariables['id']);
-            if (null === $document) {
-                return null;
-            }
-            if ($isAdmin) {
-                return $document;
-            }
-            if ($isClient) {
-                $ticket = $document->getClientTicket();
-
-                return null !== $ticket && $ticket->getSubmittedBy() === $user ? $document : null;
-            }
-
-            // ROLE_USER: task-linked documents only.
-            return null !== $document->getTask() ? $document : null;
+            return $repo->find($uriVariables['id']);
         }
 
-        // Collection.
+        // Collection
         $qb = $repo->createQueryBuilder('d')
             ->orderBy('d.id', 'DESC')
         ;
 
-        if ($isClient && !$isAdmin) {
-            $qb->innerJoin('d.clientTicket', 'ct')
-                ->andWhere('ct.submittedBy = :user')
-                ->setParameter('user', $user)
-            ;
-        } elseif (!$isAdmin) {
-            // ROLE_USER: only documents attached to a task.
-            $qb->andWhere('d.task IS NOT NULL');
-        }
-
+        // Apply filters from query parameters
         $filters = $context['filters'] ?? [];
         if (isset($filters['task'])) {
             $qb->andWhere('d.task = :task')
                 ->setParameter('task', self::extractId($filters['task']))
             ;
         }
-        if (isset($filters['clientTicket'])) {
-            $qb->andWhere('d.clientTicket = :clientTicket')
-                ->setParameter('clientTicket', self::extractId($filters['clientTicket']))
-            ;
-        }
 
         return $qb->getQuery()->getResult();
     }
diff --git a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
index fb705f5..9d8e2b7 100644
--- a/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
+++ b/src/Module/ProjectManagement/Infrastructure/Controller/TaskDocumentDownloadController.php
@@ -10,13 +10,11 @@ use App\Module\Integration\Domain\Service\FileSource;
 use App\Module\ProjectManagement\Domain\Entity\TaskDocument;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
-use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
 use Symfony\Component\HttpFoundation\HeaderUtils;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 use Symfony\Component\HttpFoundation\StreamedResponse;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
@@ -28,7 +26,6 @@ class TaskDocumentDownloadController extends AbstractController
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly FileSource $fileSource,
-        private readonly Security $security,
         private readonly string $uploadDir,
     ) {}
 
@@ -42,19 +39,6 @@ class TaskDocumentDownloadController extends AbstractController
             throw new NotFoundHttpException('Document not found.');
         }
 
-        $isAdmin  = $this->security->isGranted('ROLE_ADMIN');
-        $isClient = $this->security->isGranted('ROLE_CLIENT') && !$isAdmin;
-        if (!$isAdmin) {
-            if ($isClient) {
-                $ticket = $document->getClientTicket();
-                if (null === $ticket || $ticket->getSubmittedBy() !== $this->security->getUser()) {
-                    throw new AccessDeniedHttpException();
-                }
-            } elseif (null === $document->getTask()) {
-                throw new AccessDeniedHttpException();
-            }
-        }
-
         $mimeType = $document->getMimeType() ?? 'application/octet-stream';
 
         // Inline for images (except SVG) and PDFs, attachment for everything else.
diff --git a/src/Shared/Domain/Contract/ClientTicketInterface.php b/src/Shared/Domain/Contract/ClientTicketInterface.php
deleted file mode 100644
index 97435d8..0000000
--- a/src/Shared/Domain/Contract/ClientTicketInterface.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Shared\Domain\Contract;
-
-/**
- * Contrat de LECTURE d'un ticket client, consommé hors du module ClientPortal.
- *
- * Permet à ProjectManagement (Task, TaskDocument) de référencer un ticket
- * client sans dépendre directement de l'entité concrète du module ClientPortal.
- */
-interface ClientTicketInterface
-{
-    public function getId(): ?int;
-
-    public function getNumber(): ?int;
-
-    public function getType(): string;
-
-    public function getStatus(): string;
-
-    public function getTitle(): ?string;
-}
diff --git a/src/Shared/Domain/Contract/NotifierInterface.php b/src/Shared/Domain/Contract/NotifierInterface.php
index ec6225e..b3643f1 100644
--- a/src/Shared/Domain/Contract/NotifierInterface.php
+++ b/src/Shared/Domain/Contract/NotifierInterface.php
@@ -11,6 +11,5 @@ interface NotifierInterface
         string $type,
         string $title,
         string $message,
-        ?ClientTicketInterface $relatedTicket = null,
     ): void;
 }
diff --git a/src/Shared/Domain/Contract/UserInterface.php b/src/Shared/Domain/Contract/UserInterface.php
index 8844934..7a3e89a 100644
--- a/src/Shared/Domain/Contract/UserInterface.php
+++ b/src/Shared/Domain/Contract/UserInterface.php
@@ -4,8 +4,6 @@ declare(strict_types=1);
 
 namespace App\Shared\Domain\Contract;
 
-use Doctrine\Common\Collections\Collection;
-
 /**
  * Contrat de LECTURE de l'identité, consommé hors du module Core.
  * Les écritures (setPassword, setters HR…) restent sur le concret Core\Domain\Entity\User.
@@ -31,16 +29,4 @@ interface UserInterface
 
     /** @return list<string> */
     public function getEffectivePermissions(): array;
-
-    /**
-     * Client this user belongs to, or null for an internal user.
-     */
-    public function getClient(): ?ClientInterface;
-
-    /**
-     * Projects a client user is allowed to access.
-     *
-     * @return Collection<int, ProjectInterface>
-     */
-    public function getAllowedProjects(): Collection;
 }
diff --git a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php b/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
deleted file mode 100644
index 7ae3cb7..0000000
--- a/tests/Functional/Module/ClientPortal/ClientTicketApiTest.php
+++ /dev/null
@@ -1,293 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Tests\Functional\Module\ClientPortal;
-
-use App\Module\ClientPortal\Domain\Entity\ClientTicket;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketStatus;
-use App\Module\ClientPortal\Domain\Enum\ClientTicketType;
-use App\Module\Core\Domain\Entity\Notification;
-use App\Module\Core\Domain\Entity\User;
-use App\Module\ProjectManagement\Domain\Entity\Project;
-use DateTimeImmutable;
-use Doctrine\ORM\EntityManagerInterface;
-use PHPUnit\Framework\Attributes\DataProvider;
-use Symfony\Bundle\FrameworkBundle\KernelBrowser;
-use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-
-use function count;
-
-/**
- * Phase 1 security boundary: a pure ROLE_CLIENT user is walled off from the
- * internal API but can reach its own client portal collection.
- *
- * @internal
- */
-final class ClientTicketApiTest extends WebTestCase
-{
-    public function testClientUserCannotListTasks(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'client-liot');
-
-        $client->request('GET', '/api/tasks');
-
-        self::assertResponseStatusCodeSame(403);
-    }
-
-    public function testClientUserCannotListProjects(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'client-liot');
-
-        $client->request('GET', '/api/projects');
-
-        self::assertResponseStatusCodeSame(403);
-    }
-
-    /**
-     * Regression guard for the post-migration security review: internal
-     * endpoints that were only behind IS_AUTHENTICATED_FULLY (or had no
-     * security) must reject a pure ROLE_CLIENT.
-     */
-    #[DataProvider('internalEndpointsForbiddenToClients')]
-    public function testClientUserIsWalledOffFromInternalEndpoints(string $uri): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'client-liot');
-
-        $client->request('GET', $uri);
-
-        self::assertResponseStatusCodeSame(403);
-    }
-
-    /** @return iterable<string, array{string}> */
-    public static function internalEndpointsForbiddenToClients(): iterable
-    {
-        yield 'users directory' => ['/api/users'];
-
-        yield 'smb share browse' => ['/api/share/browse'];
-
-        yield 'smb share status' => ['/api/share/status'];
-
-        yield 'bookstack links' => ['/api/tasks/1/bookstack/links'];
-    }
-
-    public function testClientUserCanListOwnClientTickets(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'client-liot');
-
-        $client->request('GET', '/api/client_tickets');
-
-        self::assertResponseIsSuccessful();
-        $data = json_decode($client->getResponse()->getContent(), true);
-        self::assertArrayHasKey('member', $data);
-        self::assertNotEmpty($data['member']);
-        // Tenancy invariant (robust to POST tests accumulating tickets in the
-        // shared test DB): client-liot sees its own SIRH ticket but NEVER the
-        // ticket submitted by another client (ACME, on the CRM project).
-        $titles = array_column($data['member'], 'title');
-        self::assertContains('Erreur lors de l\'export des congés', $titles);
-        self::assertNotContains('Ajouter un filtre par commercial', $titles);
-    }
-
-    public function testClientUserSeesOnlyOwnTickets(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'client-acme');
-
-        $client->request('GET', '/api/client_tickets');
-
-        self::assertResponseIsSuccessful();
-        $data = json_decode($client->getResponse()->getContent(), true);
-        self::assertNotEmpty($data['member']);
-        // Tenancy invariant: client-acme sees its own CRM ticket but NEVER the
-        // ticket submitted by client-liot (on the SIRH project).
-        $titles = array_column($data['member'], 'title');
-        self::assertContains('Ajouter un filtre par commercial', $titles);
-        self::assertNotContains('Erreur lors de l\'export des congés', $titles);
-    }
-
-    public function testInternalUserCannotListClientTickets(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'alice');
-
-        $client->request('GET', '/api/client_tickets');
-
-        self::assertResponseStatusCodeSame(403);
-    }
-
-    public function testAdminCanListAllClientTickets(): void
-    {
-        $client = self::createClient();
-        $this->loginClient($client, 'admin');
-
-        $client->request('GET', '/api/client_tickets');
-
-        self::assertResponseIsSuccessful();
-        $data = json_decode($client->getResponse()->getContent(), true);
-        self::assertGreaterThanOrEqual(2, count($data['member']));
-    }
-
-    public function testClientCanCreateTicketAndNumberIsGenerated(): void
-    {
-        $client = self::createClient();
-        $em     = self::getContainer()->get(EntityManagerInterface::class);
-
-        $projectIri = $this->sirhProjectIri($em);
-        $this->loginClient($client, 'client-liot');
-
-        $client->request('POST', '/api/client_tickets', server: [
-            'CONTENT_TYPE' => 'application/ld+json',
-        ], content: json_encode([
-            'type'        => 'other',
-            'title'       => 'Demande de fonctionnalité',
-            'description' => 'Une nouvelle option serait utile.',
-            'project'     => $projectIri,
-        ]));
-
-        self::assertResponseStatusCodeSame(201);
-        $data = json_decode($client->getResponse()->getContent(), true);
-        self::assertSame('new', $data['status']);
-        self::assertGreaterThanOrEqual(1, $data['number']);
-    }
-
-    public function testCreatingTicketNotifiesAdmins(): void
-    {
-        $client = self::createClient();
-        $em     = self::getContainer()->get(EntityManagerInterface::class);
-
-        $projectIri = $this->sirhProjectIri($em);
-        $this->loginClient($client, 'client-liot');
-
-        $title = 'Notif test '.uniqid('', true);
-        $client->request('POST', '/api/client_tickets', server: [
-            'CONTENT_TYPE' => 'application/ld+json',
-        ], content: json_encode([
-            'type'        => 'other',
-            'title'       => $title,
-            'description' => 'Trigger an admin notification.',
-            'project'     => $projectIri,
-        ]));
-
-        self::assertResponseStatusCodeSame(201);
-        $data     = json_decode($client->getResponse()->getContent(), true);
-        $ticketId = $data['id'];
-
-        $admin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
-        self::assertNotNull($admin);
-
-        $notification = $em->getRepository(Notification::class)->findOneBy([
-            'user' => $admin,
-            'type' => 'ticket_created',
-        ], ['createdAt' => 'DESC']);
-
-        self::assertInstanceOf(Notification::class, $notification);
-        self::assertNotNull($notification->getRelatedTicket());
-        self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
-    }
-
-    public function testChangingStatusNotifiesSubmitter(): void
-    {
-        $client = self::createClient();
-        $em     = self::getContainer()->get(EntityManagerInterface::class);
-
-        // Set up a fresh `new` ticket whose submitter is a known client user,
-        // so we can assert the submitter is the notification recipient.
-        $submitter = $em->getRepository(User::class)->findOneBy(['username' => 'client-liot']);
-        self::assertNotNull($submitter);
-        $project = $em->getRepository(Project::class)->findOneBy(['code' => 'SIRH']);
-        self::assertNotNull($project);
-
-        $ticket = new ClientTicket();
-        $ticket->setType(ClientTicketType::Other);
-        $ticket->setTitle('Status notif '.uniqid('', true));
-        $ticket->setDescription('Will be moved to in_progress.');
-        $ticket->setProject($project);
-        $ticket->setSubmittedBy($submitter);
-        $ticket->setStatus(ClientTicketStatus::New);
-        $ticket->setNumber(9000 + random_int(1, 999));
-        $ticket->setCreatedAt(new DateTimeImmutable());
-        $ticket->setUpdatedAt(new DateTimeImmutable());
-        $em->persist($ticket);
-        $em->flush();
-        $ticketId = $ticket->getId();
-
-        // Admin moves it to in_progress.
-        $this->loginClient($client, 'admin');
-        $client->request('PATCH', '/api/client_tickets/'.$ticketId, server: [
-            'CONTENT_TYPE' => 'application/merge-patch+json',
-        ], content: json_encode(['status' => 'in_progress']));
-        self::assertResponseIsSuccessful();
-
-        $notification = $em->getRepository(Notification::class)->findOneBy([
-            'user' => $submitter,
-            'type' => 'ticket_status_changed',
-        ], ['createdAt' => 'DESC']);
-
-        self::assertInstanceOf(Notification::class, $notification);
-        self::assertNotNull($notification->getRelatedTicket());
-        self::assertSame($ticketId, $notification->getRelatedTicket()->getId());
-    }
-
-    public function testAdminCannotCreateTicket(): void
-    {
-        $client = self::createClient();
-        $em     = self::getContainer()->get(EntityManagerInterface::class);
-
-        $projectIri = $this->sirhProjectIri($em);
-        $this->loginClient($client, 'admin');
-
-        $client->request('POST', '/api/client_tickets', server: [
-            'CONTENT_TYPE' => 'application/ld+json',
-        ], content: json_encode([
-            'type'        => 'other',
-            'title'       => 'Admin attempt',
-            'description' => 'Should be forbidden.',
-            'project'     => $projectIri,
-        ]));
-
-        // Admin has no client, so ticket creation is denied.
-        self::assertResponseStatusCodeSame(403);
-    }
-
-    public function testRejectingTicketRequiresStatusComment(): void
-    {
-        $client = self::createClient();
-        $em     = self::getContainer()->get(EntityManagerInterface::class);
-        $ticket = $em->getRepository(ClientTicket::class)
-            ->findOneBy(['status' => ClientTicketStatus::New])
-        ;
-        self::assertNotNull($ticket);
-        $id = $ticket->getId();
-
-        $this->loginClient($client, 'admin');
-
-        $client->request('PATCH', '/api/client_tickets/'.$id, server: [
-            'CONTENT_TYPE' => 'application/merge-patch+json',
-        ], content: json_encode(['status' => 'rejected']));
-
-        self::assertResponseStatusCodeSame(422);
-    }
-
-    private function sirhProjectIri(EntityManagerInterface $em): string
-    {
-        $project = $em->getRepository(Project::class)
-            ->findOneBy(['code' => 'SIRH'])
-        ;
-        self::assertNotNull($project);
-
-        return '/api/projects/'.$project->getId();
-    }
-
-    private function loginClient(KernelBrowser $client, string $username): void
-    {
-        $em   = self::getContainer()->get(EntityManagerInterface::class);
-        $user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
-        self::assertInstanceOf(User::class, $user);
-        $client->loginUser($user);
-    }
-}
diff --git a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
index 73780cc..750e9da 100644
--- a/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
+++ b/tests/Unit/Shared/Doctrine/TimestampableBlamableSubscriberTest.php
@@ -6,14 +6,11 @@ namespace App\Tests\Unit\Shared\Doctrine;
 
 use App\Shared\Application\CurrentUserProviderInterface;
 use App\Shared\Domain\Contract\BlamableInterface;
-use App\Shared\Domain\Contract\ClientInterface;
 use App\Shared\Domain\Contract\TimestampableInterface;
 use App\Shared\Domain\Contract\UserInterface;
 use App\Shared\Domain\Trait\TimestampableBlamableTrait;
 use App\Shared\Infrastructure\Doctrine\TimestampableBlamableSubscriber;
 use DateTimeImmutable;
-use Doctrine\Common\Collections\ArrayCollection;
-use Doctrine\Common\Collections\Collection;
 use PHPUnit\Framework\TestCase;
 use stdClass;
 
@@ -123,16 +120,6 @@ final class TimestampableBlamableSubscriberTest extends TestCase
             {
                 return [];
             }
-
-            public function getClient(): ?ClientInterface
-            {
-                return null;
-            }
-
-            public function getAllowedProjects(): Collection
-            {
-                return new ArrayCollection();
-            }
         };
     }
 
-- 
2.39.5


From bf263f4c63125910aa78c1dc59ea3e72d3b2cd31 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:39:12 +0200
Subject: [PATCH 76/99] feat(directory) : add ReportType enum for commercial
 reports

---
 .../Directory/Domain/Enum/ReportType.php      | 23 +++++++++++++++++++
 .../Directory/Domain/Enum/ReportTypeTest.php  | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 src/Module/Directory/Domain/Enum/ReportType.php
 create mode 100644 tests/Module/Directory/Domain/Enum/ReportTypeTest.php

diff --git a/src/Module/Directory/Domain/Enum/ReportType.php b/src/Module/Directory/Domain/Enum/ReportType.php
new file mode 100644
index 0000000..f762ae1
--- /dev/null
+++ b/src/Module/Directory/Domain/Enum/ReportType.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ReportType: string
+{
+    case Call    = 'call';
+    case Meeting = 'meeting';
+    case Email   = 'email';
+    case Note    = 'note';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::Call    => 'Appel',
+            self::Meeting => 'Rendez-vous',
+            self::Email   => 'Email',
+            self::Note    => 'Note',
+        };
+    }
+}
diff --git a/tests/Module/Directory/Domain/Enum/ReportTypeTest.php b/tests/Module/Directory/Domain/Enum/ReportTypeTest.php
new file mode 100644
index 0000000..40bec90
--- /dev/null
+++ b/tests/Module/Directory/Domain/Enum/ReportTypeTest.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory\Domain\Enum;
+
+use App\Module\Directory\Domain\Enum\ReportType;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class ReportTypeTest extends TestCase
+{
+    public function testValuesAndLabels(): void
+    {
+        self::assertSame('call', ReportType::Call->value);
+        self::assertSame('Appel', ReportType::Call->label());
+        self::assertSame('Rendez-vous', ReportType::Meeting->label());
+        self::assertSame('Email', ReportType::Email->label());
+        self::assertSame('Note', ReportType::Note->label());
+    }
+}
-- 
2.39.5


From e5a64a60c4cd2dcb5779c4715c2423786c6184f1 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:42:09 +0200
Subject: [PATCH 77/99] feat(directory) : add Contact entity with
 client/prospect dual ownership

---
 .../Directory/Domain/Entity/Contact.php       | 183 ++++++++++++++++++
 .../Repository/ContactRepositoryInterface.php |  12 ++
 .../Doctrine/DoctrineContactRepository.php    |  26 +++
 3 files changed, 221 insertions(+)
 create mode 100644 src/Module/Directory/Domain/Entity/Contact.php
 create mode 100644 src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php

diff --git a/src/Module/Directory/Domain/Entity/Contact.php b/src/Module/Directory/Domain/Entity/Contact.php
new file mode 100644
index 0000000..0f9e1d5
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Contact.php
@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineContactRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['contact:read']],
+    denormalizationContext: ['groups' => ['contact:write']],
+    order: ['lastName' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineContactRepository::class)]
+#[ORM\Table(name: 'directory_contact')]
+class Contact implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['contact:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $firstName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $lastName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $jobTitle = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phonePrimary = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phoneSecondary = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getFirstName(): ?string
+    {
+        return $this->firstName;
+    }
+
+    public function setFirstName(?string $firstName): static
+    {
+        $this->firstName = $firstName;
+
+        return $this;
+    }
+
+    public function getLastName(): ?string
+    {
+        return $this->lastName;
+    }
+
+    public function setLastName(?string $lastName): static
+    {
+        $this->lastName = $lastName;
+
+        return $this;
+    }
+
+    public function getJobTitle(): ?string
+    {
+        return $this->jobTitle;
+    }
+
+    public function setJobTitle(?string $jobTitle): static
+    {
+        $this->jobTitle = $jobTitle;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhonePrimary(): ?string
+    {
+        return $this->phonePrimary;
+    }
+
+    public function setPhonePrimary(?string $phonePrimary): static
+    {
+        $this->phonePrimary = $phonePrimary;
+
+        return $this;
+    }
+
+    public function getPhoneSecondary(): ?string
+    {
+        return $this->phoneSecondary;
+    }
+
+    public function setPhoneSecondary(?string $phoneSecondary): static
+    {
+        $this->phoneSecondary = $phoneSecondary;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
new file mode 100644
index 0000000..0f28c4d
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Contact;
+
+interface ContactRepositoryInterface
+{
+    public function findById(int $id): ?Contact;
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
new file mode 100644
index 0000000..bca52e9
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Repository\ContactRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Contact>
+ */
+final class DoctrineContactRepository extends ServiceEntityRepository implements ContactRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Contact::class);
+    }
+
+    public function findById(int $id): ?Contact
+    {
+        return $this->find($id);
+    }
+}
-- 
2.39.5


From 8d63735bd852bbe9d949b3b9196caccb0e1662bd Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:45:05 +0200
Subject: [PATCH 78/99] feat(directory) : add Address entity with
 client/prospect dual ownership

---
 .../Directory/Domain/Entity/Address.php       | 183 ++++++++++++++++++
 .../Repository/AddressRepositoryInterface.php |  12 ++
 .../Doctrine/DoctrineAddressRepository.php    |  26 +++
 3 files changed, 221 insertions(+)
 create mode 100644 src/Module/Directory/Domain/Entity/Address.php
 create mode 100644 src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php

diff --git a/src/Module/Directory/Domain/Entity/Address.php b/src/Module/Directory/Domain/Entity/Address.php
new file mode 100644
index 0000000..00c2e45
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/Address.php
@@ -0,0 +1,183 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineAddressRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['address:read']],
+    denormalizationContext: ['groups' => ['address:write']],
+    order: ['id' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineAddressRepository::class)]
+#[ORM\Table(name: 'directory_address')]
+class Address implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['address:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $label = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $street = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $streetComplement = null;
+
+    #[ORM\Column(length: 20, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $postalCode = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $city = null;
+
+    #[ORM\Column(length: 2)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private string $country = 'FR';
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getLabel(): ?string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(?string $label): static
+    {
+        $this->label = $label;
+
+        return $this;
+    }
+
+    public function getStreet(): ?string
+    {
+        return $this->street;
+    }
+
+    public function setStreet(?string $street): static
+    {
+        $this->street = $street;
+
+        return $this;
+    }
+
+    public function getStreetComplement(): ?string
+    {
+        return $this->streetComplement;
+    }
+
+    public function setStreetComplement(?string $streetComplement): static
+    {
+        $this->streetComplement = $streetComplement;
+
+        return $this;
+    }
+
+    public function getPostalCode(): ?string
+    {
+        return $this->postalCode;
+    }
+
+    public function setPostalCode(?string $postalCode): static
+    {
+        $this->postalCode = $postalCode;
+
+        return $this;
+    }
+
+    public function getCity(): ?string
+    {
+        return $this->city;
+    }
+
+    public function setCity(?string $city): static
+    {
+        $this->city = $city;
+
+        return $this;
+    }
+
+    public function getCountry(): string
+    {
+        return $this->country;
+    }
+
+    public function setCountry(string $country): static
+    {
+        $this->country = $country;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php b/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
new file mode 100644
index 0000000..44b05f0
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Address;
+
+interface AddressRepositoryInterface
+{
+    public function findById(int $id): ?Address;
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
new file mode 100644
index 0000000..f32d731
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Repository\AddressRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Address>
+ */
+final class DoctrineAddressRepository extends ServiceEntityRepository implements AddressRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Address::class);
+    }
+
+    public function findById(int $id): ?Address
+    {
+        return $this->find($id);
+    }
+}
-- 
2.39.5


From 5af529d1b29fe11d7b73d2d33b5d9ec19c73b72e Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:51:19 +0200
Subject: [PATCH 79/99] feat(directory) : add CommercialReport entity with dual
 ownership and author

---
 config/services.yaml                          |  18 ++
 .../Domain/Entity/CommercialReport.php        | 187 ++++++++++++++++++
 .../CommercialReportRepositoryInterface.php   |  12 ++
 .../DoctrineCommercialReportRepository.php    |  26 +++
 .../CommercialReportAuthorListener.php        |  28 +++
 5 files changed, 271 insertions(+)
 create mode 100644 src/Module/Directory/Domain/Entity/CommercialReport.php
 create mode 100644 src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php

diff --git a/config/services.yaml b/config/services.yaml
index 6d11bb1..e40a324 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -113,6 +113,24 @@ services:
 
     App\Module\Directory\Domain\Repository\ProspectRepositoryInterface: '@App\Module\Directory\Infrastructure\Doctrine\DoctrineProspectRepository'
 
+    App\Module\Directory\Infrastructure\EventListener\CommercialReportAuthorListener:
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\CommercialReport', event: prePersist }
+
+    App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\Controller\ReportDocumentDownloadController:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags:
+            - { name: doctrine.orm.entity_listener }
+
     App\Module\Mail\Domain\Repository\MailConfigurationRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailConfigurationRepository'
 
     App\Module\Mail\Domain\Repository\MailFolderRepositoryInterface: '@App\Module\Mail\Infrastructure\Doctrine\DoctrineMailFolderRepository'
diff --git a/src/Module/Directory/Domain/Entity/CommercialReport.php b/src/Module/Directory/Domain/Entity/CommercialReport.php
new file mode 100644
index 0000000..ce55791
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/CommercialReport.php
@@ -0,0 +1,187 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineCommercialReportRepository;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['commercial_report:read']],
+    denormalizationContext: ['groups' => ['commercial_report:write']],
+    order: ['occurredAt' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineCommercialReportRepository::class)]
+#[ORM\Table(name: 'commercial_report')]
+class CommercialReport implements TimestampableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $subject = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $body = null;
+
+    #[ORM\Column(type: Types::DATE_IMMUTABLE)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?DateTimeImmutable $occurredAt = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ReportType::class)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ReportType $type = ReportType::Note;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'author_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['commercial_report:read'])]
+    private ?UserInterface $author = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Prospect $prospect = null;
+
+    /** @var Collection<int, ReportDocument> */
+    #[ORM\OneToMany(targetEntity: ReportDocument::class, mappedBy: 'commercialReport', cascade: ['remove'])]
+    #[Groups(['commercial_report:read'])]
+    private Collection $documents;
+
+    public function __construct()
+    {
+        $this->documents = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getSubject(): ?string
+    {
+        return $this->subject;
+    }
+
+    public function setSubject(string $subject): static
+    {
+        $this->subject = $subject;
+
+        return $this;
+    }
+
+    public function getBody(): ?string
+    {
+        return $this->body;
+    }
+
+    public function setBody(?string $body): static
+    {
+        $this->body = $body;
+
+        return $this;
+    }
+
+    public function getOccurredAt(): ?DateTimeImmutable
+    {
+        return $this->occurredAt;
+    }
+
+    public function setOccurredAt(DateTimeImmutable $occurredAt): static
+    {
+        $this->occurredAt = $occurredAt;
+
+        return $this;
+    }
+
+    public function getType(): ReportType
+    {
+        return $this->type;
+    }
+
+    public function setType(ReportType $type): static
+    {
+        $this->type = $type;
+
+        return $this;
+    }
+
+    public function getAuthor(): ?UserInterface
+    {
+        return $this->author;
+    }
+
+    public function setAuthor(?UserInterface $author): static
+    {
+        $this->author = $author;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+
+    /** @return Collection<int, ReportDocument> */
+    public function getDocuments(): Collection
+    {
+        return $this->documents;
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php b/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
new file mode 100644
index 0000000..94fa3d0
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+
+interface CommercialReportRepositoryInterface
+{
+    public function findById(int $id): ?CommercialReport;
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
new file mode 100644
index 0000000..17e855a
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Repository\CommercialReportRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<CommercialReport>
+ */
+final class DoctrineCommercialReportRepository extends ServiceEntityRepository implements CommercialReportRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, CommercialReport::class);
+    }
+
+    public function findById(int $id): ?CommercialReport
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php b/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php
new file mode 100644
index 0000000..5cf23cc
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class CommercialReportAuthorListener
+{
+    public function __construct(private Security $security) {}
+
+    public function prePersist(CommercialReport $report, PrePersistEventArgs $args): void
+    {
+        if (null !== $report->getAuthor()) {
+            return;
+        }
+
+        $user = $this->security->getUser();
+
+        if ($user instanceof UserInterface) {
+            $report->setAuthor($user);
+        }
+    }
+}
-- 
2.39.5


From b9538454a964947f5caff1c1ff40aae3abaddace Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:51:53 +0200
Subject: [PATCH 80/99] feat(directory) : add ReportDocument storage (entity,
 upload processor, download, cleanup)

---
 .../Domain/Entity/ReportDocument.php          | 166 ++++++++++++++++++
 .../ReportDocumentRepositoryInterface.php     |  12 ++
 .../State/ReportDocumentProcessor.php         | 152 ++++++++++++++++
 .../ReportDocumentDownloadController.php      |  56 ++++++
 .../DoctrineReportDocumentRepository.php      |  26 +++
 .../EventListener/ReportDocumentListener.php  |  32 ++++
 6 files changed, 444 insertions(+)
 create mode 100644 src/Module/Directory/Domain/Entity/ReportDocument.php
 create mode 100644 src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
 create mode 100644 src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
 create mode 100644 src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
 create mode 100644 src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
 create mode 100644 src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php

diff --git a/src/Module/Directory/Domain/Entity/ReportDocument.php b/src/Module/Directory/Domain/Entity/ReportDocument.php
new file mode 100644
index 0000000..4c4a8b5
--- /dev/null
+++ b/src/Module/Directory/Domain/Entity/ReportDocument.php
@@ -0,0 +1,166 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor;
+use App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ReportDocumentProcessor::class,
+            deserialize: false,
+        ),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['report_document:read']],
+    denormalizationContext: ['groups' => ['report_document:write']],
+    order: ['id' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['commercialReport' => 'exact'])]
+#[ORM\Entity]
+#[ORM\Table(name: 'report_document')]
+#[ORM\EntityListeners([ReportDocumentListener::class])]
+class ReportDocument
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\ManyToOne(targetEntity: CommercialReport::class, inversedBy: 'documents')]
+    #[ORM\JoinColumn(name: 'commercial_report_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    #[Groups(['report_document:read', 'report_document:write'])]
+    private ?CommercialReport $commercialReport = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $originalName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $fileName = null;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $mimeType = null;
+
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $size = null;
+
+    #[ORM\Column(type: 'datetime_immutable')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'uploaded_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?UserInterface $uploadedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCommercialReport(): ?CommercialReport
+    {
+        return $this->commercialReport;
+    }
+
+    public function setCommercialReport(?CommercialReport $commercialReport): static
+    {
+        $this->commercialReport = $commercialReport;
+
+        return $this;
+    }
+
+    public function getOriginalName(): ?string
+    {
+        return $this->originalName;
+    }
+
+    public function setOriginalName(string $originalName): static
+    {
+        $this->originalName = $originalName;
+
+        return $this;
+    }
+
+    public function getFileName(): ?string
+    {
+        return $this->fileName;
+    }
+
+    public function setFileName(?string $fileName): static
+    {
+        $this->fileName = $fileName;
+
+        return $this;
+    }
+
+    public function getMimeType(): ?string
+    {
+        return $this->mimeType;
+    }
+
+    public function setMimeType(string $mimeType): static
+    {
+        $this->mimeType = $mimeType;
+
+        return $this;
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function setSize(int $size): static
+    {
+        $this->size = $size;
+
+        return $this;
+    }
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): static
+    {
+        $this->createdAt = $createdAt;
+
+        return $this;
+    }
+
+    public function getUploadedBy(): ?UserInterface
+    {
+        return $this->uploadedBy;
+    }
+
+    public function setUploadedBy(?UserInterface $uploadedBy): static
+    {
+        $this->uploadedBy = $uploadedBy;
+
+        return $this;
+    }
+}
diff --git a/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php b/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
new file mode 100644
index 0000000..841936f
--- /dev/null
+++ b/src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+
+interface ReportDocumentRepositoryInterface
+{
+    public function findById(int $id): ?ReportDocument;
+}
diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
new file mode 100644
index 0000000..2931620
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\Uid\Uuid;
+
+use function in_array;
+
+/**
+ * @implements ProcessorInterface<ReportDocument, ReportDocument>
+ */
+final readonly class ReportDocumentProcessor implements ProcessorInterface
+{
+    private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
+
+    private const ALLOWED_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'text/plain', 'text/csv',
+        'application/zip', 'application/x-rar-compressed', 'application/gzip',
+        'application/json', 'application/xml', 'text/xml',
+    ];
+
+    private const MIME_TO_EXTENSION = [
+        'image/jpeg'                                                                => 'jpg',
+        'image/png'                                                                 => 'png',
+        'image/gif'                                                                 => 'gif',
+        'image/webp'                                                                => 'webp',
+        'application/pdf'                                                           => 'pdf',
+        'application/msword'                                                        => 'doc',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
+        'application/vnd.ms-excel'                                                  => 'xls',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'         => 'xlsx',
+        'application/vnd.ms-powerpoint'                                             => 'ppt',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation' => 'pptx',
+        'text/plain'                                                                => 'txt',
+        'text/csv'                                                                  => 'csv',
+        'application/zip'                                                           => 'zip',
+        'application/x-rar-compressed'                                              => 'rar',
+        'application/gzip'                                                          => 'gz',
+        'application/json'                                                          => 'json',
+        'application/xml'                                                           => 'xml',
+        'text/xml'                                                                  => 'xml',
+    ];
+
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+        private RequestStack $requestStack,
+        private string $uploadDir,
+    ) {}
+
+    /**
+     * @param ReportDocument $data
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ReportDocument
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating report documents requires admin privileges.');
+        }
+
+        $request = $this->requestStack->getCurrentRequest();
+
+        if (null === $request) {
+            throw new BadRequestHttpException('No request available.');
+        }
+
+        $document = $this->createUpload($request);
+        $document->setCreatedAt(new DateTimeImmutable());
+        $document->setUploadedBy($this->security->getUser());
+
+        $this->entityManager->persist($document);
+        $this->entityManager->flush();
+
+        return $document;
+    }
+
+    private function createUpload(Request $request): ReportDocument
+    {
+        $file = $request->files->get('file');
+
+        if (null === $file || !$file->isValid()) {
+            throw new BadRequestHttpException('No valid file uploaded.');
+        }
+
+        if ($file->getSize() > self::MAX_FILE_SIZE) {
+            throw new BadRequestHttpException('File size exceeds 50 MB limit.');
+        }
+
+        $report = $this->resolveReport((string) $request->request->get('commercialReport', ''));
+
+        $originalName = $file->getClientOriginalName();
+        $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
+        $fileSize     = $file->getSize();
+
+        if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+            throw new BadRequestHttpException(sprintf('File type "%s" is not allowed.', $mimeType));
+        }
+
+        $extension = self::MIME_TO_EXTENSION[$mimeType] ?? 'bin';
+        $fileName  = Uuid::v4()->toRfc4122().'.'.$extension;
+
+        if (!is_dir($this->uploadDir)) {
+            mkdir($this->uploadDir, 0o775, true);
+        }
+
+        $file->move($this->uploadDir, $fileName);
+
+        $document = new ReportDocument();
+        $document->setCommercialReport($report);
+        $document->setOriginalName($originalName);
+        $document->setFileName($fileName);
+        $document->setMimeType($mimeType);
+        $document->setSize($fileSize);
+
+        return $document;
+    }
+
+    private function resolveReport(string $iri): CommercialReport
+    {
+        if ('' === $iri) {
+            throw new BadRequestHttpException('A commercialReport IRI is required.');
+        }
+
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) basename($iri));
+
+        if (null === $report) {
+            throw new BadRequestHttpException('Commercial report not found.');
+        }
+
+        return $report;
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php b/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
new file mode 100644
index 0000000..f31e792
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Controller;
+
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+final class ReportDocumentDownloadController
+{
+    private const INLINE_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+    ];
+
+    public function __construct(
+        private readonly ReportDocumentRepositoryInterface $repository,
+        private readonly string $uploadDir,
+    ) {}
+
+    #[Route('/api/report_documents/{id}/download', name: 'report_document_download', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(int $id): Response
+    {
+        $document = $this->repository->findById($id);
+
+        if (null === $document || null === $document->getFileName()) {
+            throw new NotFoundHttpException('Document not found.');
+        }
+
+        $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+        if (!is_file($filePath)) {
+            throw new NotFoundHttpException('File missing on disk.');
+        }
+
+        $response = new BinaryFileResponse($filePath);
+        $mimeType = (string) $document->getMimeType();
+
+        $disposition = in_array($mimeType, self::INLINE_MIME_TYPES, true)
+            ? ResponseHeaderBag::DISPOSITION_INLINE
+            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+
+        $response->setContentDisposition($disposition, (string) $document->getOriginalName());
+        $response->headers->set('Content-Type', $mimeType);
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php b/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
new file mode 100644
index 0000000..20cd0c5
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<ReportDocument>
+ */
+final class DoctrineReportDocumentRepository extends ServiceEntityRepository implements ReportDocumentRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ReportDocument::class);
+    }
+
+    public function findById(int $id): ?ReportDocument
+    {
+        return $this->find($id);
+    }
+}
diff --git a/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php b/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php
new file mode 100644
index 0000000..583db11
--- /dev/null
+++ b/src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use Doctrine\ORM\Event\PreRemoveEventArgs;
+use Psr\Log\LoggerInterface;
+
+final readonly class ReportDocumentListener
+{
+    public function __construct(
+        private string $uploadDir,
+        private LoggerInterface $logger,
+    ) {}
+
+    public function preRemove(ReportDocument $document, PreRemoveEventArgs $args): void
+    {
+        $fileName = $document->getFileName();
+
+        if (null === $fileName) {
+            return;
+        }
+
+        $path = $this->uploadDir.'/'.$fileName;
+
+        if (is_file($path) && !@unlink($path)) {
+            $this->logger->warning('Failed to delete report document file', ['path' => $path]);
+        }
+    }
+}
-- 
2.39.5


From 33ba90a00d4362369bb42ce3d66c3b481f0a73ea Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 11:56:21 +0200
Subject: [PATCH 81/99] refactor(directory) : harden report document upload
 (iri guard, orphan cleanup)

---
 .../State/ReportDocumentProcessor.php         | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
index 2931620..fdbee11 100644
--- a/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php
@@ -16,6 +16,7 @@ use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Uid\Uuid;
+use Throwable;
 
 use function in_array;
 
@@ -88,8 +89,18 @@ final readonly class ReportDocumentProcessor implements ProcessorInterface
         $document->setCreatedAt(new DateTimeImmutable());
         $document->setUploadedBy($this->security->getUser());
 
-        $this->entityManager->persist($document);
-        $this->entityManager->flush();
+        try {
+            $this->entityManager->persist($document);
+            $this->entityManager->flush();
+        } catch (Throwable $e) {
+            $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+            if (file_exists($filePath)) {
+                @unlink($filePath);
+            }
+
+            throw $e;
+        }
 
         return $document;
     }
@@ -137,11 +148,13 @@ final readonly class ReportDocumentProcessor implements ProcessorInterface
 
     private function resolveReport(string $iri): CommercialReport
     {
-        if ('' === $iri) {
-            throw new BadRequestHttpException('A commercialReport IRI is required.');
+        $idString = basename($iri);
+
+        if ('' === $iri || !ctype_digit($idString)) {
+            throw new BadRequestHttpException('A valid commercialReport IRI is required.');
         }
 
-        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) basename($iri));
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) $idString);
 
         if (null === $report) {
             throw new BadRequestHttpException('Commercial report not found.');
-- 
2.39.5


From 354d7c34ba865df776be42c820a7e4b28ed55e99 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 12:11:11 +0200
Subject: [PATCH 82/99] feat(directory) : add contact/address/report tables,
 migrate inline addresses, drop inline columns

---
 migrations/Version20260622100916.php          | 222 ++++++++++++++++++
 src/DataFixtures/AppFixtures.php              |  69 ++++--
 src/Module/Directory/Domain/Entity/Client.php |  48 ----
 .../Directory/Domain/Entity/Prospect.php      |  48 ----
 .../State/ConvertProspectProcessor.php        |   3 -
 .../Mcp/Tool/ConvertProspectTool.php          |   3 -
 .../Mcp/Tool/CreateClientTool.php             |   6 -
 .../Mcp/Tool/CreateProspectTool.php           |   6 -
 .../Mcp/Tool/UpdateClientTool.php             |  12 -
 .../Mcp/Tool/UpdateProspectTool.php           |  12 -
 src/Shared/Infrastructure/Mcp/Serializer.php  |  14 +-
 .../Directory/ProspectConversionTest.php      |   3 -
 12 files changed, 279 insertions(+), 167 deletions(-)
 create mode 100644 migrations/Version20260622100916.php

diff --git a/migrations/Version20260622100916.php b/migrations/Version20260622100916.php
new file mode 100644
index 0000000..337586b
--- /dev/null
+++ b/migrations/Version20260622100916.php
@@ -0,0 +1,222 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20260622100916 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('CREATE TABLE commercial_report (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, subject VARCHAR(255) NOT NULL, body TEXT DEFAULT NULL, occurred_at DATE NOT NULL, type VARCHAR(32) NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, author_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_886919D819EB6921 ON commercial_report (client_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8D182060A ON commercial_report (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8F675F31B ON commercial_report (author_id)');
+        $this->addSql('CREATE INDEX IDX_886919D8DE12AB56 ON commercial_report (created_by)');
+        $this->addSql('CREATE INDEX IDX_886919D816FE72E1 ON commercial_report (updated_by)');
+        $this->addSql('CREATE TABLE directory_address (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, label VARCHAR(255) DEFAULT NULL, street VARCHAR(255) DEFAULT NULL, street_complement VARCHAR(255) DEFAULT NULL, postal_code VARCHAR(20) DEFAULT NULL, city VARCHAR(255) DEFAULT NULL, country VARCHAR(2) NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_6E5D970719EB6921 ON directory_address (client_id)');
+        $this->addSql('CREATE INDEX IDX_6E5D9707D182060A ON directory_address (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_6E5D9707DE12AB56 ON directory_address (created_by)');
+        $this->addSql('CREATE INDEX IDX_6E5D970716FE72E1 ON directory_address (updated_by)');
+        $this->addSql('CREATE TABLE directory_contact (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, first_name VARCHAR(255) DEFAULT NULL, last_name VARCHAR(255) DEFAULT NULL, job_title VARCHAR(255) DEFAULT NULL, email VARCHAR(255) DEFAULT NULL, phone_primary VARCHAR(50) DEFAULT NULL, phone_secondary VARCHAR(50) DEFAULT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, updated_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, client_id INT DEFAULT NULL, prospect_id INT DEFAULT NULL, created_by INT DEFAULT NULL, updated_by INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_2F711EBE19EB6921 ON directory_contact (client_id)');
+        $this->addSql('CREATE INDEX IDX_2F711EBED182060A ON directory_contact (prospect_id)');
+        $this->addSql('CREATE INDEX IDX_2F711EBEDE12AB56 ON directory_contact (created_by)');
+        $this->addSql('CREATE INDEX IDX_2F711EBE16FE72E1 ON directory_contact (updated_by)');
+        $this->addSql('CREATE TABLE report_document (id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, original_name VARCHAR(255) NOT NULL, file_name VARCHAR(255) DEFAULT NULL, mime_type VARCHAR(100) NOT NULL, size INT NOT NULL, created_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, commercial_report_id INT NOT NULL, uploaded_by_id INT DEFAULT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE INDEX IDX_D809130B4AB5D1D4 ON report_document (commercial_report_id)');
+        $this->addSql('CREATE INDEX IDX_D809130BA2B28FE8 ON report_document (uploaded_by_id)');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D819EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8D182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8F675F31B FOREIGN KEY (author_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D8DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT FK_886919D816FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D970719EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D9707D182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D9707DE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT FK_6E5D970716FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBE19EB6921 FOREIGN KEY (client_id) REFERENCES client (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBED182060A FOREIGN KEY (prospect_id) REFERENCES prospect (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBEDE12AB56 FOREIGN KEY (created_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT FK_2F711EBE16FE72E1 FOREIGN KEY (updated_by) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE report_document ADD CONSTRAINT FK_D809130B4AB5D1D4 FOREIGN KEY (commercial_report_id) REFERENCES commercial_report (id) ON DELETE CASCADE NOT DEFERRABLE');
+        $this->addSql('ALTER TABLE report_document ADD CONSTRAINT FK_D809130BA2B28FE8 FOREIGN KEY (uploaded_by_id) REFERENCES "user" (id) ON DELETE SET NULL NOT DEFERRABLE');
+
+        // Ownership CHECK constraints: each row must belong to a client or a prospect.
+        $this->addSql('ALTER TABLE directory_contact ADD CONSTRAINT chk_contact_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+        $this->addSql('ALTER TABLE directory_address ADD CONSTRAINT chk_address_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+        $this->addSql('ALTER TABLE commercial_report ADD CONSTRAINT chk_report_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)');
+
+        // Data migration: copy existing inline addresses into directory_address before dropping the columns.
+        $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, client_id, created_at, updated_at)
+            SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+            FROM client
+            WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+        $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, prospect_id, created_at, updated_at)
+            SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+            FROM prospect
+            WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_by IS \'\'');
+        $this->addSql('ALTER TABLE client DROP street');
+        $this->addSql('ALTER TABLE client DROP city');
+        $this->addSql('ALTER TABLE client DROP postal_code');
+        $this->addSql('COMMENT ON COLUMN client.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_by IS \'\'');
+        $this->addSql('ALTER TABLE prospect DROP street');
+        $this->addSql('ALTER TABLE prospect DROP city');
+        $this->addSql('ALTER TABLE prospect DROP postal_code');
+        $this->addSql('COMMENT ON COLUMN prospect.status IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.converted_client_id IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_at IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_by IS \'\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_by IS \'\'');
+        $this->addSql('DROP INDEX idx_75ea56e016ba31db');
+        $this->addSql('DROP INDEX idx_75ea56e0fb7336f0');
+        $this->addSql('DROP INDEX idx_75ea56e0e3bd61ce');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id DROP DEFAULT');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id ADD GENERATED BY DEFAULT AS IDENTITY');
+        $this->addSql('CREATE INDEX IDX_75EA56E0FB7336F0E3BD61CE16BA31DBBF396750 ON messenger_messages (queue_name, available_at, delivered_at, id)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D819EB6921');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8D182060A');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8F675F31B');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D8DE12AB56');
+        $this->addSql('ALTER TABLE commercial_report DROP CONSTRAINT FK_886919D816FE72E1');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D970719EB6921');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D9707D182060A');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D9707DE12AB56');
+        $this->addSql('ALTER TABLE directory_address DROP CONSTRAINT FK_6E5D970716FE72E1');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBE19EB6921');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBED182060A');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBEDE12AB56');
+        $this->addSql('ALTER TABLE directory_contact DROP CONSTRAINT FK_2F711EBE16FE72E1');
+        $this->addSql('ALTER TABLE report_document DROP CONSTRAINT FK_D809130B4AB5D1D4');
+        $this->addSql('ALTER TABLE report_document DROP CONSTRAINT FK_D809130BA2B28FE8');
+        $this->addSql('DROP TABLE commercial_report');
+        $this->addSql('DROP TABLE directory_address');
+        $this->addSql('DROP TABLE directory_contact');
+        $this->addSql('DROP TABLE report_document');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_balance.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN absence_policy.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN book_stack_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('ALTER TABLE client ADD street VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD city VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE client ADD postal_code VARCHAR(20) DEFAULT NULL');
+        $this->addSql('COMMENT ON COLUMN client.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN client.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN client.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN gitea_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN mail_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('DROP INDEX IDX_75EA56E0FB7336F0E3BD61CE16BA31DBBF396750');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id SET DEFAULT nextval(\'messenger_messages_id_seq\'::regclass)');
+        $this->addSql('ALTER TABLE messenger_messages ALTER id DROP IDENTITY');
+        $this->addSql('CREATE INDEX idx_75ea56e016ba31db ON messenger_messages (delivered_at)');
+        $this->addSql('CREATE INDEX idx_75ea56e0fb7336f0 ON messenger_messages (queue_name)');
+        $this->addSql('CREATE INDEX idx_75ea56e0e3bd61ce ON messenger_messages (available_at)');
+        $this->addSql('COMMENT ON COLUMN project.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN project.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN project.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('ALTER TABLE prospect ADD street VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE prospect ADD city VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE prospect ADD postal_code VARCHAR(20) DEFAULT NULL');
+        $this->addSql('COMMENT ON COLUMN prospect.status IS \'Prospect pipeline status (ProspectStatus enum: new, contacted, qualified, won, lost)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.converted_client_id IS \'Client created when the prospect is converted (FK client.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN prospect.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN share_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN task.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN task.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN task.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN time_entry.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_at IS \'Creation timestamp (Timestampable, set on prePersist)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_at IS \'Last update timestamp (Timestampable, set on prePersist/preUpdate)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.created_by IS \'User who created the entry (Blamable, FK user.id, SET NULL on delete)\'');
+        $this->addSql('COMMENT ON COLUMN zimbra_configuration.updated_by IS \'User who last updated the entry (Blamable, FK user.id, SET NULL on delete)\'');
+    }
+}
diff --git a/src/DataFixtures/AppFixtures.php b/src/DataFixtures/AppFixtures.php
index e6fd000..52a1d7e 100644
--- a/src/DataFixtures/AppFixtures.php
+++ b/src/DataFixtures/AppFixtures.php
@@ -12,6 +12,7 @@ use App\Module\Absence\Domain\Enum\AbsenceType;
 use App\Module\Core\Application\Rbac\RbacSeeder;
 use App\Module\Core\Domain\Entity\User;
 use App\Module\Core\Domain\Enum\ContractType;
+use App\Module\Directory\Domain\Entity\Address;
 use App\Module\Directory\Domain\Entity\Client;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
@@ -83,66 +84,102 @@ class AppFixtures extends Fixture
         $clientLiot->setName('LIOT');
         $clientLiot->setEmail('contact@liot.fr');
         $clientLiot->setPhone('05 50 50 50 50');
-        $clientLiot->setStreet('14 allée d\'argenson');
-        $clientLiot->setCity('Poitiers');
-        $clientLiot->setPostalCode('86100');
         $manager->persist($clientLiot);
 
+        $addressLiot = new Address();
+        $addressLiot->setLabel('Principale');
+        $addressLiot->setStreet('14 allée d\'argenson');
+        $addressLiot->setCity('Poitiers');
+        $addressLiot->setPostalCode('86100');
+        $addressLiot->setCountry('FR');
+        $addressLiot->setClient($clientLiot);
+        $manager->persist($addressLiot);
+
         $clientAcme = new Client();
         $clientAcme->setName('ACME Corp');
         $clientAcme->setEmail('contact@acme.com');
         $clientAcme->setPhone('01 23 45 67 89');
-        $clientAcme->setStreet('10 rue de la Paix');
-        $clientAcme->setCity('Paris');
-        $clientAcme->setPostalCode('75002');
         $manager->persist($clientAcme);
 
+        $addressAcme = new Address();
+        $addressAcme->setLabel('Principale');
+        $addressAcme->setStreet('10 rue de la Paix');
+        $addressAcme->setCity('Paris');
+        $addressAcme->setPostalCode('75002');
+        $addressAcme->setCountry('FR');
+        $addressAcme->setClient($clientAcme);
+        $manager->persist($addressAcme);
+
         $clientNova = new Client();
         $clientNova->setName('Nova Tech');
         $clientNova->setEmail('info@novatech.io');
         $clientNova->setPhone('04 56 78 90 12');
-        $clientNova->setStreet('5 avenue Jean Jaurès');
-        $clientNova->setCity('Lyon');
-        $clientNova->setPostalCode('69007');
         $manager->persist($clientNova);
 
+        $addressNova = new Address();
+        $addressNova->setLabel('Principale');
+        $addressNova->setStreet('5 avenue Jean Jaurès');
+        $addressNova->setCity('Lyon');
+        $addressNova->setPostalCode('69007');
+        $addressNova->setCountry('FR');
+        $addressNova->setClient($clientNova);
+        $manager->persist($addressNova);
+
         // Prospects
         $prospectLead = new Prospect();
         $prospectLead->setName('Marie Dupont');
         $prospectLead->setCompany('Atelier Dupont');
         $prospectLead->setEmail('marie@atelier-dupont.fr');
         $prospectLead->setPhone('06 11 22 33 44');
-        $prospectLead->setCity('Nantes');
-        $prospectLead->setPostalCode('44000');
         $prospectLead->setStatus(ProspectStatus::New);
         $prospectLead->setSource('Site web');
         $prospectLead->setNotes('Demande de devis via le formulaire de contact.');
         $manager->persist($prospectLead);
 
+        $addressLead = new Address();
+        $addressLead->setLabel('Principale');
+        $addressLead->setCity('Nantes');
+        $addressLead->setPostalCode('44000');
+        $addressLead->setCountry('FR');
+        $addressLead->setProspect($prospectLead);
+        $manager->persist($addressLead);
+
         $prospectQualified = new Prospect();
         $prospectQualified->setName('Jean Martin');
         $prospectQualified->setCompany('Martin & Fils');
         $prospectQualified->setEmail('contact@martin-fils.fr');
         $prospectQualified->setPhone('07 55 66 77 88');
-        $prospectQualified->setStreet('22 rue du Commerce');
-        $prospectQualified->setCity('Bordeaux');
-        $prospectQualified->setPostalCode('33000');
         $prospectQualified->setStatus(ProspectStatus::Qualified);
         $prospectQualified->setSource('Salon professionnel');
         $manager->persist($prospectQualified);
 
+        $addressQualified = new Address();
+        $addressQualified->setLabel('Principale');
+        $addressQualified->setStreet('22 rue du Commerce');
+        $addressQualified->setCity('Bordeaux');
+        $addressQualified->setPostalCode('33000');
+        $addressQualified->setCountry('FR');
+        $addressQualified->setProspect($prospectQualified);
+        $manager->persist($addressQualified);
+
         $prospectWon = new Prospect();
         $prospectWon->setName('Sophie Bernard');
         $prospectWon->setCompany('ACME Corp');
         $prospectWon->setEmail('contact@acme.com');
         $prospectWon->setPhone('01 23 45 67 89');
-        $prospectWon->setCity('Paris');
-        $prospectWon->setPostalCode('75002');
         $prospectWon->setStatus(ProspectStatus::Won);
         $prospectWon->setSource('Recommandation');
         $prospectWon->setConvertedClient($clientAcme);
         $manager->persist($prospectWon);
 
+        $addressWon = new Address();
+        $addressWon->setLabel('Principale');
+        $addressWon->setCity('Paris');
+        $addressWon->setPostalCode('75002');
+        $addressWon->setCountry('FR');
+        $addressWon->setProspect($prospectWon);
+        $manager->persist($addressWon);
+
         // Workflow par défaut
         $standardWorkflow = new Workflow();
         $standardWorkflow->setName('Standard');
diff --git a/src/Module/Directory/Domain/Entity/Client.php b/src/Module/Directory/Domain/Entity/Client.php
index eb28ae0..9d420be 100644
--- a/src/Module/Directory/Domain/Entity/Client.php
+++ b/src/Module/Directory/Domain/Entity/Client.php
@@ -58,18 +58,6 @@ class Client implements ClientInterface, TimestampableInterface, BlamableInterfa
     #[Groups(['client:read', 'client:write'])]
     private ?string $phone = null;
 
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $street = null;
-
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $city = null;
-
-    #[ORM\Column(length: 20, nullable: true)]
-    #[Groups(['client:read', 'client:write'])]
-    private ?string $postalCode = null;
-
     /** @var Collection<int, ProjectInterface> */
     #[ORM\OneToMany(targetEntity: ProjectInterface::class, mappedBy: 'client')]
     private Collection $projects;
@@ -120,42 +108,6 @@ class Client implements ClientInterface, TimestampableInterface, BlamableInterfa
         return $this;
     }
 
-    public function getStreet(): ?string
-    {
-        return $this->street;
-    }
-
-    public function setStreet(?string $street): static
-    {
-        $this->street = $street;
-
-        return $this;
-    }
-
-    public function getCity(): ?string
-    {
-        return $this->city;
-    }
-
-    public function setCity(?string $city): static
-    {
-        $this->city = $city;
-
-        return $this;
-    }
-
-    public function getPostalCode(): ?string
-    {
-        return $this->postalCode;
-    }
-
-    public function setPostalCode(?string $postalCode): static
-    {
-        $this->postalCode = $postalCode;
-
-        return $this;
-    }
-
     /** @return Collection<int, ProjectInterface> */
     public function getProjects(): Collection
     {
diff --git a/src/Module/Directory/Domain/Entity/Prospect.php b/src/Module/Directory/Domain/Entity/Prospect.php
index 2806fd7..cd0f213 100644
--- a/src/Module/Directory/Domain/Entity/Prospect.php
+++ b/src/Module/Directory/Domain/Entity/Prospect.php
@@ -71,18 +71,6 @@ class Prospect implements TimestampableInterface, BlamableInterface
     #[Groups(['prospect:read', 'prospect:write'])]
     private ?string $phone = null;
 
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['prospect:read', 'prospect:write'])]
-    private ?string $street = null;
-
-    #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['prospect:read', 'prospect:write'])]
-    private ?string $city = null;
-
-    #[ORM\Column(length: 20, nullable: true)]
-    #[Groups(['prospect:read', 'prospect:write'])]
-    private ?string $postalCode = null;
-
     #[ORM\Column(type: Types::STRING, length: 32, enumType: ProspectStatus::class)]
     #[Groups(['prospect:read', 'prospect:write'])]
     private ProspectStatus $status = ProspectStatus::New;
@@ -153,42 +141,6 @@ class Prospect implements TimestampableInterface, BlamableInterface
         return $this;
     }
 
-    public function getStreet(): ?string
-    {
-        return $this->street;
-    }
-
-    public function setStreet(?string $street): static
-    {
-        $this->street = $street;
-
-        return $this;
-    }
-
-    public function getCity(): ?string
-    {
-        return $this->city;
-    }
-
-    public function setCity(?string $city): static
-    {
-        $this->city = $city;
-
-        return $this;
-    }
-
-    public function getPostalCode(): ?string
-    {
-        return $this->postalCode;
-    }
-
-    public function setPostalCode(?string $postalCode): static
-    {
-        $this->postalCode = $postalCode;
-
-        return $this;
-    }
-
     public function getStatus(): ProspectStatus
     {
         return $this->status;
diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
index 51d801a..7c62c93 100644
--- a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
@@ -47,9 +47,6 @@ final readonly class ConvertProspectProcessor implements ProcessorInterface
         $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
         $client->setEmail($prospect->getEmail());
         $client->setPhone($prospect->getPhone());
-        $client->setStreet($prospect->getStreet());
-        $client->setCity($prospect->getCity());
-        $client->setPostalCode($prospect->getPostalCode());
 
         $this->entityManager->persist($client);
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
index 22d81d3..b52595b 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
@@ -41,9 +41,6 @@ class ConvertProspectTool
             $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
             $client->setEmail($prospect->getEmail());
             $client->setPhone($prospect->getPhone());
-            $client->setStreet($prospect->getStreet());
-            $client->setCity($prospect->getCity());
-            $client->setPostalCode($prospect->getPostalCode());
 
             $this->entityManager->persist($client);
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
index af39f52..cef763d 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateClientTool.php
@@ -23,9 +23,6 @@ class CreateClientTool
         string $name,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
     ): string {
         if (!$this->security->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
@@ -35,9 +32,6 @@ class CreateClientTool
         $client->setName($name);
         $client->setEmail($email);
         $client->setPhone($phone);
-        $client->setStreet($street);
-        $client->setCity($city);
-        $client->setPostalCode($postalCode);
 
         $this->entityManager->persist($client);
         $this->entityManager->flush();
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
index ddce7c0..7230599 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/CreateProspectTool.php
@@ -28,9 +28,6 @@ class CreateProspectTool
         ?string $company = null,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
         ?string $status = null,
         ?string $source = null,
         ?string $notes = null,
@@ -44,9 +41,6 @@ class CreateProspectTool
         $prospect->setCompany($company);
         $prospect->setEmail($email);
         $prospect->setPhone($phone);
-        $prospect->setStreet($street);
-        $prospect->setCity($city);
-        $prospect->setPostalCode($postalCode);
         $prospect->setSource($source);
         $prospect->setNotes($notes);
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
index 145cd6c..f780006 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateClientTool.php
@@ -28,9 +28,6 @@ class UpdateClientTool
         ?string $name = null,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
     ): string {
         if (!$this->security->isGranted('ROLE_ADMIN')) {
             throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
@@ -50,15 +47,6 @@ class UpdateClientTool
         if (null !== $phone) {
             $client->setPhone($phone);
         }
-        if (null !== $street) {
-            $client->setStreet($street);
-        }
-        if (null !== $city) {
-            $client->setCity($city);
-        }
-        if (null !== $postalCode) {
-            $client->setPostalCode($postalCode);
-        }
 
         $this->entityManager->flush();
 
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
index e411200..d4dfb72 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/UpdateProspectTool.php
@@ -30,9 +30,6 @@ class UpdateProspectTool
         ?string $company = null,
         ?string $email = null,
         ?string $phone = null,
-        ?string $street = null,
-        ?string $city = null,
-        ?string $postalCode = null,
         ?string $status = null,
         ?string $source = null,
         ?string $notes = null,
@@ -58,15 +55,6 @@ class UpdateProspectTool
         if (null !== $phone) {
             $prospect->setPhone($phone);
         }
-        if (null !== $street) {
-            $prospect->setStreet($street);
-        }
-        if (null !== $city) {
-            $prospect->setCity($city);
-        }
-        if (null !== $postalCode) {
-            $prospect->setPostalCode($postalCode);
-        }
         if (null !== $status) {
             $statusEnum = ProspectStatus::tryFrom($status);
             if (null === $statusEnum) {
diff --git a/src/Shared/Infrastructure/Mcp/Serializer.php b/src/Shared/Infrastructure/Mcp/Serializer.php
index 74ff602..c8269d7 100644
--- a/src/Shared/Infrastructure/Mcp/Serializer.php
+++ b/src/Shared/Infrastructure/Mcp/Serializer.php
@@ -366,13 +366,10 @@ final class Serializer
     public static function client(Client $c): array
     {
         return [
-            'id'         => $c->getId(),
-            'name'       => $c->getName(),
-            'email'      => $c->getEmail(),
-            'phone'      => $c->getPhone(),
-            'street'     => $c->getStreet(),
-            'city'       => $c->getCity(),
-            'postalCode' => $c->getPostalCode(),
+            'id'    => $c->getId(),
+            'name'  => $c->getName(),
+            'email' => $c->getEmail(),
+            'phone' => $c->getPhone(),
         ];
     }
 
@@ -389,9 +386,6 @@ final class Serializer
             'company'         => $p->getCompany(),
             'email'           => $p->getEmail(),
             'phone'           => $p->getPhone(),
-            'street'          => $p->getStreet(),
-            'city'            => $p->getCity(),
-            'postalCode'      => $p->getPostalCode(),
             'status'          => $p->getStatus()->value,
             'statusLabel'     => $p->getStatus()->label(),
             'source'          => $p->getSource(),
diff --git a/tests/Functional/Module/Directory/ProspectConversionTest.php b/tests/Functional/Module/Directory/ProspectConversionTest.php
index 852b2f8..5bbf7b0 100644
--- a/tests/Functional/Module/Directory/ProspectConversionTest.php
+++ b/tests/Functional/Module/Directory/ProspectConversionTest.php
@@ -32,9 +32,6 @@ class ProspectConversionTest extends KernelTestCase
         $prospect->setCompany('Lead Company '.uniqid());
         $prospect->setEmail('lead@example.com');
         $prospect->setPhone('06 00 00 00 00');
-        $prospect->setStreet('1 rue du Test');
-        $prospect->setCity('Testville');
-        $prospect->setPostalCode('00000');
         $prospect->setStatus(ProspectStatus::Qualified);
         $this->em->persist($prospect);
         $this->em->flush();
-- 
2.39.5


From d95f14dadc98989b89de02138e51e6fe5849e5c7 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 12:13:14 +0200
Subject: [PATCH 83/99] feat(directory) : carry over contacts/addresses/reports
 on prospect conversion

---
 .../State/ConvertProspectProcessor.php        | 38 +++++++++--
 .../Mcp/Tool/ConvertProspectTool.php          | 32 +++++++++
 .../ConvertProspectProcessorTest.php          | 67 +++++++++++++++++++
 3 files changed, 133 insertions(+), 4 deletions(-)
 create mode 100644 tests/Module/Directory/ConvertProspectProcessorTest.php

diff --git a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
index 7c62c93..94e5067 100644
--- a/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
+++ b/src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php
@@ -6,7 +6,10 @@ namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
 
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\Address;
 use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
 use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
@@ -14,11 +17,10 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
- * Converts a Prospect into a Client.
+ * Converts a Prospect into a Client and reassigns its contacts, addresses and
+ * commercial reports to the new client (preserving the commercial history).
  *
- * Loads the Prospect via the URI id, creates a Client (name = company or name,
- * copying contact details), links it back via convertedClient and flags the
- * prospect as Won. Idempotent: if already converted, returns it unchanged.
+ * Idempotent: if already converted, returns it unchanged.
  *
  * @implements ProcessorInterface<Prospect, Prospect>
  */
@@ -50,6 +52,10 @@ final readonly class ConvertProspectProcessor implements ProcessorInterface
 
         $this->entityManager->persist($client);
 
+        $this->reassignContacts($prospect, $client);
+        $this->reassignAddresses($prospect, $client);
+        $this->reassignReports($prospect, $client);
+
         $prospect->setConvertedClient($client);
         $prospect->setStatus(ProspectStatus::Won);
 
@@ -57,4 +63,28 @@ final readonly class ConvertProspectProcessor implements ProcessorInterface
 
         return $prospect;
     }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
 }
diff --git a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
index b52595b..a049837 100644
--- a/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
+++ b/src/Module/Directory/Infrastructure/Mcp/Tool/ConvertProspectTool.php
@@ -4,7 +4,11 @@ declare(strict_types=1);
 
 namespace App\Module\Directory\Infrastructure\Mcp\Tool;
 
+use App\Module\Directory\Domain\Entity\Address;
 use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
 use App\Module\Directory\Domain\Enum\ProspectStatus;
 use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
 use App\Shared\Infrastructure\Mcp\Serializer;
@@ -44,6 +48,10 @@ class ConvertProspectTool
 
             $this->entityManager->persist($client);
 
+            $this->reassignContacts($prospect, $client);
+            $this->reassignAddresses($prospect, $client);
+            $this->reassignReports($prospect, $client);
+
             $prospect->setConvertedClient($client);
             $prospect->setStatus(ProspectStatus::Won);
 
@@ -52,4 +60,28 @@ class ConvertProspectTool
 
         return json_encode(Serializer::prospect($prospect));
     }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
 }
diff --git a/tests/Module/Directory/ConvertProspectProcessorTest.php b/tests/Module/Directory/ConvertProspectProcessorTest.php
new file mode 100644
index 0000000..c232318
--- /dev/null
+++ b/tests/Module/Directory/ConvertProspectProcessorTest.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+/**
+ * @internal
+ */
+final class ConvertProspectProcessorTest extends KernelTestCase
+{
+    public function testConvertReassignsContactsAddressesAndReports(): void
+    {
+        self::bootKernel();
+
+        /** @var EntityManagerInterface $em */
+        $em = self::getContainer()->get(EntityManagerInterface::class);
+
+        $prospect = new Prospect();
+        $prospect->setName('Atelier Test');
+        $prospect->setCompany('Atelier Test SARL');
+        $em->persist($prospect);
+
+        $contact = new Contact()->setLastName('Durand')->setProspect($prospect);
+        $address = new Address()->setCity('Niort')->setProspect($prospect);
+        $report  = new CommercialReport()
+            ->setSubject('Premier contact')
+            ->setOccurredAt(new DateTimeImmutable('2026-06-01'))
+            ->setType(ReportType::Call)
+            ->setProspect($prospect)
+        ;
+        $em->persist($contact);
+        $em->persist($address);
+        $em->persist($report);
+        $em->flush();
+
+        $processor = self::getContainer()->get(ConvertProspectProcessor::class);
+        $operation = new Post();
+        $processor->process($prospect, $operation, ['id' => $prospect->getId()]);
+
+        $em->refresh($contact);
+        $em->refresh($address);
+        $em->refresh($report);
+
+        $client = $prospect->getConvertedClient();
+        self::assertNotNull($client, 'Prospect should be converted to a client');
+
+        // Invariants (pas de counts absolus) : chaque sous-entité pointe vers le client, plus vers le prospect.
+        self::assertSame($client->getId(), $contact->getClient()?->getId());
+        self::assertNull($contact->getProspect());
+        self::assertSame($client->getId(), $address->getClient()?->getId());
+        self::assertNull($address->getProspect());
+        self::assertSame($client->getId(), $report->getClient()?->getId());
+        self::assertNull($report->getProspect());
+    }
+}
-- 
2.39.5


From bc9c036d1fc975effc054d72e09721c7e41afa20 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:34:41 +0200
Subject: [PATCH 84/99] feat(directory) : add frontend DTOs for contacts,
 addresses, reports

---
 .../modules/directory/services/dto/address.ts | 23 ++++++++++++++++
 .../services/dto/commercial-report.ts         | 27 +++++++++++++++++++
 .../modules/directory/services/dto/contact.ts | 23 ++++++++++++++++
 .../directory/services/dto/report-document.ts | 13 +++++++++
 4 files changed, 86 insertions(+)
 create mode 100644 frontend/modules/directory/services/dto/address.ts
 create mode 100644 frontend/modules/directory/services/dto/commercial-report.ts
 create mode 100644 frontend/modules/directory/services/dto/contact.ts
 create mode 100644 frontend/modules/directory/services/dto/report-document.ts

diff --git a/frontend/modules/directory/services/dto/address.ts b/frontend/modules/directory/services/dto/address.ts
new file mode 100644
index 0000000..f66d3a9
--- /dev/null
+++ b/frontend/modules/directory/services/dto/address.ts
@@ -0,0 +1,23 @@
+export type Address = {
+    id: number
+    '@id'?: string
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+
+export type AddressWrite = {
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/modules/directory/services/dto/commercial-report.ts b/frontend/modules/directory/services/dto/commercial-report.ts
new file mode 100644
index 0000000..bdfaccc
--- /dev/null
+++ b/frontend/modules/directory/services/dto/commercial-report.ts
@@ -0,0 +1,27 @@
+import type { ReportDocument } from './report-document'
+
+export type ReportType = 'call' | 'meeting' | 'email' | 'note'
+
+export type CommercialReport = {
+    id: number
+    '@id'?: string
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    author?: { id: number, username: string } | null
+    client?: string | null
+    prospect?: string | null
+    documents?: ReportDocument[]
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type CommercialReportWrite = {
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/modules/directory/services/dto/contact.ts b/frontend/modules/directory/services/dto/contact.ts
new file mode 100644
index 0000000..eead371
--- /dev/null
+++ b/frontend/modules/directory/services/dto/contact.ts
@@ -0,0 +1,23 @@
+export type Contact = {
+    id: number
+    '@id'?: string
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+
+export type ContactWrite = {
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
diff --git a/frontend/modules/directory/services/dto/report-document.ts b/frontend/modules/directory/services/dto/report-document.ts
new file mode 100644
index 0000000..c97100c
--- /dev/null
+++ b/frontend/modules/directory/services/dto/report-document.ts
@@ -0,0 +1,13 @@
+import type { UserData } from '~/services/dto/user-data'
+
+export type ReportDocument = {
+    '@id'?: string
+    id: number
+    commercialReport: string
+    originalName: string
+    fileName?: string | null
+    mimeType: string
+    size: number
+    createdAt: string
+    uploadedBy?: UserData | null
+}
-- 
2.39.5


From dd78f6c2758d04e70206a64425956ee72f23b3e6 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:34:51 +0200
Subject: [PATCH 85/99] feat(directory) : add frontend services for contacts,
 addresses, reports, documents

---
 .../modules/directory/services/addresses.ts   | 32 +++++++++++++++
 .../directory/services/commercial-reports.ts  | 32 +++++++++++++++
 .../modules/directory/services/contacts.ts    | 32 +++++++++++++++
 .../directory/services/report-documents.ts    | 39 +++++++++++++++++++
 4 files changed, 135 insertions(+)
 create mode 100644 frontend/modules/directory/services/addresses.ts
 create mode 100644 frontend/modules/directory/services/commercial-reports.ts
 create mode 100644 frontend/modules/directory/services/contacts.ts
 create mode 100644 frontend/modules/directory/services/report-documents.ts

diff --git a/frontend/modules/directory/services/addresses.ts b/frontend/modules/directory/services/addresses.ts
new file mode 100644
index 0000000..3676e8f
--- /dev/null
+++ b/frontend/modules/directory/services/addresses.ts
@@ -0,0 +1,32 @@
+import type { Address, AddressWrite } from './dto/address'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useAddressService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Address[]> {
+        const data = await api.get<HydraCollection<Address>>('/addresses', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: AddressWrite): Promise<Address> {
+        return api.post<Address>('/addresses', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<AddressWrite>): Promise<Address> {
+        return api.patch<Address>(`/addresses/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/addresses/${id}`, {}, { toastSuccessKey: 'directory.addresses.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/modules/directory/services/commercial-reports.ts b/frontend/modules/directory/services/commercial-reports.ts
new file mode 100644
index 0000000..4f27deb
--- /dev/null
+++ b/frontend/modules/directory/services/commercial-reports.ts
@@ -0,0 +1,32 @@
+import type { CommercialReport, CommercialReportWrite } from './dto/commercial-report'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useCommercialReportService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<CommercialReport[]> {
+        const data = await api.get<HydraCollection<CommercialReport>>('/commercial_reports', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: CommercialReportWrite): Promise<CommercialReport> {
+        return api.post<CommercialReport>('/commercial_reports', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<CommercialReportWrite>): Promise<CommercialReport> {
+        return api.patch<CommercialReport>(`/commercial_reports/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/commercial_reports/${id}`, {}, { toastSuccessKey: 'directory.reports.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/modules/directory/services/contacts.ts b/frontend/modules/directory/services/contacts.ts
new file mode 100644
index 0000000..551b3d2
--- /dev/null
+++ b/frontend/modules/directory/services/contacts.ts
@@ -0,0 +1,32 @@
+import type { Contact, ContactWrite } from './dto/contact'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useContactService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Contact[]> {
+        const data = await api.get<HydraCollection<Contact>>('/contacts', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: ContactWrite): Promise<Contact> {
+        return api.post<Contact>('/contacts', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ContactWrite>): Promise<Contact> {
+        return api.patch<Contact>(`/contacts/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/contacts/${id}`, {}, { toastSuccessKey: 'directory.contacts.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
diff --git a/frontend/modules/directory/services/report-documents.ts b/frontend/modules/directory/services/report-documents.ts
new file mode 100644
index 0000000..3306496
--- /dev/null
+++ b/frontend/modules/directory/services/report-documents.ts
@@ -0,0 +1,39 @@
+import type { ReportDocument } from './dto/report-document'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+import { $fetch } from 'ofetch'
+
+export function useReportDocumentService() {
+    const api = useApi()
+    const config = useRuntimeConfig()
+    const baseURL = config.public.apiBase || '/api'
+
+    async function getByReport(reportId: number): Promise<ReportDocument[]> {
+        const data = await api.get<HydraCollection<ReportDocument>>('/report_documents', {
+            commercialReport: `/api/commercial_reports/${reportId}`,
+        })
+        return extractHydraMembers(data)
+    }
+
+    async function upload(reportId: number, file: File): Promise<ReportDocument> {
+        const formData = new FormData()
+        formData.append('file', file)
+        formData.append('commercialReport', `/api/commercial_reports/${reportId}`)
+
+        return $fetch<ReportDocument>(`${baseURL}/report_documents`, {
+            method: 'POST',
+            body: formData,
+            credentials: 'include',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/report_documents/${id}`, {}, { toastSuccessKey: 'directory.documents.deleted' })
+    }
+
+    function getDownloadUrl(id: number): string {
+        return `${baseURL}/report_documents/${id}/download`
+    }
+
+    return { getByReport, upload, remove, getDownloadUrl }
+}
-- 
2.39.5


From 1bd9d5bc56bf0076cae85e4714471801157ec4a0 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:37:10 +0200
Subject: [PATCH 86/99] feat(directory) : add repeatable contact block
 component

---
 .../components/DirectoryContactBlock.vue      | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 frontend/modules/directory/components/DirectoryContactBlock.vue

diff --git a/frontend/modules/directory/components/DirectoryContactBlock.vue b/frontend/modules/directory/components/DirectoryContactBlock.vue
new file mode 100644
index 0000000..57a5ca6
--- /dev/null
+++ b/frontend/modules/directory/components/DirectoryContactBlock.vue
@@ -0,0 +1,73 @@
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            :label="$t('directory.contacts.fields.lastName')"
+            :model-value="modelValue.lastName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('lastName', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.firstName')"
+            :model-value="modelValue.firstName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('firstName', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.contacts.fields.jobTitle')"
+            :model-value="modelValue.jobTitle ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('jobTitle', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.email')"
+            :model-value="modelValue.email ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('email', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phonePrimary')"
+            :model-value="modelValue.phonePrimary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phonePrimary', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phoneSecondary')"
+            :model-value="modelValue.phoneSecondary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phoneSecondary', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Contact } from '~/modules/directory/services/dto/contact'
+
+const props = defineProps<{
+    modelValue: Contact
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Contact]
+    'remove': []
+}>()
+
+function update(field: keyof Contact, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
-- 
2.39.5


From 00b9677e8e9b8f106271351f161cf0f30f099553 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:37:20 +0200
Subject: [PATCH 87/99] feat(directory) : add repeatable address block
 component

---
 .../components/DirectoryAddressBlock.vue      | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 frontend/modules/directory/components/DirectoryAddressBlock.vue

diff --git a/frontend/modules/directory/components/DirectoryAddressBlock.vue b/frontend/modules/directory/components/DirectoryAddressBlock.vue
new file mode 100644
index 0000000..67c1327
--- /dev/null
+++ b/frontend/modules/directory/components/DirectoryAddressBlock.vue
@@ -0,0 +1,69 @@
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.label')"
+            :model-value="modelValue.label ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('label', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.street')"
+            :model-value="modelValue.street ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('street', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.streetComplement')"
+            :model-value="modelValue.streetComplement ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('streetComplement', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.postalCode')"
+            :model-value="modelValue.postalCode ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('postalCode', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.city')"
+            :model-value="modelValue.city ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('city', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Address } from '~/modules/directory/services/dto/address'
+
+const props = defineProps<{
+    modelValue: Address
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Address]
+    'remove': []
+}>()
+
+function update(field: keyof Address, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
-- 
2.39.5


From f90d30975eb0f8189c9333a50e850effd70185d3 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:38:08 +0200
Subject: [PATCH 88/99] feat(directory) : add report document upload/list
 components

---
 .../components/ReportDocumentList.vue         | 42 +++++++++++++++++
 .../components/ReportDocumentUpload.vue       | 45 +++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 frontend/modules/directory/components/ReportDocumentList.vue
 create mode 100644 frontend/modules/directory/components/ReportDocumentUpload.vue

diff --git a/frontend/modules/directory/components/ReportDocumentList.vue b/frontend/modules/directory/components/ReportDocumentList.vue
new file mode 100644
index 0000000..705f9dd
--- /dev/null
+++ b/frontend/modules/directory/components/ReportDocumentList.vue
@@ -0,0 +1,42 @@
+<template>
+    <ul v-if="documents.length" class="flex flex-col gap-2">
+        <li
+            v-for="doc in documents"
+            :key="doc.id"
+            class="flex items-center justify-between rounded border border-neutral-200 px-3 py-2"
+        >
+            <a
+                :href="downloadUrl(doc.id)"
+                target="_blank"
+                rel="noopener"
+                class="flex items-center gap-2 text-sm text-blue-700 hover:underline"
+            >
+                <Icon name="mdi:file-document-outline" />
+                {{ doc.originalName }}
+            </a>
+            <MalioButtonIcon
+                v-if="isAdmin"
+                icon="mdi:trash-can-outline"
+                button-class="!text-red-600"
+                :aria-label="$t('common.delete')"
+                @click="$emit('delete', doc.id)"
+            />
+        </li>
+    </ul>
+    <p v-else class="text-sm text-neutral-400">
+        {{ $t('directory.documents.empty') }}
+    </p>
+</template>
+
+<script setup lang="ts">
+import type { ReportDocument } from '~/modules/directory/services/dto/report-document'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+defineProps<{ documents: ReportDocument[], isAdmin: boolean }>()
+defineEmits<{ delete: [id: number] }>()
+
+const { getDownloadUrl } = useReportDocumentService()
+function downloadUrl(id: number): string {
+    return getDownloadUrl(id)
+}
+</script>
diff --git a/frontend/modules/directory/components/ReportDocumentUpload.vue b/frontend/modules/directory/components/ReportDocumentUpload.vue
new file mode 100644
index 0000000..14625bc
--- /dev/null
+++ b/frontend/modules/directory/components/ReportDocumentUpload.vue
@@ -0,0 +1,45 @@
+<template>
+    <div class="flex items-center gap-3">
+        <input
+            ref="fileInput"
+            type="file"
+            class="hidden"
+            @change="onFileSelected"
+        >
+        <MalioButton
+            icon-name="mdi:paperclip"
+            icon-position="left"
+            button-class="w-auto px-4"
+            :label="$t('directory.documents.add')"
+            :disabled="uploading"
+            @click="fileInput?.click()"
+        />
+        <span v-if="uploading" class="text-sm text-neutral-500">{{ $t('directory.documents.uploading') }}</span>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{ reportId: number }>()
+const emit = defineEmits<{ uploaded: [] }>()
+
+const service = useReportDocumentService()
+const fileInput = ref<HTMLInputElement | null>(null)
+const uploading = ref(false)
+
+async function onFileSelected(event: Event): Promise<void> {
+    const input = event.target as HTMLInputElement
+    const file = input.files?.[0]
+    if (!file) return
+
+    uploading.value = true
+    try {
+        await service.upload(props.reportId, file)
+        emit('uploaded')
+    } finally {
+        uploading.value = false
+        input.value = ''
+    }
+}
+</script>
-- 
2.39.5


From bf7253c52f04f4720718fadaf9d1ed7bc3eaba42 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:39:34 +0200
Subject: [PATCH 89/99] feat(directory) : add commercial report tab (list,
 form, documents)

---
 .../components/CommercialReportTab.vue        | 160 ++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100644 frontend/modules/directory/components/CommercialReportTab.vue

diff --git a/frontend/modules/directory/components/CommercialReportTab.vue b/frontend/modules/directory/components/CommercialReportTab.vue
new file mode 100644
index 0000000..e29c78c
--- /dev/null
+++ b/frontend/modules/directory/components/CommercialReportTab.vue
@@ -0,0 +1,160 @@
+<template>
+    <div class="flex flex-col gap-6 pt-6">
+        <!-- Formulaire d'ajout / édition -->
+        <div v-if="isAdmin" class="grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+            <MalioInputText
+                class="col-span-2"
+                :label="$t('directory.reports.fields.subject')"
+                v-model="draft.subject"
+            />
+            <MalioSelect
+                :label="$t('directory.reports.fields.type')"
+                v-model="draft.type"
+                :options="typeOptions"
+                group-class="w-full"
+            />
+            <MalioDate
+                :label="$t('directory.reports.fields.occurredAt')"
+                v-model="draft.occurredAt"
+            />
+            <MalioInputTextArea
+                class="col-span-2"
+                :label="$t('directory.reports.fields.body')"
+                v-model="draft.body"
+            />
+            <div class="col-span-2 flex justify-end gap-3">
+                <MalioButton
+                    v-if="editingId"
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('common.cancel')"
+                    @click="resetDraft"
+                />
+                <MalioButton
+                    button-class="w-auto px-4"
+                    :label="editingId ? $t('common.save') : $t('directory.reports.add')"
+                    :disabled="!draft.subject"
+                    @click="save"
+                />
+            </div>
+        </div>
+
+        <!-- Liste des comptes-rendus -->
+        <div v-for="report in reports" :key="report.id" class="rounded border border-neutral-200 p-4">
+            <div class="flex items-start justify-between">
+                <div>
+                    <p class="font-semibold text-neutral-800">{{ report.subject }}</p>
+                    <p class="text-xs text-neutral-500">
+                        {{ formatDate(report.occurredAt) }} · {{ $t(`directory.reports.types.${report.type}`) }}
+                        <span v-if="report.author"> · {{ report.author.username }}</span>
+                    </p>
+                </div>
+                <div v-if="isAdmin" class="flex gap-2">
+                    <MalioButtonIcon icon="mdi:pencil-outline" :aria-label="$t('common.edit')" @click="edit(report)" />
+                    <MalioButtonIcon icon="mdi:trash-can-outline" button-class="!text-red-600" :aria-label="$t('common.delete')" @click="remove(report.id)" />
+                </div>
+            </div>
+            <p v-if="report.body" class="mt-2 whitespace-pre-wrap text-sm text-neutral-700">{{ report.body }}</p>
+
+            <div class="mt-3 flex flex-col gap-2">
+                <ReportDocumentList
+                    :documents="report.documents ?? []"
+                    :is-admin="isAdmin"
+                    @delete="(id) => removeDocument(report, id)"
+                />
+                <ReportDocumentUpload
+                    v-if="isAdmin"
+                    :report-id="report.id"
+                    @uploaded="reload"
+                />
+            </div>
+        </div>
+
+        <p v-if="!reports.length" class="text-sm text-neutral-400">
+            {{ $t('directory.reports.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { CommercialReport, CommercialReportWrite, ReportType } from '~/modules/directory/services/dto/commercial-report'
+import { useCommercialReportService } from '~/modules/directory/services/commercial-reports'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{
+    owner: { client?: string, prospect?: string }
+    isAdmin: boolean
+}>()
+
+const { t } = useI18n()
+const reportService = useCommercialReportService()
+const documentService = useReportDocumentService()
+
+const reports = ref<CommercialReport[]>([])
+const editingId = ref<number | null>(null)
+
+function emptyDraft(): CommercialReportWrite {
+    return {
+        subject: '',
+        body: null,
+        occurredAt: new Date().toISOString().slice(0, 10),
+        type: 'note',
+        ...props.owner,
+    }
+}
+const draft = ref<CommercialReportWrite>(emptyDraft())
+
+const typeOptions: { label: string, value: ReportType }[] = [
+    { label: t('directory.reports.types.call'), value: 'call' },
+    { label: t('directory.reports.types.meeting'), value: 'meeting' },
+    { label: t('directory.reports.types.email'), value: 'email' },
+    { label: t('directory.reports.types.note'), value: 'note' },
+]
+
+function formatDate(iso: string): string {
+    return new Date(iso).toLocaleDateString('fr-FR')
+}
+
+async function reload(): Promise<void> {
+    reports.value = await reportService.getByOwner(props.owner)
+}
+
+function resetDraft(): void {
+    editingId.value = null
+    draft.value = emptyDraft()
+}
+
+function edit(report: CommercialReport): void {
+    editingId.value = report.id
+    draft.value = {
+        subject: report.subject,
+        body: report.body,
+        occurredAt: report.occurredAt.slice(0, 10),
+        type: report.type,
+        ...props.owner,
+    }
+}
+
+async function save(): Promise<void> {
+    if (editingId.value) {
+        await reportService.update(editingId.value, draft.value)
+    } else {
+        await reportService.create(draft.value)
+    }
+    resetDraft()
+    await reload()
+}
+
+async function remove(id: number): Promise<void> {
+    await reportService.remove(id)
+    await reload()
+}
+
+async function removeDocument(report: CommercialReport, id: number): Promise<void> {
+    await documentService.remove(id)
+    await reload()
+}
+
+onMounted(reload)
+watch(() => props.owner, reload, { deep: true })
+</script>
-- 
2.39.5


From e19e392adb6207cdba1b303f02f9681b0be2710a Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:42:47 +0200
Subject: [PATCH 90/99] feat(directory) : add client detail page with
 contact/address/report tabs

---
 .../composables/useDirectoryDetail.ts         |  92 +++++++++++++++
 .../pages/directory/clients/[id].vue          | 107 ++++++++++++++++++
 .../modules/directory/services/clients.ts     |   6 +-
 3 files changed, 204 insertions(+), 1 deletion(-)
 create mode 100644 frontend/modules/directory/composables/useDirectoryDetail.ts
 create mode 100644 frontend/modules/directory/pages/directory/clients/[id].vue

diff --git a/frontend/modules/directory/composables/useDirectoryDetail.ts b/frontend/modules/directory/composables/useDirectoryDetail.ts
new file mode 100644
index 0000000..122c4cf
--- /dev/null
+++ b/frontend/modules/directory/composables/useDirectoryDetail.ts
@@ -0,0 +1,92 @@
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+type Owner = { client?: string, prospect?: string }
+
+/**
+ * Logique partagée des fiches détail Client/Prospect : gestion des blocs
+ * répétables Contact et Adresse (chargement, ajout, édition par bloc avec
+ * persistance immédiate, suppression). Paramétré par l'IRI du propriétaire
+ * (`{ client }` ou `{ prospect }`), réutilisé tel quel par les deux pages.
+ */
+export function useDirectoryDetail(owner: Owner) {
+    const contactService = useContactService()
+    const addressService = useAddressService()
+
+    const contacts = ref<Contact[]>([])
+    const addresses = ref<Address[]>([])
+
+    function emptyContact(): Contact {
+        return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, ...owner }
+    }
+    function emptyAddress(): Address {
+        return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', ...owner }
+    }
+
+    async function onContactInput(index: number, value: Contact): Promise<void> {
+        contacts.value[index] = value
+        await persistContact(index)
+    }
+    async function persistContact(index: number): Promise<void> {
+        const c = contacts.value[index]
+        if (!c) return
+        const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, ...owner }
+        if (c.id && c.id > 0) {
+            await contactService.update(c.id, payload)
+        } else if (c.lastName || c.firstName) {
+            const created = await contactService.create(payload)
+            contacts.value[index] = created
+        }
+    }
+    function addContact(): void {
+        contacts.value.push(emptyContact())
+    }
+    async function removeContact(index: number): Promise<void> {
+        const c = contacts.value[index]
+        if (c?.id && c.id > 0) await contactService.remove(c.id)
+        contacts.value.splice(index, 1)
+    }
+
+    async function onAddressInput(index: number, value: Address): Promise<void> {
+        addresses.value[index] = value
+        await persistAddress(index)
+    }
+    async function persistAddress(index: number): Promise<void> {
+        const a = addresses.value[index]
+        if (!a) return
+        const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, ...owner }
+        if (a.id && a.id > 0) {
+            await addressService.update(a.id, payload)
+        } else if (a.street || a.city || a.postalCode) {
+            const created = await addressService.create(payload)
+            addresses.value[index] = created
+        }
+    }
+    function addAddress(): void {
+        addresses.value.push(emptyAddress())
+    }
+    async function removeAddress(index: number): Promise<void> {
+        const a = addresses.value[index]
+        if (a?.id && a.id > 0) await addressService.remove(a.id)
+        addresses.value.splice(index, 1)
+    }
+
+    async function load(): Promise<void> {
+        contacts.value = await contactService.getByOwner(owner)
+        addresses.value = await addressService.getByOwner(owner)
+    }
+
+    return {
+        contacts,
+        addresses,
+        onContactInput,
+        addContact,
+        removeContact,
+        onAddressInput,
+        addAddress,
+        removeAddress,
+        load,
+    }
+}
diff --git a/frontend/modules/directory/pages/directory/clients/[id].vue b/frontend/modules/directory/pages/directory/clients/[id].vue
new file mode 100644
index 0000000..28c723a
--- /dev/null
+++ b/frontend/modules/directory/pages/directory/clients/[id].vue
@@ -0,0 +1,107 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ client?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="client">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import { useClientService } from '~/modules/directory/services/clients'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/clients/${id}`
+const owner = { client: ownerIri }
+
+const clientService = useClientService()
+const {
+    contacts,
+    addresses,
+    onContactInput,
+    addContact,
+    removeContact,
+    onAddressInput,
+    addAddress,
+    removeAddress,
+    load,
+} = useDirectoryDetail(owner)
+
+const client = ref<Client | null>(null)
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    client.value = await clientService.getById(id)
+    await load()
+    loading.value = false
+})
+</script>
diff --git a/frontend/modules/directory/services/clients.ts b/frontend/modules/directory/services/clients.ts
index 6a100be..05d73a4 100644
--- a/frontend/modules/directory/services/clients.ts
+++ b/frontend/modules/directory/services/clients.ts
@@ -10,6 +10,10 @@ export function useClientService() {
         return extractHydraMembers(data)
     }
 
+    async function getById(id: number): Promise<Client> {
+        return api.get<Client>(`/clients/${id}`)
+    }
+
     async function create(payload: ClientWrite): Promise<Client> {
         return api.post<Client>('/clients', payload as Record<string, unknown>, {
             toastSuccessKey: 'clients.created',
@@ -28,5 +32,5 @@ export function useClientService() {
         })
     }
 
-    return { getAll, create, update, remove }
+    return { getAll, getById, create, update, remove }
 }
-- 
2.39.5


From fb8cc790d7cf352a27191416dfe14f254b2e9b46 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:42:57 +0200
Subject: [PATCH 91/99] feat(directory) : add prospect detail page with
 contact/address/report tabs

---
 .../pages/directory/prospects/[id].vue        | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 frontend/modules/directory/pages/directory/prospects/[id].vue

diff --git a/frontend/modules/directory/pages/directory/prospects/[id].vue b/frontend/modules/directory/pages/directory/prospects/[id].vue
new file mode 100644
index 0000000..d621f5d
--- /dev/null
+++ b/frontend/modules/directory/pages/directory/prospects/[id].vue
@@ -0,0 +1,107 @@
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ prospect?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="prospect">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Prospect } from '~/modules/directory/services/dto/prospect'
+import { useProspectService } from '~/modules/directory/services/prospects'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/prospects/${id}`
+const owner = { prospect: ownerIri }
+
+const prospectService = useProspectService()
+const {
+    contacts,
+    addresses,
+    onContactInput,
+    addContact,
+    removeContact,
+    onAddressInput,
+    addAddress,
+    removeAddress,
+    load,
+} = useDirectoryDetail(owner)
+
+const prospect = ref<Prospect | null>(null)
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    prospect.value = await prospectService.getById(id)
+    await load()
+    loading.value = false
+})
+</script>
-- 
2.39.5


From 21eeb36766e052ec8c0e55518afc7d610c3218ad Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:46:05 +0200
Subject: [PATCH 92/99] feat(directory) : open detail page on row click, drop
 inline address from drawers

---
 .../directory/components/ClientDrawer.vue     | 27 -----------------
 .../directory/components/ProspectDrawer.vue   | 30 -------------------
 .../modules/directory/pages/directory.vue     | 10 ++-----
 .../modules/directory/services/dto/client.ts  |  6 ----
 .../directory/services/dto/prospect.ts        |  6 ----
 5 files changed, 2 insertions(+), 77 deletions(-)

diff --git a/frontend/modules/directory/components/ClientDrawer.vue b/frontend/modules/directory/components/ClientDrawer.vue
index ecd8e27..8534d6c 100644
--- a/frontend/modules/directory/components/ClientDrawer.vue
+++ b/frontend/modules/directory/components/ClientDrawer.vue
@@ -21,21 +21,6 @@
                 label="Téléphone"
                 input-class="w-full"
             />
-            <MalioInputText
-                v-model="form.street"
-                label="Rue"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.city"
-                label="Ville"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.postalCode"
-                label="Code Postal"
-                input-class="w-full"
-            />
 
             <div class="mt-6 flex justify-end">
                 <MalioButton
@@ -75,9 +60,6 @@ const form = reactive({
     name: '',
     email: '',
     phone: '',
-    street: '',
-    city: '',
-    postalCode: '',
 })
 
 const touched = reactive({
@@ -91,16 +73,10 @@ watch(() => props.modelValue, (open) => {
             form.name = props.client.name ?? ''
             form.email = props.client.email ?? ''
             form.phone = props.client.phone ?? ''
-            form.street = props.client.street ?? ''
-            form.city = props.client.city ?? ''
-            form.postalCode = props.client.postalCode ?? ''
         } else {
             form.name = ''
             form.email = ''
             form.phone = ''
-            form.street = ''
-            form.city = ''
-            form.postalCode = ''
         }
         touched.name = false
         touched.email = false
@@ -119,9 +95,6 @@ async function handleSubmit() {
             name: form.name.trim(),
             email: form.email.trim() || null,
             phone: form.phone.trim() || null,
-            street: form.street.trim() || null,
-            city: form.city.trim() || null,
-            postalCode: form.postalCode.trim() || null,
         }
 
         if (isEditing.value && props.client) {
diff --git a/frontend/modules/directory/components/ProspectDrawer.vue b/frontend/modules/directory/components/ProspectDrawer.vue
index 3921ef7..350939d 100644
--- a/frontend/modules/directory/components/ProspectDrawer.vue
+++ b/frontend/modules/directory/components/ProspectDrawer.vue
@@ -26,21 +26,6 @@
                 :label="$t('prospects.fields.phone')"
                 input-class="w-full"
             />
-            <MalioInputText
-                v-model="form.street"
-                :label="$t('prospects.fields.street')"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.city"
-                :label="$t('prospects.fields.city')"
-                input-class="w-full"
-            />
-            <MalioInputText
-                v-model="form.postalCode"
-                :label="$t('prospects.fields.postalCode')"
-                input-class="w-full"
-            />
             <MalioSelect
                 v-model="form.status"
                 :label="$t('prospects.fields.status')"
@@ -121,9 +106,6 @@ const form = reactive<{
     company: string
     email: string
     phone: string
-    street: string
-    city: string
-    postalCode: string
     status: ProspectStatus
     source: string
     notes: string
@@ -132,9 +114,6 @@ const form = reactive<{
     company: '',
     email: '',
     phone: '',
-    street: '',
-    city: '',
-    postalCode: '',
     status: 'new',
     source: '',
     notes: '',
@@ -151,9 +130,6 @@ watch(() => props.modelValue, (open) => {
             form.company = props.prospect.company ?? ''
             form.email = props.prospect.email ?? ''
             form.phone = props.prospect.phone ?? ''
-            form.street = props.prospect.street ?? ''
-            form.city = props.prospect.city ?? ''
-            form.postalCode = props.prospect.postalCode ?? ''
             form.status = props.prospect.status ?? 'new'
             form.source = props.prospect.source ?? ''
             form.notes = props.prospect.notes ?? ''
@@ -162,9 +138,6 @@ watch(() => props.modelValue, (open) => {
             form.company = ''
             form.email = ''
             form.phone = ''
-            form.street = ''
-            form.city = ''
-            form.postalCode = ''
             form.status = 'new'
             form.source = ''
             form.notes = ''
@@ -186,9 +159,6 @@ async function handleSubmit() {
             company: form.company.trim() || null,
             email: form.email.trim() || null,
             phone: form.phone.trim() || null,
-            street: form.street.trim() || null,
-            city: form.city.trim() || null,
-            postalCode: form.postalCode.trim() || null,
             status: form.status,
             source: form.source.trim() || null,
             notes: form.notes.trim() || null,
diff --git a/frontend/modules/directory/pages/directory.vue b/frontend/modules/directory/pages/directory.vue
index 2bdaae3..4c0e8db 100644
--- a/frontend/modules/directory/pages/directory.vue
+++ b/frontend/modules/directory/pages/directory.vue
@@ -31,9 +31,6 @@
                         <template #cell-phone="{ item }">
                             {{ (item as Client).phone ?? '—' }}
                         </template>
-                        <template #cell-city="{ item }">
-                            {{ (item as Client).city ?? '—' }}
-                        </template>
                     </MalioDataTable>
                 </div>
             </template>
@@ -142,7 +139,6 @@ const clientColumns = [
     { key: 'name', label: t('prospects.fields.name') },
     { key: 'email', label: t('prospects.fields.email') },
     { key: 'phone', label: t('prospects.fields.phone') },
-    { key: 'city', label: t('prospects.fields.city') },
 ]
 
 async function loadClients() {
@@ -155,8 +151,7 @@ function openCreateClient() {
 }
 
 function openEditClient(item: Record<string, unknown>) {
-    selectedClient.value = item as Client
-    clientDrawerOpen.value = true
+    navigateTo(`/directory/clients/${(item as Client).id}`)
 }
 
 // --- Prospects ---
@@ -215,8 +210,7 @@ function openCreateProspect() {
 }
 
 function openEditProspect(item: Record<string, unknown>) {
-    selectedProspect.value = item as Prospect
-    prospectDrawerOpen.value = true
+    navigateTo(`/directory/prospects/${(item as Prospect).id}`)
 }
 
 async function convertProspect(row: ProspectRow) {
diff --git a/frontend/modules/directory/services/dto/client.ts b/frontend/modules/directory/services/dto/client.ts
index 191931a..cb65b73 100644
--- a/frontend/modules/directory/services/dto/client.ts
+++ b/frontend/modules/directory/services/dto/client.ts
@@ -4,16 +4,10 @@ export type Client = {
     name: string
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
 }
 
 export type ClientWrite = {
     name: string
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
 }
diff --git a/frontend/modules/directory/services/dto/prospect.ts b/frontend/modules/directory/services/dto/prospect.ts
index 17a8f66..6d16590 100644
--- a/frontend/modules/directory/services/dto/prospect.ts
+++ b/frontend/modules/directory/services/dto/prospect.ts
@@ -9,9 +9,6 @@ export type Prospect = {
     company: string | null
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
     status: ProspectStatus
     source: string | null
     notes: string | null
@@ -25,9 +22,6 @@ export type ProspectWrite = {
     company: string | null
     email: string | null
     phone: string | null
-    street: string | null
-    city: string | null
-    postalCode: string | null
     status: ProspectStatus
     source: string | null
     notes: string | null
-- 
2.39.5


From cd7cb93bac3c3f72194f92a840849b4563e27a49 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:47:09 +0200
Subject: [PATCH 93/99] feat(directory) : add i18n keys for contacts,
 addresses, reports tabs

---
 frontend/i18n/locales/fr.json | 59 +++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index db34baa..9c9c74a 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -425,7 +425,8 @@
     "day": "Jour",
     "weekShort": "Sem.",
     "submit": "Soumettre",
-    "close": "Fermer"
+    "close": "Fermer",
+    "back": "Retour"
   },
   "gitea": {
     "settings": {
@@ -934,7 +935,10 @@
     "title": "Répertoire",
     "tabs": {
       "clients": "Clients",
-      "prospects": "Prospects"
+      "prospects": "Prospects",
+      "contact": "Contact",
+      "address": "Adresse",
+      "report": "Rapport"
     },
     "clients": {
       "add": "Ajouter un client",
@@ -944,6 +948,57 @@
       "add": "Ajouter un prospect",
       "empty": "Aucun prospect trouvé.",
       "allStatuses": "Tous les statuts"
+    },
+    "contacts": {
+      "add": "Ajouter un contact",
+      "item": "Contact {n}",
+      "saved": "Contact enregistré.",
+      "deleted": "Contact supprimé.",
+      "fields": {
+        "lastName": "Nom",
+        "firstName": "Prénom",
+        "jobTitle": "Fonction",
+        "email": "Email",
+        "phonePrimary": "Téléphone",
+        "phoneSecondary": "Téléphone secondaire"
+      }
+    },
+    "addresses": {
+      "add": "Ajouter une adresse",
+      "item": "Adresse {n}",
+      "saved": "Adresse enregistrée.",
+      "deleted": "Adresse supprimée.",
+      "fields": {
+        "label": "Libellé",
+        "street": "Rue",
+        "streetComplement": "Complément",
+        "postalCode": "Code postal",
+        "city": "Ville"
+      }
+    },
+    "reports": {
+      "add": "Ajouter un compte-rendu",
+      "empty": "Aucun compte-rendu.",
+      "saved": "Compte-rendu enregistré.",
+      "deleted": "Compte-rendu supprimé.",
+      "fields": {
+        "subject": "Objet",
+        "type": "Type d'échange",
+        "occurredAt": "Date",
+        "body": "Compte-rendu"
+      },
+      "types": {
+        "call": "Appel",
+        "meeting": "Rendez-vous",
+        "email": "Email",
+        "note": "Note"
+      }
+    },
+    "documents": {
+      "add": "Joindre un document",
+      "uploading": "Envoi…",
+      "empty": "Aucun document.",
+      "deleted": "Document supprimé."
     }
   }
 }
-- 
2.39.5


From 6aa099cd28aa346457de0c35392ba4be409bc27d Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 13:52:12 +0200
Subject: [PATCH 94/99] fix(directory) : embed commercial report author (id,
 username) in API read

---
 src/Module/Core/Domain/Entity/User.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Module/Core/Domain/Entity/User.php b/src/Module/Core/Domain/Entity/User.php
index f3fbdab..45b940e 100644
--- a/src/Module/Core/Domain/Entity/User.php
+++ b/src/Module/Core/Domain/Entity/User.php
@@ -71,11 +71,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, SharedU
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column]
-    #[Groups(['me:read', 'task:read', 'user:list', 'time_entry:read', 'absence_request:read', 'absence_balance:read'])]
+    #[Groups(['me:read', 'task:read', 'user:list', 'time_entry:read', 'absence_request:read', 'absence_balance:read', 'commercial_report:read'])]
     private ?int $id = null;
 
     #[ORM\Column(length: 180, unique: true)]
-    #[Groups(['me:read', 'task:read', 'user:list', 'user:write', 'time_entry:read', 'absence_request:read', 'absence_balance:read'])]
+    #[Groups(['me:read', 'task:read', 'user:list', 'user:write', 'time_entry:read', 'absence_request:read', 'absence_balance:read', 'commercial_report:read'])]
     private ?string $username = null;
 
     #[ORM\Column(length: 100, nullable: true)]
-- 
2.39.5


From 1589908e4cbeadf3fa705d9bef297f8099552f39 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 14:17:12 +0200
Subject: [PATCH 95/99] docs : add directory commercial reports spec and
 implementation plan

---
 ...2026-06-22-directory-commercial-reports.md | 3306 +++++++++++++++++
 ...-22-directory-commercial-reports-design.md |  203 +
 2 files changed, 3509 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
 create mode 100644 docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md

diff --git a/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md b/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
new file mode 100644
index 0000000..8b66ddb
--- /dev/null
+++ b/docs/superpowers/plans/2026-06-22-directory-commercial-reports.md
@@ -0,0 +1,3306 @@
+# Répertoire — Contacts, Adresses & Rapports commerciaux — Plan d'implémentation
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Doter chaque fiche client/prospect du répertoire Lesstime de contacts multiples, adresses multiples et d'un journal de comptes-rendus commerciaux (avec pièces jointes), via une fiche détail à onglets inspirée de Starseed.
+
+**Architecture:** Trois entités répétables (`Contact`, `Address`, `CommercialReport`) dans le module `Directory`, chacune rattachée à un `Client` **ou** un `Prospect` via double-FK nullable + contrainte CHECK (pattern existant). Les pièces jointes des comptes-rendus passent par une entité `ReportDocument` dédiée au module (frontière modulaire préservée, réutilisant le même répertoire de stockage que `TaskDocument`). Frontend : fiches détail à route dédiée avec `MalioTabList`, blocs répétables, sauvegarde indépendante par entité.
+
+**Tech Stack:** PHP 8.4 / Symfony 8 / API Platform 4 / Doctrine ORM / PostgreSQL 16 ; Nuxt 4 / Vue 3 / Pinia / TypeScript / Tailwind / @malio/layer-ui.
+
+## Global Constraints
+
+- **Spec de référence :** `docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md`.
+- **Backend :** `declare(strict_types=1)` en tête de chaque fichier PHP ; pas de controller pour le CRUD (API Platform : ApiResource + Provider/Processor) ; controllers custom sous `/api/` → `priority: 1` sur la route.
+- **Sécurité API :** lecture `is_granted('ROLE_USER')`, écriture `is_granted('ROLE_ADMIN')` (pattern du module `Directory`).
+- **Doctrine/PostgreSQL :** noms de colonnes en **minuscules** dans le SQL brut.
+- **Module modular monolith :** code backend sous `src/Module/Directory/{Domain,Infrastructure}` ; relations cross-module via contrats `App\Shared\Domain\Contract\*` (ex. `UserInterface`).
+- **Sérialisation :** pour embarquer une relation (et non un IRI), ajouter le groupe `*:read` du parent sur les propriétés de l'entité cible.
+- **Upload :** valider le MIME via `$file->getMimeType()` (serveur), pas `getClientMimeType()`. Max 50 MB. Réutiliser le paramètre Symfony `task_document_upload_dir`.
+- **Frontend :** TypeScript strict, 4 espaces d'indentation ; tous les appels API via `useApi()` ; collections lues via `extractHydraMembers` doivent être servies non paginées (`paginationEnabled: false`).
+- **i18n :** toutes les chaînes UI dans `frontend/i18n/locales/fr.json` (pas de texte en dur).
+- **Tests :** `make test` (PHPUnit). Base de test **non isolée** (les POST s'accumulent) → tester des **invariants** (relations, statuts, présence), **jamais des counts absolus**.
+- **Commits :** `<type>(<scope>) : <message>` (espace autour du `:`). Aucune mention d'IA/Claude. Ne pas tagger/pusher.
+- **Commandes utiles :** `make migration-migrate` (migrations), `make php-cs-fixer-allow-risky` (style PHP), `make dev-nuxt` (front hot reload), `make shell` (shell PHP). Test ciblé : `docker exec -i php-lesstime-fpm php bin/phpunit --filter <TestName>`.
+
+## File Structure
+
+**Backend — `src/Module/Directory/`**
+- `Domain/Enum/ReportType.php` — enum type d'échange (call/meeting/email/note) + libellés FR.
+- `Domain/Entity/Contact.php` — contact répétable (double-FK client/prospect).
+- `Domain/Entity/Address.php` — adresse répétable (double-FK).
+- `Domain/Entity/CommercialReport.php` — compte-rendu (double-FK) + OneToMany ReportDocument.
+- `Domain/Entity/ReportDocument.php` — pièce jointe d'un compte-rendu.
+- `Domain/Repository/{Contact,Address,CommercialReport,ReportDocument}RepositoryInterface.php`.
+- `Infrastructure/Doctrine/Doctrine{Contact,Address,CommercialReport,ReportDocument}Repository.php`.
+- `Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php` — upload multipart.
+- `Infrastructure/Controller/ReportDocumentDownloadController.php` — download.
+- `Infrastructure/EventListener/ReportDocumentListener.php` — `unlink` fichier au `preRemove`.
+- `Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php` — *modifié* (réaffectation).
+- `DirectoryModule.php` — *modifié* (permissions reports).
+
+**Backend — racine**
+- `migrations/Version2026XXXXXXXXXX.php` — tables + data migration adresse inline.
+- `tests/Module/Directory/...` — tests fonctionnels.
+
+**Frontend — `frontend/modules/directory/`**
+- `services/dto/{contact,address,commercial-report,report-document}.ts`.
+- `services/{contacts,addresses,commercial-reports,report-documents}.ts`.
+- `components/DirectoryContactBlock.vue`, `DirectoryAddressBlock.vue`.
+- `components/CommercialReportTab.vue`, `ReportDocumentUpload.vue`, `ReportDocumentList.vue`.
+- `pages/clients/[id].vue`, `pages/prospects/[id].vue`.
+- `pages/directory.vue` — *modifié* (navigation vers fiche détail).
+- `frontend/i18n/locales/fr.json` — *modifié*.
+
+---
+
+## Task 1 : Enum `ReportType`
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Enum/ReportType.php`
+- Test: `tests/Module/Directory/Domain/Enum/ReportTypeTest.php`
+
+**Interfaces:**
+- Produces: `enum ReportType: string { Call='call'; Meeting='meeting'; Email='email'; Note='note'; public function label(): string }`
+
+- [ ] **Step 1 : Écrire le test qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory\Domain\Enum;
+
+use App\Module\Directory\Domain\Enum\ReportType;
+use PHPUnit\Framework\TestCase;
+
+final class ReportTypeTest extends TestCase
+{
+    public function testValuesAndLabels(): void
+    {
+        self::assertSame('call', ReportType::Call->value);
+        self::assertSame('Appel', ReportType::Call->label());
+        self::assertSame('Rendez-vous', ReportType::Meeting->label());
+        self::assertSame('Email', ReportType::Email->label());
+        self::assertSame('Note', ReportType::Note->label());
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ReportTypeTest`
+Expected: FAIL (classe `ReportType` inexistante).
+
+- [ ] **Step 3 : Implémenter l'enum**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Enum;
+
+enum ReportType: string
+{
+    case Call    = 'call';
+    case Meeting = 'meeting';
+    case Email   = 'email';
+    case Note    = 'note';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::Call    => 'Appel',
+            self::Meeting => 'Rendez-vous',
+            self::Email   => 'Email',
+            self::Note    => 'Note',
+        };
+    }
+}
+```
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ReportTypeTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Enum/ReportType.php tests/Module/Directory/Domain/Enum/ReportTypeTest.php
+git commit -m "feat(directory) : add ReportType enum for commercial reports"
+```
+
+---
+
+## Task 2 : Entité `Contact` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/Contact.php`
+- Create: `src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php`
+
+**Interfaces:**
+- Consumes: `App\Shared\Domain\Contract\TimestampableInterface`, `TimestampableBlamableTrait`, `Auditable`.
+- Produces: `Contact` (ApiResource `/contacts`, groupes `contact:read`/`contact:write`, double ManyToOne `client`/`prospect`), `ContactRepositoryInterface::findById(int): ?Contact`.
+
+> Pas de table en base tant que la migration (Task 6) n'a pas tourné. Cette tâche se valide par l'absence d'erreur de mapping Doctrine (`schema:validate` mapping) ; la persistance est testée en Task 6.
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineContactRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['contact:read']],
+    denormalizationContext: ['groups' => ['contact:write']],
+    order: ['lastName' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineContactRepository::class)]
+#[ORM\Table(name: 'directory_contact')]
+class Contact implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['contact:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $firstName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $lastName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $jobTitle = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $email = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phonePrimary = null;
+
+    #[ORM\Column(length: 50, nullable: true)]
+    #[Groups(['contact:read', 'contact:write', 'client:read', 'prospect:read'])]
+    private ?string $phoneSecondary = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['contact:read', 'contact:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getFirstName(): ?string
+    {
+        return $this->firstName;
+    }
+
+    public function setFirstName(?string $firstName): static
+    {
+        $this->firstName = $firstName;
+
+        return $this;
+    }
+
+    public function getLastName(): ?string
+    {
+        return $this->lastName;
+    }
+
+    public function setLastName(?string $lastName): static
+    {
+        $this->lastName = $lastName;
+
+        return $this;
+    }
+
+    public function getJobTitle(): ?string
+    {
+        return $this->jobTitle;
+    }
+
+    public function setJobTitle(?string $jobTitle): static
+    {
+        $this->jobTitle = $jobTitle;
+
+        return $this;
+    }
+
+    public function getEmail(): ?string
+    {
+        return $this->email;
+    }
+
+    public function setEmail(?string $email): static
+    {
+        $this->email = $email;
+
+        return $this;
+    }
+
+    public function getPhonePrimary(): ?string
+    {
+        return $this->phonePrimary;
+    }
+
+    public function setPhonePrimary(?string $phonePrimary): static
+    {
+        $this->phonePrimary = $phonePrimary;
+
+        return $this;
+    }
+
+    public function getPhoneSecondary(): ?string
+    {
+        return $this->phoneSecondary;
+    }
+
+    public function setPhoneSecondary(?string $phoneSecondary): static
+    {
+        $this->phoneSecondary = $phoneSecondary;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Contact;
+
+interface ContactRepositoryInterface
+{
+    public function findById(int $id): ?Contact;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Repository\ContactRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Contact>
+ */
+final class DoctrineContactRepository extends ServiceEntityRepository implements ContactRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Contact::class);
+    }
+
+    public function findById(int $id): ?Contact
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Valider le mapping Doctrine**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.` (le `--skip-sync` ignore le fait que la table n'existe pas encore).
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/Contact.php src/Module/Directory/Domain/Repository/ContactRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineContactRepository.php
+git commit -m "feat(directory) : add Contact entity with client/prospect dual ownership"
+```
+
+---
+
+## Task 3 : Entité `Address` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/Address.php`
+- Create: `src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php`
+
+**Interfaces:**
+- Produces: `Address` (ApiResource `/addresses`, groupes `address:read`/`address:write`, double ManyToOne), `AddressRepositoryInterface::findById(int): ?Address`.
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineAddressRepository;
+use App\Shared\Domain\Attribute\Auditable;
+use App\Shared\Domain\Contract\BlamableInterface;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[Auditable]
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['address:read']],
+    denormalizationContext: ['groups' => ['address:write']],
+    order: ['id' => 'ASC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineAddressRepository::class)]
+#[ORM\Table(name: 'directory_address')]
+class Address implements TimestampableInterface, BlamableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['address:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $label = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $street = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $streetComplement = null;
+
+    #[ORM\Column(length: 20, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $postalCode = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private ?string $city = null;
+
+    #[ORM\Column(length: 2)]
+    #[Groups(['address:read', 'address:write', 'client:read', 'prospect:read'])]
+    private string $country = 'FR';
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['address:read', 'address:write'])]
+    private ?Prospect $prospect = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getLabel(): ?string
+    {
+        return $this->label;
+    }
+
+    public function setLabel(?string $label): static
+    {
+        $this->label = $label;
+
+        return $this;
+    }
+
+    public function getStreet(): ?string
+    {
+        return $this->street;
+    }
+
+    public function setStreet(?string $street): static
+    {
+        $this->street = $street;
+
+        return $this;
+    }
+
+    public function getStreetComplement(): ?string
+    {
+        return $this->streetComplement;
+    }
+
+    public function setStreetComplement(?string $streetComplement): static
+    {
+        $this->streetComplement = $streetComplement;
+
+        return $this;
+    }
+
+    public function getPostalCode(): ?string
+    {
+        return $this->postalCode;
+    }
+
+    public function setPostalCode(?string $postalCode): static
+    {
+        $this->postalCode = $postalCode;
+
+        return $this;
+    }
+
+    public function getCity(): ?string
+    {
+        return $this->city;
+    }
+
+    public function setCity(?string $city): static
+    {
+        $this->city = $city;
+
+        return $this;
+    }
+
+    public function getCountry(): string
+    {
+        return $this->country;
+    }
+
+    public function setCountry(string $country): static
+    {
+        $this->country = $country;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\Address;
+
+interface AddressRepositoryInterface
+{
+    public function findById(int $id): ?Address;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Repository\AddressRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<Address>
+ */
+final class DoctrineAddressRepository extends ServiceEntityRepository implements AddressRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, Address::class);
+    }
+
+    public function findById(int $id): ?Address
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Valider le mapping Doctrine**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.`
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/Address.php src/Module/Directory/Domain/Repository/AddressRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineAddressRepository.php
+git commit -m "feat(directory) : add Address entity with client/prospect dual ownership"
+```
+
+---
+
+## Task 4 : Entité `CommercialReport` + repository
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/CommercialReport.php`
+- Create: `src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php`
+
+**Files (suite) :**
+- Create: `src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php`
+- Modify: `config/services.yaml`
+
+**Interfaces:**
+- Consumes: `ReportType` (Task 1), `UserInterface` (Shared contract), `ReportDocument` (Task 5 — déclarée ici en OneToMany ; l'entité `ReportDocument` est créée en Task 5, qui doit être appliquée avant la migration Task 6).
+- Produces: `CommercialReport` (ApiResource `/commercial_reports`, groupes `commercial_report:read`/`commercial_report:write`), `CommercialReportRepositoryInterface::findById(int): ?CommercialReport`. `author` renseigné automatiquement au `prePersist` avec l'utilisateur connecté.
+
+> ⚠️ Ordre : cette entité référence `ReportDocument::class` (Task 5). Implémenter Task 5 juste après, avant la migration (Task 6) et toute exécution.
+> ⚠️ `author` n'est PAS alimenté par le trait Blamable (qui gère `created_by`). Il est rempli par un listener dédié (Steps 4–5 ci-dessous), et n'a volontairement pas de groupe `:write` (non modifiable par le client).
+
+- [ ] **Step 1 : Créer l'entité**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Domain\Enum\ReportType;
+use App\Module\Directory\Infrastructure\Doctrine\DoctrineCommercialReportRepository;
+use App\Shared\Domain\Contract\TimestampableInterface;
+use App\Shared\Domain\Contract\UserInterface;
+use App\Shared\Domain\Trait\TimestampableBlamableTrait;
+use DateTimeImmutable;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(security: "is_granted('ROLE_ADMIN')"),
+        new Patch(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['commercial_report:read']],
+    denormalizationContext: ['groups' => ['commercial_report:write']],
+    order: ['occurredAt' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['client' => 'exact', 'prospect' => 'exact'])]
+#[ORM\Entity(repositoryClass: DoctrineCommercialReportRepository::class)]
+#[ORM\Table(name: 'commercial_report')]
+class CommercialReport implements TimestampableInterface
+{
+    use TimestampableBlamableTrait;
+
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $subject = null;
+
+    #[ORM\Column(type: Types::TEXT, nullable: true)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?string $body = null;
+
+    #[ORM\Column(type: Types::DATE_IMMUTABLE)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?DateTimeImmutable $occurredAt = null;
+
+    #[ORM\Column(type: Types::STRING, length: 32, enumType: ReportType::class)]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ReportType $type = ReportType::Note;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'author_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['commercial_report:read'])]
+    private ?UserInterface $author = null;
+
+    #[ORM\ManyToOne(targetEntity: Client::class)]
+    #[ORM\JoinColumn(name: 'client_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Client $client = null;
+
+    #[ORM\ManyToOne(targetEntity: Prospect::class)]
+    #[ORM\JoinColumn(name: 'prospect_id', referencedColumnName: 'id', nullable: true, onDelete: 'CASCADE')]
+    #[Groups(['commercial_report:read', 'commercial_report:write'])]
+    private ?Prospect $prospect = null;
+
+    /** @var Collection<int, ReportDocument> */
+    #[ORM\OneToMany(targetEntity: ReportDocument::class, mappedBy: 'commercialReport', cascade: ['remove'])]
+    #[Groups(['commercial_report:read'])]
+    private Collection $documents;
+
+    public function __construct()
+    {
+        $this->documents = new ArrayCollection();
+    }
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getSubject(): ?string
+    {
+        return $this->subject;
+    }
+
+    public function setSubject(string $subject): static
+    {
+        $this->subject = $subject;
+
+        return $this;
+    }
+
+    public function getBody(): ?string
+    {
+        return $this->body;
+    }
+
+    public function setBody(?string $body): static
+    {
+        $this->body = $body;
+
+        return $this;
+    }
+
+    public function getOccurredAt(): ?DateTimeImmutable
+    {
+        return $this->occurredAt;
+    }
+
+    public function setOccurredAt(DateTimeImmutable $occurredAt): static
+    {
+        $this->occurredAt = $occurredAt;
+
+        return $this;
+    }
+
+    public function getType(): ReportType
+    {
+        return $this->type;
+    }
+
+    public function setType(ReportType $type): static
+    {
+        $this->type = $type;
+
+        return $this;
+    }
+
+    public function getAuthor(): ?UserInterface
+    {
+        return $this->author;
+    }
+
+    public function setAuthor(?UserInterface $author): static
+    {
+        $this->author = $author;
+
+        return $this;
+    }
+
+    public function getClient(): ?Client
+    {
+        return $this->client;
+    }
+
+    public function setClient(?Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
+
+    public function getProspect(): ?Prospect
+    {
+        return $this->prospect;
+    }
+
+    public function setProspect(?Prospect $prospect): static
+    {
+        $this->prospect = $prospect;
+
+        return $this;
+    }
+
+    /** @return Collection<int, ReportDocument> */
+    public function getDocuments(): Collection
+    {
+        return $this->documents;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface de repository**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+
+interface CommercialReportRepositoryInterface
+{
+    public function findById(int $id): ?CommercialReport;
+}
+```
+
+- [ ] **Step 3 : Créer le repository Doctrine**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Repository\CommercialReportRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<CommercialReport>
+ */
+final class DoctrineCommercialReportRepository extends ServiceEntityRepository implements CommercialReportRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, CommercialReport::class);
+    }
+
+    public function findById(int $id): ?CommercialReport
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 4 : Créer le listener qui renseigne l'auteur**
+
+`src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Shared\Domain\Contract\UserInterface;
+use Doctrine\ORM\Event\PrePersistEventArgs;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final readonly class CommercialReportAuthorListener
+{
+    public function __construct(private Security $security) {}
+
+    public function prePersist(CommercialReport $report, PrePersistEventArgs $args): void
+    {
+        if (null !== $report->getAuthor()) {
+            return;
+        }
+
+        $user = $this->security->getUser();
+
+        if ($user instanceof UserInterface) {
+            $report->setAuthor($user);
+        }
+    }
+}
+```
+
+- [ ] **Step 5 : Enregistrer le listener dans `config/services.yaml`**
+
+```yaml
+    App\Module\Directory\Infrastructure\EventListener\CommercialReportAuthorListener:
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\CommercialReport', event: prePersist }
+```
+
+> Si l'autowiring du projet enregistre déjà tous les services de `src/`, seule la partie `tags` est nécessaire (vérifier le bloc `services:` par défaut de `config/services.yaml`).
+
+- [ ] **Step 6 : Commit** (validation Doctrine après Task 5, car référence `ReportDocument`)
+
+```bash
+git add src/Module/Directory/Domain/Entity/CommercialReport.php src/Module/Directory/Domain/Repository/CommercialReportRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineCommercialReportRepository.php src/Module/Directory/Infrastructure/EventListener/CommercialReportAuthorListener.php config/services.yaml
+git commit -m "feat(directory) : add CommercialReport entity with dual ownership and author"
+```
+
+---
+
+## Task 5 : Entité `ReportDocument` + processor + download + listener
+
+**Files:**
+- Create: `src/Module/Directory/Domain/Entity/ReportDocument.php`
+- Create: `src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php`
+- Create: `src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php`
+- Create: `src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php`
+- Create: `src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php`
+- Create: `src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php`
+- Modify: `config/services.yaml` (injecter `task_document_upload_dir` dans le processor/controller/listener)
+
+**Interfaces:**
+- Consumes: `CommercialReport` (Task 4), `UserInterface`, paramètre Symfony `task_document_upload_dir`.
+- Produces: `ReportDocument` (ApiResource `/report_documents`, groupes `report_document:read`/`report_document:write`), endpoint download `/api/report_documents/{id}/download`.
+
+- [ ] **Step 1 : Créer l'entité `ReportDocument`**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Entity;
+
+use ApiPlatform\Doctrine\Orm\Filter\SearchFilter;
+use ApiPlatform\Metadata\ApiFilter;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Post;
+use App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor;
+use App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener;
+use App\Shared\Domain\Contract\UserInterface;
+use DateTimeImmutable;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Serializer\Attribute\Groups;
+
+#[ApiResource(
+    operations: [
+        new GetCollection(paginationEnabled: false, security: "is_granted('ROLE_USER')"),
+        new Get(security: "is_granted('ROLE_USER')"),
+        new Post(
+            security: "is_granted('ROLE_ADMIN')",
+            processor: ReportDocumentProcessor::class,
+            deserialize: false,
+        ),
+        new Delete(security: "is_granted('ROLE_ADMIN')"),
+    ],
+    normalizationContext: ['groups' => ['report_document:read']],
+    denormalizationContext: ['groups' => ['report_document:write']],
+    order: ['id' => 'DESC'],
+)]
+#[ApiFilter(SearchFilter::class, properties: ['commercialReport' => 'exact'])]
+#[ORM\Entity]
+#[ORM\Table(name: 'report_document')]
+#[ORM\EntityListeners([ReportDocumentListener::class])]
+class ReportDocument
+{
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $id = null;
+
+    #[ORM\ManyToOne(targetEntity: CommercialReport::class, inversedBy: 'documents')]
+    #[ORM\JoinColumn(name: 'commercial_report_id', referencedColumnName: 'id', nullable: false, onDelete: 'CASCADE')]
+    #[Groups(['report_document:read', 'report_document:write'])]
+    private ?CommercialReport $commercialReport = null;
+
+    #[ORM\Column(length: 255)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $originalName = null;
+
+    #[ORM\Column(length: 255, nullable: true)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $fileName = null;
+
+    #[ORM\Column(length: 100)]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?string $mimeType = null;
+
+    #[ORM\Column]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?int $size = null;
+
+    #[ORM\Column(type: 'datetime_immutable')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?DateTimeImmutable $createdAt = null;
+
+    #[ORM\ManyToOne(targetEntity: UserInterface::class)]
+    #[ORM\JoinColumn(name: 'uploaded_by_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+    #[Groups(['report_document:read', 'commercial_report:read'])]
+    private ?UserInterface $uploadedBy = null;
+
+    public function getId(): ?int
+    {
+        return $this->id;
+    }
+
+    public function getCommercialReport(): ?CommercialReport
+    {
+        return $this->commercialReport;
+    }
+
+    public function setCommercialReport(?CommercialReport $commercialReport): static
+    {
+        $this->commercialReport = $commercialReport;
+
+        return $this;
+    }
+
+    public function getOriginalName(): ?string
+    {
+        return $this->originalName;
+    }
+
+    public function setOriginalName(string $originalName): static
+    {
+        $this->originalName = $originalName;
+
+        return $this;
+    }
+
+    public function getFileName(): ?string
+    {
+        return $this->fileName;
+    }
+
+    public function setFileName(?string $fileName): static
+    {
+        $this->fileName = $fileName;
+
+        return $this;
+    }
+
+    public function getMimeType(): ?string
+    {
+        return $this->mimeType;
+    }
+
+    public function setMimeType(string $mimeType): static
+    {
+        $this->mimeType = $mimeType;
+
+        return $this;
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function setSize(int $size): static
+    {
+        $this->size = $size;
+
+        return $this;
+    }
+
+    public function getCreatedAt(): ?DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function setCreatedAt(DateTimeImmutable $createdAt): static
+    {
+        $this->createdAt = $createdAt;
+
+        return $this;
+    }
+
+    public function getUploadedBy(): ?UserInterface
+    {
+        return $this->uploadedBy;
+    }
+
+    public function setUploadedBy(?UserInterface $uploadedBy): static
+    {
+        $this->uploadedBy = $uploadedBy;
+
+        return $this;
+    }
+}
+```
+
+- [ ] **Step 2 : Créer l'interface + le repository Doctrine**
+
+`src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Domain\Repository;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+
+interface ReportDocumentRepositoryInterface
+{
+    public function findById(int $id): ?ReportDocument;
+}
+```
+
+`src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Doctrine;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Persistence\ManagerRegistry;
+
+/**
+ * @extends ServiceEntityRepository<ReportDocument>
+ */
+final class DoctrineReportDocumentRepository extends ServiceEntityRepository implements ReportDocumentRepositoryInterface
+{
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ReportDocument::class);
+    }
+
+    public function findById(int $id): ?ReportDocument
+    {
+        return $this->find($id);
+    }
+}
+```
+
+- [ ] **Step 3 : Créer le processor d'upload** (calqué sur `TaskDocumentProcessor`, sans SMB)
+
+`src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\Uid\Uuid;
+
+use function in_array;
+
+/**
+ * @implements ProcessorInterface<ReportDocument, ReportDocument>
+ */
+final readonly class ReportDocumentProcessor implements ProcessorInterface
+{
+    private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
+
+    private const ALLOWED_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'text/plain', 'text/csv',
+        'application/zip', 'application/x-rar-compressed', 'application/gzip',
+        'application/json', 'application/xml', 'text/xml',
+    ];
+
+    private const MIME_TO_EXTENSION = [
+        'image/jpeg'                                                                => 'jpg',
+        'image/png'                                                                 => 'png',
+        'image/gif'                                                                 => 'gif',
+        'image/webp'                                                                => 'webp',
+        'application/pdf'                                                           => 'pdf',
+        'application/msword'                                                        => 'doc',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
+        'application/vnd.ms-excel'                                                  => 'xls',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'         => 'xlsx',
+        'application/vnd.ms-powerpoint'                                             => 'ppt',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation' => 'pptx',
+        'text/plain'                                                                => 'txt',
+        'text/csv'                                                                  => 'csv',
+        'application/zip'                                                           => 'zip',
+        'application/x-rar-compressed'                                              => 'rar',
+        'application/gzip'                                                          => 'gz',
+        'application/json'                                                          => 'json',
+        'application/xml'                                                           => 'xml',
+        'text/xml'                                                                  => 'xml',
+    ];
+
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private Security $security,
+        private RequestStack $requestStack,
+        private string $uploadDir,
+    ) {}
+
+    /**
+     * @param ReportDocument $data
+     */
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ReportDocument
+    {
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating report documents requires admin privileges.');
+        }
+
+        $request = $this->requestStack->getCurrentRequest();
+
+        if (null === $request) {
+            throw new BadRequestHttpException('No request available.');
+        }
+
+        $document = $this->createUpload($request);
+        $document->setCreatedAt(new DateTimeImmutable());
+        $document->setUploadedBy($this->security->getUser());
+
+        $this->entityManager->persist($document);
+        $this->entityManager->flush();
+
+        return $document;
+    }
+
+    private function createUpload(Request $request): ReportDocument
+    {
+        $file = $request->files->get('file');
+
+        if (null === $file || !$file->isValid()) {
+            throw new BadRequestHttpException('No valid file uploaded.');
+        }
+
+        if ($file->getSize() > self::MAX_FILE_SIZE) {
+            throw new BadRequestHttpException('File size exceeds 50 MB limit.');
+        }
+
+        $report = $this->resolveReport((string) $request->request->get('commercialReport', ''));
+
+        $originalName = $file->getClientOriginalName();
+        $mimeType     = $file->getMimeType() ?: 'application/octet-stream';
+        $fileSize     = $file->getSize();
+
+        if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+            throw new BadRequestHttpException(sprintf('File type "%s" is not allowed.', $mimeType));
+        }
+
+        $extension = self::MIME_TO_EXTENSION[$mimeType] ?? 'bin';
+        $fileName  = Uuid::v4()->toRfc4122().'.'.$extension;
+
+        if (!is_dir($this->uploadDir)) {
+            mkdir($this->uploadDir, 0o775, true);
+        }
+
+        $file->move($this->uploadDir, $fileName);
+
+        $document = new ReportDocument();
+        $document->setCommercialReport($report);
+        $document->setOriginalName($originalName);
+        $document->setFileName($fileName);
+        $document->setMimeType($mimeType);
+        $document->setSize($fileSize);
+
+        return $document;
+    }
+
+    private function resolveReport(string $iri): CommercialReport
+    {
+        if ('' === $iri) {
+            throw new BadRequestHttpException('A commercialReport IRI is required.');
+        }
+
+        $report = $this->entityManager->getRepository(CommercialReport::class)->find((int) basename($iri));
+
+        if (null === $report) {
+            throw new BadRequestHttpException('Commercial report not found.');
+        }
+
+        return $report;
+    }
+}
+```
+
+- [ ] **Step 4 : Créer le controller de download** (calqué sur `TaskDocumentDownloadController`, fichier disque uniquement)
+
+`src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\Controller;
+
+use App\Module\Directory\Domain\Repository\ReportDocumentRepositoryInterface;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+final class ReportDocumentDownloadController
+{
+    private const INLINE_MIME_TYPES = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
+        'application/pdf',
+    ];
+
+    public function __construct(
+        private readonly ReportDocumentRepositoryInterface $repository,
+        private readonly string $uploadDir,
+    ) {}
+
+    #[Route('/api/report_documents/{id}/download', name: 'report_document_download', methods: ['GET'], priority: 1)]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
+    public function __invoke(int $id): Response
+    {
+        $document = $this->repository->findById($id);
+
+        if (null === $document || null === $document->getFileName()) {
+            throw new NotFoundHttpException('Document not found.');
+        }
+
+        $filePath = $this->uploadDir.'/'.$document->getFileName();
+
+        if (!is_file($filePath)) {
+            throw new NotFoundHttpException('File missing on disk.');
+        }
+
+        $response = new BinaryFileResponse($filePath);
+        $mimeType = (string) $document->getMimeType();
+
+        $disposition = in_array($mimeType, self::INLINE_MIME_TYPES, true)
+            ? ResponseHeaderBag::DISPOSITION_INLINE
+            : ResponseHeaderBag::DISPOSITION_ATTACHMENT;
+
+        $response->setContentDisposition($disposition, (string) $document->getOriginalName());
+        $response->headers->set('Content-Type', $mimeType);
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        return $response;
+    }
+}
+```
+
+- [ ] **Step 5 : Créer le listener de suppression**
+
+`src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php` :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\EventListener;
+
+use App\Module\Directory\Domain\Entity\ReportDocument;
+use Doctrine\ORM\Event\PreRemoveEventArgs;
+use Psr\Log\LoggerInterface;
+
+final readonly class ReportDocumentListener
+{
+    public function __construct(
+        private string $uploadDir,
+        private LoggerInterface $logger,
+    ) {}
+
+    public function preRemove(ReportDocument $document, PreRemoveEventArgs $args): void
+    {
+        $fileName = $document->getFileName();
+
+        if (null === $fileName) {
+            return;
+        }
+
+        $path = $this->uploadDir.'/'.$fileName;
+
+        if (is_file($path) && !@unlink($path)) {
+            $this->logger->warning('Failed to delete report document file', ['path' => $path]);
+        }
+    }
+}
+```
+
+- [ ] **Step 6 : Injecter le paramètre `task_document_upload_dir`**
+
+Dans `config/services.yaml`, ajouter (à la suite des autres définitions explicites de services) :
+
+```yaml
+    App\Module\Directory\Infrastructure\ApiPlatform\State\ReportDocumentProcessor:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+
+    App\Module\Directory\Infrastructure\Controller\ReportDocumentDownloadController:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags: ['controller.service_arguments']
+
+    App\Module\Directory\Infrastructure\EventListener\ReportDocumentListener:
+        arguments:
+            $uploadDir: '%task_document_upload_dir%'
+        tags:
+            - { name: doctrine.orm.entity_listener, entity: 'App\Module\Directory\Domain\Entity\ReportDocument', event: preRemove }
+```
+
+> Vérifier d'abord comment `TaskDocumentProcessor`/`TaskDocumentListener` reçoivent `$uploadDir` et sont tagués (`grep -n "task_document_upload_dir\|TaskDocumentListener" config/services.yaml`) et reproduire exactement le même style (autowiring partiel vs définition explicite).
+
+- [ ] **Step 7 : Valider le mapping Doctrine de tout le module**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:schema:validate --skip-sync`
+Expected: `[Mapping]  OK.`
+
+- [ ] **Step 8 : Commit**
+
+```bash
+git add src/Module/Directory/Domain/Entity/ReportDocument.php src/Module/Directory/Domain/Repository/ReportDocumentRepositoryInterface.php src/Module/Directory/Infrastructure/Doctrine/DoctrineReportDocumentRepository.php src/Module/Directory/Infrastructure/ApiPlatform/State/ReportDocumentProcessor.php src/Module/Directory/Infrastructure/Controller/ReportDocumentDownloadController.php src/Module/Directory/Infrastructure/EventListener/ReportDocumentListener.php config/services.yaml
+git commit -m "feat(directory) : add ReportDocument storage (entity, upload processor, download, cleanup)"
+```
+
+---
+
+## Task 6 : Migration — tables + data migration adresse inline
+
+**Files:**
+- Create: `migrations/Version2026XXXXXXXXXX.php` (généré puis édité)
+- Modify: `src/Module/Directory/Domain/Entity/Client.php` (retrait colonnes inline `street`/`city`/`postalCode`)
+- Modify: `src/Module/Directory/Domain/Entity/Prospect.php` (idem)
+
+**Interfaces:**
+- Consumes: les 4 entités des Tasks 2–5.
+- Produces: tables `directory_contact`, `directory_address`, `commercial_report`, `report_document` ; contraintes CHECK d'appartenance ; suppression des colonnes inline d'adresse sur `client`/`prospect` (données migrées vers `directory_address`).
+
+- [ ] **Step 1 : Retirer les colonnes inline d'adresse de `Client`**
+
+Dans `src/Module/Directory/Domain/Entity/Client.php`, **supprimer** les 3 propriétés `street`, `city`, `postalCode` (lignes 61–71 actuelles) **et** leurs getters/setters (`getStreet/setStreet/getCity/setCity/getPostalCode/setPostalCode`). Conserver `name`, `email`, `phone`, `projects`.
+
+- [ ] **Step 2 : Retirer les colonnes inline d'adresse de `Prospect`**
+
+Dans `src/Module/Directory/Domain/Entity/Prospect.php`, **supprimer** les propriétés `street`, `city`, `postalCode` (lignes 74–84 actuelles) et leurs getters/setters. Conserver `name`, `company`, `email`, `phone`, `status`, `source`, `notes`, `convertedClient`.
+
+- [ ] **Step 3 : Générer le diff de migration**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:migrations:diff --no-interaction`
+Expected: un fichier `migrations/Version2026XXXXXXXXXX.php` créé contenant les `CREATE TABLE` des 4 nouvelles tables, les FK, et les `ALTER TABLE client/prospect DROP COLUMN street/city/postal_code`.
+
+- [ ] **Step 4 : Éditer la migration — ajouter le CHECK et la data migration**
+
+Ouvrir le fichier généré. Dans `up()`, **avant** les `DROP COLUMN` sur `client`/`prospect`, insérer la copie des adresses inline existantes vers `directory_address`, et **après** les `CREATE TABLE`, ajouter les contraintes CHECK. Le corps de `up()` doit contenir (ordre important) :
+
+```php
+public function up(Schema $schema): void
+{
+    // 1. CREATE TABLE directory_contact / directory_address / commercial_report / report_document
+    //    + FK + index : conserver tel quel le SQL généré par le diff.
+    //    (ne pas recopier ici : garder les addSql() générés)
+
+    // 2. Contraintes CHECK d'appartenance (au moins un propriétaire).
+    $this->addSql("ALTER TABLE directory_contact ADD CONSTRAINT chk_contact_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+    $this->addSql("ALTER TABLE directory_address ADD CONSTRAINT chk_address_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+    $this->addSql("ALTER TABLE commercial_report ADD CONSTRAINT chk_report_owner CHECK (client_id IS NOT NULL OR prospect_id IS NOT NULL)");
+
+    // 3. Data migration : adresse inline -> directory_address (avant DROP COLUMN).
+    $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, client_id, created_at, updated_at)
+        SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+        FROM client
+        WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+    $this->addSql("INSERT INTO directory_address (label, street, postal_code, city, country, prospect_id, created_at, updated_at)
+        SELECT 'Principale', street, postal_code, city, 'FR', id, NOW(), NOW()
+        FROM prospect
+        WHERE COALESCE(street, '') <> '' OR COALESCE(city, '') <> '' OR COALESCE(postal_code, '') <> ''");
+
+    // 4. DROP COLUMN street/city/postal_code sur client et prospect : conserver le SQL généré.
+}
+```
+
+> ⚠️ Vérifier les noms de colonnes Timestampable réels sur `directory_address` après le diff (le trait peut générer `created_at`/`updated_at`/`created_by_id`/`updated_by_id`) et adapter la liste de colonnes de l'`INSERT` en conséquence. `created_by_id`/`updated_by_id` étant nullable, ne pas les inclure. Colonnes en **minuscules**.
+> Dans `down()`, ajouter en premier les `ALTER TABLE client/prospect ADD street/city/postal_code` (recréation) générés par le diff, puis les `DROP TABLE`. La perte de données au `down()` est acceptable (dev).
+
+- [ ] **Step 5 : Appliquer la migration**
+
+Run: `docker exec -i php-lesstime-fpm php bin/console doctrine:migrations:migrate --no-interaction`
+Expected: migration exécutée sans erreur ; `doctrine:schema:validate` → `[Mapping] OK` **et** `[Database] OK`.
+
+- [ ] **Step 6 : Vérifier les tables et le CHECK**
+
+Run:
+```bash
+docker exec -i php-lesstime-fpm php bin/console dbal:run-sql "SELECT conname FROM pg_constraint WHERE conname LIKE 'chk_%owner'"
+```
+Expected: `chk_contact_owner`, `chk_address_owner`, `chk_report_owner`.
+
+- [ ] **Step 7 : Commit**
+
+```bash
+git add migrations/Version2026XXXXXXXXXX.php src/Module/Directory/Domain/Entity/Client.php src/Module/Directory/Domain/Entity/Prospect.php
+git commit -m "feat(directory) : add contact/address/report tables and migrate inline addresses"
+```
+
+---
+
+## Task 7 : Conversion prospect → client réaffecte les sous-entités
+
+**Files:**
+- Modify: `src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php`
+- Test: `tests/Module/Directory/ConvertProspectProcessorTest.php`
+
+**Interfaces:**
+- Consumes: `Contact`, `Address`, `CommercialReport` (Tasks 2–4), repositories Doctrine.
+- Produces: après convert, les contacts/adresses/rapports du prospect ont `client = <nouveau client>` et `prospect = null`.
+
+- [ ] **Step 1 : Écrire le test fonctionnel qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ReportType;
+use DateTimeImmutable;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+final class ConvertProspectProcessorTest extends KernelTestCase
+{
+    public function testConvertReassignsContactsAddressesAndReports(): void
+    {
+        self::bootKernel();
+        /** @var EntityManagerInterface $em */
+        $em = self::getContainer()->get(EntityManagerInterface::class);
+
+        $prospect = new Prospect();
+        $prospect->setName('Atelier Test');
+        $prospect->setCompany('Atelier Test SARL');
+        $em->persist($prospect);
+
+        $contact = (new Contact())->setLastName('Durand')->setProspect($prospect);
+        $address = (new Address())->setCity('Niort')->setProspect($prospect);
+        $report  = (new CommercialReport())
+            ->setSubject('Premier contact')
+            ->setOccurredAt(new DateTimeImmutable('2026-06-01'))
+            ->setType(ReportType::Call)
+            ->setProspect($prospect);
+        $em->persist($contact);
+        $em->persist($address);
+        $em->persist($report);
+        $em->flush();
+
+        $processor = self::getContainer()->get(\App\Module\Directory\Infrastructure\ApiPlatform\State\ConvertProspectProcessor::class);
+        $operation = new \ApiPlatform\Metadata\Post();
+        $processor->process($prospect, $operation, ['id' => $prospect->getId()]);
+
+        $em->refresh($contact);
+        $em->refresh($address);
+        $em->refresh($report);
+
+        $client = $prospect->getConvertedClient();
+        self::assertNotNull($client, 'Prospect should be converted to a client');
+
+        // Invariants (pas de counts absolus) : chaque sous-entité pointe vers le client, plus vers le prospect.
+        self::assertSame($client->getId(), $contact->getClient()?->getId());
+        self::assertNull($contact->getProspect());
+        self::assertSame($client->getId(), $address->getClient()?->getId());
+        self::assertNull($address->getProspect());
+        self::assertSame($client->getId(), $report->getClient()?->getId());
+        self::assertNull($report->getProspect());
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ConvertProspectProcessorTest`
+Expected: FAIL (le processor ne réaffecte pas encore ; `getClient()` est null).
+
+- [ ] **Step 3 : Modifier le processor**
+
+Remplacer le contenu de `ConvertProspectProcessor.php` par :
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Directory\Infrastructure\ApiPlatform\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Directory\Domain\Entity\Address;
+use App\Module\Directory\Domain\Entity\Client;
+use App\Module\Directory\Domain\Entity\CommercialReport;
+use App\Module\Directory\Domain\Entity\Contact;
+use App\Module\Directory\Domain\Entity\Prospect;
+use App\Module\Directory\Domain\Enum\ProspectStatus;
+use App\Module\Directory\Domain\Repository\ProspectRepositoryInterface;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Converts a Prospect into a Client and reassigns its contacts, addresses and
+ * commercial reports to the new client (preserving the commercial history).
+ *
+ * Idempotent: if already converted, returns it unchanged.
+ *
+ * @implements ProcessorInterface<Prospect, Prospect>
+ */
+final readonly class ConvertProspectProcessor implements ProcessorInterface
+{
+    public function __construct(
+        private EntityManagerInterface $entityManager,
+        private ProspectRepositoryInterface $prospectRepository,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): Prospect
+    {
+        $id       = $uriVariables['id'] ?? null;
+        $prospect = is_numeric($id) ? $this->prospectRepository->findById((int) $id) : null;
+
+        if (!$prospect instanceof Prospect) {
+            throw new NotFoundHttpException('Prospect not found.');
+        }
+
+        if (null !== $prospect->getConvertedClient()) {
+            return $prospect;
+        }
+
+        $client = new Client();
+        $client->setName($prospect->getCompany() ?: (string) $prospect->getName());
+        $client->setEmail($prospect->getEmail());
+        $client->setPhone($prospect->getPhone());
+
+        $this->entityManager->persist($client);
+
+        $this->reassignContacts($prospect, $client);
+        $this->reassignAddresses($prospect, $client);
+        $this->reassignReports($prospect, $client);
+
+        $prospect->setConvertedClient($client);
+        $prospect->setStatus(ProspectStatus::Won);
+
+        $this->entityManager->flush();
+
+        return $prospect;
+    }
+
+    private function reassignContacts(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Contact::class)->findBy(['prospect' => $prospect]) as $contact) {
+            $contact->setClient($client);
+            $contact->setProspect(null);
+        }
+    }
+
+    private function reassignAddresses(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(Address::class)->findBy(['prospect' => $prospect]) as $address) {
+            $address->setClient($client);
+            $address->setProspect(null);
+        }
+    }
+
+    private function reassignReports(Prospect $prospect, Client $client): void
+    {
+        foreach ($this->entityManager->getRepository(CommercialReport::class)->findBy(['prospect' => $prospect]) as $report) {
+            $report->setClient($client);
+            $report->setProspect(null);
+        }
+    }
+}
+```
+
+> Note : la copie des champs adresse inline (`street`/`city`/`postalCode`) est retirée du processor (colonnes supprimées en Task 6). Les adresses suivent désormais via `reassignAddresses`.
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter ConvertProspectProcessorTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php tests/Module/Directory/ConvertProspectProcessorTest.php
+git commit -m "feat(directory) : carry over contacts/addresses/reports on prospect conversion"
+```
+
+---
+
+## Task 8 : Permissions RBAC du module
+
+**Files:**
+- Modify: `src/Module/Directory/DirectoryModule.php`
+- Test: `tests/Module/Directory/DirectoryModulePermissionsTest.php`
+
+**Interfaces:**
+- Produces: `DirectoryModule::permissions()` inclut `directory.reports.view` et `directory.reports.manage`.
+
+- [ ] **Step 1 : Écrire le test qui échoue**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\DirectoryModule;
+use PHPUnit\Framework\TestCase;
+
+final class DirectoryModulePermissionsTest extends TestCase
+{
+    public function testReportPermissionsAreDeclared(): void
+    {
+        $codes = array_column(DirectoryModule::permissions(), 'code');
+
+        self::assertContains('directory.reports.view', $codes);
+        self::assertContains('directory.reports.manage', $codes);
+    }
+}
+```
+
+- [ ] **Step 2 : Lancer le test, vérifier l'échec**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter DirectoryModulePermissionsTest`
+Expected: FAIL.
+
+- [ ] **Step 3 : Ajouter les permissions**
+
+Dans `DirectoryModule::permissions()`, ajouter au tableau retourné :
+
+```php
+            ['code' => 'directory.reports.view', 'label' => 'Voir les comptes-rendus commerciaux'],
+            ['code' => 'directory.reports.manage', 'label' => 'Gérer les comptes-rendus commerciaux'],
+```
+
+- [ ] **Step 4 : Lancer le test, vérifier le succès**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter DirectoryModulePermissionsTest`
+Expected: PASS.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add src/Module/Directory/DirectoryModule.php tests/Module/Directory/DirectoryModulePermissionsTest.php
+git commit -m "feat(directory) : declare commercial report RBAC permissions"
+```
+
+---
+
+## Task 9 : Tests API d'appartenance et de sécurité
+
+**Files:**
+- Test: `tests/Module/Directory/CommercialReportApiTest.php`
+
+**Interfaces:**
+- Consumes: endpoints `/api/commercial_reports`, `/api/contacts`, fixtures users (`admin`/`admin`, `alice`/`alice`).
+
+> Réutiliser le pattern de test fonctionnel API existant du projet (`grep -rl "ApiTestCase\|createClient" tests/` pour trouver la classe de base et la façon de s'authentifier en JWT cookie). Adapter le helper d'auth ci-dessous au helper réel du projet.
+
+- [ ] **Step 1 : Écrire les tests (invariants, pas de counts)**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Directory;
+
+use App\Module\Directory\Domain\Entity\Client;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+final class CommercialReportApiTest extends WebTestCase
+{
+    public function testAnonymousCannotReadReports(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/commercial_reports');
+
+        self::assertGreaterThanOrEqual(401, $client->getResponse()->getStatusCode());
+    }
+
+    public function testNonAdminCannotCreateReport(): void
+    {
+        $client = self::createClient();
+        // TODO(remplacer) : authentifier en ROLE_USER via le helper JWT du projet (cf. autres tests API).
+        $this->loginAs($client, 'alice', 'alice');
+
+        $target = $this->anyClientIri();
+        $client->request('POST', '/api/commercial_reports', server: [
+            'CONTENT_TYPE' => 'application/ld+json',
+        ], content: json_encode([
+            'subject'    => 'Test',
+            'occurredAt' => '2026-06-01',
+            'type'       => 'call',
+            'client'     => $target,
+        ]));
+
+        self::assertSame(403, $client->getResponse()->getStatusCode());
+    }
+
+    private function anyClientIri(): string
+    {
+        /** @var EntityManagerInterface $em */
+        $em     = self::getContainer()->get(EntityManagerInterface::class);
+        $client = $em->getRepository(Client::class)->findOneBy([]);
+
+        self::assertNotNull($client, 'A client fixture is required');
+
+        return '/api/clients/'.$client->getId();
+    }
+
+    // loginAs(): à implémenter selon le helper d'auth JWT cookie du projet.
+}
+```
+
+- [ ] **Step 2 : Adapter `loginAs` au helper réel** (lire un test API existant et reproduire l'auth JWT cookie).
+
+- [ ] **Step 3 : Lancer les tests**
+
+Run: `docker exec -i php-lesstime-fpm php bin/phpunit --filter CommercialReportApiTest`
+Expected: PASS (anonyme rejeté, ROLE_USER interdit en écriture).
+
+- [ ] **Step 4 : Lancer la suite complète**
+
+Run: `make test`
+Expected: suite verte.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add tests/Module/Directory/CommercialReportApiTest.php
+git commit -m "test(directory) : api security for commercial reports"
+```
+
+---
+
+## Task 10 : DTO frontend
+
+**Files:**
+- Create: `frontend/modules/directory/services/dto/contact.ts`
+- Create: `frontend/modules/directory/services/dto/address.ts`
+- Create: `frontend/modules/directory/services/dto/commercial-report.ts`
+- Create: `frontend/modules/directory/services/dto/report-document.ts`
+
+**Interfaces:**
+- Produces: types `Contact`/`ContactWrite`, `Address`/`AddressWrite`, `CommercialReport`/`CommercialReportWrite`, `ReportType`, `ReportDocument`.
+
+- [ ] **Step 1 : `contact.ts`**
+
+```ts
+export type Contact = {
+    id: number
+    '@id'?: string
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+
+export type ContactWrite = {
+    firstName: string | null
+    lastName: string | null
+    jobTitle: string | null
+    email: string | null
+    phonePrimary: string | null
+    phoneSecondary: string | null
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 2 : `address.ts`**
+
+```ts
+export type Address = {
+    id: number
+    '@id'?: string
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+
+export type AddressWrite = {
+    label: string | null
+    street: string | null
+    streetComplement: string | null
+    postalCode: string | null
+    city: string | null
+    country: string
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 3 : `report-document.ts`**
+
+```ts
+import type { UserData } from '~/services/dto/user'
+
+export type ReportDocument = {
+    '@id'?: string
+    id: number
+    commercialReport: string
+    originalName: string
+    fileName?: string | null
+    mimeType: string
+    size: number
+    createdAt: string
+    uploadedBy?: UserData | null
+}
+```
+
+> Vérifier le chemin réel du type `UserData` (`grep -rn "export type UserData\|export interface UserData" frontend`) et ajuster l'import. À défaut, remplacer par `{ id: number, username: string } | null`.
+
+- [ ] **Step 4 : `commercial-report.ts`**
+
+```ts
+import type { ReportDocument } from './report-document'
+
+export type ReportType = 'call' | 'meeting' | 'email' | 'note'
+
+export type CommercialReport = {
+    id: number
+    '@id'?: string
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    author?: { id: number, username: string } | null
+    client?: string | null
+    prospect?: string | null
+    documents?: ReportDocument[]
+    createdAt?: string
+    updatedAt?: string
+}
+
+export type CommercialReportWrite = {
+    subject: string
+    body: string | null
+    occurredAt: string
+    type: ReportType
+    client?: string | null
+    prospect?: string | null
+}
+```
+
+- [ ] **Step 5 : Vérifier la compilation TS**
+
+Run: `cd frontend && npx nuxi typecheck` (ou `npm run typecheck` si défini ; sinon `npx vue-tsc --noEmit`).
+Expected: pas d'erreur sur les nouveaux fichiers.
+
+- [ ] **Step 6 : Commit**
+
+```bash
+git add frontend/modules/directory/services/dto/
+git commit -m "feat(directory) : add frontend DTOs for contacts, addresses, reports"
+```
+
+---
+
+## Task 11 : Services frontend
+
+**Files:**
+- Create: `frontend/modules/directory/services/contacts.ts`
+- Create: `frontend/modules/directory/services/addresses.ts`
+- Create: `frontend/modules/directory/services/commercial-reports.ts`
+- Create: `frontend/modules/directory/services/report-documents.ts`
+
+**Interfaces:**
+- Consumes: DTO de Task 10, `useApi()`, `extractHydraMembers`.
+- Produces: `useContactService`, `useAddressService`, `useCommercialReportService`, `useReportDocumentService` (CRUD + filtre par owner).
+
+- [ ] **Step 1 : `contacts.ts`**
+
+```ts
+import type { Contact, ContactWrite } from './dto/contact'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useContactService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Contact[]> {
+        const data = await api.get<HydraCollection<Contact>>('/contacts', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: ContactWrite): Promise<Contact> {
+        return api.post<Contact>('/contacts', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<ContactWrite>): Promise<Contact> {
+        return api.patch<Contact>(`/contacts/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.contacts.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/contacts/${id}`, {}, { toastSuccessKey: 'directory.contacts.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 2 : `addresses.ts`** (même structure, ressource `/addresses`, clés i18n `directory.addresses.*`)
+
+```ts
+import type { Address, AddressWrite } from './dto/address'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useAddressService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<Address[]> {
+        const data = await api.get<HydraCollection<Address>>('/addresses', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: AddressWrite): Promise<Address> {
+        return api.post<Address>('/addresses', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<AddressWrite>): Promise<Address> {
+        return api.patch<Address>(`/addresses/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.addresses.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/addresses/${id}`, {}, { toastSuccessKey: 'directory.addresses.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 3 : `commercial-reports.ts`**
+
+```ts
+import type { CommercialReport, CommercialReportWrite } from './dto/commercial-report'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+
+type Owner = { client?: string, prospect?: string }
+
+export function useCommercialReportService() {
+    const api = useApi()
+
+    async function getByOwner(owner: Owner): Promise<CommercialReport[]> {
+        const data = await api.get<HydraCollection<CommercialReport>>('/commercial_reports', owner as Record<string, unknown>)
+        return extractHydraMembers(data)
+    }
+
+    async function create(payload: CommercialReportWrite): Promise<CommercialReport> {
+        return api.post<CommercialReport>('/commercial_reports', payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function update(id: number, payload: Partial<CommercialReportWrite>): Promise<CommercialReport> {
+        return api.patch<CommercialReport>(`/commercial_reports/${id}`, payload as Record<string, unknown>, {
+            toastSuccessKey: 'directory.reports.saved',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/commercial_reports/${id}`, {}, { toastSuccessKey: 'directory.reports.deleted' })
+    }
+
+    return { getByOwner, create, update, remove }
+}
+```
+
+- [ ] **Step 4 : `report-documents.ts`** (upload multipart + download URL, calqué sur `task-documents.ts`)
+
+```ts
+import type { ReportDocument } from './dto/report-document'
+import type { HydraCollection } from '~/utils/api'
+import { extractHydraMembers } from '~/utils/api'
+import { $fetch } from 'ofetch'
+
+export function useReportDocumentService() {
+    const api = useApi()
+    const config = useRuntimeConfig()
+    const baseURL = config.public.apiBase || '/api'
+
+    async function getByReport(reportId: number): Promise<ReportDocument[]> {
+        const data = await api.get<HydraCollection<ReportDocument>>('/report_documents', {
+            commercialReport: `/api/commercial_reports/${reportId}`,
+        })
+        return extractHydraMembers(data)
+    }
+
+    async function upload(reportId: number, file: File): Promise<ReportDocument> {
+        const formData = new FormData()
+        formData.append('file', file)
+        formData.append('commercialReport', `/api/commercial_reports/${reportId}`)
+
+        return $fetch<ReportDocument>(`${baseURL}/report_documents`, {
+            method: 'POST',
+            body: formData,
+            credentials: 'include',
+        })
+    }
+
+    async function remove(id: number): Promise<void> {
+        await api.delete(`/report_documents/${id}`, {}, { toastSuccessKey: 'directory.documents.deleted' })
+    }
+
+    function getDownloadUrl(id: number): string {
+        return `${baseURL}/report_documents/${id}/download`
+    }
+
+    return { getByReport, upload, remove, getDownloadUrl }
+}
+```
+
+- [ ] **Step 5 : Vérifier la compilation TS** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 6 : Commit**
+
+```bash
+git add frontend/modules/directory/services/
+git commit -m "feat(directory) : add frontend services for contacts, addresses, reports, documents"
+```
+
+---
+
+## Task 12 : Composant `DirectoryContactBlock`
+
+**Files:**
+- Create: `frontend/modules/directory/components/DirectoryContactBlock.vue`
+
+**Interfaces:**
+- Consumes: type `Contact` (Task 10), composants `@malio/layer-ui` (`MalioInputText`, `MalioInputEmail`, `MalioButtonIcon`).
+- Produces: bloc d'édition d'un contact ; props `modelValue: Contact`, `title: string`, `removable?: boolean`, `readonly?: boolean` ; events `update:modelValue`, `remove`.
+
+> Avant d'écrire : ouvrir `frontend/node_modules/@malio/layer-ui/COMPONENTS.md` pour confirmer les noms de props des inputs (`label`, `model-value`/`v-model`, `readonly`, `error`). Reproduire le style des drawers existants (`ProspectDrawer.vue`).
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            :label="$t('directory.contacts.fields.lastName')"
+            :model-value="modelValue.lastName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('lastName', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.firstName')"
+            :model-value="modelValue.firstName ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('firstName', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.contacts.fields.jobTitle')"
+            :model-value="modelValue.jobTitle ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('jobTitle', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.email')"
+            :model-value="modelValue.email ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('email', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phonePrimary')"
+            :model-value="modelValue.phonePrimary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phonePrimary', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.contacts.fields.phoneSecondary')"
+            :model-value="modelValue.phoneSecondary ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('phoneSecondary', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Contact } from '~/modules/directory/services/dto/contact'
+
+const props = defineProps<{
+    modelValue: Contact
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Contact]
+    'remove': []
+}>()
+
+function update(field: keyof Contact, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
+```
+
+- [ ] **Step 2 : Vérifier le rendu** — `make dev-nuxt`, importer le composant dans une page de test ou attendre Task 16. Vérifier l'absence d'erreur console au build : `cd frontend && npx nuxi typecheck`.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/DirectoryContactBlock.vue
+git commit -m "feat(directory) : add repeatable contact block component"
+```
+
+---
+
+## Task 13 : Composant `DirectoryAddressBlock`
+
+**Files:**
+- Create: `frontend/modules/directory/components/DirectoryAddressBlock.vue`
+
+**Interfaces:**
+- Produces: bloc d'édition d'une adresse ; mêmes props/events que `DirectoryContactBlock` mais `modelValue: Address`.
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="relative grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+        <h3 class="col-span-2 text-sm font-semibold text-neutral-700">
+            {{ title }}
+        </h3>
+        <MalioButtonIcon
+            v-if="removable && !readonly"
+            icon="mdi:trash-can-outline"
+            class="absolute right-2 top-2"
+            button-class="!text-red-600"
+            :aria-label="$t('common.delete')"
+            @click="$emit('remove')"
+        />
+
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.label')"
+            :model-value="modelValue.label ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('label', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.street')"
+            :model-value="modelValue.street ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('street', $event)"
+        />
+        <MalioInputText
+            class="col-span-2"
+            :label="$t('directory.addresses.fields.streetComplement')"
+            :model-value="modelValue.streetComplement ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('streetComplement', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.postalCode')"
+            :model-value="modelValue.postalCode ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('postalCode', $event)"
+        />
+        <MalioInputText
+            :label="$t('directory.addresses.fields.city')"
+            :model-value="modelValue.city ?? ''"
+            :readonly="readonly"
+            @update:model-value="update('city', $event)"
+        />
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Address } from '~/modules/directory/services/dto/address'
+
+const props = defineProps<{
+    modelValue: Address
+    title: string
+    removable?: boolean
+    readonly?: boolean
+}>()
+
+const emit = defineEmits<{
+    'update:modelValue': [value: Address]
+    'remove': []
+}>()
+
+function update(field: keyof Address, value: string): void {
+    emit('update:modelValue', { ...props.modelValue, [field]: value === '' ? null : value })
+}
+</script>
+```
+
+- [ ] **Step 2 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/DirectoryAddressBlock.vue
+git commit -m "feat(directory) : add repeatable address block component"
+```
+
+---
+
+## Task 14 : Composants documents de rapport (`ReportDocumentUpload`, `ReportDocumentList`)
+
+**Files:**
+- Create: `frontend/modules/directory/components/ReportDocumentUpload.vue`
+- Create: `frontend/modules/directory/components/ReportDocumentList.vue`
+
+**Interfaces:**
+- Consumes: `useReportDocumentService` (Task 11), `ReportDocument` DTO.
+- Produces: `ReportDocumentUpload` (prop `reportId: number`, event `uploaded`), `ReportDocumentList` (prop `documents: ReportDocument[]`, `isAdmin: boolean`, event `delete`).
+
+> S'inspirer de `frontend/modules/project-management/components/TaskDocumentUpload.vue` et `TaskDocumentList.vue` (les lire d'abord). Version simplifiée : upload simple + liste avec lien download + bouton suppression. Pas de SMB, pas de preview avancé (lien `getDownloadUrl` ouvert dans un onglet).
+
+- [ ] **Step 1 : `ReportDocumentUpload.vue`**
+
+```vue
+<template>
+    <div class="flex items-center gap-3">
+        <input
+            ref="fileInput"
+            type="file"
+            class="hidden"
+            @change="onFileSelected"
+        >
+        <MalioButton
+            icon-name="mdi:paperclip"
+            icon-position="left"
+            button-class="w-auto px-4"
+            :label="$t('directory.documents.add')"
+            :disabled="uploading"
+            @click="fileInput?.click()"
+        />
+        <span v-if="uploading" class="text-sm text-neutral-500">{{ $t('directory.documents.uploading') }}</span>
+    </div>
+</template>
+
+<script setup lang="ts">
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{ reportId: number }>()
+const emit = defineEmits<{ uploaded: [] }>()
+
+const service = useReportDocumentService()
+const fileInput = ref<HTMLInputElement | null>(null)
+const uploading = ref(false)
+
+async function onFileSelected(event: Event): Promise<void> {
+    const input = event.target as HTMLInputElement
+    const file = input.files?.[0]
+    if (!file) return
+
+    uploading.value = true
+    try {
+        await service.upload(props.reportId, file)
+        emit('uploaded')
+    } finally {
+        uploading.value = false
+        input.value = ''
+    }
+}
+</script>
+```
+
+- [ ] **Step 2 : `ReportDocumentList.vue`**
+
+```vue
+<template>
+    <ul v-if="documents.length" class="flex flex-col gap-2">
+        <li
+            v-for="doc in documents"
+            :key="doc.id"
+            class="flex items-center justify-between rounded border border-neutral-200 px-3 py-2"
+        >
+            <a
+                :href="downloadUrl(doc.id)"
+                target="_blank"
+                rel="noopener"
+                class="flex items-center gap-2 text-sm text-blue-700 hover:underline"
+            >
+                <Icon name="mdi:file-document-outline" />
+                {{ doc.originalName }}
+            </a>
+            <MalioButtonIcon
+                v-if="isAdmin"
+                icon="mdi:trash-can-outline"
+                button-class="!text-red-600"
+                :aria-label="$t('common.delete')"
+                @click="$emit('delete', doc.id)"
+            />
+        </li>
+    </ul>
+    <p v-else class="text-sm text-neutral-400">
+        {{ $t('directory.documents.empty') }}
+    </p>
+</template>
+
+<script setup lang="ts">
+import type { ReportDocument } from '~/modules/directory/services/dto/report-document'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+defineProps<{ documents: ReportDocument[], isAdmin: boolean }>()
+defineEmits<{ delete: [id: number] }>()
+
+const { getDownloadUrl } = useReportDocumentService()
+function downloadUrl(id: number): string {
+    return getDownloadUrl(id)
+}
+</script>
+```
+
+- [ ] **Step 3 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 4 : Commit**
+
+```bash
+git add frontend/modules/directory/components/ReportDocumentUpload.vue frontend/modules/directory/components/ReportDocumentList.vue
+git commit -m "feat(directory) : add report document upload/list components"
+```
+
+---
+
+## Task 15 : Onglet Rapport (`CommercialReportTab`)
+
+**Files:**
+- Create: `frontend/modules/directory/components/CommercialReportTab.vue`
+
+**Interfaces:**
+- Consumes: `useCommercialReportService` (Task 11), `ReportDocumentUpload`/`ReportDocumentList` (Task 14), composants Malio (`MalioInputText`, `MalioInputTextArea`, `MalioSelect`, `MalioDate`, `MalioButton`).
+- Produces: onglet complet ; prop `owner: { client?: string, prospect?: string }`, `isAdmin: boolean`. Gère liste + formulaire d'ajout/édition + documents.
+
+- [ ] **Step 1 : Écrire le composant**
+
+```vue
+<template>
+    <div class="flex flex-col gap-6 pt-6">
+        <!-- Formulaire d'ajout / édition -->
+        <div v-if="isAdmin" class="grid grid-cols-2 gap-x-8 gap-y-3 rounded bg-white p-4 shadow">
+            <MalioInputText
+                class="col-span-2"
+                :label="$t('directory.reports.fields.subject')"
+                v-model="draft.subject"
+            />
+            <MalioSelect
+                :label="$t('directory.reports.fields.type')"
+                v-model="draft.type"
+                :options="typeOptions"
+                group-class="w-full"
+            />
+            <MalioDate
+                :label="$t('directory.reports.fields.occurredAt')"
+                v-model="draft.occurredAt"
+            />
+            <MalioInputTextArea
+                class="col-span-2"
+                :label="$t('directory.reports.fields.body')"
+                v-model="draft.body"
+            />
+            <div class="col-span-2 flex justify-end gap-3">
+                <MalioButton
+                    v-if="editingId"
+                    variant="secondary"
+                    button-class="w-auto px-4"
+                    :label="$t('common.cancel')"
+                    @click="resetDraft"
+                />
+                <MalioButton
+                    button-class="w-auto px-4"
+                    :label="editingId ? $t('common.save') : $t('directory.reports.add')"
+                    :disabled="!draft.subject"
+                    @click="save"
+                />
+            </div>
+        </div>
+
+        <!-- Liste des comptes-rendus -->
+        <div v-for="report in reports" :key="report.id" class="rounded border border-neutral-200 p-4">
+            <div class="flex items-start justify-between">
+                <div>
+                    <p class="font-semibold text-neutral-800">{{ report.subject }}</p>
+                    <p class="text-xs text-neutral-500">
+                        {{ formatDate(report.occurredAt) }} · {{ $t(`directory.reports.types.${report.type}`) }}
+                        <span v-if="report.author"> · {{ report.author.username }}</span>
+                    </p>
+                </div>
+                <div v-if="isAdmin" class="flex gap-2">
+                    <MalioButtonIcon icon="mdi:pencil-outline" :aria-label="$t('common.edit')" @click="edit(report)" />
+                    <MalioButtonIcon icon="mdi:trash-can-outline" button-class="!text-red-600" :aria-label="$t('common.delete')" @click="remove(report.id)" />
+                </div>
+            </div>
+            <p v-if="report.body" class="mt-2 whitespace-pre-wrap text-sm text-neutral-700">{{ report.body }}</p>
+
+            <div class="mt-3 flex flex-col gap-2">
+                <ReportDocumentList
+                    :documents="report.documents ?? []"
+                    :is-admin="isAdmin"
+                    @delete="(id) => removeDocument(report, id)"
+                />
+                <ReportDocumentUpload
+                    v-if="isAdmin"
+                    :report-id="report.id"
+                    @uploaded="reload"
+                />
+            </div>
+        </div>
+
+        <p v-if="!reports.length" class="text-sm text-neutral-400">
+            {{ $t('directory.reports.empty') }}
+        </p>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { CommercialReport, CommercialReportWrite, ReportType } from '~/modules/directory/services/dto/commercial-report'
+import { useCommercialReportService } from '~/modules/directory/services/commercial-reports'
+import { useReportDocumentService } from '~/modules/directory/services/report-documents'
+
+const props = defineProps<{
+    owner: { client?: string, prospect?: string }
+    isAdmin: boolean
+}>()
+
+const { t } = useI18n()
+const reportService = useCommercialReportService()
+const documentService = useReportDocumentService()
+
+const reports = ref<CommercialReport[]>([])
+const editingId = ref<number | null>(null)
+
+function emptyDraft(): CommercialReportWrite {
+    return {
+        subject: '',
+        body: null,
+        occurredAt: new Date().toISOString().slice(0, 10),
+        type: 'note',
+        ...props.owner,
+    }
+}
+const draft = ref<CommercialReportWrite>(emptyDraft())
+
+const typeOptions: { label: string, value: ReportType }[] = [
+    { label: t('directory.reports.types.call'), value: 'call' },
+    { label: t('directory.reports.types.meeting'), value: 'meeting' },
+    { label: t('directory.reports.types.email'), value: 'email' },
+    { label: t('directory.reports.types.note'), value: 'note' },
+]
+
+function formatDate(iso: string): string {
+    return new Date(iso).toLocaleDateString('fr-FR')
+}
+
+async function reload(): Promise<void> {
+    reports.value = await reportService.getByOwner(props.owner)
+}
+
+function resetDraft(): void {
+    editingId.value = null
+    draft.value = emptyDraft()
+}
+
+function edit(report: CommercialReport): void {
+    editingId.value = report.id
+    draft.value = {
+        subject: report.subject,
+        body: report.body,
+        occurredAt: report.occurredAt.slice(0, 10),
+        type: report.type,
+        ...props.owner,
+    }
+}
+
+async function save(): Promise<void> {
+    if (editingId.value) {
+        await reportService.update(editingId.value, draft.value)
+    } else {
+        await reportService.create(draft.value)
+    }
+    resetDraft()
+    await reload()
+}
+
+async function remove(id: number): Promise<void> {
+    await reportService.remove(id)
+    await reload()
+}
+
+async function removeDocument(report: CommercialReport, id: number): Promise<void> {
+    await documentService.remove(id)
+    await reload()
+}
+
+onMounted(reload)
+watch(() => props.owner, reload, { deep: true })
+</script>
+```
+
+> Confirmer les props réelles de `MalioDate`, `MalioInputTextArea`, `MalioSelect` dans `COMPONENTS.md` (notamment `v-model` vs `model-value`/`@update:model-value`, et que `MalioSelect` accepte une valeur `string` — cf. CLAUDE.md). Ajuster si nécessaire.
+
+- [ ] **Step 2 : Vérifier la compilation** — `cd frontend && npx nuxi typecheck`. Expected: pas d'erreur.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/components/CommercialReportTab.vue
+git commit -m "feat(directory) : add commercial report tab (list, form, documents)"
+```
+
+---
+
+## Task 16 : Fiche détail Client
+
+**Files:**
+- Create: `frontend/modules/directory/pages/clients/[id].vue`
+
+**Interfaces:**
+- Consumes: `useClientService`, `useContactService`, `useAddressService`, blocs Task 12/13, `CommercialReportTab` (Task 15), `MalioTabList`.
+- Produces: page `/directory/clients/:id` ; onglets Contact/Adresse/Rapport ; owner = `{ client: '/api/clients/:id' }`.
+
+> `useClientService` n'a pas `getById` aujourd'hui (`services/clients.ts`). Ajouter une méthode `getById(id)` au service clients (calquée sur prospects.ts) dans cette tâche.
+
+- [ ] **Step 1 : Ajouter `getById` au service clients**
+
+Dans `frontend/modules/directory/services/clients.ts`, ajouter à l'intérieur de `useClientService` (et l'exposer dans le `return`) :
+
+```ts
+    async function getById(id: number): Promise<Client> {
+        return api.get<Client>(`/clients/${id}`)
+    }
+```
+
+- [ ] **Step 2 : Écrire la page**
+
+```vue
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ client?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="client">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Client } from '~/modules/directory/services/dto/client'
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useClientService } from '~/modules/directory/services/clients'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/clients/${id}`
+const owner = { client: ownerIri }
+
+const clientService = useClientService()
+const contactService = useContactService()
+const addressService = useAddressService()
+
+const client = ref<Client | null>(null)
+const contacts = ref<Contact[]>([])
+const addresses = ref<Address[]>([])
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function emptyContact(): Contact {
+    return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, client: ownerIri }
+}
+function emptyAddress(): Address {
+    return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', client: ownerIri }
+}
+
+async function onContactInput(index: number, value: Contact): Promise<void> {
+    contacts.value[index] = value
+    await persistContact(index)
+}
+async function persistContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, client: ownerIri }
+    if (c.id && c.id > 0) {
+        await contactService.update(c.id, payload)
+    } else if (c.lastName || c.firstName) {
+        const created = await contactService.create(payload)
+        contacts.value[index] = created
+    }
+}
+function addContact(): void {
+    contacts.value.push(emptyContact())
+}
+async function removeContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    if (c.id && c.id > 0) await contactService.remove(c.id)
+    contacts.value.splice(index, 1)
+}
+
+async function onAddressInput(index: number, value: Address): Promise<void> {
+    addresses.value[index] = value
+    await persistAddress(index)
+}
+async function persistAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, client: ownerIri }
+    if (a.id && a.id > 0) {
+        await addressService.update(a.id, payload)
+    } else if (a.street || a.city || a.postalCode) {
+        const created = await addressService.create(payload)
+        addresses.value[index] = created
+    }
+}
+function addAddress(): void {
+    addresses.value.push(emptyAddress())
+}
+async function removeAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    if (a.id && a.id > 0) await addressService.remove(a.id)
+    addresses.value.splice(index, 1)
+}
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    client.value = await clientService.getById(id)
+    contacts.value = await contactService.getByOwner({ client: ownerIri })
+    addresses.value = await addressService.getByOwner({ client: ownerIri })
+    loading.value = false
+})
+</script>
+```
+
+> Décision UX explicite : la sauvegarde par bloc se fait au `@update:model-value` (à la frappe). Si ça génère trop d'appels, ajouter un debounce ou un bouton « Enregistrer » par bloc dans une itération ultérieure (hors périmètre de ce plan).
+
+- [ ] **Step 3 : Vérifier le routage et le rendu**
+
+Run: `make dev-nuxt` puis naviguer vers `/directory/clients/1`.
+Expected: page chargée, 3 onglets visibles, ajout d'un contact persiste (vérifier via `GET /api/contacts?client=/api/clients/1`).
+
+- [ ] **Step 4 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/clients/ frontend/modules/directory/services/clients.ts
+git commit -m "feat(directory) : add client detail page with contact/address/report tabs"
+```
+
+---
+
+## Task 17 : Fiche détail Prospect
+
+**Files:**
+- Create: `frontend/modules/directory/pages/prospects/[id].vue`
+
+**Interfaces:**
+- Identique à Task 16 mais owner = `{ prospect: '/api/prospects/:id' }`, service `useProspectService().getById` (déjà présent).
+
+- [ ] **Step 1 : Écrire la page**
+
+Reprendre **intégralement** la page de Task 16 (`clients/[id].vue`) en remplaçant :
+- `useClientService` → `useProspectService` ; `clientService.getById` → `prospectService.getById` ; type `Client` → `Prospect` (import `~/modules/directory/services/dto/prospect`).
+- `const ownerIri = '/api/prospects/${id}'` ; `const owner = { prospect: ownerIri }`.
+- Dans `emptyContact`/`emptyAddress` et les payloads : remplacer `client: ownerIri` par `prospect: ownerIri`.
+- `getByOwner({ client: ownerIri })` → `getByOwner({ prospect: ownerIri })` (contacts et adresses).
+
+Code complet :
+
+```vue
+<template>
+    <div class="flex flex-col gap-6">
+        <div class="flex items-center gap-3 pt-4">
+            <MalioButtonIcon icon="mdi:arrow-left" :aria-label="$t('common.back')" @click="goBack" />
+            <h1 class="text-2xl font-bold text-neutral-900">{{ prospect?.name ?? '…' }}</h1>
+        </div>
+
+        <p v-if="loading">{{ $t('common.loading') }}</p>
+        <template v-else-if="prospect">
+            <MalioTabList v-model="activeTab" :tabs="tabs">
+                <template #contact>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryContactBlock
+                            v-for="(contact, i) in contacts"
+                            :key="contact.id || `new-${i}`"
+                            :model-value="contact"
+                            :title="$t('directory.contacts.item', { n: i + 1 })"
+                            :removable="contacts.length > 0"
+                            @update:model-value="(v) => onContactInput(i, v)"
+                            @remove="removeContact(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.contacts.add')"
+                            @click="addContact"
+                        />
+                    </div>
+                </template>
+
+                <template #address>
+                    <div class="flex flex-col gap-4 pt-6">
+                        <DirectoryAddressBlock
+                            v-for="(address, i) in addresses"
+                            :key="address.id || `new-${i}`"
+                            :model-value="address"
+                            :title="$t('directory.addresses.item', { n: i + 1 })"
+                            :removable="addresses.length > 0"
+                            @update:model-value="(v) => onAddressInput(i, v)"
+                            @remove="removeAddress(i)"
+                        />
+                        <MalioButton
+                            icon-name="mdi:plus"
+                            icon-position="left"
+                            button-class="w-auto px-4"
+                            :label="$t('directory.addresses.add')"
+                            @click="addAddress"
+                        />
+                    </div>
+                </template>
+
+                <template #report>
+                    <CommercialReportTab :owner="owner" :is-admin="true" />
+                </template>
+            </MalioTabList>
+        </template>
+    </div>
+</template>
+
+<script setup lang="ts">
+import type { Prospect } from '~/modules/directory/services/dto/prospect'
+import type { Contact } from '~/modules/directory/services/dto/contact'
+import type { Address } from '~/modules/directory/services/dto/address'
+import { useProspectService } from '~/modules/directory/services/prospects'
+import { useContactService } from '~/modules/directory/services/contacts'
+import { useAddressService } from '~/modules/directory/services/addresses'
+
+definePageMeta({ middleware: ['admin'] })
+
+const route = useRoute()
+const router = useRouter()
+const { t } = useI18n()
+
+const id = Number(route.params.id)
+const ownerIri = `/api/prospects/${id}`
+const owner = { prospect: ownerIri }
+
+const prospectService = useProspectService()
+const contactService = useContactService()
+const addressService = useAddressService()
+
+const prospect = ref<Prospect | null>(null)
+const contacts = ref<Contact[]>([])
+const addresses = ref<Address[]>([])
+const loading = ref(true)
+
+const activeTab = ref('contact')
+const tabs = [
+    { key: 'contact', label: t('directory.tabs.contact'), icon: 'mdi:account-outline' },
+    { key: 'address', label: t('directory.tabs.address'), icon: 'mdi:map-marker-outline' },
+    { key: 'report', label: t('directory.tabs.report'), icon: 'mdi:file-document-outline' },
+]
+
+function emptyContact(): Contact {
+    return { id: 0, firstName: null, lastName: null, jobTitle: null, email: null, phonePrimary: null, phoneSecondary: null, prospect: ownerIri }
+}
+function emptyAddress(): Address {
+    return { id: 0, label: null, street: null, streetComplement: null, postalCode: null, city: null, country: 'FR', prospect: ownerIri }
+}
+
+async function onContactInput(index: number, value: Contact): Promise<void> {
+    contacts.value[index] = value
+    await persistContact(index)
+}
+async function persistContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    const payload = { firstName: c.firstName, lastName: c.lastName, jobTitle: c.jobTitle, email: c.email, phonePrimary: c.phonePrimary, phoneSecondary: c.phoneSecondary, prospect: ownerIri }
+    if (c.id && c.id > 0) {
+        await contactService.update(c.id, payload)
+    } else if (c.lastName || c.firstName) {
+        const created = await contactService.create(payload)
+        contacts.value[index] = created
+    }
+}
+function addContact(): void {
+    contacts.value.push(emptyContact())
+}
+async function removeContact(index: number): Promise<void> {
+    const c = contacts.value[index]
+    if (c.id && c.id > 0) await contactService.remove(c.id)
+    contacts.value.splice(index, 1)
+}
+
+async function onAddressInput(index: number, value: Address): Promise<void> {
+    addresses.value[index] = value
+    await persistAddress(index)
+}
+async function persistAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    const payload = { label: a.label, street: a.street, streetComplement: a.streetComplement, postalCode: a.postalCode, city: a.city, country: a.country, prospect: ownerIri }
+    if (a.id && a.id > 0) {
+        await addressService.update(a.id, payload)
+    } else if (a.street || a.city || a.postalCode) {
+        const created = await addressService.create(payload)
+        addresses.value[index] = created
+    }
+}
+function addAddress(): void {
+    addresses.value.push(emptyAddress())
+}
+async function removeAddress(index: number): Promise<void> {
+    const a = addresses.value[index]
+    if (a.id && a.id > 0) await addressService.remove(a.id)
+    addresses.value.splice(index, 1)
+}
+
+function goBack(): void {
+    router.push('/directory')
+}
+
+onMounted(async () => {
+    prospect.value = await prospectService.getById(id)
+    contacts.value = await contactService.getByOwner({ prospect: ownerIri })
+    addresses.value = await addressService.getByOwner({ prospect: ownerIri })
+    loading.value = false
+})
+</script>
+```
+
+- [ ] **Step 2 : Vérifier le rendu** — `/directory/prospects/1`. Expected: 3 onglets, ajout de contact persiste.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/prospects/
+git commit -m "feat(directory) : add prospect detail page with contact/address/report tabs"
+```
+
+---
+
+## Task 18 : Navigation liste → fiche détail
+
+**Files:**
+- Modify: `frontend/modules/directory/pages/directory.vue`
+
+**Interfaces:**
+- Consumes: pages détail Task 16/17.
+- Produces: clic sur une ligne client/prospect → navigation vers la fiche détail (au lieu d'ouvrir le drawer). Le drawer reste pour la création (`openCreateClient`/`openCreateProspect`).
+
+- [ ] **Step 1 : Modifier les handlers de clic**
+
+Dans `frontend/modules/directory/pages/directory.vue`, remplacer `openEditClient` et `openEditProspect` par une navigation :
+
+```ts
+function openEditClient(item: Record<string, unknown>) {
+    navigateTo(`/directory/clients/${(item as Client).id}`)
+}
+
+function openEditProspect(item: Record<string, unknown>) {
+    navigateTo(`/directory/prospects/${(item as Prospect).id}`)
+}
+```
+
+Laisser `selectedClient`/`selectedProspect` et les drawers en place **uniquement** pour la création (`openCreateClient`/`openCreateProspect` inchangés). Retirer `selectedClient.value = item` des anciens handlers.
+
+- [ ] **Step 2 : Vérifier**
+
+Run: `make dev-nuxt` ; sur `/directory`, cliquer une ligne client → arrive sur `/directory/clients/:id` ; le bouton « Ajouter » ouvre toujours le drawer.
+
+- [ ] **Step 3 : Commit**
+
+```bash
+git add frontend/modules/directory/pages/directory.vue
+git commit -m "feat(directory) : open detail page on row click, keep drawer for creation"
+```
+
+---
+
+## Task 19 : Traductions i18n
+
+**Files:**
+- Modify: `frontend/i18n/locales/fr.json`
+
+**Interfaces:**
+- Produces: toutes les clés `directory.tabs.{contact,address,report}`, `directory.contacts.*`, `directory.addresses.*`, `directory.reports.*`, `directory.documents.*`, et les clés `common.*` utilisées (`back`, `loading`, `edit`, `delete`, `save`, `cancel`).
+
+- [ ] **Step 1 : Ajouter les clés sous `directory`**
+
+Dans `frontend/i18n/locales/fr.json`, étendre l'objet `directory` (fusionner avec l'existant `directory.title`/`directory.tabs.clients`/...) :
+
+```json
+"directory": {
+    "tabs": {
+        "contact": "Contact",
+        "address": "Adresse",
+        "report": "Rapport"
+    },
+    "contacts": {
+        "add": "Ajouter un contact",
+        "item": "Contact {n}",
+        "saved": "Contact enregistré.",
+        "deleted": "Contact supprimé.",
+        "fields": {
+            "lastName": "Nom",
+            "firstName": "Prénom",
+            "jobTitle": "Fonction",
+            "email": "Email",
+            "phonePrimary": "Téléphone",
+            "phoneSecondary": "Téléphone secondaire"
+        }
+    },
+    "addresses": {
+        "add": "Ajouter une adresse",
+        "item": "Adresse {n}",
+        "saved": "Adresse enregistrée.",
+        "deleted": "Adresse supprimée.",
+        "fields": {
+            "label": "Libellé",
+            "street": "Rue",
+            "streetComplement": "Complément",
+            "postalCode": "Code postal",
+            "city": "Ville"
+        }
+    },
+    "reports": {
+        "add": "Ajouter un compte-rendu",
+        "empty": "Aucun compte-rendu.",
+        "saved": "Compte-rendu enregistré.",
+        "deleted": "Compte-rendu supprimé.",
+        "fields": {
+            "subject": "Objet",
+            "type": "Type d'échange",
+            "occurredAt": "Date",
+            "body": "Compte-rendu"
+        },
+        "types": {
+            "call": "Appel",
+            "meeting": "Rendez-vous",
+            "email": "Email",
+            "note": "Note"
+        }
+    },
+    "documents": {
+        "add": "Joindre un document",
+        "uploading": "Envoi…",
+        "empty": "Aucun document.",
+        "deleted": "Document supprimé."
+    }
+}
+```
+
+> ⚠️ Préserver les clés `directory` existantes (`title`, `tabs.clients`, `tabs.prospects`, `clients.*`, `prospects.*`). Fusionner, ne pas écraser. `tabs` reçoit `contact`/`address`/`report` **en plus** de `clients`/`prospects`.
+
+- [ ] **Step 2 : Ajouter les clés `common` manquantes** (si absentes — vérifier d'abord `grep '"common"' frontend/i18n/locales/fr.json`)
+
+```json
+"common": {
+    "back": "Retour",
+    "loading": "Chargement…",
+    "edit": "Modifier",
+    "delete": "Supprimer",
+    "save": "Enregistrer",
+    "cancel": "Annuler"
+}
+```
+
+- [ ] **Step 3 : Vérifier le JSON**
+
+Run: `docker exec -i php-lesstime-fpm node -e "require('./frontend/i18n/locales/fr.json')"` (ou `python3 -m json.tool frontend/i18n/locales/fr.json > /dev/null`).
+Expected: pas d'erreur de parsing.
+
+- [ ] **Step 4 : Vérifier l'absence de clés manquantes en UI** — `make dev-nuxt`, parcourir les fiches : aucun libellé brut `directory.xxx` affiché.
+
+- [ ] **Step 5 : Commit**
+
+```bash
+git add frontend/i18n/locales/fr.json
+git commit -m "feat(directory) : add i18n keys for contacts, addresses, reports tabs"
+```
+
+---
+
+## Task 20 : Vérification de bout en bout
+
+**Files:** aucun (vérification manuelle + suite de tests).
+
+- [ ] **Step 1 : Suite backend complète**
+
+Run: `make test`
+Expected: vert.
+
+- [ ] **Step 2 : Style PHP**
+
+Run: `make php-cs-fixer-allow-risky`
+Expected: fichiers conformes (commit si des corrections sont appliquées).
+
+- [ ] **Step 3 : Parcours fonctionnel**
+
+Avec `make dev-nuxt` et un compte `admin/admin` :
+1. `/directory` → cliquer un client → fiche détail.
+2. Onglet Contact : ajouter 2 contacts, recharger la page → les 2 sont présents.
+3. Onglet Adresse : ajouter 1 adresse → présente après reload.
+4. Onglet Rapport : créer un compte-rendu (type « Appel »), joindre un PDF → document listé et téléchargeable.
+5. Sur un prospect avec contacts/adresses/rapports → « Convertir en client » → ouvrir le client créé → contacts/adresses/rapports présents sur le client, absents du prospect.
+
+- [ ] **Step 4 : Commit de clôture éventuel** (si php-cs-fixer a modifié des fichiers)
+
+```bash
+git add -A
+git commit -m "style(directory) : apply php-cs-fixer"
+```
+
+---
+
+## Notes d'exécution
+
+- **Ordre des tâches :** 1 → 9 (backend) avant 10 → 19 (frontend) ; Task 5 doit précéder la migration (Task 6) car `CommercialReport` référence `ReportDocument`.
+- **Points à confirmer en cours de route** (signalés inline) : style d'injection des services dans `services.yaml` (copier le pattern `TaskDocument*`), props exactes des composants Malio (`COMPONENTS.md`), chemin du type `UserData`, helper d'auth JWT des tests API.
+- **Décision UX assumée :** sauvegarde par bloc à la frappe (Contact/Adresse). Debounce/bouton explicite = itération ultérieure si besoin.
diff --git a/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md b/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md
new file mode 100644
index 0000000..16d8255
--- /dev/null
+++ b/docs/superpowers/specs/2026-06-22-directory-commercial-reports-design.md
@@ -0,0 +1,203 @@
+# Répertoire — Contacts, Adresses & Rapports commerciaux
+
+**Date :** 2026-06-22
+**Module :** `Directory` (Lesstime)
+**Statut :** Conception validée — prêt pour plan d'implémentation
+
+## Contexte & objectif
+
+Le module `Directory` gère aujourd'hui `Client` et `Prospect` de façon volontairement
+minimaliste : champs à plat (`name`, `email`, `phone`, `street`, `city`, `postalCode`),
+adresse *inline*, aucun contact individuel, aucun suivi commercial. Le CRUD se fait via
+des drawers sur une page unique `/directory` à deux onglets, sans fiche détail.
+
+On veut transformer chaque fiche client/prospect en une **vraie fiche détail à onglets**,
+inspirée du répertoire de Starseed (blocs répétables, sauvegarde indépendante par onglet,
+validation 422 inline), avec trois onglets : **Contact**, **Adresse**, **Rapport**.
+Le « rapport commercial » est un **journal de comptes-rendus** (objet + texte + date +
+type d'échange + auteur) auquel on peut **joindre des documents**.
+
+Décisions cadrées avec l'utilisateur :
+- Contacts et adresses : **plusieurs** par fiche (blocs répétables, façon Starseed).
+- UX : **fiche détail à route dédiée** (le clic sur une ligne ouvre la fiche, plus le drawer).
+- Rapport = **comptes-rendus** (objet + texte + date + type) **avec documents joints**.
+- Conversion prospect → client : **tout est repris** (contacts, adresses, rapports).
+- Cible : **Lesstime** (Starseed sert uniquement de référence de design).
+
+## Approche retenue
+
+**Entités partagées via double-FK** : `Contact`, `Address`, `CommercialReport` sont
+chacune rattachées à **un `Client` OU un `Prospect`** via deux FK nullables
+(`client_id?`, `prospect_id?`) + une contrainte CHECK « exactly-one ».
+
+C'est le pattern **déjà employé par `task_document`** (`task_id` / `client_ticket_id` +
+CHECK `task_id IS NOT NULL OR client_ticket_id IS NOT NULL`) — on reste donc cohérent
+avec le code existant. La conversion prospect→client se réduit à une **réaffectation de
+FK** (pas de copie), ce qui préserve l'historique.
+
+Alternative écartée : entités dupliquées par propriétaire (`ClientContact` +
+`ProspectContact`, etc.) → 2× plus de tables/code et conversion par recopie.
+
+## Modèle de données (backend — `src/Module/Directory`)
+
+Toutes les nouvelles entités vivent dans le module `Directory`
+(`Domain/Entity`, `Domain/Repository`, `Domain/Enum`, `Infrastructure/Doctrine`,
+`Infrastructure/ApiPlatform`), suivent les traits `TimestampableBlamableTrait` et
+sont `#[Auditable]` comme `Client`/`Prospect`.
+
+### `Contact` (répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| firstName | string? | |
+| lastName | string? | |
+| jobTitle | string? | fonction |
+| email | string? | lowercase |
+| phonePrimary | string? | |
+| phoneSecondary | string? | |
+| client | ManyToOne Client? | FK `client_id`, ON DELETE CASCADE |
+| prospect | ManyToOne Prospect? | FK `prospect_id`, ON DELETE CASCADE |
+
+Contrainte CHECK : `client_id IS NOT NULL OR prospect_id IS NOT NULL` (et au plus un des
+deux, garanti par la logique applicative + index). « Sans contrainte » fonctionnelle : un
+contact est valide dès qu'il a au moins un nom **ou** prénom (validation souple, façon
+`isContactNamed` de Starseed).
+
+### `Address` (répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| label | string? | libellé libre (« Siège », « Facturation »…) |
+| street | string? | |
+| streetComplement | string? | |
+| postalCode | string? | |
+| city | string? | |
+| country | string | défaut `FR` |
+| client / prospect | ManyToOne ?, FK CASCADE | double-FK + CHECK |
+
+### `CommercialReport` (compte-rendu, répétable)
+| Champ | Type | Notes |
+|-------|------|-------|
+| id | int PK | |
+| subject | string | objet du compte-rendu |
+| body | text | le compte-rendu lui-même |
+| occurredAt | date | date de l'échange |
+| type | enum `ReportType` | `call` / `meeting` / `email` / `note` |
+| author | ManyToOne User? | rempli via Blamable (utilisateur connecté) |
+| documents | OneToMany ReportDocument | pièces jointes (voir section dédiée) |
+| client / prospect | ManyToOne ?, FK CASCADE | double-FK + CHECK |
+
+`ReportType` (enum, libellés FR) : Appel, Rendez-vous, Email, Note.
+
+### Migration de l'adresse *inline*
+Les colonnes `street`, `city`, `postal_code` de `client` et `prospect` sont **migrées**
+vers une première ligne `Address` (data migration : pour chaque client/prospect ayant une
+adresse non vide, créer une `Address` rattachée), puis **supprimées** des tables
+`client`/`prospect` pour ne pas dédoubler la donnée. Les champs `name`, `email`, `phone`
+restent sur `Client`/`Prospect` (identité principale).
+
+### Documents des comptes-rendus
+
+> **Correction post-exploration :** contrairement à une première hypothèse, `task_document`
+> n'a **aucune** colonne propriétaire générique. La migration `Version20260522110000`
+> (suppression du portail client) a **retiré** `client_ticket_id` de `task_document` et
+> restauré `task_id` en `NOT NULL`. Le `TaskDocumentProcessor` **exige** une tâche.
+> « Réutiliser TaskDocument » impose donc de le **généraliser** (FK + processor), ce qui
+> recouple `ProjectManagement` ↔ `Directory`.
+
+**Décision d'architecture (`ReportDocument` dédié — recommandé) :** créer une entité
+`ReportDocument` **propre au module `Directory`**, qui réutilise le **même mécanisme de
+stockage** (même paramètre `task_document_upload_dir`, mêmes validations MIME/taille, même
+stratégie de download `BinaryFileResponse`), mais **sans** la mécanique SMB (inutile pour
+des pièces jointes de compte-rendu). Cela préserve la frontière modulaire (pas de FK
+croisée `ProjectManagement` → `Directory`) au prix d'une duplication maîtrisée du processor
+et du controller de download (≈ 150 lignes, sans la partie SMB). Côté front, les composants
+de preview/list de `ProjectManagement` sont **génériques** et réutilisés tels quels (ils ne
+dépendent que du DTO document + de l'URL de download).
+
+Entité `ReportDocument` (module `Directory`) : `id`, `commercialReport` (ManyToOne, FK
+`commercial_report_id`, nullable:false, ON DELETE CASCADE), `originalName`, `fileName`,
+`mimeType`, `size`, `createdAt`, `uploadedBy` (ManyToOne User, SET NULL). Endpoint
+`POST /api/report_documents` (multipart, `deserialize:false`, `ReportDocumentProcessor`),
+`GET /api/report_documents/{id}/download` (controller dédié, `priority: 1`),
+`DELETE /api/report_documents/{id}` (listener `preRemove` qui `unlink` le fichier disque),
+`GetCollection` filtrable par `commercialReport`.
+
+## API Platform
+
+Trois ressources (`Contact`, `Address`, `CommercialReport`) exposées avec :
+- Opérations : `GetCollection`, `Get`, `Post`, `Patch`, `Delete`.
+- Filtres : `SearchFilter` sur `client` et `prospect` (exact) pour charger la collection
+  d'une fiche donnée. Collections non paginées (aligné sur `Client`/`Prospect`).
+- Sécurité : lecture `ROLE_USER`, écriture `ROLE_ADMIN` (pattern existant du module).
+- Groupes de sérialisation : `contact:read`/`contact:write`, `address:read`/`address:write`,
+  `commercial_report:read`/`commercial_report:write`. `CommercialReport:read` embarque
+  `author` (id + username) et `documents`.
+
+Permissions RBAC ajoutées au `Module::permissions()` :
+`directory.reports.view`, `directory.reports.manage`. (Contacts/adresses couverts par
+`directory.clients.*` / `directory.prospects.*` existants.)
+
+## Conversion prospect → client
+
+`ConvertProspectProcessor`
+(`src/Module/Directory/Infrastructure/ApiPlatform/State/ConvertProspectProcessor.php`)
+est étendu : après création/liaison du `Client`, pour chaque `Contact`, `Address` et
+`CommercialReport` du prospect → set `client = <nouveau client>` et `prospect = null`.
+Reste **idempotent** (si déjà converti, retourne inchangé). Les documents suivent
+automatiquement (rattachés au `CommercialReport`, pas au prospect).
+
+## Frontend (Nuxt — `frontend/modules/directory`)
+
+### Liste & navigation
+- `pages/directory.vue` (2 onglets Clients/Prospects, `MalioDataTable`) **reste**.
+- Le clic sur une ligne ouvre désormais la **fiche détail** (`navigateTo`), au lieu du drawer.
+- Le drawer (`ClientDrawer`/`ProspectDrawer`) est **conservé pour la création rapide**
+  (champs principaux : name/email/phone, + company/status/source/notes pour le prospect).
+
+### Fiches détail
+`pages/clients/[id].vue` et `pages/prospects/[id].vue` :
+- En-tête : retour + titre + actions (archiver/supprimer selon droits).
+- Bloc principal (identité : name/email/phone…), éditable en place.
+- `MalioTabList` avec onglets **Contact**, **Adresse**, **Rapport** :
+  - **Contact** : `DirectoryContactBlock` répétable (ajout/suppression, sauvegarde par bloc
+    POST/PATCH, suppression = DELETE immédiat), validation 422 inline via `useFormErrors`.
+  - **Adresse** : `DirectoryAddressBlock` répétable, même mécanique.
+  - **Rapport** : liste des comptes-rendus (date, type badge, objet, auteur) + formulaire
+    d'ajout/édition (objet, type, date, corps) + zone documents (`ReportDocumentUpload` /
+    `ReportDocumentList`, calqués sur les composants `TaskDocument*` génériques).
+
+Les blocs Contact/Adresse sont des composants **génériques** (mêmes pour client et prospect),
+paramétrés par l'IRI du propriétaire (`client` ou `prospect`).
+
+### Services & DTO
+Nouveaux services `services/contacts.ts`, `services/addresses.ts`,
+`services/commercial-reports.ts` (CRUD + filtre par owner) et DTO associés
+(`dto/contact.ts`, `dto/address.ts`, `dto/commercial-report.ts`). Réutilisation du service
+existant `task-documents.ts` via `uploadWithRelation('commercialReport', iri, file)`.
+
+## i18n
+
+Traductions FR ajoutées sous `directory.*` : libellés des onglets (Contact, Adresse,
+Rapport), champs des trois entités, types de compte-rendu (Appel/Rendez-vous/Email/Note),
+toasts de succès (créé/mis à jour/supprimé) et messages de validation.
+
+## Tests (PHPUnit)
+
+- Entités + contrainte CHECK double-FK (un contact/adresse/rapport ne peut être orphelin).
+- Conversion : après convert, contacts/adresses/rapports du prospect pointent vers le
+  client (`prospect = null`), idempotence.
+- Sécurité : lecture `ROLE_USER`, écriture refusée hors `ROLE_ADMIN`.
+- Upload : un document peut être rattaché à un `CommercialReport` ; CHECK respecté.
+- Data migration adresse inline → `Address` (au moins une adresse créée par client/prospect
+  ayant une adresse non vide).
+
+> ⚠️ Base de test non isolée (les POST s'accumulent) : tester des **invariants**
+> (relations, statuts, présence), pas des **counts absolus**.
+
+## Hors périmètre (YAGNI)
+
+- Pas de pipeline d'opportunités/affaires avec montants (le `status` du prospect suffit).
+- Pas de dashboard/statistiques commerciales chiffrées.
+- Pas de relance/prochaine action datée sur le compte-rendu (non retenu au cadrage).
+- Pas de gestion de types d'adresse structurés (facturation/livraison) : `label` libre.
-- 
2.39.5


From f6d37e46674ea5358e24aed235416a5c42c3b270 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Mon, 22 Jun 2026 17:28:07 +0200
Subject: [PATCH 96/99] fix(api) : register #[ApiFilter] services by mapping
 module entity paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Modular monolith moved entities out of src/Entity into src/Module/*/Domain/Entity
without configuring api_platform.mapping.paths. Resources stayed discoverable via
service autoconfiguration, but annotated filter services were registered only for
classes found in resource_class_directories (the now-empty default src/Entity and
src/ApiResource), so every #[ApiFilter] (SearchFilter, BooleanFilter, OrderFilter,
DateFilter) was silently ignored across the whole API — collection filters never
narrowed results (my-tasks showed all users' tasks, time entries leaked across
users, directory would leak per-client data).

Declare the seven module entity directories under mapping.paths so the annotated
filter services are generated again.
---
 config/packages/api_platform.yaml                  | 14 ++++++++++++++
 .../pages/{directory.vue => directory/index.vue}   |  0
 2 files changed, 14 insertions(+)
 rename frontend/modules/directory/pages/{directory.vue => directory/index.vue} (100%)

diff --git a/config/packages/api_platform.yaml b/config/packages/api_platform.yaml
index 8b825c8..e8f764d 100644
--- a/config/packages/api_platform.yaml
+++ b/config/packages/api_platform.yaml
@@ -1,6 +1,20 @@
 api_platform:
     title: Lesstime API
     version: 1.0.0
+    # Modular monolith: entities (and their #[ApiFilter] attributes) live under
+    # src/Module/*/Domain/Entity, not the default src/Entity. Resources are still
+    # discovered via service autoconfiguration, but #[ApiFilter] services are only
+    # registered for classes found in these paths — without them, every filter is
+    # silently ignored. Decoupled ApiResource classes stay discovered via tags.
+    mapping:
+        paths:
+            - '%kernel.project_dir%/src/Module/Core/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/TimeTracking/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/ProjectManagement/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Absence/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Directory/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Mail/Domain/Entity'
+            - '%kernel.project_dir%/src/Module/Integration/Domain/Entity'
     formats:
         jsonld: ['application/ld+json']
         json: ['application/json']
diff --git a/frontend/modules/directory/pages/directory.vue b/frontend/modules/directory/pages/directory/index.vue
similarity index 100%
rename from frontend/modules/directory/pages/directory.vue
rename to frontend/modules/directory/pages/directory/index.vue
-- 
2.39.5


From bf55a55fa60bf7f8e10c0b245bffb230623f0117 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Tue, 23 Jun 2026 12:14:22 +0200
Subject: [PATCH 97/99] fix(project-management) : reflect saved task
 immediately in board, list and reopened modal

TaskModal now emits the fresh task returned by the API (same task:read
shape as the collection). The board, my-tasks and archives pages reinject
it into their local state and selectedTask before the background re-fetch,
so the list and a reopened modal no longer show the previous snapshot while
loadData() is still running.
---
 .../project-management/components/TaskModal.vue       |  4 ++--
 .../modules/project-management/pages/my-tasks.vue     |  8 +++++++-
 .../pages/projects/[id]/archives.vue                  |  8 +++++++-
 .../project-management/pages/projects/[id]/index.vue  | 11 ++++++++++-
 4 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/frontend/modules/project-management/components/TaskModal.vue b/frontend/modules/project-management/components/TaskModal.vue
index 7f11066..bb90876 100644
--- a/frontend/modules/project-management/components/TaskModal.vue
+++ b/frontend/modules/project-management/components/TaskModal.vue
@@ -569,7 +569,7 @@ const props = defineProps<{
 
 const emit = defineEmits<{
     (e: 'update:modelValue', value: boolean): void
-    (e: 'saved'): void
+    (e: 'saved', task?: Task): void
 }>()
 
 const isOpen = computed({
@@ -1042,7 +1042,7 @@ async function handleSubmit() {
             await removeRecurrence(props.task.recurrence.id)
         }
 
-        emit('saved')
+        emit('saved', savedTask)
         isOpen.value = false
     } finally {
         isSubmitting.value = false
diff --git a/frontend/modules/project-management/pages/my-tasks.vue b/frontend/modules/project-management/pages/my-tasks.vue
index 35bb536..7b015da 100644
--- a/frontend/modules/project-management/pages/my-tasks.vue
+++ b/frontend/modules/project-management/pages/my-tasks.vue
@@ -269,7 +269,13 @@ watch(taskModalOpen, (open) => {
     }
 })
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste avant le re-fetch (cf. index.vue) pour éviter le snapshot stale.
+    if (savedTask) {
+        const idx = tasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) tasks.value[idx] = savedTask
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadTasks()
 }
 
diff --git a/frontend/modules/project-management/pages/projects/[id]/archives.vue b/frontend/modules/project-management/pages/projects/[id]/archives.vue
index b17dd26..de3ea86 100644
--- a/frontend/modules/project-management/pages/projects/[id]/archives.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/archives.vue
@@ -150,7 +150,13 @@ function openTaskEdit(task: Task) {
     taskDrawerOpen.value = true
 }
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste avant le re-fetch (cf. index.vue) pour éviter le snapshot stale.
+    if (savedTask) {
+        const idx = archivedTasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) archivedTasks.value[idx] = savedTask
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadData()
 }
 
diff --git a/frontend/modules/project-management/pages/projects/[id]/index.vue b/frontend/modules/project-management/pages/projects/[id]/index.vue
index b8165f0..13bd443 100644
--- a/frontend/modules/project-management/pages/projects/[id]/index.vue
+++ b/frontend/modules/project-management/pages/projects/[id]/index.vue
@@ -473,7 +473,16 @@ async function onBulkDelete() {
     await loadData()
 }
 
-async function onSaved() {
+async function onSaved(savedTask?: Task) {
+    // Mise à jour optimiste : la modale se ferme avant la fin du re-fetch, on
+    // réinjecte immédiatement la tâche fraîche renvoyée par l'API pour éviter
+    // que la liste (et un éventuel ré-ouverture de la modale) reste sur l'ancien snapshot.
+    if (savedTask) {
+        const idx = tasks.value.findIndex(t => t.id === savedTask.id)
+        if (idx !== -1) tasks.value[idx] = savedTask
+        else tasks.value.push(savedTask)
+        if (selectedTask.value?.id === savedTask.id) selectedTask.value = savedTask
+    }
     await loadData()
 }
 
-- 
2.39.5


From bfbab5bbf24b63d4dbb254b399797d0391adbaf5 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Tue, 23 Jun 2026 12:14:44 +0200
Subject: [PATCH 98/99] fix(directory) : refresh clients list after converting
 a prospect

Converting a prospect creates a client and removes the prospect, but only
loadProspects() was called, so the new client did not appear in the Clients
tab until a manual page refresh. Both the table convert button and the
ProspectDrawer saved event now reload prospects and clients.
---
 frontend/modules/directory/pages/directory/index.vue | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/frontend/modules/directory/pages/directory/index.vue b/frontend/modules/directory/pages/directory/index.vue
index 4c0e8db..3803d64 100644
--- a/frontend/modules/directory/pages/directory/index.vue
+++ b/frontend/modules/directory/pages/directory/index.vue
@@ -103,7 +103,7 @@
         <ProspectDrawer
             v-model="prospectDrawerOpen"
             :prospect="selectedProspect"
-            @saved="loadProspects"
+            @saved="onProspectSaved"
         />
     </div>
 </template>
@@ -215,7 +215,14 @@ function openEditProspect(item: Record<string, unknown>) {
 
 async function convertProspect(row: ProspectRow) {
     await prospectService.convert(row.id)
-    await loadProspects()
+    // La conversion crée un client et retire le prospect : rafraîchir les deux listes.
+    await Promise.all([loadProspects(), loadClients()])
+}
+
+// Le ProspectDrawer porte aussi le bouton « Convertir » : son event 'saved' peut
+// donc être une conversion → toujours rafraîchir les deux listes par sécurité.
+async function onProspectSaved() {
+    await Promise.all([loadProspects(), loadClients()])
 }
 
 watch(statusFilter, loadProspects)
-- 
2.39.5


From ee9b751a1f61ab54e6e33d4f6248608a08485af2 Mon Sep 17 00:00:00 2001
From: Matthieu <contact@malio.fr>
Date: Tue, 23 Jun 2026 15:42:57 +0200
Subject: [PATCH 99/99] fix(project-management) : make my-tasks kanban
 drag-drop status change instant

---
 .../modules/project-management/pages/my-tasks.vue    | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/frontend/modules/project-management/pages/my-tasks.vue b/frontend/modules/project-management/pages/my-tasks.vue
index 7b015da..52e019d 100644
--- a/frontend/modules/project-management/pages/my-tasks.vue
+++ b/frontend/modules/project-management/pages/my-tasks.vue
@@ -87,8 +87,16 @@ function statusesForTaskCategory(task: Task, category: StatusCategory): TaskStat
 }
 
 async function applyStatus(task: Task, status: TaskStatus): Promise<void> {
-    await taskService.update(task.id, { status: `/api/task_statuses/${status.id}` })
-    await loadTasks()
+    if (task.status?.id === status.id) return
+    // Mise à jour optimiste : re-bucket le kanban instantanément avant la réponse réseau (cf. index.vue).
+    const previousStatus = task.status
+    task.status = status
+    try {
+        await taskService.update(task.id, { status: `/api/task_statuses/${status.id}` })
+    } catch (e) {
+        task.status = previousStatus
+        throw e
+    }
 }
 
 function onDrop(category: StatusCategory, event: DragEvent): void {
-- 
2.39.5